What is Password Spraying & Why You Should Care

What is Password Spraying & Why You Should Care

Read

What is Password Spraying & Why You Should Care

Passwords have been with us for a very long time, in fact, the computer password recently celebrated its 60th birthday, since its beginning in an MIT lab in the fall of 1961.

As we approach 2022, it is estimated that there are well over 300 billion passwords in use worldwide and almost everyone knows the basics of good password security – right?

Well maybe, maybe not, the evidence would say not, the statistics remain shocking.

Here’s just one example; Did you know that more than 23,000,000 account-holders in the UK alone use the password “123456”!

What is Password Spraying

I picked that statistic, not only because it clearly highlights how big an issue bad password security remains, but also because Forbes recently reported on a rapidly rising cyberattack type that very much relates to that statistic specifically.

That attack type is Password Spraying. So, what exactly is it?

The easiest way to explain password spraying is to compare it to a much better-known password attack type, the “Brute Force” attack.

A “brute force” attack targets a small number of accounts with a substantial volume of ‘password guesses’ and is the reason why a longer password is a stronger password – it takes much (much, much) longer to cycle through every password combination for 12 characters than it does for 6 characters.

“Password Spraying” though flips this on its head and targets a huge number of accounts with a small number of “password guesses” – and as you might expect, those “guesses” are the passwords that are most used – such as our friend “123456”.

Protect yourself from Password Spraying attacks

This is a simple one – avoid those commonly used, simple passwords that are the punchlines in a million cyber security memes.

Here’s a list of the 10 most used passwords in 2021 – seriously, if you have an account anywhere that uses one of these – change it now!

  • 123456
  • 123456789
  • qwerty
  • password
  • 12345
  • qwerty123
  • 1q2w3e
  • 12345678
  • 111111
  • 1234567890

It really is that simple.

So, if “123456” is out, what should I use instead?

Password spraying is not the only reason to use “strong” passwords – but it is a good one all the same.

To create a “strong” password, simply follow this simple guide.

  • Longer = stronger: Make your passwords at least 8 characters long, preferably even longer.
  • Complexity: Your passwords should contain at least 1 uppercase, lowercase, numerical and special character.

There are other tricks, such as using a passphrase, but as long as you follow these 2 simple steps your passwords will be drastically more difficult to crack and won’t typically be included in the “guesses” used in Password Spraying type attacks.

Even better, where possible, secure your important passwords with further authentication methods, such as 2-factor authentication or biometrics, such as facial recognition, fingerprint scanning, or retinal scanning.

While much of this information may seem obvious to many, the statistics year-on-year show that it’s still as relevant as it ever was.

Ready to take the first steps toward better cybersecurity?

If you would like to know more about IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.

About the author…

Julian has over 20 years of experience as a technical salesperson for IT Managed Service Providers (MSPs) and likes nothing more than a cup of coffee and a chat about how to cure your IT headaches.

The Top Cyber Security Threats & Tips On How To Defend Against Them

The Top Cyber Security Threats & Tips On How To Defend Against Them

Read

The Top Cyber Security Threats & Tips On How To Defend Against Them

The Top Cybersecurity Threats for Businesses in 2021

1. Phishing

Phishing is a hacking scheme that, in its most common form, appears to be a regular email from a legitimate source, using legitimate-looking links, attachments, business names, and logos. The email aims to persuade the recipient to perform an action, usually clicking a link or downloading an attachment.

Some email-based variations include “whale phishing” that are more targeted and primarily directed at company executives, and “spear phishing” that are targeted against a specific person.

Phishing attacks can also take non-email forms. “Smishing”, for instance, uses SMS messages to garner clicks to dangerous links, while “vishing” uses fraudulent phone calls and voice messages that pose as legitimate companies to the same end.

A more recent form of Phishing attack is “search engine phishing”, where hackers create fake online websites and rank on search engine results to steal user’s information.

In a recent study 86% of organisations reported having at least one user connect to a phishing site.

2. Malware

Malware, also known as malicious software, hacks devices by either slowing them down significantly or stopping them from working entirely. It destroys computer systems through software agents such as trojan malware, spyware, viruses, ransomware, adware, and worms.

Malware can be released into a computer by clicking an infected link, downloading a file or material from an unknown source, clicking a pop-up ad, or downloading an email attachment from an unknown sender.

Once malware is released into a computer system, hackers can gain access to your company’s network where they will usually target passwords, credit card numbers, banking data, personnel files, and other potentially valuable information.

Worryingly, over the last year, 35% of the malware attacks reported by businesses in the UK used previously unseen malware or methods of infection.

3. Ransomware

Ransomware is a specific form of malware that encrypts a user’s computer systems. Once a ransomware attack has been implemented, users can no longer access their systems or files. For users to re-access their systems, they’re required to pay a ransom fee to the cybercriminals.

Ransom transactions are often made through crypto currencies, such as Bitcoin, though cybercriminals may also request other methods of payment, such as Amazon gift cards. The ransom costs can range tremendously, depending on the target. However, many organisations that make the ransom payments still don’t retrieve access to their systems, and even if they do, have no guarantees that the attackers haven’t left other exploits in place, to attack again later.

Ransomware is often spread through a malicious download, often starting with a phishing email and, as such, an attack can be targeted to either individual employees or entire organisations.

Throughout the pandemic, over a third of UK companies reported being targeted by a ransomware attack.

4. Breaches

A data breach occurs when sensitive data is stolen from a system without authorization from the system owner. Confidential user information can include but isn’t limited to credit card numbers, social security numbers, names, home addresses, email addresses, usernames, and passwords.

Breaches may be implemented through point-of-sale (POS) systems or a network attack. A network attack is likely to occur when cybercriminals identify a weakness in a company’s online security system and use the weakness to invade the system. Social attacks are also prevalent, where hackers fool employees into granting access to an organisation’s network. For instance, they may be tricked into downloading a harmful attachment or accidentally giving out login credentials.

Once a data breach occurs, businesses must take immediate action to contain the breach and resolve the issue. Failing to do so may result in a tarnished reputation and regulatory fines.

5. Compromised passwords

Compromised passwords most often occur when a user enters their login credentials unknowingly on a fake website. Common username and password combinations also leave accounts more vulnerable to attacks. Password reuse across multiple platforms can make your systems even more susceptible to hackers, leaving multiple accounts at high risk.

When creating passwords for company accounts you should always ensure that you use unique, hard-to-guess passwords.

However, 51% of people surveyed recently said that they use the same passwords for both their work and personal accounts.

3 Tips to Combat Cybersecurity Threats

1. Acquire the skills

Many organisations, particularly small- and medium-sized businesses, may struggle with staffing the right team to ensure an organisation is protected from the latest cyber threats and able to combat an attack.

Hiring a qualified security engineer or IT security manager can be expensive, so many businesses choose to find a 3rd party cybersecurity provider instead, often combining the outsourcing of IT support and cyber security services to the same provider.

Two advantages of working with an outside organisation are that they can provide 24/7 monitoring for attacks that can occur at any time, and they are experts that stay up to date on the ever-evolving landscape of cyberattacks.

2. Educate your team

Some best cybersecurity practices may seem obvious to most, but it’s important to educate your entire team and ensure everyone is on the same page.

Talk to employees about the importance of strong passwords, how to safely use a shared network, what your internet use guidelines are, and how to handle and protect customer data.

Train your team to recognize phishing attacks by looking for URLs or email addresses that are close but not exact, identifying language with misspellings or that feels a bit “off,” and being extra-cautious of requests for passwords or other personal information.

Even savvy security teams can fall prey to a cyberattack. Giving employees things to look for can help catch an attack quickly.

Cyber Awareness Training services, such as KnowBe4, can be a cost-effective and non-disruptive method to train your staff, using a combination of simulated attacks and targeted training direct to the users.

3.  Have a cybersecurity policy

Your cybersecurity policy should be a living document that is updated as attacks evolve. However, the basics of a policy should include guidelines on protecting devices (including up-to-date operating systems, browsers, firewalls, and encryption), multi-factor authentication (not just strong passwords, but secondary methods of authentication), and data protection (including how to handle customer data and what is appropriate to send via email).

Your policies should be readily available to your employees and reviewed frequently to ensure the entire organisation understands and abides by the proper protocol.

Having a cybersecurity plan is more important than ever. With the number of cyberattacks always increasing, and more and more companies now employing some element of remote workforce, it is paramount that all companies — regardless of size — understand current cyber threats and what to do to prevent and combat them.

Having a plan that is executed thoroughly and reviewed regularly is the best first step to keeping company and customer information safe. Whether you build up in-house expertise or find a trusted outside partner, cybersecurity can no longer be a project set on the back burner. Understanding the latest threats and what to do to prevent them from impacting your organisation is key to protecting your business.

Ready to take the first steps toward better cybersecurity?

If you would like to know more about IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.

3 Strategies Schools Can Apply To Protect Their Data

3 Strategies Schools Can Apply To Protect Their Data

Read

3 Strategies Schools Can Apply To Protect Their Data

Cyber-attacks on our nation’s schools have been increasing over the past few years and have spiked significantly over the past 12 months, with more than a third of primary schools (36%), over half of secondary schools (58%) and three-quarters of further education colleges (75%) reported to have suffered a cyber breach in the past year, according to recent National Cyber Security Centre (NCSC) figures.

In June of this year, the NCSC reported that recent attacks had “led to the loss of student coursework, school financial records, and data relating to COVID-19 testing.”

With the shift to online and hybrid learning, schools have found themselves more exposed than ever and with limited resources to defend their IT infrastructures, most schools are unequipped for the risk posed by today’s ever-evolving threat landscape.

Budget constraints are an ever-present obstacle to maintaining or improving security, and IT administrators also struggle with persuading students and staff to take security seriously.

Let’s look at some strategies schools can employ to make the cybersecurity grade.

Make endpoint security a priority

“Endpoints” refers to devices that users access directly, such as Servers, laptops & desktop PC’s, tablets, phones, etc., so called because it is a literal endpoint on a network.

Endpoint protection has always been a fundamental security practice, but as the network perimeter expands to include home networks, it’s now more crucial than ever. Unfortunately, due to budget constraints, school systems have struggled in this area.

To address this, administrators should consider prioritising high-risk systems and assets, such as data stores or servers, and apply threat detection to alert them of potential threats. If a violation of the school’s security policies is detected, automated actions can quickly contain threats before sensitive data is compromised. Essential mitigations should include a good antivirus solution, spam-filtering (for email accounts) and web-content filtering. You may also consider newer mitigations such as a ransomware protection solution, for example.

If budget remains an issue, schools can also leverage existing technology investments, such as the in-built security capabilities in Windows, Chromebooks and Microsoft365 to enhance protection across lower-risk assets. This is especially useful where IT administrators may not have complete “authority” over remote devices – such as a home user’s own PC – but can require that remote users have their in-built security options activated.

Awareness is key

An often-overlooked fact of cyber-security is that, even when you all the critical policy and technology mitigations in place, the most important defence is the awareness of those who use your systems on a day-to-day basis.

Educational institutions must work on building their security culture to ensure students, staff and administrators are “cyber aware.” Knowing how to identify and report a phishing email, practicing password hygiene and not sharing passwords – which has, unfortunately, become a common practice as the use of collaboration and cloud software has proliferated in recent months.

The fact is cyber-awareness training (CAT) need not be time consuming, disruptive, or expensive. Managed CAT services, incorporating simulated attacks, targeted training and auditing/reporting can be delivered on-going for very low cost – as an example, here at Supreme Systems we’re currently quoting just £2.99 per Teacher/Faculty member per month, and this service includes access to a wealth of resources that can be used for Student education sessions also.

Alternatively, you could take a more DIY approach and take advantage of free resources made available by the NCSC. Take a look here for links to NCSC practical resources to help schools improve cyber security, or here for cyber security training for school staff. While not as effective as on-going services at maintaining awareness, and will require some investment of time, this approach won’t impact already tight budgets.

The importance of good Access Management

With the rise in remote and technology-focused learning, schools must set up strict network access control policies, limiting data access to the people who need it, when they need it.

The statement that non-IT administrators should not have administrative rights on their devices or networks may sound obvious (because it is obvious) but in practice this is all too often not the case.

IT Administrators should have 2 accounts set-up – one with administrator rights to be used only when these rights are needed and their other account to be used at all other times, for everyday activities.

“Starter” & “leaver” processes are another important component to have in place, ensuring old accounts are removed and any passwords that a leaver may have been privy too are changed quickly.

With these policies in place, administrators are in a much stronger position and will mitigate against the risk of frequent turnover of students and staff. When a student graduates or a teacher leaves a position, their access rights can be quickly revoked to minimize the risk of their identity credentials falling into the wrong hands.

Where possible, you should also utilise 2-factor-authentication (also known as 2FA, multi-factor-authentication or MFA), especially for systems that access sensitive information.

Last words

Even before the pandemic, hackers discovered that schools are easy prey and a lucrative source of data and as students have returned to the classroom, the cybersecurity threat has not diminished in the slightest.

Establishing cybersecurity strategies like those above can help schools enhance their cybersecurity maturity and protect students, teachers, staff, and networks.

While many of these may seem obvious, they all require time and management, and some require financial investment too, which can result in them not being implemented at all or, just as bad, “worked around” – this is exactly what the cyber-criminals are banking on.

Ready to take the first steps toward better cybersecurity?

If you would like to know more about IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.

Supreme Systems are holding a cyber-security seminar for Schools & Further Education and have 30 Free seats available on a first come, first served basis. Featuring key note speakers from CyberSecure.School, Cyber Smart & KnowBe4, the event is scheduled for October 20thplease see here for more information and registration.

Top Cyber Security Threats & Tips for Educators

Top Cyber Security Threats & Tips for Educators

Read

Top Cyber Security Threats & Tips for Educators

The past 18 months have been a trying time for the Schools and the Education sector.

There was a dramatic and quick shift to an entirely new model of learning, coupled with the potential deployment of technology that wasn’t fully vetted, and which educators and students weren’t fully prepared to use, and cybercriminals knew this and were quick to try to exploit it.

This resulted in an almost immediate and serious increase in the number of cyber-attacks targeting educational organisations specifically and, even though we’re now coming out the other side of this, the criminals show no signs of abating.

So cyber security is a priority for schools and further education and in this short article, we’re going to take a broad view of what educators should know – the top threats, and our top tips for how to deal with them.

After all, staying informed and learning the best practices of cyber security to protect yourself and your students is always the best first step to take.

Top Threats

Diagram of cyber security threats

Below are the top cybersecurity threats faced by teachers in 2021.

  • Phishing: These attacks leverage social engineering by exploiting human nature to trick victims into giving up sensitive information such as passwords or credit card details. Over 90% of cyberattacks today start with a phishing attack, according to recent reports.
  • Distributed Denial-of-Service (DDoS): These attacks occur when multiple systems flood the bandwidth or resources of the local servers. These attacks can bring systems to a standstill and cause severe disruption.
  • Data Breach: A data breach is a security incident in which private or sensitive information (such as student data) is accessed without authorization. Student and educator data breaches are consistently reported as being one of the most common types of attack and successful attacks can cause great harm, often leading on to fraud, extortion, and other criminal activities affecting those whose data was lost.
  • Ransomware: These threats involve hackers holding data hostage in exchange for money or other demands. Ransomware has grown to become one of the most common forms of attack and can be devastating when successful, causing huge disruption, financial loss and reputational harm.
  • IoT Vulnerabilities: IoT (Internet of Things) devices such as laptops, smart home accessories and tablets often lack security or are not updated on a regular basis, making it vital for teachers to prioritize security when incorporating IoT devices into the classroom. Typically, IoT devices get overlooked as they can be diverse, but they have proliferated in recent years and should be included in update cycles alongside more “standard” IT hardware.

Top Tips

Now that you understand the cyber threats that educators face today, you might be wondering, what do I need to do to ensure myself, my school and my students are safe?

Here are some tips you can follow to help prevent these attacks.

  • Encrypt Your Data: Hackers today can obtain classroom data by intercepting it while actively in transit. By protecting your data using encryption, you can prevent cyber attackers from stealing the data that you send and receive.
  • Comply With Your Institution’s Cyber Protocols: Your school should have clear processes and usage policies in place, and it is vital to know and to follow these and to contact those responsible for managing your IT if an issue arises.
  • Safeguard Your Devices from Physical Attacks: Always log out of your computer when you step away. To keep passwords safe, try to avoid writing them down or entering your credentials within view of someone else.
  • Back Up Your Data: If your work or institution requires the storage of student data, it is important to back it up to prevent attackers from targeting this private data in Ransomware-style attacks where you may be locked out until a ransom is paid.
  • Practice Good Password Management: It’s easy to take shortcuts when it comes to passwords. A password management program can help you to maintain unique passwords for all your accounts with ease. *Look out for a new article, coming soon, where we will focus on Password Managers and how to use them*

Ready to take the first steps toward better cybersecurity?

If you would like to know more about It Support or other IT managed services that can drastically reduce your cybersecurity risk, get in touch with us.

On-boarding for St. John’s Primary Academy

On-boarding for St. John’s Primary Academy

Read

On-boarding for St. John’s Primary Academy

St. John’s C of E Primary Academy is a one form entry primary school situated within the town of Wednesbury, and a part of the St. Chad’s Academies Trust. The school aims to give every child the best start possible start to their education and to provide an inclusive and loving environment for their young students to thrive and learn in. St. John’s Primary Academy is an Ofsted “Good School” award winner and are “Music Mark” and “Primary Science Quality Mark” holders.

St. John’s Primary Academy approached Supreme Systems to tender to provide IT Support services when they felt they had outgrown their existing provisions and wished to engage an IT partner able to provide the resources they need as the school continues to grow and evolve.

After the initial interviewing process was completed, Supreme Systems were shortlisted to provide a detailed proposal and budgets, and this culminated in the award of the contract to provide IT support and managed services.

As with all new IT support engagements, Supreme Systems then begin a period of “on-boarding”. The goal of Supreme Systems’ on-boarding process is to ensure a smooth, disruption free commencement of IT support and managed services and typically will run over 6weeks consisting of the 4weeks prior to the agreed “go live” date, and the first 2weeks following. However, St. John’s requested that we condense our on-boarding period from 6weeks down to just 2 as they wanted Supreme to commence services sooner. This we did.

The first order of business was to begin to collate all the information that we will need to manage the school’ IT estate and began with the opening of communications with other relevant 3rd parties, to handover or share any details that they might hold. We also began an onsite audit of the school site to record details of the infrastructure, create sitemaps and an asset register and examine the configurations of various critical devices, such as networking and servers.

All this information is recorded in a secure, encrypted, knowledgebase so that our technical team can quickly call on relevant details in the future to expedite the resolution of issues as they arise.

Alongside the onsite audits our Service Delivery Team (SDT) scheduled an induction meeting with the key contacts at the school. Usually, these are done face-to-face but due to Covid restrictions at the time this one was done via a Videoconference. The induction meeting covers the details of our IT support processes identifies any quirks of the organisation so that we can tweak aspects of how we provide our services to meet the specific needs of the school. During these meetings, the Service Delivery Team are always conscious of keeping the conversation jargon-free and non-technical.

Meanwhile, Supreme Systems’ engineers began to deploy “software agents”. These are small programs installed on workstations and servers that integrate our own Monitoring & Management systems with the client’s IT infrastructure. These “agents” not only allow us to monitor for issues remotely, alerting us to potential problems, but also enable us to quickly take remote control of a device and to deploy and manage various other IT services, such as antivirus and backup/recovery applications.

The technical team also installed various other components, such as the hardware we use as a part of our backup and recovery services.

While all this technical work was underway, Supreme Systems’ Service Delivery Team welcomed the school faculty as a whole and provided information to them on how they can access our services directly to log issues, on their agreed service levels, such as response and resolution time guarantees, and relevant processes, such as escalating the priority of an issue, and so on.

In the closing phases of our on-boarding process we will resolve any outstanding and on-going issues that the organisation has and create a “Findings & Recommendations” document that includes a 3year plan. This is a living document that evolves with changes to the IT estate and is intended to ensure that the school remains compliant and can plan and budget for future developments according to their goals.

The on-boarding period for St. John’s C of E Primary Academy was completed in the period requested by the client and Supreme Systems were able to begin delivery of all services without any disruption on the date the school requested despite the shorter than usual handover period.

Sarah Cockshott, Executive Principal for St. John’s C of E Primary Academy, commented: “An incredibly smooth transition, carried out in the upmost professional manner.  Any works that needed to be carried out were done at our convenience ensuring we were able to continue our core purpose.  All engineers and staff we have had contact with since have listened and then been more than helpful to resolve any IT issues.  Every single one of these engineers or supreme staff have been polite, friendly and carried out their work with a smile. Thank you Supreme!”

Contact us