Here our experts help you keep your IT simple, fast and safe. Their clear, direct articles on cutting-edge IT topics are written for IT pros and non-pros alike.
A passwordless future, we hear, awaits us all: multi-factor authentication, biometrics and so on. But until that great day comes, we’re stuck with creating passwords from ever more elaborate combinations of letters, numbers and symbols.
So we’re told.
Of course passwords must be strong. Password theft has surged 45% in just the last six months, reports Phil Muncaster of InfoSecurity Magazine.
Dozens of online password generators are available to help users create secure, high-entropy passwords. But who among us can remember the results?
So why not create high-entropy passwords that are easily memorized?
Such a password can consist of just two randomly generated words – one of six letters and one of seven – connected by one keyboard symbol and two numbers.
This gives you a high-entropy password, and 16 characters suffice. Which means you don’t have to write it down. You can keep it in your head.
But how can you be sure that this memorable password has enough entropy to be secure? Do the math. English has roughly 2,400 five-letter words and 20,000 six-letter words, plus all the longer words. Add up the words you draw from and square the total, since you are choosing two words independently, then multiply by the number of symbols you allow and by 100 for the two random digits.
That comes to roughly 5×10^14 possibilities, about 49 bits. That’s enough entropy for a secure password.
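An added example, not code from the original post, that turns the recipe into a script: it draws each component from the operating system's cryptographic random number generator rather than Get-Random, and reports the size of the search space together with its log2, which is the entropy in bits. The word lists are a constructed eight-word sample standing in for a real dictionary, so the bit counts they produce are illustrative only; pass the sizes of your actual lists to see the real figure.

```powershell
function Get-SecureRandomIndex {
    # Unbiased index in [0, Count) from the OS CSPRNG. Get-Random is not a
    # cryptographic generator and must not be used to pick secrets.
    param([Parameter(Mandatory)][int]$Count)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Largest multiple of Count that fits in a UInt32; draws at or above it are
    # rejected so every index is equally likely (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Count)
    do {
        $rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % $Count)
}

function New-TwoWordPassword {
    # word(6) + symbol + two digits + word(7) = 16 characters, every part random.
    param(
        [Parameter(Mandatory)][string[]]$FirstWords,
        [Parameter(Mandatory)][string[]]$SecondWords,
        [string]$Symbols = '!@#$%^&*-_=+?'
    )
    $w1     = $FirstWords[(Get-SecureRandomIndex $FirstWords.Count)]
    $w2     = $SecondWords[(Get-SecureRandomIndex $SecondWords.Count)]
    $sym    = $Symbols[(Get-SecureRandomIndex $Symbols.Length)]
    $digits = '{0:D2}' -f (Get-SecureRandomIndex 100)   # 00-99; leading zero kept
    return "$w1$sym$digits$w2"
}

function Get-SearchSpace {
    # Each part is chosen independently and uniformly, so the number of possible
    # passwords is the product of the choices per part; entropy is its log2.
    param(
        [Parameter(Mandatory)][int]$FirstCount,
        [Parameter(Mandatory)][int]$SecondCount,
        [int]$SymbolCount = 13,
        [int]$DigitCount  = 2
    )
    $combinations = [double]$FirstCount * $SecondCount * $SymbolCount * [math]::Pow(10, $DigitCount)
    [pscustomobject]@{
        Combinations = $combinations
        Bits         = [math]::Round([math]::Log($combinations, 2), 1)
    }
}

# Constructed sample lists; load a real dictionary (tens of thousands of words) in practice.
$six   = 'planet', 'silver', 'bridge', 'garden', 'rocket', 'meadow', 'yellow', 'timber'
$seven = 'library', 'harvest', 'compass', 'lantern', 'journey', 'blanket', 'whisper', 'horizon'

New-TwoWordPassword -FirstWords $six -SecondWords $seven
Get-SearchSpace -FirstCount $six.Count -SecondCount $seven.Count   # the tiny sample above
Get-SearchSpace -FirstCount 20000 -SecondCount 20000               # two lists of 20,000 words each
```

Bits is the number to compare against a policy. An attacker who knows the recipe (and the fixed word, symbol, digits, word layout means they should be assumed to know it) only has to search the product of the list sizes, so the sizes of the lists and the randomness of the draw are all that count; a word the user picks by hand adds far less than one drawn at random.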
November 24, 2021 / by Sanjiv Bawa
Why Active Directory Segregation is Crucial
Here’s Part III in our ongoing series on keeping your systems ransomware free:
Most organizations run a single Active Directory that gives all their users single sign-on. This makes perfect sense, since most people want to use the same set of credentials everywhere. However, it also creates a serious security problem.
A breach of that directory means losing control of your entire infrastructure at once. Many organizations authenticate to their firewalls, switches, routers and servers with the same directory. What happens when that directory is compromised? An attacker can not only destroy your servers but also wipe out your switch configurations and everything else.
A better way to handle this is to run separate directories for desktops and for critical infrastructure such as servers. A well-designed trust between the domains, one-way (the server domain trusts the desktop domain, never the reverse), with SID filtering left on and selective authentication enabled so that only the desktop accounts you explicitly allow can authenticate to servers, keeps a breach of the desktop directory from being used against the server infrastructure. Most rank-and-file users still get single sign-on. Domain Administrators will have to maintain a separate set of credentials per directory, but that is a small price to pay for real security.
Without going into details, I will say that at Chi Networks, we don’t use a single directory but instead use multiple Active Directories for various customer-facing and internal infrastructures. We then create trust relationships among the directories to prevent a compromise of a single directory from triggering a global compromise of just about everything. We also use Linux-based LDAP for certain services so as not to put all our eggs in a Windows basket – never a good idea, given the ongoing security issues at Microsoft.
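As an added example, not the company's own tooling, the trust design described above can be checked from the server domain with the ActiveDirectory PowerShell module (RSAT). The script lists every trust with the three settings that decide whether a compromise of the trusted desktop domain can be turned against this one, then looks for accounts from another domain sitting in the privileged groups. The list of privileged groups is an assumption; adjust it to your forest.

```powershell
Import-Module ActiveDirectory

# 1. Trust direction and filtering. Seen from the server domain, the trust with the
#    desktop domain should be Outbound (this domain trusts the desktop domain, which
#    gives desktop users SSO to servers) and never two-way, which would let server-domain
#    accounts be used, and captured, on desktops. SID filtering blocks SID-history
#    injection across the trust; selective authentication means only accounts granted
#    "Allowed to Authenticate" on a server can log on to it at all.
Get-ADTrust -Filter * | ForEach-Object {
    $findings = @()
    if ($_.Direction -eq 'BiDirectional') {
        $findings += 'two-way trust'
    }
    if (-not ($_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware)) {
        $findings += 'SID filtering disabled'
    }
    if (-not $_.SelectiveAuthentication) {
        $findings += 'selective authentication off (domain-wide authentication)'
    }
    $summary = if ($findings) { $findings -join '; ' } else { 'ok' }
    [pscustomobject]@{
        Trust     = $_.Name
        Direction = $_.Direction
        Forest    = $_.ForestTransitive
        Findings  = $summary
    }
} | Format-Table -AutoSize

# 2. No principal from another domain may be a direct member of a privileged group
#    here. Cross-domain members are stored as ForeignSecurityPrincipal objects, so a
#    test on the member DN is enough; nested groups would need a second pass.
$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Schema Admins', 'Account Operators', 'Server Operators', 'Backup Operators'
foreach ($name in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties member
    if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root
    foreach ($dn in $group.member) {
        if ($dn -like '*,CN=ForeignSecurityPrincipals,*') {
            Write-Warning "$name contains a member from another domain: $dn"
        }
    }
}
```

Anything other than `ok` in the Findings column is fixed on the trust itself: `netdom trust <ServerDomain> /domain:<DesktopDomain> /quarantine:yes` turns SID filtering on and `/SelectiveAuth:yes` switches the trust to selective authentication, after which the desktop accounts that really need server access are granted "Allowed to Authenticate" on the specific computer objects, and nothing else from that domain can log on.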
October 12, 2021 / by Sanjiv Bawa
Tips on Network Segregation
In our first post, we discussed the big idea of Setting Up an Administrator Clean Room to separate all of your company’s security personnel and security-purposed devices from all of its non-security personnel and unsecured devices.
This post shows how you can additionally secure your environment with network segregation.
Most System Admins understand the need for a Local Area Network (LAN) that is totally inaccessible from the Wide Area Network (WAN), that is, the Internet. You also need a perimeter network or Demilitarized Zone (DMZ) for web servers, FTP servers and other services that must be reachable from the WAN.
So, here are some tips on how to segregate your networks to prevent attacks:
August 31, 2021 / by Sanjiv Bawa
Set Up an Administrator Clean Room. It Air Gaps Your Devices and Your Staff.
Ransomware needs no introduction. It’s become the worst nightmare for System Admins and CEOs in companies worldwide.
This series of three posts offers tips and techniques to protect your organization from Ransomware and other hacking attempts. Let’s start with the most ambitious one: the Administrator Clean Room.
What is an Administrator Clean Room and Why Should Your Company Have One?
The Clean Room is a single-purpose room. It’s set up for System Administrators to do just one thing: manage production systems securely.
All other tasks performed by Sys Admins, routine ones like non-urgent research and daily communication by phone and email with bosses and clients, are done in a separate office. Never in the Clean Room!
This separation takes air gapping to the next level. Air gapping as widely practiced today isolates the devices that secure a company’s IT system from all the other devices on its imperfectly secured local area network. It separates devices. The Administrator Clean Room adds a second gap: it isolates your security-purposed devices and your Sys Admins from every other person and device in the company that might be exposed to external attacks such as ransomware, spear phishing and browser exploits.
Without an Administrator Clean Room your company is vulnerable to these outside attacks.
How the Clean Room works
All regular Sys Admin tasks are performed inside the Clean Room: patching, software installation, production configuration changes and outage resolution.
Only security-purposed hardware and software are allowed in the Clean Room: just what is needed to reach the production servers over the critical networks.
With one exception, addressed below, the Clean Room has no Internet access. No browsers, email clients, USB keys, phones or other extraneous software or devices are allowed inside.
No PCs are allowed inside either, only thin clients running a Terminal Services (RDP) or SSH client. You log in, you administer, you log out and you leave the room.
Once outside the Administrator Clean Room (ACR), you have no access to the production network or the systems on it. Your administrative or root credentials will not work outside the room either.
But what about browsers needed for research purposes?
Here’s the exception. Browsers are sometimes needed inside the Clean Room, as when a serious production problem calls for on-the-spot research. The solution is to admit a separate set of thin clients to the ACR for browsing only, on their own network and with their own non-root credentials.
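One way to make the rule that administrative passwords do not work outside the room concrete on Windows, offered here as an added example rather than the post's own procedure: pin every administrator account to the Clean Room thin clients through the account's LogonWorkstations attribute, which the domain controller evaluates at logon, and audit for privileged accounts that still lack the restriction. The OU and the thin-client names are assumptions.

```powershell
Import-Module ActiveDirectory

$AdminOU      = 'OU=Tier0-Admins,DC=corp,DC=example,DC=com'   # assumed OU holding the admin accounts
$CleanRoomPCs = 'ACR-TC01,ACR-TC02,ACR-TC03,ACR-TC04'         # assumed thin clients; NetBIOS names, max 64

# Apply: userWorkstations is checked by the DC on every logon, so the credential is
# refused from any computer not in the list, however the attacker obtained it.
Get-ADUser -SearchBase $AdminOU -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations -ne $CleanRoomPCs } |
    ForEach-Object {
        Set-ADUser -Identity $_ -LogonWorkstations $CleanRoomPCs
        Write-Host "Restricted $($_.SamAccountName) to $CleanRoomPCs"
    }

# Audit: privileged accounts anywhere in the domain that still have no restriction.
# -Recursive expands nested groups; only user objects are checked.
$unrestricted = foreach ($groupName in 'Domain Admins', 'Administrators') {
    Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) }
}
$unrestricted | Sort-Object DistinguishedName -Unique |
    Select-Object SamAccountName, DistinguishedName
```

LogonWorkstations is enforced against the workstation name the client presents at logon, so treat it as a guard-rail rather than a wall. On Windows Server 2012 R2 and later, an Authentication Policy Silo with Kerberos armoring binds the same accounts to the same hosts cryptographically and is the stronger control, and SSH to Linux hosts needs its own rule, for example a Match Address block in sshd_config that only admits logins from the Clean Room subnet.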
That’s it for Part I. Part II will discuss securing Windows servers. Part III will discuss Separated Networks and Separated Active Directories.
August 31, 2021 / by Sanjiv Bawa
OK, so cloud costs are soaring, as the above graphic shows, and you’re annoyed as heck.
Why? Among other things, the AWS/Azure cloud duopoly is hiking prices as high as the market will allow. (And these two behemoths account for 51% of all cloud spending.)
In response, some companies are looking to reduce soaring cloud costs by repatriating (or returning) some or most of their workloads from cloud servers to servers maintained on premises.
But repatriation is a huge hassle. Deciding which servers to repatriate and then bringing them home can be a formidable task. It is “a non-starter” for companies lacking the IT staff to complete server repatriation, including the rewriting of code, as Sarah Wang and Martin Casado say in a recent in-depth investigation of repatriation.
True, cost savings are substantial when repatriation is done right. Wang and Casado report that “Several experts we spoke to converged on this ‘formula’: Repatriation results in one-third to one-half the cost of running equivalent workloads in the cloud.”
But for companies not equipped or wanting to deal with the complexities of repatriation, there’s a safe and cost-effective alternative. It is to work with a reliable MSSP whose monthly prices run from 20% to 40% lower than those of AWS and Azure.
They do exist, and Chicago-based Chi Networks is one of them. It keeps IT systems running smoothly and ransomware-free for its 600+ Enterprise and SMB customers worldwide. And its live no-hold, no-wait 24/7 expert tech phone support creates a company/MSSP relationship that the duopolies can’t come close to matching.
August 3, 2021 / by admin
Surjit Kumar Bawa, Managing Director of Chi Networks India, a subsidiary of Chicago-based Chi Networks, announced September 9 the addition of 25 staff members at its office in New Delhi and the opening of new offices in Mumbai and Bangalore.
Chi Networks CEO Sanjiv Bawa opens this article about cybersecurity issues confronting Healthcare settings today with the key observation that "The major problem is security from the inside."
News account of the discovery by Chi Networks security engineers of a potentially costly technical vulnerability in the Ventra ticket purchase-and-display app used by tens of thousands of Chicago region Metra commuters daily. Metra, the commuter rail system for the Chicago metropolitan area, transports over 80 million passengers annually. Recently it launched its Ventra ticket purchase and display app, which ...
On March 21 Chi Networks CEO Sanjiv Bawa was interviewed in the Suburban Chicago Daily Herald Business Ledger “Coffee Break” feature. He spoke about what it takes to found and grow a managed cloud company in the never-a-dull-moment environment of one of the most exciting and rapidly changing industries of our time.