How to run a last pass security audit (and why it can’t wait)

You know you’re supposed to use a password manager. In fact, you’ve been meaning to set one up for a long time, but haven’t taken the plunge yet. Even popular ones, like LastPass, seem like a pain to set up. Good news: getting started with a password manager is easier than you think.

Password managers are an essential part of your online life. They create strong passwords that are difficult to crack, they keep track of those passwords so you don’t have to remember them, and they make it easy to change your passwords after a hack. You have a lot of great choices, but for this guide we’re going to focus on LastPass, one of our favorites, in your web browser. We like LastPass because the free version has all the features most people need, and it syncs across a single platform (like your PC, Mac, or mobile device). The free version of LastPass includes everything we’ll cover in this guide. For an additional $12/year you can also access your passwords from other platforms (like Windows and Mac, or Mac and iPhone, etc.) and get some additional options for multifactor authentication.

Download and Install LastPass In Your Browser

LastPass lives inside your browser as an extension. It’s available for just about every major browser, including Chrome, Firefox, Safari, and Opera.

  1. Head to the LastPass downloads page and install the extension for your preferred browser.
  2. After the installation is complete, you’ll see a new icon in your toolbar. Click that icon and select “Create an Account now.”
  3. Type in your email address and create a master password. Make this password strong: it’s the password you’ll always use to access LastPass, and all of the passwords you create and store with it. Don’t forget it—you don’t have too many options if you do.

There’s also a LastPass Mac app, but most people will find the browser extension is all they need. If you plan on accessing LastPass from your mobile device, go ahead and download the app for Android, iOS, or Windows Phone too, but be prepared to sign up for a premium subscription if you want to sync passwords between multiple devices.

Save Your Login Information for the Web Sites You Visit

Now it’s time to save your passwords in the LastPass vault. There are a few ways to do this, but the easiest is to just use the internet as you normally do, and save your passwords as you log into each new site. That way LastPass does the work for you.

  1. When you arrive at a site with a login page, type your username and password, but don’t click the sign in button.
  2. Click the LastPass icon inside the password field, then click “Save credentials for this site.”

As you do this, your LastPass account will gradually fill up your vault with all your passwords and login information. Now, when you revisit those sites, LastPass can automatically enter your username and password for you.

If you used your browser’s built-in password manager in the past, or if you’ve used another supported password manager, like 1Password, you can import all your login information directly into LastPass. This process varies depending on which manager you used before, but you’ll find all the information you need over on LastPass’s Importing Passwords guide.

Fix Your Weak Passwords with the Security Challenge

Next, let’s fix all those junky, easily-hacked passwords you’ve been using. As you enter more and more passwords into LastPass, you’ll want to go in and audit those passwords and create better ones. There are a few ways to do this, but as you’re starting out, the simplest method is to use LastPass’s built-in security challenge.

  1. In your browser, click the LastPass icon > My Vault.
  2. Click the Security Challenge tab.
  3. Click Show My Score.
  4. Enter your LastPass password when prompted.
  5. Wait for LastPass to analyze all your passwords.

LastPass will show you a report of all your passwords, divided into four self-explanatory sections: Change Compromised Passwords, Change Weak Passwords, Change Reused Passwords, and Change Old Passwords.

Click on each section to expand it and see which passwords LastPass recommends you change. For many popular sites, LastPass can automatically change your password with no real effort from you. Just click the Auto-Change button and LastPass will automatically create a new password for that site in the background and save it so you can use it the next time you visit.

If a site doesn’t support auto-change, you need to update your passwords manually. LastPass tries to make this as painless as possible, but it’s still a little work:

  1. Click “Launch Site” and LastPass will open that site in a new tab.
  2. Log in with your username and password, and find the change password section in the account details for that site.
  3. In the new password field, click the LastPass icon, then select “Generate a New Password.” LastPass will create a new password for the site.
  4. When prompted, select “Save Site” to save your new password information.

Depending on how many different sites you’re fixing here, this can be a long, cumbersome process, so fire up a movie on Netflix and set aside a bit of time to take care of them all.

Why you should perform regular security audits

Most companies believe that their computer systems are secure. But one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. Jonathan Yarden explains why your company should make a point of auditing its security on a regular basis, and he spells out some of the particular challenges you may encounter.

In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it’s a rarity to find companies that actually consider information security to be an important job function for all workers—and not just the IT department’s problem.

Unfortunately, it’s the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. But most companies don’t make it a habit of performing regular security audits, if they perform them at all.

In my experience, many companies base their Internet and information security strategy entirely on assumptions. And we’re all familiar with that old saying about making assumptions.

But I don’t entirely blame companies for failing to conduct periodic computer security audits. Frankly, the complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in corporations.

Several dozen popular commercial network and computer security auditing programs are currently available. While I’ve used several myself, I’ve honestly found no favorites. These tools produce mountains of useful information, but understanding what to do with the data is no simple job.

Most computer network and system security audits begin the same way. An automated program gathers information about hosts on the corporate network, identifying the type of network device. If applicable, it also scans the TCP and UDP services that are present and “listening” on the host, and it might even determine the versions of the software supplying an Internet service.

In most cases, the process involves at least two automated scans—one of internal networks, which are generally behind a firewall, and one of the Internet subnet used by the corporation. If a security audit doesn’t include both an interior and exterior scan, then you’re not getting a complete picture of what hosts are on your organization’s network.

In addition, I also recommend that companies perform their own auditing whenever possible. If not, it’s vital that you select an Internet security vendor you don’t currently do business with.

Security audits produce a huge amount of data, and you need to be prepared to review this information in order to truly benefit from the audit. It’s also important to understand that a computer security audit may report potential problems where no real issue exists.

For example, an isolated switch from 1998 in an internal network could quite possibly be running firmware that’s vulnerable to a denial-of-service flood. Should you replace it? Probably not. Nor should you be too concerned about the ancient Windows NT 4 system running outdated voice mail software that’s subject to an obscure TCP sequence number exploit. It’s not running anything other than a specialized application for voice mail services, and it’s behind the firewall.

But some issues should concern you. For example, it’s a good idea to disable guest accounts on dedicated Windows servers. Don’t run IIS on Windows domain controllers, and DNS servers should not be running services other than DNS either.

However, a security audit may not always identify these issues, and one could debate whether it’s actually a security problem. When there’s doubt, disable unused services, or determine a secure solution.

The major problems with security audits are that they typically produce either too much data or not enough. A dearth or an excess of data can lead to misinterpretation and even exploitation of the information. Fear remains a very effective way to sell unnecessary equipment and services to companies that don’t truly understand security.

For example, one company’s recent Internet security audit completely ignored the security issue of direct VPN connections to the internal network and a dial pool, both of which completely bypassed the firewall. Coincidentally, while the same vendor that performed the audit was busy replacing functioning internal network equipment due to “vulnerable” firmware, one of the many recent Sober flavors was busy spreading internally, sourced from a remote office connected via a VPN.

Knowing what is and what isn’t a significant issue goes to the very core of understanding Internet and information security. While assumptions can be correct, in many cases, they’re dead wrong. Perform regular security audits on your organization’s network to be sure. And if you’re not using a particular TCP or UDP service, shut it off.
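The triage the column describes (expected services per host role, interior versus exterior scan, and a few settings worth acting on) can be turned into a repeatable check. The script below is an added example, not code from the column or from any audit product; the role allowlists and the sample inventory are constructed assumptions.

```python
"""Added example (not from the column or any real audit tool): a role-based
policy check over a constructed scan inventory. Role allowlists and sample
hosts are assumptions for illustration only."""
from dataclasses import dataclass, field

# Services (proto/port) each host role is expected to expose. Assumed
# allowlists; adjust them to your own environment.
ROLE_ALLOWED = {
    "dns": {"tcp/53", "udp/53"},
    "domain-controller": {"tcp/53", "udp/53", "tcp/88", "udp/88", "tcp/135",
                          "tcp/389", "tcp/445", "tcp/636"},
    "voicemail": {"tcp/5060", "udp/5060"},
}
WEB_PORTS = {"tcp/80", "tcp/443"}  # a web server such as IIS listens here


@dataclass
class Host:
    name: str
    role: str
    internal_services: set = field(default_factory=set)  # seen by interior scan
    external_services: set = field(default_factory=set)  # seen by exterior scan
    guest_account_enabled: bool = False  # Windows guest account state


def audit(hosts, allowed=ROLE_ALLOWED):
    """Return findings for services (and settings) a host's role does not justify.

    A service the exterior scan also saw is reachable from the Internet and is
    rated "high"; one seen only behind the firewall is rated "review", since not
    every flagged item on an internal host is worth acting on."""
    findings = []
    for h in hosts:
        expected = allowed.get(h.role, set())
        for svc in sorted(h.internal_services | h.external_services):
            if svc in expected:
                continue
            exposed = svc in h.external_services
            if h.role == "domain-controller" and svc in WEB_PORTS:
                note = "web server (IIS?) on a domain controller; move it elsewhere"
            else:
                note = f"service not expected for role '{h.role}'; shut it off if unused"
            findings.append({"host": h.name, "service": svc,
                             "severity": "high" if exposed else "review",
                             "note": note})
        if h.guest_account_enabled:
            findings.append({"host": h.name, "service": "guest-account",
                             "severity": "high",
                             "note": "guest account enabled on a dedicated server; disable it"})
    return findings


def summarize(findings):
    """Count findings per severity so the report can be triaged top-down."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed inventory, as the interior and exterior scans might report it.
SAMPLE_HOSTS = [
    Host("dc01", "domain-controller",
         internal_services={"tcp/53", "udp/53", "tcp/88", "tcp/389", "tcp/445", "tcp/80"},
         guest_account_enabled=True),
    Host("ns01", "dns",
         internal_services={"tcp/53", "udp/53", "tcp/22"},
         external_services={"tcp/53", "udp/53", "tcp/22"}),
    Host("vmail01", "voicemail",
         internal_services={"tcp/5060", "tcp/23"}),
]

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    for f in report:
        print(f"[{f['severity']}] {f['host']} {f['service']}: {f['note']}")
    print(summarize(report))
```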

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

How to run a last pass security audit (and why it can’t wait)

If you practice lax password management and hygiene, it’s only a matter of time until one of the increasingly frequent large-scale security breaches burns you. Don’t count on having dodged the bullets of past breaches; armor yourself against future ones. Read on as we show you how to audit your passwords and protect yourself.

What’s the big deal, and why does it matter?

This October, Adobe revealed that a serious security breach had occurred affecting 3 million users of Adobe.com and Adobe software. They then revised the number to 38 million. Then, more alarmingly, once the database was leaked from the hackers, the security researchers who analyzed it came back and said it was more like 150 million compromised user accounts. That level of user exposure puts the Adobe breach among the worst security breaches in history.

Adobe isn’t alone in this, however; we only lead with their breach because it is the most recent and painful one. In just the past few years there have been dozens of large security breaches in which user information, including passwords, was compromised.

LinkedIn was hit in 2012 (6.46 million user records compromised). The same year, eHarmony was hit (1.5 million user records), as were Last.fm (6.5 million user records) and Yahoo! (450,000 user records). The Sony PlayStation Network was hit in 2011 (101 million user records compromised). Gawker Media (the parent company of sites like Gizmodo and Lifehacker) was hit in 2010 (1.3 million user records compromised). And those are just examples of the big incidents that made the news!

The Privacy Rights Clearinghouse maintains a database of security breaches from 2005 to the present. Their database covers all kinds of breach types: compromised credit cards, stolen Social Security numbers, stolen passwords, and medical records. As of this article’s publication, the database contains 4,033 breaches involving 617,937,023 user records. Not every one of those hundreds of millions of breached records involved user passwords, but millions upon millions of them did.

So why does it matter? Beyond the obvious and immediate security implications of a breach, breaches cause collateral damage. Hackers can immediately start testing the logins and passwords they harvested against other websites.

Most people are lazy with their passwords, and there’s a good chance that if someone used the password bob1979 for [email protected], the same login/password pair will work on other sites. If those other sites are higher profile (like a banking site, or the password he used at Adobe actually unlocks his email inbox), then there’s a problem. Once someone has access to your email inbox, they can start resetting the passwords for your other services and gain access to them.

  1. Your email password should be long, strong, and completely unique among all your logins.
  2. Every login gets a long, strong, and unique password. No password reuse. Ever.

Now, at this point you may be pushing back a little because, frankly, almost nobody has perfect, airtight password practices and security. If your password hygiene is lacking, you’re not alone. In fact, now is the time for a confession.

I’ve written dozens of security articles, posts about security breaches, and other password-related posts during my time at How-To Geek. Despite being exactly the kind of person who should know better, and despite using a password manager and generating secure passwords for every new site and service, when I ran my email through the list of leaked Adobe logins and matched it against the compromised passwords, I still found I’d been burned.

All of this could have been avoided if I had fully practiced what I preach: not just creating unique and strong passwords, but auditing my old passwords to make sure this never happened in the first place. Whether you’ve never tried to be consistent and secure in your password practices or you just need to check them to put your mind at ease, a thorough password audit is the path to password security and peace of mind. Read on as we show you how.

Preparing for Your LastPass Security Challenge

This guide doesn’t cover setting up LastPass, so if you don’t already have LastPass installed and running, we strongly recommend setting it up. Check out the HTG guide to getting started with LastPass to begin. Although LastPass has been updated since we wrote that guide (the interface is prettier and more streamlined now), you can still easily follow the steps. If you’re setting up LastPass for the first time, make sure you import all the passwords stored in your browser, because the goal is to audit every single password you use.

Enter every username and password into LastPass: Whether you’re brand new to LastPass or you simply haven’t been using it for every login, now is the time to make sure every login is entered into the LastPass system. We’ll echo the advice we gave in our email recovery guide about combing your email inbox for reminders:

Search your email for signup reminders. It won’t be hard to remember the logins you use often, like Facebook and your bank, but there may be dozens of side services you don’t even remember signing up for with your email. Use search terms such as “welcome to”, “reset”, “recovery”, “verify”, “password”, “username”, “login”, and “account”. Again, we know this is a hassle, but once you’ve done it with a password manager at your side, you’ll have a master list of all your accounts and you’ll never have to do this keyword hunt again.

Enable two-factor authentication on your LastPass account: This step isn’t strictly necessary for running the security audit, but while we have your attention we want to do everything we can to encourage you, while you’re poking around in your LastPass account, to turn on two-factor authentication to further protect your LastPass vault. (Not only does it improve your account security, your security audit score goes up too!)

Taking the LastPass Security Challenge

Now that you’ve imported all your passwords, it’s time to either reassure yourself that you’re among the 1% of hardcore password security ninjas or face the shame of not being one. Visit the LastPass Security Challenge page and press “Start the Challenge” at the bottom of the page. You’ll be prompted to enter your master password, as shown in the screenshot, and then LastPass will offer to check whether any of the email addresses in your vault were part of any of the breaches it tracks. There’s no good reason not to take advantage of this:

If you’re lucky, it comes back negative. If you’re not so lucky, you’ll get a popup like this asking whether you want to learn more about the breaches your email was involved in:

After the popup, you’ll be taken to the main panel of the LastPass Security Challenge. Remember earlier in the guide when I mentioned that I currently practice good password hygiene but never got around to properly updating a lot of old sites and services? It really shows in the score I received. Ouch:

That’s my score with years’ worth of random passwords mixed in. Don’t be too surprised if your score is even lower if you’ve been using the same handful of weak passwords over and over. Now that we have our score (however awesome or shameful it may be), it’s time to dig into the data. You can use the quick links next to the score percentage or just start scrolling. First stop, let’s look at the detailed results. Consider this a 10,000-foot overview of the state of your passwords:

While you should pay attention to all the statistics here, what really matters is “Average password strength”, which tells you how weak or strong your average password is, and, more importantly, “Number of duplicate passwords” and “Number of sites with duplicate passwords”. In my audit, there were 8 duplicates across 43 sites. Clearly I’d been very lazy, reusing the same low-grade passwords across more than a few sites.

Next, the “Analyzed Sites” section. Here you’ll find a detailed breakdown of all your logins and passwords, organized by reused passwords (if you have any duplicates), unique passwords, and finally logins with no password stored in LastPass. As you look through the list, marvel at the contrasts in password strength. In my case, one of my financial logins was given a 45% password score, while my daughter’s Minecraft login got a perfect 100%. Again, ouch.
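The figures the challenge reports (duplicate passwords, sites sharing them, average strength) and the two rules stated earlier (a unique email password, no reuse) can be computed locally over your own vault export. The script below is an added example, not code from the article or from LastPass; the strength formula, the 60-point weak threshold and the sample entries are constructed assumptions.

```python
"""Added example, not code from the article or from LastPass: a local audit
over a constructed vault export computing the reuse and strength figures
discussed above and checking the two rules. The strength formula, the 60-point
weak threshold and the sample entries are assumptions."""
import math
from collections import defaultdict

# Constructed sample vault entries: (site, username, password). Not real credentials.
VAULT = [
    ("bank.example",    "bob@example.com", "K7#vq2!pLm9$wXz4Rt"),
    ("mail.example",    "bob@example.com", "bob1979"),
    ("shop.example",    "bob@example.com", "bob1979"),
    ("forum.example",   "bob79",           "bob1979"),
    ("library.example", "bob@example.com", "4821"),
    ("game.example",    "bob_jr",          "fR8!nC3@zQ1%wY6&"),
]
EMAIL_SITE = "mail.example"  # the login that unlocks the inbox (rule 1)
WEAK_BELOW = 60               # assumed threshold for "weak"


def strength(password):
    """Rough 0-100 score from estimated entropy; 80 bits or more scores 100 (assumed scale)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    bits = len(password) * math.log2(pool) if pool else 0
    return min(100, round(bits / 80 * 100))


def audit(vault, email_site=EMAIL_SITE):
    """Summarize reuse and strength; findings name sites only, never a password."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    duplicates = [sites for sites in sites_by_password.values() if len(sites) > 1]
    scores = {site: strength(password) for site, _user, password in vault}
    email_password = next(pw for site, _user, pw in vault if site == email_site)

    findings = []
    shared_with = [s for s in sites_by_password[email_password] if s != email_site]
    if shared_with:
        findings.append(f"rule 1: email password is reused on {', '.join(shared_with)}")
    if scores[email_site] < WEAK_BELOW:
        findings.append(f"rule 1: email password scores only {scores[email_site]}")
    for sites in duplicates:
        findings.append(f"rule 2: one password shared by {len(sites)} sites: {', '.join(sites)}")
    for site, score in scores.items():
        if score < WEAK_BELOW:
            findings.append(f"weak: {site} scores {score}")

    weakest = min(scores.items(), key=lambda kv: kv[1])
    return {
        "duplicate_passwords": len(duplicates),
        "sites_with_duplicates": sum(len(s) for s in duplicates),
        "average_strength": round(sum(scores.values()) / len(scores)),
        "weakest": weakest,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit(VAULT).items():
        print(key, value)
```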

Fixing Your Terrible Security Challenge Score

There are two very useful links in the audit list. Clicking “Show” reveals the password for that site, and clicking “Visit Site” jumps straight to the site so you can change the password. Not only should every duplicate password be changed, but any password attached to a breached account (such as Adobe.com or LinkedIn) should be permanently retired.

Depending on how many (or how few) passwords you have (and how good your password practices have been), this step of the process may take 10 minutes or an entire afternoon. While the password-change process will vary with the layout of the site you’re updating, here are some general guidelines (we’re using our password update at Remember The Milk as the example): visit the password change page. Typically, you’ll need to enter your current password and then generate a new password.

Generate the new password by clicking the lock icon with the circular arrow. LastPass inserts the new password into the field (as shown above). Review your new password and adjust it as needed (for example, lengthening it or adding special characters):

Finally, the last thing you need to audit is your LastPass master password. Do this by clicking the “Test the strength of my LastPass master password” link at the bottom of the challenge screen. You don’t want to see this:

Measuring the Results and Further Strengthening Your LastPass Security

After you’ve worked through the duplicate password list, deleted old entries, and otherwise tidied up and secured your list of logins and passwords, it’s time to run the audit again. Now, to emphasize, the score you see below was achieved purely by improving password security. (If you enable additional security features, such as multifactor authentication, you’ll receive a boost of around 10%.)

Not bad! Eliminating every duplicate password and bringing all existing passwords up to 90% strength or better really improved our score. If you’re curious why it didn’t jump to 100%, there are several factors at play, the most prominent being that some passwords can never be brought up to snuff by LastPass standards because of silly policies put in place by site administrators. For example, the login password for my local library is a four-digit PIN (which scores 4% on LastPass’s security scale). Most people will have a few similar outliers on their list that drag their score down.

Now that you’ve audited your passwords and you’re running on a solid set of unique passwords, let’s take advantage of that forward momentum. Hit up our guide to making LastPass more secure by increasing the password iterations, restricting logins by country, and more. By running the audit we’ve outlined here, following our LastPass security guide, and turning on two-factor authentication, you’ll have a bulletproof password management system you can be proud of.

Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms. This article discusses generating, collecting, and analyzing security logs from services hosted on Azure.

Certain recommendations in this article might result in increased data, network, or compute resource usage, and increase your license or subscription costs.

Types of logs in Azure

Cloud applications are complex with many moving parts. Logging data can provide insights about your applications and help you:

  • Troubleshoot past problems or prevent potential ones
  • Improve application performance or maintainability
  • Automate actions that would otherwise require manual intervention

Azure logs are categorized into the following types:

Control/management logs provide information about Azure Resource Manager CREATE, UPDATE, and DELETE operations. For more information, see Azure activity logs.

Data plane logs provide information about events raised as part of Azure resource usage. Examples of this type of log are the Windows event system, security, and application logs in a virtual machine (VM) and the diagnostics logs that are configured through Azure Monitor.

Processed events provide information about analyzed events/alerts that have been processed on your behalf. Examples of this type are Microsoft Defender for Cloud alerts where Microsoft Defender for Cloud has processed and analyzed your subscription and provides concise security alerts.

The following table lists the most important types of logs available in Azure:

| Log category | Log type | Usage | Integration |
| --- | --- | --- | --- |
| Activity logs | Control-plane events on Azure Resource Manager resources | Provides insight into the operations that were performed on resources in your subscription. | REST API, Azure Monitor |
| Azure Resource logs | Frequent data about the operation of Azure Resource Manager resources in subscription | Provides insight into operations that your resource itself performed. | Azure Monitor |
| Azure Active Directory reporting | Logs and reports | Reports user sign-in activities and system activity information about users and group management. | Graph API |
| Virtual machines and cloud services | Windows Event Log service and Linux Syslog | Captures system data and logging data on the virtual machines and transfers that data into a storage account of your choice. | Windows (using Windows Azure Diagnostics [WAD] storage) and Linux in Azure Monitor |
| Azure Storage Analytics | Storage logging, provides metrics data for a storage account | Provides insight into trace requests, analyzes usage trends, and diagnoses issues with your storage account. | REST API or the client library |
| Network security group (NSG) flow logs | JSON format, shows outbound and inbound flows on a per-rule basis | Displays information about ingress and egress IP traffic through a Network Security Group. | Azure Network Watcher |
| Application Insights | Logs, exceptions, and custom diagnostics | Provides an application performance monitoring (APM) service for web developers on multiple platforms. | REST API, Power BI |
| Process data / security alerts | Microsoft Defender for Cloud alerts, Azure Monitor logs alerts | Provides security information and alerts. | REST APIs, JSON |

Log integration with on-premises SIEM systems

Integrating Defender for Cloud alerts discusses how to sync Defender for Cloud alerts, virtual machine security events collected by Azure diagnostics logs, and Azure audit logs with your Azure Monitor logs or SIEM solution.

Next steps

Auditing and logging: Protect data by maintaining visibility and responding quickly to timely security alerts.

Security logging and audit-log collection within Azure: Enforce these settings to ensure that your Azure instances are collecting the correct security and audit logs.

Configure audit settings for a site collection: If you’re a site collection administrator, retrieve the history of individual users’ actions and the history of actions taken during a particular date range.

Search the audit log in the Microsoft 365 Defender portal: Use the Microsoft 365 Defender portal to search the unified audit log and view user and administrator activity in your organization.

Unfortunately, LastPass put some restrictions on its free version in 2021, but it’s still a good free option as long as you don’t need multiplatform support. Multiplatform support is now a premium option.

See how LastPass stacks up against the competition:

What does LastPass do?

The apps and browser extensions work the same for almost every platform. You log into the service, add your various accounts, and LastPass offers to auto-fill the login details when you reach any given website. Android, iOS, and PC all have slightly different methods to engage with it, but none of them are difficult. You should be able to get used to it after just a few logins.

Finally, LastPass does offer encryption on both free and premium accounts. The vault is encrypted and decrypted with AES-256, with PBKDF2-SHA-256 key derivation and salted hashing. Everything takes place at the device level. The encryption keys are never sent to LastPass servers, and the company can’t access your personal information at all. That’s great news for both free and premium users.
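The property described above, that the key is derived on the device and never reaches the server, is easy to see in a small model. The code below is an added example and a simplified model, not LastPass’s own implementation: it derives a vault key with PBKDF2-HMAC-SHA-256, sends the server only a separately derived authentication hash, and shows the server record does not contain the key. The iteration count, the two-stage layout and the server-side salting are assumptions, and AES encryption of the vault contents is omitted.

```python
"""Added example and simplified model, not LastPass's code: device-side key
derivation with PBKDF2-HMAC-SHA-256. Iteration count, two-stage layout and
server-side salting are assumptions; vault encryption itself is omitted."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed client-side cost; raising it slows offline guessing


def derive_vault_key(master_password, email, iterations=ITERATIONS):
    """Key that encrypts the vault on the device; salted with the account email."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               iterations, dklen=32)


def derive_auth_hash(vault_key, master_password):
    """One extra PBKDF2 round turns the key into a login token that cannot be
    reversed back into the key; this is the only value the client sends."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


class Server:
    """Stores only a salted hash of the auth hash, so a leaked record yields
    neither the login token nor the vault key."""

    def __init__(self):
        self.records = {}

    def register(self, email, auth_hash):
        salt = os.urandom(16)
        self.records[email] = (salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 1))

    def verify(self, email, auth_hash):
        if email not in self.records:
            return False
        salt, stored = self.records[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 1)
        return hmac.compare_digest(candidate, stored)  # constant-time compare


def server_holds_key(server, email, vault_key):
    """True if the stored record contains the vault key bytes (it should not)."""
    salt, stored = server.records[email]
    return vault_key in salt + stored


def login_flow(email, master_password, server, iterations=ITERATIONS):
    """Client side of a login: derive locally, transmit only the auth hash.
    Returns the local vault key and whether the server accepted the login."""
    key = derive_vault_key(master_password, email, iterations)
    return key, server.verify(email, derive_auth_hash(key, master_password))


if __name__ == "__main__":
    srv = Server()
    pw = "correct horse battery staple"  # constructed sample master password
    key = derive_vault_key(pw, "bob@example.com")
    srv.register("bob@example.com", derive_auth_hash(key, pw))
    print("login ok:", login_flow("bob@example.com", pw, srv)[1])
    print("server holds key:", server_holds_key(srv, "bob@example.com", key))
```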

What comes with LastPass Free?

Base features

  • An encrypted vault to store things like passwords, form fill items (address, email, etc), and a note function for hidden notes
  • Save and fill site login credentials
  • Autofill website logins on all available platforms
  • Unlimited password storage
  • Support for things like Wi-Fi passwords, credit cards, bank accounts, membership cards, driver licenses, and other sensitive data

Advanced features

  • A password generator that creates long, random passwords that are much harder for hackers to guess
  • Two-factor authentication including support for LastPass Authenticator (Google Play link)
  • Password auditing functions on both mobile and PC. This tells you if you re-use a password multiple times and how strong your passwords are. Simply use the Security Dashboard on PC or the Security Challenge function on mobile.

Extras

  • A built-in web browser
  • You can share passwords with other LastPass members on a one-to-one basis. This is good when sharing accounts with significant others or kids.

The downside

  • You can only use the free version of LastPass on one platform and you have to pick whether it’s PC or your phone. This limitation takes effect in mid-March 2021. Basically, you can use it on your phone and tablet or your PC and laptop, but not both. Read more here.

You can do quite a bit with a free account. Additionally, the Security Challenge helps you identify weaknesses in your password habits and even gives you tips on how to solve them. It’s not great if you have multiple devices, but it does keep your stuff synced in case you ever upgrade to the premium version.

What extras do you get with LastPass Premium?

Basic features

  • The difference in basic features is LastPass Premium allowing you to sync your information between multiple devices on multiple platforms, a new thing starting in March 2021.

Advanced features

  • More storage (up to 1GB) for secure notes and other stuff
  • Emergency Access support lets you give access to a family member in case of an emergency. It works by letting them log in to get your credentials, but the app makes them wait an hour to access anything so you can revoke permission if needed.

Extra features

  • LastPass offers premium customer support for paying customers.
  • One-to-many password sharing. It works just like the one-to-one password sharing for the free version, except you can share with a lot more people.
  • Unlocks some minor features on various versions of LastPass. For instance, some forms of biometrics on the Windows app require the premium version of LastPass.

That’s it really. LastPass Premium really only unlocks a few extra things. It doesn’t appear to hold any important features behind a paywall.

How much does LastPass Premium cost?

Individual accounts

  • $36 per year (single account) — A single premium account runs for $36 per year (plus tax). You may see it as $3 per month in some adverts. $36 per year averages out to that, but LastPass bills on an annual basis, so you have to pay the $36 up front.
  • $48 per year (family account) — Family accounts come with up to six premium licenses for you and your family members for easier password sharing. It does not come with any additional features compared to the single premium account except the increased number of users.

Business accounts

  • Business accounts range in price from $3 per user per month to $8 per user per month based on your needs and team size. We recommend checking out the pricing page for LastPass and contacting the company if you plan to go with this route.

Should I upgrade?

Still, there are some perks for premium users. The extra level of support from the company may please some people, especially if they use their accounts for important stuff like work. Additionally, the extra biometrics options might be nice for people who invested in laptops or desktops with fingerprint readers. We’re not saying premium is a rip-off or that it’s not worth having. LastPass gives you a ton of stuff for free and there’s simply no need to go premium unless you absolutely need to. We’re not fans of the fact that you have to pay to use multiple platforms, but that’s obviously another perk.

Looking for some alternatives? Try these:

LastPass is surprisingly friendly to free users and that makes it an easy recommendation for just about anybody. Plus, it’s a big name in this space so it’s often among the first to adopt new features when they come out. For example, it was one of the first to use Android’s native auto-fill functionality when it launched in Android 8.0 Oreo. As long as it continues to do well, we see no reason not to use either the free or premium version depending on your personal needs.

Caliber Service Matrix

Information Security Data & Compliance

Caliber Security is highly skilled in classifying, managing, and protecting data. Our information security audit prep and compliance consultants are experts at preparing companies for privacy compliance audits, as well as dealing with potential data loss or fraud. Caliber is structured with speed and agility in mind. If issues exist, can you afford to wait? Time is of the essence.

Our services include:

Audit Prep & Compliance Mapping

It’s a rare enterprise that looks forward to being audited. It’s the rarer one that can say with confidence where they stand on every information security policy and control applicable to their situation before the process starts — and that their controls are truly suited to both the environment and the relevant compliance regime(s).

At Caliber, our GRC-facing consultants have deep hands-on familiarity with not only the security audit prep and compliance process but with multiple compliance regimes, including HIPAA, ISO 27Kx, HiTRUST, SOC 2, CMMC, and so forth. Our security compliance consultants excel at understanding how regimes overlap and echo each other, which enables us both to assess your company’s audit posture and to identify where your current or proposed controls over- or under-serve their purpose. Caliber may not be able to make you actually look forward to an information security and compliance audit, but our process will help you address it smoothly and efficiently — and with an enhanced understanding of how your enterprise meets the spirit and the letter of relevant compliance regimes.
Right on Time, the First Time
“Failing a network compliance audit only leads to additional or continual audits. It is wise to be prepared the first time to eliminate future audit requests. At Caliber, we perform network audits thoroughly the first time and before the required due date!

Our security audit and compliance team will ensure your organization’s audit will not return to your desk, only to repeat the process again. This is why it is very important to hire a network professional who has demonstrated a strong, accurate audit track record. At Caliber, we protect your reputation so your organization isn’t facing potential penalty costs, risks of repeat visits and additional audits.”

Privacy Compliance and Data Protection Officer (DPO) Planning

As data privacy regulations proliferate around the world, Data Protection Officers (DPOs) have become newly indispensable at companies dealing with privacy compliance. DPOs must monitor internal security audits, elevate staff awareness and compliance with privacy requirements, and stay abreast of the fast-moving regulatory space.

Caliber can help you to develop the processes and structures necessary to successfully bring a DPO into your organization. We’ve supported both experienced and newly minted DPOs in developing actionable, scalable privacy compliance plans. As active members of the community, our privacy-facing consultants keep constant tabs on the tumultuous regulatory landscape worldwide. Our experiences across multiple industry sectors and state/national jurisdictions give us unparalleled insight into best practices at companies large and small, and we’ve helped numerous DPOs successfully integrate their skills and insights into the workplace.

Information Classification Asset Management

The first rule of information security is clear: If you don’t know what you’ve got, you can’t protect it. Knowing your assets — hardware, software, and data — and understanding their value, importance, and sensitivity is foundational to properly allocating resources to securing them. In theory, each department of your organization knows what’s in its orbit; however, when it’s time for an audit-, DPO-, or C-level view of the whole, getting the full picture can be remarkably difficult.

Caliber’s information-classification and asset-management consultants have tackled this situation at companies large and small for over a decade. We’ve developed a highly effective hierarchical approach to the problem, using an easy-to-implement assignment strategy to compile a clear, evidence-based snapshot of assets in specific functional areas or across the company. Our experts work with each client to further map their data into a functional, scalable inventory suitable for determining data protection requirements, critical (or unnecessary) controls, logging requirements, dataflow and data-archiving needs, resource allocation, custodian and owner appointment, and much more.

Data Loss and Breach Response and Forensics

Unfortunately for everyone involved, a security data breach isn’t just a single miserable moment in time. It’s crucial to determine not only what data has been affected, but how long the situation’s been in effect, how the attackers did it, and whether the vulnerabilities that made the security data loss or breach possible have been addressed.

In that situation, Caliber provides forensic clarity leveraging our security data loss and breach consultants. We’ll capture and analyze network traffic data and, in combination with archived traffic data (as available), forensically determine the nature, duration and scope of the compromise, and deliver actionable information on what must be done to ensure that all possible vulnerabilities have been addressed. Our analytics are detailed, and we document our findings carefully to ensure that your next steps can be the best steps possible.

For more information on our broader Response capabilities, please see “Incident Response Support” in our Continuity and Recovery section.

Fraud and Data Breach Detection Management

In the event of a breach or suspected breach resulting in fraudulent activity, everyone’s got questions — and all too often those questions are time-sensitive, as legal and regulatory requirements dictate the window available to figure out what’s happened, whether the breach is still happening, how it happened, and what’s affected. IT and infosec staff already fighting the fire may find themselves spending an untenable amount of time fielding urgent questions from legal and compliance SMEs — or, if things are truly ugly, the C-level and crisis communications.

Caliber can support your team in detecting and assessing urgent fraud and data breach situations, with an eye to preparing you to discuss facts and findings with corporate counsel as well as non-technical stakeholders such as C-levels and boards of directors. Our multi-layered detection and assessment capabilities help to communicate the facts of the situation to Legal, Internal Audit, and allied teams as they determine how to proceed. Our security data loss and breach consultants have an extraordinary range of experiences with fraud situations originating both inside and outside client companies, and they are sensitive to the logistics and documentation requirements each type of investigation entails.


WordPress is, without a doubt, the most popular content management system on the web, and that popularity also makes it one of the most frequently targeted. Security is therefore of the utmost importance for anyone running a WordPress site, whether personal or commercial.

Research shows that the average WordPress website isn’t nearly as secure as it should be. According to developer John Darrel, 73.2 percent of the most popular WordPress installations are vulnerable. Likewise, just 39 percent of websites are running the most current version of the software.

Never assume that your WordPress website is secure. You need to take as many precautions as you possibly can. Here are a few pointers to help you protect your site:

1. Choose the Right Host
“Your hosting company is usually the first wall hackers have to break through to get access to your site so investing more upfront and purchasing a more expensive hosting plan will definitely pay off,” developer Brenda Stokes Barron explains.

Barron suggests choosing a hosting company that performs regular malware scans and daily backups. A host that employs DDoS mitigation is also ideal.

2. Follow Proper Protocol
Any time you make a major change, it’s imperative that you follow recommended WordPress protocol. Don’t try to pave your own way, as this typically means cutting corners and exposing your website to unnecessary risk.

Let’s say, for example, that you’re migrating a blog from Blogger to WordPress. Following the documented steps of exporting content, setting up permalinks, and establishing the right redirects keeps your content and links intact throughout the process, rather than leaving broken pages and half-configured settings behind for someone else to find.

3. Update Regularly
As annoying as it can be to constantly update your website, you have to take WordPress updates seriously.

“With any new release, WordPress gets improved and its security is improved too,” WordPress blogger Adelina Tuca writes. “Lots of bugs and vulnerabilities are fixed every time a new version comes out. Also, if any particularly malicious bug gets discovered, the WordPress core guys will take care of it right away, and force a new safe version promptly. If you don’t update, you will be at risk.”

4. Back Up Regularly
It’s also important to back up your website regularly. With so many easy and cost-effective solutions available, you should back up at least once a day, and never less than two or three times per week. Keep copies somewhere other than the web server itself, and test that a backup actually restores before you need it.

5. Be Smart with Passwords
Contrary to popular belief, most WordPress hacks aren’t overly complex or sophisticated. Hackers often compromise websites by simply logging in with a username and password.

The best and easiest way to strengthen your WordPress site’s security is to use strong, unique passwords for every account, ideally generated and stored by a password manager. (It’s also wise to replace the default “admin” username with something unique.)

6. Limit Login Attempts
Attackers rarely guess a password by hand. Automated tools try thousands or millions of username and password combinations until one works, or replay credentials leaked from other sites. Limiting login attempts, so that an account or source address is locked after a handful of failures, makes that far more expensive, and a long, unique password keeps guessing impractical.

7. Enable a WAF
One of the most effective ways to protect a WordPress site against external threats is to use a Web Application Firewall, also known as a WAF.

A WAF sits in front of your site and filters requests against rules for known attack patterns (SQL injection, cross-site scripting, probes for vulnerable plugins), and those rules can be updated as new attacks appear. WAFs come either as a plugin running on your own server or as a cloud service that proxies your traffic. A cloud WAF inspects requests on its own network before they ever reach your server, so it can also absorb DDoS traffic, which is why it is usually preferred.

Not sure which WAF to use? Good options include Sucuri WAF, Wordfence, MalCare, Cloudflare, and StackPath.

8. Uninstall Unused Plugins
Every plugin installed on your WordPress site is another possible point of entry for an attacker, so a plugin you aren’t actively using should not be left in place.

If you expect to use a plugin again in the future, you can deactivate it, but that offers only partial protection: a deactivated plugin’s files remain on the server and may still be reachable by direct request, so a vulnerability in them can still be exploited. Uninstalling the plugin removes the files entirely, and has the added effect of speeding up your website.

Keep Your Website Safe
Those who neglect website security and refuse to go above and beyond expose their businesses and customers to high levels of risk. This can result in costly attacks, legal consequences and damage to the brand.

The time to keep your website safe is now – before you experience any sort of attack or compromise. By building your WordPress site with the proper foundation, you can ensure optimal success in other areas. Don’t take any shortcuts!

How to Locate Your Ancestors in the SSDI



The Social Security Death Index is a huge database containing vital information for more than 77 million people (primarily Americans) whose deaths have been reported to the U.S. Social Security Administration (SSA). Deaths included in this index may have been submitted by a survivor requesting benefits or in order to stop Social Security Benefits to the deceased. Most of the information (about 98%) included in this index dates from 1962, although some data is from as early as 1937. This is because 1962 is the year that the SSA began to use a computer database for processing requests for benefits. Many of the earlier records (1937-1962) have never been added to this computerized database.

Also included in the millions of records are approximately 400,000 railroad retirement records from the early 1900s to 1950s. These begin with numbers in the 700-728 range.

What You Can Learn From the Social Security Death Index

The Social Security Death Index (SSDI) is an excellent resource for finding information on Americans who died after the 1960s. A record in the Social Security Death Index will generally contain some or all of the following information: last name, first name, birth date, death date, Social Security number, the state of residence where the Social Security number (SSN) was issued, the last known residence and the location where the last benefit payment was sent. For individuals who died while residing outside of the U.S., the record may also include a special state or country residence code. Social Security records can help provide information needed to find a birth certificate, death certificate, obituary, maiden name, parents’ names, occupation or residence.

How to Search the Social Security Death Index

The Social Security Death Index is available as a free online database from numerous online organizations. There are some who charge for access to the Social Security Death index as well, but why pay when you can search it for free?

For best results when searching the Social Security Death Index, enter only one or two known facts and then search. If the individual had an unusual surname, you may even find it useful to search on just the surname. If the search results are too large, then add more information and search again. Get creative. Most Social Security Death Index databases will allow you to search on any combination of facts (such as a birth date and first name).

With over 77 million Americans included in the SSDI, locating a particular person can often be an exercise in frustration. Understanding the search options is extremely important in helping to narrow down your search. Remember: it is best to start off with just a few facts and then add additional information if it is needed to fine-tune your search results.

Search the SSDI by Last Name
When searching the SSDI you should often start with the last name and, perhaps, one other fact. For best results, select the “Soundex Search” option (if available) so that you don’t miss possible misspellings. You can also try searching for the obvious alternate name spellings on your own. When searching for a name with punctuation in it (such as D’Angelo), enter the name without the punctuation. You should try this both with and without a space in place of the punctuation (i.e. ‘D Angelo’ and DAngelo). All names with prefixes and suffixes (even those which don’t use punctuation) should be searched both with and without the space (i.e. ‘McDonald’ and ‘Mc Donald’). For married women, try searching under both their married name and their maiden name.

Search the SSDI by First Name
The first name field is searched by exact spelling only, so be sure to try other possibilities including alternate spellings, initials, nicknames, middle names etc.

Search the SSDI by Social Security Number
This is often the piece of information that genealogists searching the SSDI are looking for. This number can enable you to order the individual’s Social Security application, which can lead to the discovery of all sorts of new clues for your ancestor. You can also learn which state issued the SSN from the first three digits.

Searching the SSDI by State of Issue
In most cases, the first three numbers of the SSN indicate which state issued the number (there are a few instances where one three digit number was used for more than one state). Complete this field if you are fairly positive of where your ancestor was living when they received their SSN. Be aware, however, that people often lived in one state and had their SSN issued from another state.

Searching the SSDI by Birth Date
This field has three parts: the birth day, month and year. You may search on just one or any combination of these fields (e.g. the month and year). If you have no luck, then try narrowing down your search to just one (e.g. the month or the year). You should also search for obvious typos (e.g. 1895 and/or 1958 for 1985).

Searching the SSDI by Death Date
Just as with the birth date, the death date lets you search separately on the death day, month and year. For deaths prior to 1988 it is advisable to search on the month and year only, as the exact date of death was seldom recorded. Make sure to search for the possible typos!

Searching the SSDI by Location of Last Residence
This is the address where the person was last known to be living when the benefit was applied for. About 20% of records do not contain any information on Last Residence, so if you are having no luck with your search you may want to try searching with this field left blank. The residence location is entered in the form of a ZIP code and includes the city/town which is associated with that ZIP code. Keep in mind that boundaries have changed over time, so make sure to cross reference the city/town names with other sources.

Searching the SSDI by Last Benefit Information
If the individual in question was married you may find that the last benefit and location of last residence are one and the same. It is a field which you will usually want to leave blank for your search as the last benefit could often have been paid to any number of people. This information can prove to be extremely valuable in the search for relatives, however, as next of kin were usually the ones to receive the last benefit.

Many people search the Social Security Death Index and quickly get discouraged when they can’t locate someone they feel should be listed. There are actually a lot of reasons why a person may not be included, as well as tips to finding people who aren’t listed as you would expect.

Have You Exhausted All Your Options?

Before concluding that your ancestor’s name is not in the index, try the following:

Applies to: SQL Server (all supported versions)

In a high security environment, the Windows Security log is the appropriate location to write events that record object access. Other audit locations are supported but are more subject to tampering.

There are three key requirements for writing SQL Server server audits to the Windows Security log:

  • The audit object access setting must be configured to capture the events. The audit policy tool (auditpol.exe) exposes a variety of sub-policy settings in the audit object access category. To allow SQL Server to audit object access, configure the application generated setting.
  • The account that the SQL Server service is running under must have the generate security audits permission to write to the Windows Security log. By default, the LOCAL SERVICE and the NETWORK SERVICE accounts have this permission. This step is not required if SQL Server is running under one of those accounts.
  • Provide full permission for the SQL Server service account to the registry hive HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security.

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend that you back up any valued data on the computer.

The Windows audit policy can affect SQL Server auditing when the audit is configured to write to the Windows Security log: if the policy is configured incorrectly, events can be lost. Typically the Windows Security log is set to overwrite older events, which preserves the most recent ones. If it is not set to overwrite older events and the log fills up, the system issues Windows event 1104 (The security log is now full). At that point:

  • No further security events will be recorded
  • SQL Server cannot detect that the Security log has stopped accepting events, so audit events are silently lost
  • After the box administrator fixes the Security log, the logging behavior will return to normal.

Before You Begin

Limitations and Restrictions

Administrators of the SQL Server computer should understand that local settings for the Security log can be overridden by a domain policy. In that case the domain policy might override the subcategory setting (check the effective value with auditpol /get /subcategory:"application generated"). This can stop SQL Server from logging events without giving SQL Server any way to detect that the events it is trying to audit are not being recorded.

Security

Permissions

You must be a Windows administrator to configure these settings.

To configure the audit object access setting in Windows using auditpol

Open a command prompt with administrative permissions.

On the Start menu, point to All Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.

If the User Account Control dialog box opens, click Continue.

Execute the following statement to enable auditing from SQL Server.

Close the command prompt window.

To grant the generate security audits permission to an account using secpol

For any Windows operating system, on the Start menu, click Run.

Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.

In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

In the results pane, double-click Generate security audits.

On the Local Security Setting tab, click Add User or Group.

In the Select Users, Computers, or Groups dialog box, either type the name of the user account, such as domain1\user1 and then click OK, or click Advanced and search for the account.

Click OK.

Close the Security Policy tool.

Restart SQL Server to enable this setting.

To configure the audit object access setting in Windows using secpol

If the operating system is earlier than Windows Vista or Windows Server 2008, on the Start menu, click Run.

Type secpol.msc and then click OK. If the User Access Control dialog box appears, click Continue.

In the Local Security Policy tool, expand Security Settings, expand Local Policies, and then click Audit Policy.

In the results pane, double-click Audit object access.

On the Local Security Setting tab, in the Audit these attempts area, select both Success and Failure.

This guide will show how to lock a system user’s account after a configurable number of failed login attempts on CentOS, RHEL and Fedora distributions. The focus here is on enforcing simple server security by locking a user’s account after a number of consecutive unsuccessful authentications.

This can be achieved using the pam_faillock module, which temporarily locks user accounts after multiple failed authentication attempts and keeps a record of the failures. Failed login attempts are stored in per-user files in the tally directory, which is /var/run/faillock/ by default.

pam_faillock is part of Linux PAM (Pluggable Authentication Modules), a dynamic mechanism for implementing authentication services in applications and various system services which we briefly explained under configuring PAM to audit user login shell activity.

How to Lock User Accounts After Consecutive Failed Authentications

You can configure the above functionality in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files, by adding the entries below to the auth section.

  • audit – enables user auditing.
  • deny – used to define the number of attempts (3 in this case), after which the user account should be locked.
  • unlock_time – sets the time (300 seconds = 5 minutes) for which the account should remain locked.

Note that the order of these lines is very important: a misordered stack can lock every user account out of the system.

The auth section in both files should have the content below arranged in this order:

Now open these two files with your choice of editor.

The default entries in the auth section of both files look like this.

After adding the above settings, it should appear as follows.

Then add the following highlighted entry to the account section in both of the above files.

How to Lock Root Account After Failed Login Attempts

To lock the root account after failed authentication attempts, add the even_deny_root option to the lines in both files in the auth section like this.

Once everything is configured, the policy applies to new authentications immediately: PAM reads its configuration on each authentication, so services such as sshd do not need to be restarted. Sessions that are already open are unaffected.
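Because a misordered pam_faillock stack can lock every account out, it is worth checking the two files before they go live. The following is an added example, not part of the TecMint article: a small linter for the auth and account sections described above. It verifies that the preauth line comes before pam_unix.so and the authfail line after it, that both pam_faillock lines agree on deny=, unlock_time= and even_deny_root, that authfail uses the [default=die] control, and that the account section calls pam_faillock.so. The sample stacks it checks are constructed here; only the standard pam_faillock.so and pam_unix.so module names are relied on.

```python
"""Sanity-check a pam_faillock stack (added example, not from the article)."""
import re
from typing import Dict, List, Optional

# One PAM line: type, control (a word or a [bracketed] spec), module, then args.
PAM_LINE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text: str) -> List[Dict]:
    """Parse a pam.d-style file into dicts; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entry = m.groupdict()
        entry["args"] = entry["args"].split()
        entries.append(entry)
    return entries


def _opts(args: List[str]) -> Dict[str, object]:
    """['deny=3', 'audit'] -> {'deny': '3', 'audit': True}."""
    out: Dict[str, object] = {}
    for a in args:
        key, _, value = a.partition("=")
        out[key] = value if value else True
    return out


def check_faillock(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the stack looks sane."""
    problems: List[str] = []
    entries = parse_pam(text)
    auth = [e for e in entries if e["type"] == "auth"]
    account = [e for e in entries if e["type"] == "account"]

    def find(section, module, arg=None) -> Optional[int]:
        for i, e in enumerate(section):
            if e["module"] == module and (arg is None or arg in e["args"]):
                return i
        return None

    pre = find(auth, "pam_faillock.so", "preauth")
    fail = find(auth, "pam_faillock.so", "authfail")
    unix = find(auth, "pam_unix.so")

    if pre is None:
        problems.append("missing 'auth ... pam_faillock.so preauth' line")
    if fail is None:
        problems.append("missing 'auth ... pam_faillock.so authfail' line")
    if unix is None:
        problems.append("missing 'auth ... pam_unix.so' line")
    if pre is not None and fail is not None and unix is not None:
        # The ordering rule the article warns about: preauth, pam_unix, authfail.
        if not (pre < unix < fail):
            problems.append("order must be: preauth, then pam_unix.so, then authfail")
        pre_opts, fail_opts = _opts(auth[pre]["args"]), _opts(auth[fail]["args"])
        for key in ("deny", "unlock_time", "even_deny_root"):
            if pre_opts.get(key) != fail_opts.get(key):
                problems.append(f"preauth and authfail lines disagree on {key}")
        if auth[fail]["control"] != "[default=die]":
            problems.append("authfail line should use the [default=die] control")
    if find(account, "pam_faillock.so") is None:
        problems.append("missing 'account required pam_faillock.so' line")
    return problems


# Constructed sample stacks (deny=3, unlock_time=300 as in the article).
GOOD = """
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
"""
# authfail placed before pam_unix.so: the kind of mistake that locks everyone out.
MISORDERED = GOOD.replace(
    "auth        sufficient    pam_unix.so nullok try_first_pass\n"
    "auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300\n",
    "auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300\n"
    "auth        sufficient    pam_unix.so nullok try_first_pass\n")
# preauth and authfail with different deny= values.
MISMATCHED = GOOD.replace("authfail audit deny=3", "authfail audit deny=5")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("misordered", MISORDERED), ("mismatched", MISMATCHED)):
        print(name, "->", check_faillock(cfg) or "OK")
```

Run it against the real files with `python3 check_faillock.py` after pasting their contents in, or import `check_faillock` and feed it `open("/etc/pam.d/system-auth").read()`; an empty result means the ordering and option rules above hold, not that the stack is otherwise correct.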

How to Test SSH User Failed Login Attempts

From the above settings, we configured the system to lock a user’s account after 3 failed authentication attempts.

In this scenario, the user tecmint is trying to switch to the user aaronkilik, but after 3 incorrect logins with a wrong password, indicated by the “Permission denied” message, the user aaronkilik’s account is locked, as shown by the “authentication failure” message on the fourth attempt.

Test User Failed Login Attempts

The root user is also notified of the failed login attempts on the system, as shown in the screen shot below.

Failed Login Attempts Message

How to View Failed Authentication Attempts

You can see all failed authentication logs using the faillock utility, which is used to display and modify the authentication failure log.

You can view failed login attempts for a particular user like this.

View User Failed Login Attempts

To view all unsuccessful login attempts, run faillock without any argument like so:

To clear a user’s authentication failure logs, run this command.

Lastly, to exempt particular users from being locked out after several unsuccessful login attempts, add the entry marked in red, just above the line where pam_faillock is first called in the auth section of both files (/etc/pam.d/system-auth and /etc/pam.d/password-auth), as follows.

Simply list the usernames, separated by colons, in the `user in` option.

For more information, see the pam_faillock and faillock man pages.


That’s all! In this article, we showed how to enforce simple server security by locking a user’s account after x number of incorrect logins or failed authentication attempts. Use the comment form below to share your queries or thoughts with us.


Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This procedural topic for the IT professional describes steps to configure a security policy setting on the local computer, on a domain-joined computer, and on a domain controller.

This topic pertains to the versions of Windows designated in the Applies To list above. Some of the user interface elements that are described in this topic might differ from version to version.

You must have Administrators rights on the local computer, or you must have the appropriate permissions to update a Group Policy Object (GPO) on the domain controller to perform these procedures.

When a local setting is inaccessible, it indicates that a GPO currently controls that setting.

In this topic

To configure a setting for your local computer

To open Local Security Policy, on the Start screen, type secpol.msc.

Navigate the console tree to Local Computer Policy\Windows Settings\Security Settings

Under Security Settings of the console tree, do one of the following:

Click Account Policies to edit the Password Policy or Account Lockout Policy.

Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.

When you find the policy setting in the details pane, double-click the security policy that you want to modify.

Modify the security policy setting, and then click OK.

Some security policy settings require that the computer be restarted before the setting takes effect. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

To configure a setting for computer that is joined to a domain

The following procedure describes how to configure a security policy setting for a Group Policy Object when you are on a workstation or server that is joined to a domain.

You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures.

To open the MMC and add the Group Policy Object Editor, on the Start screen, type mmc.exe.

On the File menu of the MMC, click Add/Remove snap-in, and then click Add.

In Add Standalone Snap-in, double-click Group Policy Object Editor.

In Select Group Policy Object, click Browse, browse to the GPO you would like to modify, and then click Finish.

Click Close, and then click OK.

This procedure added the snap-in to the MMC.

In the console tree, locate GroupPolicyObject [ComputerName] Policy, click Computer Configuration, click Windows Settings, and then click Security Settings.

Do one of the following:

Click Account Policies to edit the Password Policy or Account Lockout Policy.

Click Local Policies to edit an Audit Policy, a User Rights Assignment, or Security Options.

Click Event Log to edit event log settings.

In the details pane, double-click the security policy setting that you want to modify.

If this security policy has not yet been defined, select the Define these policy settings check box.

Modify the security policy setting and then click OK.

To configure a setting for a domain controller

The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller).

To open the domain controller security policy, in the console tree, locate GroupPolicyObject [ComputerName] Policy, click Computer Configuration, click Windows Settings, and then click Security Settings.

Do one of the following:

Double-click Account Policies to edit the Password Policy, Account Lockout Policy, or Kerberos Policy.

Click Local Policies to edit the Audit Policy, a User Rights Assignment, or Security Options.

Click Event Log to edit event log settings.

In the details pane, double-click the security policy that you want to modify.

If this security policy has not yet been defined, select the Define these policy settings check box.

Modify the security policy setting, and then click OK.

Always test a newly created policy in a test organizational unit before you apply it to your network. When you change a security setting through a GPO and click OK , that setting will take effect the next time you refresh the settings.


Scan your project for vulnerabilities and automatically install any compatible updates to vulnerable dependencies:

Run audit fix without modifying node_modules , but still updating the pkglock:

Skip updating devDependencies :

Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones:

Do a dry run to get an idea of what audit fix will do, and also output install information in JSON format:

Scan your project for vulnerabilities and just show the details, without fixing anything:

Get the detailed audit report in JSON format:

Get the detailed audit report in plain text result, separated by tab characters, allowing for future reuse in scripting or command line post processing, like for example, selecting some of the columns printed:

To parse columns, you can use for example awk , and just print some of them:

Fail an audit only if the results include a vulnerability with a level of moderate or higher:

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. The report returned includes instructions on how to act on this information. The command will exit with a 0 exit code if no vulnerabilities were found.

You can also have npm automatically fix the vulnerabilities by running npm audit fix. Note that some vulnerabilities cannot be fixed automatically and will require manual intervention or review. Also note that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install, so things like npm audit fix --package-lock-only will work as expected.

By default, the audit command will exit with a non-zero code if any vulnerability is found. It may be useful in CI environments to include the --audit-level parameter to specify the minimum vulnerability level that will cause the command to fail. This option does not filter the report output, it simply changes the command’s failure threshold.

The audit data bundle sent to the registry contains:

  • npm_version
  • node_version
  • platform
  • node_env
  • A scrubbed version of your package-lock.json or npm-shrinkwrap.json

In order to ensure that potentially sensitive information is not included in the audit data bundle, some dependencies may have their names (and sometimes versions) replaced with opaque non-reversible identifiers. This is done for the following dependency types:

  • Any module referencing a scope that is configured for a non-default registry has its name scrubbed. (That is, a scope you did a npm login --scope=@foo for.)
  • All git dependencies have their names and specifiers scrubbed.
  • All remote tarball dependencies have their names and specifiers scrubbed.
  • All local directory and tarball dependencies have their names and specifiers scrubbed.

The non-reversible identifiers are a sha256 of a session-specific UUID and the value being replaced, ensuring a consistent value within the payload that is different between runs.

The npm audit command will exit with a 0 exit code if no vulnerabilities were found.

If vulnerabilities were found the exit code will depend on the audit-level configuration setting.

Andrew is the News Editor for Review Geek, where he covers breaking stories and manages the news team. He joined Life Savvy Media as a freelance writer in 2018 and has experience in a number of topics, including mobile hardware, audio, and IoT.

@andrew_andrew__
Feb 1, 2021, 9:51 am EDT | 1 min read

Security experts suggest using a VPN whenever you surf the web, but doing so is easier said than done. VPNs slow down your connection and often have trouble when jumping between Wi-Fi and 4G on mobile devices. That’s why ExpressVPN built a new VPN protocol, called Lightway, with a focus on speed, power-efficiency, and the mobile web experience.

Most VPN services aren’t optimized for today’s internet users and rely on pre-made protocols that carry a lot of legacy code (and often perform poorly on mobile devices that lack hardware acceleration for AES). Lightway, by contrast, is an all-new protocol built from the ground up by ExpressVPN. Its core is only around 1,000 lines of code, which lets a client connect to a VPN server in a fraction of a second without wasting processing power or battery. (ExpressVPN is one of the few services to go this route, Cloudflare being a notable exception.)

But Lightway’s most innovative feature isn’t its speed or power efficiency; it’s the protocol’s tolerance for internet dropouts and network switching. Older VPN protocols have to restart your session after a dropout, and tend to stutter when switching from Wi-Fi to 4G on mobile devices. Lightway, with its focus on the modern web experience, maintains a connection when switching networks on laptops or phones, and resumes your VPN session after an internet dropout without the wait time of other services. Until now, Speedify was one of the few services to advertise seamless network switching.

Interestingly, ExpressVPN plans to open source Lightway for transparency and scrutiny. If you’re interested in the Lightway code or don’t want to use a closed-source VPN software, check out ExpressVPN’s developer blog post on Lightway.

ExpressVPN is our highest recommended VPN service thanks to its speed, reliability, strict no-logging policy, and advanced features like split tunneling. You can try ExpressVPN and its new Lightway protocol today for as low as $10 a month. Current ExpressVPN customers can try Lightway after updating their ExpressVPN app on desktop or mobile. Bear in mind that Lightway isn’t available on iOS yet, but it supports Windows, macOS, Linux, Android, and routers.


ExpressVPN

ExpressVPN is one of the fastest, most reliable, and most secure VPN services available today. Its new Lightway protocol sets a new standard for speed and power efficiency, and it’s one of the first VPN protocols to account for network switching on mobile devices.

One of the biggest threats to your business isn’t the economy. It’s not more competition. It’s hackers trying to bring down your website and steal your data.

Attacks happen to large and small companies every single day. Unfortunately, about 60% of small businesses that are hit with a cyberattack fail to make it six months after the attack.

There’s a lot at stake in keeping your website safe and secure. You want to make sure that you know the various security vulnerabilities that hackers can exploit.

What are the most common security vulnerabilities among websites?

Read on to find out.

1. Easy to Guess Password

One of the largest data breaches to date is the Equifax breach. Over 143 million records were exposed when hackers gained access to their systems.

The breach was the subject of many investigations and cost the company billions of dollars. One research firm found that one of the company’s databases in Argentina used one of the most basic login credentials possible: the username and the password were both ‘admin’.

That’s right, a multi-billion dollar international conglomerate used the most basic login information on their databases. They may as well give hackers the keys to the candy shop.

Believe it or not, this is a common occurrence among large and small businesses. They want something easy to remember in the sea of passwords that they have to remember. Yet, by having simple login information, it’s easier to guess passwords and put your site at risk.

The best way to guard against this is to use a password generator that creates strong passwords and store them in a password app like LastPass.

2. Failure to Update

You’re likely to use WordPress as the content management system of your site. WordPress is great because you can build a site without being a coding expert.

Plus, there’s a plugin for every possible feature and optimization you could want. There’s one for SEO, installing code in your headers, making your site faster and more.

Of course, there’s one for security, too.

These plugins and the WordPress core are updated frequently. Developers will often discover security flaws or new ways to improve the performance of the plugins and core.

Using an older version of software leaves your site vulnerable to attack because you’re running software that has security holes. You need to update your site regularly to ensure that you’re running the latest version of the software.

3. SQL Injection

WordPress runs on a SQL database. Hackers can inject SQL commands through input that your site passes into database queries without checking it, and use them to take over your site. The injected SQL overrides the commands your site meant to run, giving hackers full rein over your website.

They can then take information like passwords, login information, and customer data for their own purposes.
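The defect the section describes and its fix, as an added Python/sqlite3 example (not code from the page or from WordPress); the users table and the hostile input are constructed:

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def find_user_vulnerable(conn, username):
    """Defective pattern: the input is pasted into the SQL text, so a quote
    inside it can close the literal and change the statement's structure."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Hardened: a parameter marker keeps the input as data. The driver never
    interprets it as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    """Run both variants against one constructed hostile input and return
    what each version matched."""
    conn = make_db()
    # Constructed hostile input: a quote that closes the literal followed by
    # a condition that is always true. No user by this name exists.
    hostile = "nobody' OR '1'='1"
    return {
        "vulnerable": find_user_vulnerable(conn, hostile),  # matches alice
        "safe": find_user_safe(conn, hostile),              # matches nothing
    }
```

In WordPress plugin code the equivalent fix is to build every query with $wpdb->prepare() instead of concatenating request values into the SQL string.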

4. Remote File Inclusion

Some businesses use their websites for customers and vendors to upload paperwork, like contracts or health information.

Hackers can use this upload ability to upload executable files. Once these are activated, your site is toast. The best protection against this attack is to disallow anything from being uploaded to your site.

If you must have documents uploaded, you’ll want to install a script that can tell when malicious software or code has been uploaded to your site.
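A check of the kind the two paragraphs above call for, as added example code (not from the page): it validates an upload against an extension allow-list, the file's leading bytes and a size limit, and stores it under a random name. ALLOWED_TYPES and the upload directory are assumptions.

```python
import os
import secrets

# Assumed allow-list: the document types the site accepts, keyed by extension,
# with the leading bytes ("magic numbers") each type must start with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


class UploadRejected(Exception):
    """Raised for any upload that fails validation."""


def check_upload(original_name, data, max_bytes=10 * 1024 * 1024):
    """Validate an uploaded file; return the extension it may be stored under."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Never trust directory components supplied by the client.
    base = os.path.basename(original_name)
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension %r not allowed" % ext)
    # Reject double extensions such as invoice.php.pdf: a misconfigured server
    # might execute the inner one. (This also rejects names like my.report.pdf.)
    if "." in root:
        raise UploadRejected("multiple extensions not allowed")
    # The declared type must match what the bytes actually are.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def is_rejected(original_name, data):
    """Convenience wrapper: True if check_upload refuses the file."""
    try:
        check_upload(original_name, data)
    except UploadRejected:
        return True
    return False


def store_upload(original_name, data, upload_dir):
    """Store a validated upload under a random name. upload_dir is assumed to
    be a directory the web server does not serve or execute from."""
    ext = check_upload(original_name, data)
    stored_name = secrets.token_hex(16) + ext
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name
```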

5. Not Using HTTPS

More sites are using HTTPS because it creates trust with visitors, and it can help with SEO.

The real reason why you want to use HTTPS, if you don’t already, is security. HTTPS uses SSL/TLS, which encrypts the connection between your site’s server and the visitor’s web browser.

6. Redirection of Pages

Your backend file directory contains your site’s pages. Hackers can get into your directory and redirect pages to other, malicious pages.

One large healthcare organization was hacked, and payments were redirected to a hacker’s own site, designed to look like the healthcare site. When customers made payments, those payments went to hackers.

It’s not just payment pages that people can be redirected to. They can be sent to sites that have malicious software that infects your customers’ devices.

7. Secure Your Emails

Did you know that hackers still successfully use email? It’s actually the most common way that security systems are breached.

It turns out that the biggest security vulnerability isn’t your website itself. It’s your employees. You want to make sure that your employees are educated on security threats and phishing emails.

You also want to use secure email ports when setting up your email accounts.

8. Open WiFi Networks

Does your business offer public WiFi as a courtesy to customers? That can put your website and network in jeopardy.

Public WiFi is great until it’s hacked because it’s not secure. A skilled hacker can get into the backend of your network and cause a lot of problems.

The best thing that you can do is to offer WiFi, but have it password protected. This gives you more control over your network.

9. Lack of Security Audits

Have you ever performed a security audit of your website and network? What you don’t know can hurt you in the case of website security.

An audit will give you the information you need to expose and plug up security vulnerabilities. Security audits can be performed by an IT consultancy. They’ll take an objective view of your website and networks and give recommendations to keep your systems secure.

Expose and Fix Your Website Security Vulnerabilities

So much of your business depends on a functioning website. When your site is taken over by hackers, you can lose your search rankings, revenue, and productivity. Most of all, you lose your customers’ trust in your company.

That is something that you can’t recover from and why businesses shut down after an attack. The best way to prevent an attack is to know the top security vulnerabilities and how your site can be attacked.

You should also perform an audit to see how your site’s security can be improved.

Finally, you should install a WordPress plugin that works hard to keep your site secure. Take a look at our plugin and buy it today.

Native auditing

Microsoft provides an AD account lockout tool to check the lockout status. This tool can be downloaded here. After installing the tool, go to the folder you selected to extract the tool’s files. The LockoutStatus.exe tool will help you find the source of an account lockout and resolve it.

Before getting started, make sure that your audit policies are set to audit logon events. To do this:

  • Go to the Group Policy management console → Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
  • Enable Audit account logon events and Audit logon events. Turn on auditing for both successful and failed events.

Using the account lockout and management tool:

  1. Run the LockoutStatus.exe tool, and go to File → Select target.
  2. Type the user’s login name or sAMAccountName.
  3. Enter the domain name.
  4. Click OK to see the lockout status of the user you selected.

The following details will be displayed:

  • User State – Tells you if the account is locked.
  • Lockout Time – Time at which the account got locked out.
  • Orig Lock – Domain controller on which the lockout happened.

Finding the source of the lockout:

  • Go to the domain controller that the lockout status displayed.
  • Open the Event Viewer, and search the logs for Event ID 4740.
  • The log details of the user account’s lockout event will show the caller computer name.
  • Go to this caller computer, and search the logs for the source of this lockout.
  • Search the logs for the events that happened around the time when the user was locked out.
  • Check the user’s recent logon history, login attempts, services, and application using the user account’s credentials, scheduled tasks, mapped drives, etc.
  • If any of the above are using a stale password, update the user’s password, and force replication.
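The 4740 lookup and the time correlation the steps above describe, as an added Python example (not part of the page and not Microsoft's tool). The 4740 record is constructed in the XML form Event Viewer shows under Details > XML View, and the caller computer's events are a constructed list; both are labelled as such in the code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4740 event (not a real log record).
SAMPLE_4740 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-05-01T08:15:30.000Z"/>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WS-FINANCE-07</Data>
    <Data Name="TargetSid">S-1-5-21-111-222-333-1105</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>"""


def parse_lockout(xml_text):
    """Extract who was locked out, on which DC, and from which caller computer."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4740":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {
        "user": data.get("TargetUserName"),
        # In a 4740 event the "Caller Computer Name" that Event Viewer
        # displays is carried in the TargetDomainName field.
        "caller_computer": data.get("TargetDomainName"),
        "domain_controller": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
    }


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed events gathered from the caller computer's logs (e.g. 4625
# failed logons), each tagged with the credential consumer that produced it.
CALLER_EVENTS = [
    {"time": _utc(2024, 5, 1, 7, 30, 0), "id": 4625, "user": "jdoe", "source": "interactive logon"},
    {"time": _utc(2024, 5, 1, 8, 14, 55), "id": 4625, "user": "jdoe", "source": "scheduled task NightlyReport"},
    {"time": _utc(2024, 5, 1, 8, 15, 10), "id": 4625, "user": "jdoe", "source": "mapped drive to \\\\FILES01\\share"},
    {"time": _utc(2024, 5, 1, 8, 15, 12), "id": 4625, "user": "svc_backup", "source": "service BackupAgent"},
]


def events_near(lockout, candidate_events, window_minutes=5):
    """Return the caller computer's events for the locked-out user within the
    window around the lockout: these are the stale-credential suspects."""
    window = timedelta(minutes=window_minutes)
    return [
        ev for ev in candidate_events
        if ev["user"].lower() == lockout["user"].lower()
        and abs(ev["time"] - lockout["time"]) <= window
    ]


def lockout_report(xml_text, candidate_events):
    """Combine the DC-side 4740 record with the caller-side correlation."""
    lockout = parse_lockout(xml_text)
    if lockout is None:
        return None
    lockout["suspects"] = [ev["source"] for ev in events_near(lockout, candidate_events)]
    return lockout
```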

ADAudit Plus: Account lockout tool

Unlike the LockoutStatus tool provided by Microsoft, where you need to jump between multiple systems and consoles to pinpoint the source of lockout, ADAudit Plus allows you to analyze account lockouts in a single click. The who, when, where, and why of every account lockout is detailed in neat reports. These reports are collected in real time and can be exported to formats including CSV, PDF, XML, and HTML.

These reports provide the:

  • Name of the user that got locked out
  • Domain controller and caller computer the user got locked out from
  • Time of lockout
  • Previous login attempts of the user
  • Details of services, mapped drives, and applications using the user account’s credentials

Get instant alerts when a privileged user is locked out or if the volume of lockouts is too high. These alerts can also be sent straight to the admin’s or technician’s email or mobile device via SMS from ADAudit Plus. With this AD lockout tool, you can find and resolve account lockouts in less than a few minutes.

Native auditing becoming a little too much?

Simplify file server auditing and reporting with ADAudit Plus.

I am using Robot Framework, and was setting up a function that uses the BuiltIn library’s “Set Test Variable” command to reset a password variable; however, it is storing the new variable name in the Robot Framework log.

Is there any existing keyword to securely set a variable during the test so the actual variable change is not displayed in the Robot Framework log? Some secure keyword that may do this, similar to SeleniumLibrary’s Input Password for typing passwords into fields, but doesn’t store the password in the log?

This is how I currently have it, but the new variable is displayed in the log output:

1 Answer

Given that logging is central to test execution, having a secure test step is something that, in my view, is somewhat conflicting. The best approach is that the system under test does not contain any interesting information and the accounts used do not provide access to any other system.

In addition, using temporary accounts, only active for the duration of the (short) test cycle, also helps in securing an environment where the information is of value. However, as faulty software may trigger screenshots or log information otherwise not logged, the log files generated in these types of tests should only be accessible to those employees who have access to the original data.

With all of this said, there are a few things you can do to help your cause in Robot Script.

The first one is to create all the required variables from the command line or using variable files. As they are created before logging is started, they are not logged.

The second one is to create a custom Python keyword that fetches and uses the secure value. This prevents any logging and most likely any leaking of values.

The last one is to utilize the Set Log Level keyword. However, this approach has a downside: you need to assume that the in-between steps can inadvertently increase or decrease the log level permanently in case of a failure. This is why I added the [Teardown] example to handle such cases.
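The second approach from the answer above, as an added example library (not the answerer's code): a plain Python class whose keywords fetch the secret inside Python and hand back an opaque object, so neither the keyword's arguments nor its return value put the value into the Robot log. The library name, the environment-variable name and the digest comparison are assumptions for the illustration.

```python
import hashlib
import hmac
import os


class Secret:
    """Opaque holder for a sensitive value.

    Robot Framework writes keyword arguments, return values and assigned
    variables to the log using their string form, so str() and repr()
    deliberately hide the contents; only code that really needs the value
    calls reveal().
    """

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __str__(self):
        return "***"

    __repr__ = __str__


class SecureKeywords:
    """Robot Framework keyword library: a plain Python class whose public
    methods become keywords (assumed to be saved as SecureKeywords.py).

    Constructed usage in a .robot file:
        *** Settings ***
        Library    SecureKeywords.py
        *** Test Cases ***
        Password Is Current
            ${pw}=    Fetch Secret From Env    APP_PASSWORD    # log shows ${pw} = ***
            Verify Secret Against Hash    ${pw}    ${EXPECTED_SHA256}
    """

    def fetch_secret_from_env(self, env_name):
        """Read the secret inside Python: the value is never a keyword argument,
        and the returned object logs as ***."""
        value = os.environ.get(env_name)
        if value is None:
            raise RuntimeError("environment variable %s is not set" % env_name)
        return Secret(value)

    def verify_secret_against_hash(self, secret, expected_sha256_hex):
        """Use the secret without exposing it: compare its SHA-256 digest with a
        digest that the test data can safely contain."""
        digest = hashlib.sha256(secret.reveal().encode("utf-8")).digest()
        if not hmac.compare_digest(digest, bytes.fromhex(expected_sha256_hex)):
            raise AssertionError("secret does not match the expected digest")
        return True


def demo():
    """Stand-alone walk-through with a constructed secret."""
    os.environ["DEMO_APP_PASSWORD"] = "constructed-example-pw"
    lib = SecureKeywords()
    secret = lib.fetch_secret_from_env("DEMO_APP_PASSWORD")
    # The digest an administrator would have placed in the test data.
    expected = hashlib.sha256(b"constructed-example-pw").hexdigest()
    return {
        "logged_as": str(secret),  # what the Robot log would show for ${pw}
        "verified": lib.verify_secret_against_hash(secret, expected),
    }
```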

When the announcement came last week that some data might have been compromised on servers at LastPass, the password management company that hosts my encrypted password database, I wasn’t too worried.

But I did change my master password, for reasons I’ll get to shortly. The experience also made me reexamine how I manage my password data. Users with strong passwords had little to worry about. But there are three other key things you need to do to protect yourself.

Why I use it

I use LastPass to synchronize my password database between the different devices I use – home PC, Mac Mini, MacBook, iPad, etc. I could store all of my data locally, but LastPass allows me to store a local copy of my password data on each device and maintain a master copy in the cloud that keeps all of those local copies up to date.

LastPass has some very sophisticated methods for protecting your data, but it can’t protect users from themselves. Your hosted data is encrypted, but access to your data is only as secure as your master password and the other security protections LastPass offers to help you protect it.

LastPass doesn’t know your master password. Software running on your local computer encrypts your master password, applies a salted hash to it and sends the data to LastPass.com. LastPass stores the result of the salt and uses that, not your master password, to authenticate you. This makes it even harder for a stolen password to be used.

The potentially compromised data from LastPass’ servers included the salted hash and user names. “That would be enough to set up a potential attacker so they could start going through and looking for people with weak master passwords without having to hit our servers,” said LastPass CEO Joe Siegrist, who explained the “network traffic anomaly” in a PC World interview.

Sameer Kochhar, director at LastPass, says, “We only had the salted hash in our database, so they’d have to guess a password, compute the salted hash, and then compare it to the value stored in the database. But even if they managed to do this, they still don’t have access to your actual encrypted data (sites, usernames, passwords, formfills, etc.).

“We secured against this threat by locking down all user accounts. Specifically, if a user tries to log into their LastPass vault from a new location (an IP address from which they never logged in before), then we would deny them access. To gain access, they have to prove to us that they are who they say they are by clicking on a link that we send them by email.”

In other words, to protect users who might have had a weak master password, LastPass prevented everyone from getting access to the online password vault from an unrecognized IP address until they responded to an e-mailed verification. It also prompted users to change their master passwords upon login.
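An illustrative reconstruction of the division of labour the paragraphs above describe (the client derives the keys from the master password, the server stores only a salted hash of what it receives), added here as example code. It is not LastPass's implementation; the PBKDF2 construction and iteration count are assumptions, and the credentials are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the illustration


def derive_vault_key(email, master_password):
    """Client side. The key that encrypts the vault is derived locally and
    never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), email.lower().encode("utf-8"), ITERATIONS
    )


def derive_auth_hash(vault_key, master_password):
    """Client side. One more one-way step over the vault key; this value, not
    the master password, is what gets sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def server_store(auth_hash):
    """Server side. Store a salted hash of the received value, so a copy of the
    database holds neither the master password nor the transmitted value."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)}


def server_verify(record, auth_hash):
    """Server side. Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    """Walk through enrolment, a correct login, a wrong login, and what a
    stolen server record does and does not reveal."""
    email, master = "user@example.com", "correct horse battery staple"  # constructed
    vault_key = derive_vault_key(email, master)
    record = server_store(derive_auth_hash(vault_key, master))

    good = derive_auth_hash(derive_vault_key(email, master), master)
    bad = derive_auth_hash(derive_vault_key(email, "wrong guess"), "wrong guess")
    return {
        "good_login": server_verify(record, good),
        "bad_login": server_verify(record, bad),
        # The stolen record lets an attacker test guesses offline, which is why
        # the master password's strength matters, but it is not the vault key.
        "record_is_vault_key": record["hash"] == vault_key,
    }
```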

A hint of trouble

Fortunately, I didn’t have a weak password, although I did run LastPass’ security check feature just to double check. But what worried me was that my password hint, which also might have been compromised, might possibly be used to figure out my master password. My hint was a little too cute, allowing me to glean the groups of values that make up my master password.

So I did try to change my master password — and that’s where I ran into trouble. While you can log into your local copy of LastPass and access your data locally, you need to log into LastPass.com to change your master password. Unfortunately, LastPass’ servers were overwhelmed when the news hit, and I was unable to log in. So I had to wait — something that would have been nerve wracking had I used a weak password.

But I had another reason to chill: I use LastPass’s Grid two-factor authentication feature, which is required from any computer except one in my home office. That means any hacker not only would need to crack my user name and master password but also enter a string of data that only I know. LastPass’s Grid feature generated a random grid of numbers which I printed out and carry in my wallet. It randomly asks for the numbers from different positions on that grid every time I log in. No numbers, no passwords. The product also supports two other multifactor authentication schemes: the software-based Sesame, which runs from a thumb drive, and Yubikey, a USB-based hardware key, for additional security.

One thing about this whole episode did give me pause: As LastPass has grown, it — and my data — have become a bigger target than if I had simply hosted my encrypted password database in my own cloud-based shared storage service. That is something that a competing product, 1Password, allows you to do with third-party services such as DropBox. But 1Password does not offer two-factor authentication — a feature I feel is essential if you’re going to host your password data in the cloud.

Four tips for locking down LastPass

So if you’re going to use LastPass and store your password data in the cloud, how should you protect yourself? Here are my four recommendations:

  1. Use a strong master password – and verify the strength using LastPass’ Security Check feature.
  2. Don’t use a password hint. Or, if you do, don’t think you’re so clever that a hacker can’t reverse engineer your thinking. If it’s not completely unfathomable to anyone except you, don’t use it. A better method: Write your master password down, store it in your safe deposit box and use your key to retrieve it if you forget.
  3. Have a strong password on your e-mail account. Because LastPass uses your e-mail address as your user ID and allows users to recover from a forgotten master password via e-mail (as do many online accounts, including banking), a weak e-mail password can unravel everything.
  4. Use multi-factor authentication – either Grid or Sesame or Yubikey. In each case you need to carry something with you. I use the Grid feature, which requires that I enter both the master password and numbers located in randomly selected positions in a randomly generated, printed number grid that I have with me at all times. Yes, entering a master password and four randomly selected alphanumeric characters from a grid in my wallet is a hassle — inserting a Sesame or Yubikey USB device is much faster — but the Grid simply requires a piece of paper in my wallet, not a key I might lose. And LastPass lets me exempt specific machines, such as my home PC. So I only really need to use it when I travel.

Robert L. Mitchell writes on a wide range of topics, including analytics, emerging technologies, green IT and data centers.

stshank commented Jun 5, 2017

Did you search for similar issues before submitting this one?
yes

Describe the issue you encountered:
LastPass periodically requires me to reauthenticate with its second factor (in my case, a 6-digit code from Google Authenticator). Sometimes in Brave a new tab opens with a LastPass dialog box up asking me to authenticate again, but no amount of entering new codes makes the dialog. However, the LastPass icon turns from gray to red (or maybe it was red all along?), indicating the authentication was successful or unnecessary. The problem is sporadic. I’m not sure if it comes more frequently than the 30-day period that an authentication should last.

Platform (Win7, 8, 10? macOS? Linux distro?):
MacOS 10.12.6 beta (but this issue has been around for a few months for me)

Brave Version (revision SHA):
Brave 0.15.314
rev 75ffa36
Muon 3.0.202
libchromiumcontent 58.0.3029.110
V8 5.8.283.38
Node.js 7.9.0
Update Channel dev
os.platform darwin
os.release 16.7.0
os.arch x64

Steps to reproduce:

  1. Install LastPass with dual-factor authentication
  2. Wait

Actual result:
LastPass 2FA authentication dialog box doesn’t go away

Expected result:
LastPass 2FA authentication works (or isn’t triggered when it’s not needed)

Will the steps above reproduce in a fresh profile? If not what other info can be added?
unclear

Is this an issue in the currently released version?
yes

Can this issue be consistently reproduced?
unclear but it’s happened to me several times.

Screenshot if needed:

When it comes to cybersecurity in today’s digital landscape, the cloud is one of the most misunderstood elements. Otherwise intelligent business leaders seem to think that the cloud is far less secure than it is. Why is this? And what’s ultimately true?

Back to the Basics of Cloud Computing
To correct the record on common cloud security myths and misconceptions, we must begin on an equal playing field. This means establishing a common-ground understanding of what cloud computing is. According to Microsoft’s definition, “Cloud computing is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (‘the cloud’) to offer faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping you lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change.”

That’s a pretty simple yet comprehensive definition—so we won’t try to complicate things further by rephrasing. Cloud computing is preferred over traditional, on-premises solutions because of its cost-effectiveness, scalability, high performance, reliability, and, yes, exceptional security.

Five Cloud Security Myths to Stop Believing
Now that we have a fundamental understanding of the cloud, we can address some of the significant concerns, myths and misconceptions surrounding cloud security in the business world.

1. The Cloud is Unsafe
For non-techies and many people outside of the cybersecurity profession, it’s difficult to imagine how storing data somewhere beyond your reach can be a safe method of protecting digital assets. However, if you study the actual technology behind cloud security, it becomes evident that it’s far less susceptible to being compromised or attacked than a physical server in your own building.

The top keys to securing data are to implement strong governance, diligent monitoring and auditing, and strict access rights. These can be deployed in a superior manner in the cloud. This makes it a much stronger ecosystem from the start.

2. The Cloud Is Easier to Attack
One myth that’s dominated the industry for years is that since the cloud is managed by cloud service providers (CSPs), it must be more susceptible to threats. But once again, this is misleading.

As Box explains, “CSPs have matured their security expertise and toolsets over the years.” In many cases, it has become safer to work with a CSP than to handle data security on your own. With a CSP, you benefit from regular patching, security monitoring, and additional firewalls and threat-prevention solutions.

3. Data Can’t Be Controlled in the Cloud
The notion that data can’t be controlled in the cloud is an elementary misconception. The idea that you have more control over data when it’s in a server closet down the hall versus with a cloud provider hundreds or thousands of miles away misses the entire point. Once data is placed into the cloud, it’s not only more secure, but it’s also just as accessible. Geography has nothing to do with the ability to retrieve your data.

4. Cloud Computing Is Too New to Trust
People naturally have distrust in new things. So, it’s only logical that a specific segment of the marketplace pushes back against the cloud. But here’s the truth: The cloud isn’t as novel as most people think. Its origins stem from the 1990s, when businesses began deploying software over the internet. So, it’s been around for more than 20 years at this point, and has been maturing throughout that time.

5. Multi-Tenancy Puts Data at Risk
One concern businesses have with cloud adoption is the idea of operating within a public cloud environment. While it’s true that a public cloud is a multi-tenant environment—meaning multiple users’ data is stored on the same server—this isn’t nearly as dangerous or convoluted as it seems.

Multi-tenant environments have strict partitions and security systems to prevent anyone on the same cloud from accessing your data. They are no more or less risky than any other type of storage environment.

Adding It All Up
As confounding and nebulous as the concept may seem to the non-techie portion of the marketplace, the reality is that, when managed correctly, cloud security is far more secure than traditional on-premises solutions. And the sooner the masses realize this, the quicker we can fight back against the steep uptick in cyberattacks and ransomware.

Editor’s note: For related resources from ISACA, download our Azure audit program and find out about the new Certificate of Cloud Auditing and Knowledge (CCAK), a credential from ISACA and Cloud Security Alliance.

A login attempt can either succeed or fail. Although both outcomes are security related and should be documented (audited), the focus should be on failed logins. These can be the result of an accidentally mistyped username or password, expired credentials, or insufficient permissions. However, failed logins can also indicate malicious attempts to access confidential data hosted on SQL Server instances.

Methods for auditing failed logins in SQL Server

SQL Server provides several native methods for auditing failed logins. Some are easy to set up; others provide more detail. What they all have in common is that the audited information is difficult to review.

Login auditing in SQL Server Management Studio

One of the options to audit failed logins is to turn on the appropriate option in SQL Server in the Server Properties dialog (the Security node) of a SQL Server instance in Object Explorer.

The setting is on the instance level. The SQL Server instance must be running to capture failed logins. Otherwise, there will be no information available. This applies to all SQL Server native auditing techniques.

Once the option is set, failed logins are captured in SQL Server log files and shown in the Log File Viewer of SQL Server Management Studio. These files can be queried using an undocumented xp_readerrorlog extended stored procedure.

Additionally, captured failed logins can be reviewed using the Windows event viewer, in the Application sub-node of the Windows Logs node.

Although this auditing method is easy to set up, there are numerous downsides that make it inappropriate for this purpose. The main issue is the native log files themselves: they get recycled and are difficult to save automatically for later use. Also, whether the logs are reviewed with the built-in viewers or queried, they contain numerous entries not related to failed logins, and this noise is difficult to remove.

The Trace technology and auditing failed logins

SQL Server traces and Profiler can also be used for auditing failed logins, but as the feature is announced to be deprecated in future versions of SQL Server, it’s not recommended to use this approach moving forward.

Using SQL Server Audit to capture failed logins

The Audit feature in SQL Server is built on top of Extended Events. It’s the technology that will be additionally developed and expanded in future SQL Server versions. It was introduced in SQL Server 2008 and can be used on both instance and database level. Failed login auditing belongs to the instance level. Therefore, the limitation reflected in supporting database level auditing in the Enterprise and Developer editions only, does not affect our intention to audit failed logins using any SQL Server edition.

To audit failed logins in SQL Server, we’ll create a new audit object for a SQL Server instance. Afterwards, we’ll create a server audit specification object tied to the audit object. Although the same audit object can be used by multiple server audit specifications, it’s good practice to declare one audit object per audited event type (e.g. failed logins), so that the captured information isn’t cluttered with noise from other audited events. This also makes maintenance of the auditing structure (audit and server audit specification objects along with their corresponding log files) easy.

To declare the audit object:

  1. Expand the Security node in Object Explorer of SQL Server Management Studio and select the New Audit option in the context menu of the Audits sub-node.
  2. Type in the name for the audit object (e.g. AuditFailedLogins) and set the other parameters per your needs. In this example, we’ll specify the folder where the repository log file(s) will be saved. The number of log files, and whether and how they are rolled over, can be defined in the Audit File Maximum Limit section. If you don’t want to lose any captured information on failed logins, keep Maximum rollover files and Unlimited checked.
  3. Click OK to save the newly declared audit object.

To declare the server audit specification for auditing failed logins and tie it to the previously created audit object:

  1. Select the New Server Audit Specification option in the context menu of the Server Audit Specifications node.
  2. Type in the name for the server audit specification (e.g. FailedLoginsSpecification) and select the previously declared AuditFailedLogins audit object from the Audit drop-down menu.
  3. Select the FAILED_LOGIN_GROUP value in the Audit Action Type field of the Actions grid. Note that the rest of the fields in the row cannot be set when FAILED_LOGIN_GROUP is selected; they remain blank.
  4. Click OK to save the server audit specification.

The created set of SQL Server Audit objects is enough to capture failed logins once they occur. The information about failed logins is stored in the logs as specified in the audit object. The logs can be reviewed using the View Audit Logs option in the context menu of the audit object, which opens Log File Viewer.

Over time, the number of entries in the logs can grow, and the basic filtering available in Log File Viewer may no longer be useful. To overcome this, the information about failed logins in the log files can be queried:

    I am a one-man IT right now but I may be moving on in a month or so. maybe.

    If this happens, I may have little to no time to teach and train up my replacement, whoever that might be. It’s possible the company could use their HR sources to hire someone without me even being involved. It’s possible some random person could show up as my replacement without me even being able to make sure they have the proper skillset.

    Anyway, my question is about how I should prepare for the new person. It’s not reasonable that I would have some kind of “how to” book that covers every single piece of work I’ve ever done, I can’t train a non-IT person to become an IT.

    Let’s think about this backwards, if you were moving into a company as the only IT person, what sort of information or organization would you LIKE to have in place so you can get started as quickly as possible?

    I will have basic things like access to our entire password database and all the internet accounts I have. A simple network map of the office and router audits to know how things are set up there. They will have a MySQL database that I host just on my own work machine which records a lot of IT-related stuff that I used for a lot of random things.

    They will have my two primary local folders for company files and for IT-related files, and while the folder structure is reasonably self-explanatory, it’s pretty vast, maybe even confusing.

    I could never get this company to use any sort of standardized ticketing system or document store, so I never got in the habit of (read: never the freaking time!) to properly document every single task I ever performed. So the biggest thing lacking is a nicely organized wiki or knowledgebase. I do have a bunch of my procedures written out in individual Word docs, but I’d prefer a better, more easily searchable and updateable form of documenting and revising, like a wiki or knowledgebase.

    Anyway, if you had one month to try and make sure your transition is smooth, what preparations would you do?

    There are so many random things, like my ESX server that runs some Linux boxes and tests, but not services the company uses, so do I completely disband the server so as not to confuse them? I have a local WAMP install with lots of random PHP tools I’ve built or tested and lots of projects that are in the works. I don’t want to confuse them with unfinished projects, tests, or tools that they may never use or even know exist. Should I just get rid of all of it? Or document every single thing in there? I don’t have time to go deep into code and document it as if my replacement is a programmer, so I don’t know what to do with all these projects.

    I also have research projects, documents I wrote when researching marketing stuff, or ecommerce solutions or CRMs and CMSes etc. Just lots of research and meeting notes and company white papers etc etc. Should I try to document every last lovin file and why it exists? Or should I just delete them all because they may not be relevant to the new guy and the projects he will get involved in and take over?

    Like many IT people, you often want to step in and start fresh. If I started this job, one of the first things I’d want to do is probably format my workstation and start fresh with my own tools and style and probably start everything over anyway. I don’t want to waste my time because the new guy probably won’t work in the exact same way I do.

    What about random accounts with random software? This user on Spiceworks is the same user for the SW software, so do I just not pass along my account? Obviously not, since this is my “social” account too. I have accounts at Wunderlist and Evernote and stuff, but these are mixed with personal data, same as Dropbox and Box.com, and many other services I had to register for in order to use their software. Do I keep that software personally and let the new guy register his own copies? Or do I sign up my own personal accounts everywhere and move the little bit of personal stuff out of them?

    I’m not sure where to start, and may only have a month to properly get my documentation, procedures and IT information up to date. I have never found a wiki or knowledgebase tool that I like, but I feel this is what I need to do to get my documentation out of Word files and into a properly indexed KB database. This company doesn’t like to buy things, so I’m always stuck with using opensource/free stuff.

    Any tips and pointers would be great. I fully realize how important documenting is, as all IT people do, but spending time writing stuff down doesn’t make the CEO any more cash, so it tends to take a back seat for more profitable activities. That’s just the politics, it is what it is.

    This post is going to show how to run multiple jobs out of a single YAML file from an Azure DevOps Pipeline. This post is going to build on the Azure DevOps project created in previous posts. If you are just joining this series check out the previous posts to find out how the project has progressed.

    Starting Point and the Plan

    As the sample stands now we have a single Pipeline that builds two different ASP.NET Core web applications in a single job using the following YAML.

    This post is going to take this pipeline and split the build and publish of the two web applications so that each application is its own job. In Pipelines, a job is a unit of work that a single agent picks up and runs. By splitting into multiple jobs, the pipeline can run several jobs at the same time if you have enough build agents available. One reason to do this is to shorten the total pipeline run when parts of your build are independent of each other. Another reason you would need separate jobs is when they require different agents, such as one needing a Windows agent and another a Linux agent.

    Creating the Jobs

    Having different jobs means we are going to have to move things like what agent pool to use and the steps for the job under a jobs element and then declare a specific job and the details that job needs to run. As you can see in the following example the end goal is the same as the YAML from above (except it is dealing with a specific project), but the details are nested under jobs and defined under a job.

    Also notice that you can still define variables that can be used across jobs as is done above with the buildConfiguration variable. The following is the full YAML file that builds and publishes the artifacts for both web applications.
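    The post's own YAML did not survive into this copy of the page. The following is an added example of the shape described above, written for this edit rather than taken from the post; the project paths (src/WebApp1, src/WebApp2), job names, trigger branch and agent images are assumptions.

```yaml
# Added example, not the post's file: two independent jobs, one per web application.
# Paths, job names, trigger branch and vmImage values are assumptions.
trigger:
  - master

variables:
  buildConfiguration: 'Release'   # declared once, usable from every job below

jobs:
  - job: WebApp1
    displayName: 'Build and publish WebApp1'
    pool:
      vmImage: 'windows-latest'
    steps:
      - script: dotnet build src/WebApp1/WebApp1.csproj --configuration $(buildConfiguration)
        displayName: 'dotnet build WebApp1'
      - script: dotnet publish src/WebApp1/WebApp1.csproj --configuration $(buildConfiguration) --output $(Build.ArtifactStagingDirectory)/WebApp1
        displayName: 'dotnet publish WebApp1'
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)/WebApp1'
          ArtifactName: 'WebApp1'

  - job: WebApp2
    displayName: 'Build and publish WebApp2'
    pool:
      vmImage: 'ubuntu-latest'   # each job may pick a different agent OS
    steps:
      - script: dotnet build src/WebApp2/WebApp2.csproj --configuration $(buildConfiguration)
        displayName: 'dotnet build WebApp2'
      - script: dotnet publish src/WebApp2/WebApp2.csproj --configuration $(buildConfiguration) --output $(Build.ArtifactStagingDirectory)/WebApp2
        displayName: 'dotnet publish WebApp2'
      - task: PublishBuildArtifacts@1
        inputs:
          PathtoPublish: '$(Build.ArtifactStagingDirectory)/WebApp2'
          ArtifactName: 'WebApp2'
```

    Because neither job declares a dependency on the other, the agent scheduler may run them in parallel, and each job publishes its own artifact, which is why the run ends with two artifacts. Keeping the explicit major version on tasks (the @1 in PublishBuildArtifacts@1) is also worth the habit: it means a task update cannot silently change what runs inside your build.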

    After all your edits are done, commit the changes to your YAML file and then run the pipeline. As you can see from the following screenshot of my sample pipeline run, the pipeline now has two jobs instead of the one the original YAML produced. Also note that the run results in two published artifacts (one per job in our case) instead of the single artifact from the original.


    Wrapping Up

    As mentioned above, there are a lot of reasons you might want to split up your pipeline into multiple jobs, and hopefully you now have a good idea of how that is done. Make sure to check back in the future for a post on how to take repeated tasks and make them reusable.

    Chris Hoffman is Editor-in-Chief of How-To Geek. He’s written about technology for over a decade and was a PCWorld columnist for two years. Chris has written for The New York Times and Reader’s Digest, been interviewed as a technology expert on TV stations like Miami’s NBC 6, and had his work covered by news outlets like the BBC. Since 2011, Chris has written over 2,000 articles that have been read nearly one billion times—and that’s just here at How-To Geek.

    How to run a last pass security audit (and why it can’t wait)

    Many websites have leaked passwords. Attackers download databases of usernames and passwords from those breaches and replay the combinations against other sites, a technique known as credential stuffing. This is why you shouldn’t reuse passwords for important websites: a leak at one site gives attackers everything they need to sign in to your other accounts.

    Have I Been Pwned?

    Troy Hunt’s Have I Been Pwned website maintains a searchable database of email addresses and usernames taken from public breaches, plus a separate collection of leaked passwords. These are taken from publicly available breach dumps that circulate on various sites on the web and the dark web. The database just makes it easier to check them yourself without visiting the sketchier parts of the web.

    To use this tool, head to the main Have I Been Pwned? page and search for a username or email address. The results tell you whether your username or email address has ever appeared in a leaked database. Repeat this process to check multiple email addresses or usernames. You’ll see which leaked password dumps your email address or username appears in, which in turn gives you information about passwords that might have been compromised.

    If you want to get an email notification should your email address or username appear in a future leak, click the “Notify me” link at the top of the page and enter your email address.


    You can also search for a password to see whether it has ever appeared in a leak. Head to the Pwned Passwords page on the Have I Been Pwned? website, type a password in the box, and then click the “pwned?” button. You’ll see whether the password is in one of these databases and how many times it’s been seen. Repeat this as many times as you like to check additional passwords.

    Warning: We strongly recommend against typing your password into third-party websites that ask for it. A dishonest site can simply record what you type. Have I Been Pwned? is the exception because of how the Pwned Passwords lookup works: your browser hashes the password locally with SHA-1 and sends only the first five characters of that hash; the service returns every leaked hash suffix that starts with those five characters, and the match is made on your own machine. The full password, and even the full hash, never leaves your computer. Popular password manager 1Password now has a button that uses the same API, so it performs the same prefix-only query rather than sending your passwords anywhere. If you want to check whether a password has been leaked, this is the service you should do it with.
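    To make the privacy model of that lookup concrete, here is an added example (written for this edit, not code from Have I Been Pwned or 1Password) of the k-anonymity range query. Only the real range endpoint URL and the Add-Padding header are taken from the public API; the offline range response, its counts, and all suffixes other than the one for "password" are constructed for the example.

```python
"""Added example: k-anonymity lookup against a Pwned Passwords range response.

The password is hashed locally; only the first 5 hex characters of the SHA-1
digest are ever sent, and the match is done on the client side.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real public endpoint of the Pwned Passwords range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash locally and split into the 5-char prefix sent to the service
    and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix.
    Padded entries (Add-Padding) come back with a count of 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # blank or malformed line; ignore rather than crash
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in breach data (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup. Add-Padding asks the API to pad the response so its size
    does not leak which prefix was queried. Not used by the offline demo."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range "5BAA6" (SHA-1 of "password" begins 5BAA6).
# Only the third suffix is real (it completes the hash of "password"); the other
# suffixes and every count are made up for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F5E3BB5C5D3D4A1D5A7B3B4E4A3C1F2D3E:0
"""


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher so the example runs without network access."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(candidate)
        seen = pwned_count(candidate, fetch_range_offline)
        print(f"sent prefix {prefix}; {candidate!r} seen {seen} times")
```

    Swap fetch_range_offline for fetch_range_online to query the real service; the shape of the exchange is identical, which is the point: the server learns a five-character prefix shared by hundreds of hashes, never the password.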


    If an important password you use has been leaked, change it immediately. Use a password manager so it’s easy to set strong, unique passwords for each important site. Two-factor authentication also helps protect your critical accounts, as it keeps attackers from getting in without the additional security code, even if they know the password.

    LastPass

    LastPass has a similar feature integrated into its Security Challenge. To access it from a LastPass browser extension, click the LastPass icon on your browser’s toolbar, and then select More Options > Security Challenge.


    LastPass collects the email addresses stored in your vault and asks whether you want to check if they have ever appeared in a leak. If you agree, LastPass checks them against a breach database and emails each address the details of any leaks it appears in.

    LastPass also offers a view of “Compromised” passwords here. This list shows you which websites have had security breaches since you’ve last changed your password on them, which means your password potentially could have leaked. It’s a good idea to change the passwords of any sites that appear here.


    1Password

    The web-based version of the 1Password password manager can also check whether your passwords have been leaked, using the same Have I Been Pwned? service covered above. It has an integrated “Check Password” button that runs the prefix-only hash query against the service and reports the result. In other words, it works the same way as using the Have I Been Pwned? website, and the full password stays inside 1Password.

    If you’re a 1Password user, you can take advantage of this service by signing into your account on 1Password.com. Click “Open Vault” and then click one of your accounts. Press Shift+Control+Option+C on a Mac or Shift+Ctrl+Alt+C on Windows, and you’ll see a “Check Password” button that checks if your password appears in the Have I Been Pwned? database. It’s a new, experimental feature, so it’s hidden for now, but it should be integrated into future versions of 1Password in a better way.

    This feature also will be integrated into 1Password’s Watchtower feature in the future. The Watchtower feature warns you from within the 1Password application if any passwords you’ve saved are potentially vulnerable and need a password change.


    The most important thing you can do is to not reuse passwords, at least for important websites. Your email, online banking, shopping, social media, business, and other critical accounts should all have their own unique passwords, so a leak by one website doesn’t put any other accounts at risk. Password managers help make strong unique passwords possible, ensuring you don’t have to remember a hundred different passwords.

    You tried to sign in with your Microsoft account and you received a message that said:

    Your security info change is still pending

    You can’t access this site right now

    You received this message because all the security info (such as alternate contact methods) that you previously added to your account was removed and replaced with new info, and you need to wait 30 days for the changes to take effect.

    There are still things you may be able to do with your account, but in most cases, you won’t be able to access any Microsoft site that asks for this security verification info.

    Tip: Security info is any alternate contact info such as an email or phone number that you added for account verification purposes. See Microsoft account security info and verification codes for more information.

    What you can and can’t do during the pending request

    When all security info is removed from a Microsoft account, the account is put into a restricted state for 30 days.

    While we understand this 30-day period might be frustrating, this is done to protect and alert you in case the security info was removed by someone who had unauthorized access to your account.

    We’ll send notifications during the 30 days to the original security info, which could be a phone number or email address. These notifications are sent to alert you that changes were made to your security info.

    If you removed this security info yourself, you might have the option to cancel the request. See below.

    Cancel the request to remove security info

    We can’t expedite the 30-day process unless you cancel the request.

    You can cancel the request if you removed the security info yourself. If you didn’t remove the info, and you think this may have been done by someone with unauthorized access, follow the steps to alert us of this.

    You were the person who removed the security info

    If you’re the person who removed all the security verification methods for your Microsoft account, you can go ahead and cancel the request from the Security info change is still pending window.

    Sign in to the Security page for your Microsoft account.

    On the Your security info change is still pending window, select the cancel this request link and follow the prompts. You’ll need access to these security proofs to complete the cancel request.


    You didn’t make the security info changes to your account

    If you’re not the person who made the security change and suspect your account was compromised, do the following:

    Sign in to the Security page for your Microsoft account.

    On the Your security info change is still pending window, select the let us know link towards the bottom of the window and follow the prompts.


    What you can do during the 30-day pending period

    The table below lists what you can and can’t access during the 30-day period.

    Important: If two-step verification was turned on, you won’t have access to anything in the table below. Your options are to wait the 30 days or cancel the request following the steps above.

    When trying to access a page or do something under the Not available column, you might see a message that says, “You can’t access this site right now.” This message occurs because these pages contain sensitive info and require additional security verification. To access anything in the Not available column, wait the 30 days or cancel the request.

    Available: most Microsoft services, such as signing in to Xbox, Skype, Outlook.com, OneDrive, etc.
    Not available: your OneDrive vault.

    Available: view order history; make a purchase from the Microsoft Store; manage a subscription; update your billing or mailing address.
    Not available: payment options such as updating your credit card info; any update that requires a security code.

    Not available: update your password; access parental controls; update your account aliases.

    Security best practices

    Here are a few things you can do to help you avoid ending up in this pending state again.

    Use an authenticator app

    Avoid changing all security info at once.

    Set reminders to regularly review all your security info and make sure it’s still valid.

    Make sure there’s more than one security option on your account.

    If a phone number is one of your security options, make sure the number is still valid and this number can receive text messages.