At Pandora FMS we have IT professionals on an altar. Literally, one next to the water dispenser in the office. I’m serious! It even has its blessed liturgical cloth, its flattering parsley, its candles and the incense! But there are still things that these people miss. Here’s a hint: it’s related to ITOM.
IT Operations Management (ITOM) and automation
We all agree in the industry that IT professionals waste too much time every day, struggling with minor tasks within IT Operations Management (ITOM).
ITOM covers everything necessary to support the network infrastructure that provides IT services.
This includes both the hardware (switches, servers, data center firewalls…) as well as the company’s network and the tools needed to make sure everything works properly.
According to the latest surveys, 78% of IT professionals say they spend at least 10% of their time proactively optimizing their environments.
This extra time spent on maintenance and conservation obviously takes time from proactive optimization.
And this is where automation comes in.
Automation is that miracle from heaven that sets IT professionals free to stop wasting time and focus on things that really matter, and not on boring tasks!
Of course, most IT professionals know firsthand the value of automation.
That’s why they have their altar. *Visitable during working hours, and donations are accepted.
But automation has not yet reached ubiquity regarding ITOM.
And it’s time for that to change!
That’s why we want you to start considering automating the following types of tasks:
Complex tasks with multiple steps
Repetitive routine tasks or tasks triggered by a recurring event
Tasks where a large amount of data needs to be filtered based on specific, predefined criteria
As we said, in these cases, automation can help the incredible intellects of IT professionals, and their almost intrinsic creativity to focus on other needs. Perhaps, even with automation, you will minimize the possibility of human error in tasks.
What is the next step?
Certainly the next step is to consider which are the most relevant ITOM tools.
If your megalomaniac goal is, for example, to optimize a large government network, look for the products best designed to scale and then make sure the vendor and product are approved for use in government networks.
Here, for example, the most relevant ITOM tools could be:
Performance monitoring
Configuration management
Security and intrusion detection and prevention
Troubleshooting
If you then relax, have a tea, and take enough time to consider specific processes that can benefit from automation, such as automating network configurations, you may help your IT professionals carry out tasks like these more efficiently:
Meeting compliance requirements, implementing configuration changes quickly and efficiently, or reducing downtime caused by faulty devices.
And network configuration automation is only one area from among them all.
Think about the possibility of automating workflows and your IT staff crying dramatically when finally getting their lives back!
Or automating tasks initiated by mobile devices, etc.
Prepare for change!
Naturally, automation leads us to the development of a new type of skills within IT staff.
The more tasks are automated, the more IT professionals become automation supervisors instead of performing those tasks themselves.
That is, while before more specialized staff needed to understand perfectly what the inner workings of each piece of hardware were like, with automation, these people need to be much more aware of how the software works.
They need to understand application programming interfaces and how they can dictate things like policies, rules, and user access.
Conclusions
ITOM and automation together are virtually the panacea for IT professionals.
The secret of a successful transition is to go little by little, in a gradual and logical progression.
Securing tasks, processes, and skill sets so that they move together toward a better future filled with altars in the office for IT professionals!
About Version 2 Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.
“But what does that have to do with why I should back up my Microsoft 365 data?” you ask. Good question. In fact, it’s a great question, and one that leads to lots of other questions (thus the structure of this post as a sort of informal Q & A).
This steady, sustained, and impressive revenue growth came about because organizations value the collaboration and communication features in Office 365 highly enough not just to subscribe, but to stay on the platform. Every minute that your users are using Office 365 applications and services, they’re creating and editing the data that your business needs to operate.
“What’s the worst that could happen?”
Lots of people tend to think that bad things only happen to other people. It’s natural to assume that the extensive data protection measures in Microsoft’s platform will keep your data safe—but that’s not entirely true. In future articles, I’ll dig into specific parts of the Microsoft data protection world and talk about their strengths and weaknesses, but for now, let’s say that it’s more accurate to say that Microsoft’s native data protection measures may protect you against some types of catastrophic data loss, but there are still lots of things to watch out for.
First, not all data items are created equal; that email in your sent items folder accepting the meeting request for Bob’s retirement party isn’t worth as much as the Excel file that has your end-of-quarter sales data. To make this problem worse, let’s not forget that not all workloads are equally well protected. Some services have recycle bins, and some do not. Some provide support for document versioning, and some don’t.
Second, consider which threats you really need to protect against. Aliens probably aren’t going to attack Microsoft’s entire network and burn down all their data centers—the biggest risk you actually face isn’t Microsoft permanently losing your data (although it does sometimes happen).
Instead, there are some bigger risks you face, including, but not limited to, these:
Service outages: A Microsoft outage will keep you from getting access to your data. The multiple outages in Azure multi-factor authentication that blocked users from logging on to the service in 2019, 2020, and 2021 are great examples.
Malicious deletion: A security breach or problem will cause you to lose access to your data, either because ransomware has removed or encrypted it or because something else in the chain gets broken.
We sum these potential causes up with a simple phrase: mishaps, mistakes, and malice.
As you can see, the native data protection features included with the service may not help in all these scenarios, especially because you may have important data in workloads that don’t have much protection. Having an independent cloud-based backup with no dependencies on Microsoft’s services can preserve your ability to access your data even during an Azure AD or other outage.
“Is Microsoft responsible for my data?”
In a word: No, as you can see from this Microsoft article. Microsoft essentially says that they’re responsible for security (which in this case I’ll say means the confidentiality, integrity, and availability) of the infrastructure used to run Office 365, but that in the end you are the owner of, and responsible for, the data itself.
If you carefully read the Office 365 or Azure service descriptions, you won’t find any promises by Microsoft that say things like “we promise to protect your data” or “we’ll never lose your data.” Instead, when you examine their security best practices for various parts of their estate, you’ll see recommendations to back up your data, test your backups, maintain good personnel security, and so on—all things that Microsoft may also be doing, but on which you probably shouldn’t bet your company.
“Do I really need a third-party backup tool?”
It’s an old cliché that aviation regulations are “written in blood.” When it comes to backups, it might be less dramatic and more fair to say that backup best practices are written in tears, lost dollar bills, or maybe in shredded resumes.
The risk of unrecoverably losing some of your data, though, grows in line with multiple factors: how much data you have, how much of it is high-value, how many people have write access to it, and how emerging security threats hold that data at risk. Having an immutable copy of your important data stored securely in an independent cloud is terrific insurance against both large- and small-scale risks.
If you don’t have third-party backup and Microsoft cannot restore your data, you’re just out of luck. We went with Keepit to ensure both consistent backup and long-term retention of our data.
Ken Schirrmacher, Sr. Director of IT/Interim CIO at Park ‘N Fly
“What do I do now?”
If you haven’t ever lost data because of malice, mistakes, or mishaps, maybe you’re not convinced of the value of robust, cloud-independent backup for your data. Sadly, though, most of us have indeed lost data for some (or maybe all!) of these reasons.
Either way, the first step in deciding how to best protect your SaaS data is to take an honest and comprehensive look at the potential losses you’d face from not having timely access to your critical data. The built-in reports in the Microsoft 365 admin center will help tell you who your most active users are and who has how much data in OneDrive, SharePoint, and Exchange Online. Couple that with your own knowledge of your business and you’ll get a good start on deciding where the potential catastrophes might lie.
Next, think clearly about the risks you face, both from the standpoint of your IT organization’s capability and maturity but also from the overall standpoint of your business. Many organizations have increased their spending on security—which is often beneficial!—but haven’t done anything to improve their ability to protect against mishaps or mistakes, much less to carefully plan and test a recovery strategy.
If, after doing these things, you realize that some or all of your Microsoft 365 data is valuable enough for your company to protect to continue day-to-day operations, then you can read more about how Keepit Backup and Recovery for Microsoft 365 can help protect your data on our product page.
About Keepit At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.
Today’s organizations rely on numerous business applications, web services, and custom software solutions to meet business communications and other transaction requirements.
Typically, multiple applications frequently require access to databases and other applications to query business-related information. This communication process is usually automated by embedding the application’s credentials in unencrypted text in configuration files and scripts.
Administrators often find it difficult to identify, change, and manage these credentials. As a result, passwords remain unchanged, which may lead to unauthorized access to confidential systems.
Thus, hardcoded passwords can facilitate the work of technicians, but can also be an easy entry point for malicious agents. Keep reading the text and learn more about what hardcoded passwords are and how to manage this feature with security.
What Are the Risks of Using Hardcoded Passwords?
Data breaches are one of the scariest threats to a company. Exposure of sensitive data, whether by accident or by criminals, can lead to loss of competitive advantage and even fines in case of exposure of personal information.
According to IBM’s report, the global average cost of a data breach for an organization was about $3.86 million in 2020, with an increase of about $1 million, to $4.77 million, if the breach is due to an employee’s compromised credentials.
In this scenario, companies are making large investments to reduce their attack surface and prevent possible data breaches. However, there is one threat that is usually underestimated among the many threats that need to be taken care of, although it possibly compromises the life of an entire company: hardcoded passwords.
Passwords hardcoded in a public codebase can be compared to closing the door of a house and forgetting the key in the lock: this is the most direct and obvious way to cause a data breach. In fact, hardcoded credentials do not need any specific skill to be exploited.
Among the other risks associated with hardcoded passwords is the fact that many applications or devices can share the same hardcoded password. As a result, guessing the password can allow cybercriminals to connect to and control all other devices or apps that use the same password.
Unfortunately, guessing or learning the embedded combination may be easier than you think. Many developers share their code on GitHub and websites without realizing that by doing so, they can reveal passwords in plain text.
Of course, cybercriminals are also aware of this, so it may just be a matter of time before they find the shared passwords accidentally. Not to mention that various malicious apps and tools can brute-force the password of the app or device, so keeping it hardcoded in the source code is always a risk.
How Are Hardcoded Passwords Used and Where Are They Found?
Passwords are everywhere. Sometimes they are apparent, hardcoded in code or configuration files. Other times, they take the form of API keys, tokens, or cookies.
Because they pose a security risk, there is no other way to say this: hardcoded passwords need to be deleted.
Hardcoding passwords is a practice developers use when building a webpage or application. Using this practice, developers embed important information (passwords and other secret data) into the source code (rather than obtaining the passwords from external sources or generating them when needed).
As a result, hardcoded credentials contain passwords and other important secrets, and while they are not visible from the outside, they are obvious and easy to find in the source code, which makes them a major security risk.
Within your business, you may have come across hardcoded passwords used in several ways, including:
Setting up and establishing a new system.
API and system integration.
Creating encryption or decryption keys.
To define privileged access.
To simplify application-to-application or application-to-database communication.
Hardcoded passwords can be found at:
Software applications, both on-premises and hosted in the cloud.
BIOS and other firmware on computers, mobile devices, printers, and servers.
DevOps applications.
Networks that include routers, switches, and a multitude of other control systems.
Mobile devices enabled for IoT and the internet.
Hardcoded passwords are not encrypted. This is exactly why they represent a critical security flaw.
What Are Examples of Security Incidents Involving Hardcoded Passwords?
Passwords remain by far the most widely used method for authenticating users in applications and systems, despite the long-standing efforts of technology industry leaders to find more secure alternatives.
The increasing number of attacks involving theft or compromised credentials over the past few years has focused more attention on ways to enhance the security of password-based authentication mechanisms.
Despite all the efforts of security professionals, cybersecurity incidents involving hardcoded credentials still occur. Below are the most well-known cases worldwide involving this problem.
Mirai Attack
Mirai malware, which gained prominence in late 2016 (although it may have been active years before), checks for the Telnet service on Linux-based IoT boxes with Busybox (such as DVRs and WebIP cameras) and on stand-alone Linux servers.
Then, through a brute force attack, it applies a table of 61 hardcoded default usernames and passwords to attempt a login.
Mirai and its variants have been used to assemble huge botnets of IoT devices, up to about 400,000 connected devices, without the knowledge of most of its owners.
Mirai-related botnets have carried out some of the most disruptive DDoS attacks ever seen, with victims such as French Telecom, Krebs on Security, Dyn, Deutsche Telekom, Russian banks, and the country of Liberia.
Uber Breach
While Mirai’s attacks were most notable for causing business downtime, the Uber breach resulted in the exposure of information from 57 million customers, as well as about 600,000 drivers.
As with Mirai, hardcoded credentials were at fault. An Uber employee published plain text credentials in source code that was posted to GitHub, a popular repository used by developers.
An experienced malicious hacker simply found the credentials embedded in GitHub and used them to gain privileged access to Uber’s Amazon AWS instances.
What Are the Best Practices and Solutions for Hardcoded Password Management?
Many companies are aware of the problem posed by hardcoded credentials and know that passwords must be managed carefully. So here’s a list of best practices for managing hardcoded passwords in your IT environment.
Discover and Identify All Types of Passwords
Finding out whether hardcoded credentials are being used in the code is a good first step. Unencrypted text credentials also turn up in configuration files, infrastructure as code, and containers.
Discover and identify all types of passwords, keys, and other secrets throughout your IT environment and place them under centralized management. Continually discover and integrate new secrets as they are created.
In addition to being a possible security exposure, the use of hardcoded passwords can affect cyber resilience. Besides gaining visibility into their use, it is best to properly govern and protect the use of credentials to improve security and resilience.
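A minimal discovery pass over code, configuration, infrastructure-as-code and container files, as an added example (not code from the original article or from any vendor it mentions). The file names, contents and secret values are constructed for the demonstration, and the rule names are this example's own; findings are reported redacted so the scanner's output does not become a second copy of the secret.

```python
import math
import re
from collections import Counter

NAME = r"[\w.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.-]*"
# secret-looking name, then ':' or '=', then an optionally quoted value
ASSIGNMENT = re.compile(
    r"(?P<name>" + NAME + r")[\"']?\s*[:=]\s*(?P<q>[\"']?)(?P<value>[^\"'\s]+)(?P=q)",
    re.IGNORECASE)
# scheme://user:password@host
URL_CREDS = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s/]+)@", re.IGNORECASE)
# long quoted token, whatever the variable is called
QUOTED_TOKEN = re.compile(r"[\"'](?P<value>[A-Za-z0-9+/=_-]{24,})[\"']")
# values that point at a secret instead of containing one
REFERENCE = re.compile(
    r"^(?:\$\{?\w+\}?$|\{\{|<.*>$|os\.(?:environ|getenv)|(?:none|null|true|false)$)",
    re.IGNORECASE)


def shannon_entropy(value):
    """Bits per character; random tokens score high, words score low."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def redact(value):
    """Keep just enough to locate the secret without reproducing it."""
    return f"{value[:2]}***({len(value)} chars)"


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [("hardcoded-assignment", m.group("value"))
                for m in ASSIGNMENT.finditer(line)
                if not REFERENCE.search(m.group("value"))]
        hits += [("url-embedded-credentials", m.group("value"))
                 for m in URL_CREDS.finditer(line)
                 if not REFERENCE.search(m.group("value"))]
        if not hits:  # fall back to entropy only when no named rule fired
            hits = [("high-entropy-literal", m.group("value"))
                    for m in QUOTED_TOKEN.finditer(line)
                    if shannon_entropy(m.group("value")) >= 4.0]
        findings += [(path, lineno, rule, redact(v)) for rule, v in hits]
    return findings


def scan_files(files):
    """files: mapping of path -> text. Returns (path, line, rule, redacted)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs: none of these values are real credentials.
SAMPLE_FILES = {
    "app/settings.py": 'DB_HOST = "db.internal.example"\n'
                       'DB_PASSWORD = "Winter2020!"\n'
                       'API_TOKEN = os.environ["API_TOKEN"]\n',
    "deploy/docker-compose.yml": "environment:\n"
                                 "  POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}\n"
                                 "  REDIS_URL: redis://cache:s3cr3tpass@redis.example:6379/0\n",
    "infra/main.tf": 'resource "aws_db_instance" "main" {\n'
                     '  password = "changeme123"\n'
                     '  signing_material = "q7Zp2LmX9vRt4KcYw8BnH3sDf6GjUa1E"\n'
                     "}\n",
    "Dockerfile": "ENV API_KEY=<set-at-runtime>\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(*finding, sep="\t")
```

References such as `${POSTGRES_PASSWORD}` and `os.environ[...]` are deliberately not reported, because they are what the remediated file should look like.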
Attention to DevOps Tools
Delete hardcoded and embedded passwords in DevOps tool settings, build scripts, code files, test builds, production builds, applications, and more.
A best practice is to use a secret server or a credential vault to manage all kinds of secrets, such as passwords and SSH keys. This approach provides an API that gives access to policy-based secrets and eliminates the need to store credentials in unencrypted text in applications/configuration files/services.
Manage hardcoded credentials permanently, such as through API calls, and apply password security best practices. Deleting standard and hardcoded passwords effectively removes dangerous backdoors from your environment.
Create and Use Strong Passwords
Apply password security best practices, including length, complexity, exclusivity, expiration, rotation, and more across all types of passwords.
Credentials, if possible, should never be shared. If a credential is shared, it must be changed immediately. Credentials for more sensitive tools and systems should have more rigorous security parameters, such as single-use passwords and rotation after each use.
Monitor Privileged Sessions
Apply privileged session monitoring to record, audit, and monitor all privileged sessions (for accounts, users, scripts, automation tools, and others) to improve oversight and accountability.
This may also involve capturing keystrokes and screens (allowing live viewing and playback). Some business privilege session management solutions also allow IT teams to identify suspicious session activity in progress and to pause, block, or terminate the session until the activity can be properly assessed.
Manage Third-Party Credentials
Extend credential management to third parties and ensure partners and suppliers are compliant with credential use and management best practices.
Leverage threat analysis to continually analyze the use of credentials to detect anomalies and potential threats. The more integrated and centralized credential management is, the better you can report accounts, key applications, containers, and systems exposed to risk.
Adopt DevSecOps
With the speed and scale of DevOps, it is crucial to create security in the DevOps culture and lifecycle (from the beginning, design, construction, testing, launch, support, and maintenance).
Adopting a DevSecOps culture means that everyone shares responsibility for security, helping to ensure accountability and alignment across teams. In practice, this should imply ensuring that best practices for secret management are in place and that the code does not contain embedded passwords.
Correct credential and secret management policies, supported by effective processes and tools, can make it much easier to manage, transmit and protect secrets and other inside information.
What Are the Next Steps to Manage Hardcoded Passwords?
You are probably wondering why people are still using hardcoded passwords. The main answer is because it is easier to do, and keeps the coding process less complicated.
In addition, hardcoded passwords are made to never be changed; therefore, they become part of the source code. Many developers fear changing them so as not to interrupt different types of operations within the system.
If you take into account that a medium-sized organization may have hundreds or thousands of passwords and other secret data spread across all devices, applications, and systems, you can assume that it is not an easy process to fix hardcoded credentials.
A PAM (Privileged Access Management) solution helps improve application security posture by reducing human error, automating security-related tasks, and improving perception and governance.
As for changing credentials, it is possible to schedule automatic rotation and impose the use of strong and exclusive credentials without the need to intervene manually in all applications that use them.
senhasegura allows the easy removal of passwords and hardcoded credentials from data sources through scripts, application codes, configuration files, and SSH keys via servers. The password vault connects to the main servers and synchronizes the password change with the database. The application, therefore, does not lose connection.
The integrated application can access the senhasegura API at any time and receive the updated password of the resource to be accessed. In this way, this critical data will be inaccessible to all attackers and malicious users.
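How an application can fetch its password from a vault at runtime and keep working across a scheduled rotation, as described here and under "Attention to DevOps Tools", shown as an added example (not senhasegura's API or code from the original article). `FakeVault` and `FakeDatabase` are hypothetical in-memory stand-ins and the passwords are constructed; only `VaultCredential` and `run_query` are the pattern being illustrated.

```python
import time


class AuthError(Exception):
    """Raised by the stand-in database when the password is wrong."""


class FakeDatabase:
    """Hypothetical target system: accepts only its current password."""

    def __init__(self):
        self.password = None

    def query(self, password, sql):
        if password != self.password:
            raise AuthError("authentication failed")
        return "ok: " + sql


class FakeVault:
    """Hypothetical vault: stores the secret and syncs rotations to the target."""

    def __init__(self):
        self._secrets = {}
        self.reads = 0

    def rotate(self, name, new_value, target):
        self._secrets[name] = new_value
        target.password = new_value  # the vault updates the target system too

    def read(self, name):
        self.reads += 1  # in a real vault this call is authenticated and audited
        return self._secrets[name]


class VaultCredential:
    """Holds a secret in memory only, refetching after `ttl` seconds."""

    def __init__(self, vault, name, ttl=300.0, clock=time.monotonic):
        self._vault, self._name, self._ttl, self._clock = vault, name, ttl, clock
        self._value, self._fetched = None, 0.0

    def get(self, force=False):
        now = self._clock()
        if force or self._value is None or now - self._fetched >= self._ttl:
            self._value = self._vault.read(self._name)
            self._fetched = now
        return self._value


def run_query(db, cred, sql):
    """Retry once with a fresh secret if the cached one was rotated away."""
    try:
        return db.query(cred.get(), sql)
    except AuthError:
        # A second failure propagates: it is a real authentication problem.
        return db.query(cred.get(force=True), sql)


def demo():
    db, vault = FakeDatabase(), FakeVault()
    vault.rotate("db/app", "constructed-pw-1", db)
    cred = VaultCredential(vault, "db/app")
    first = run_query(db, cred, "SELECT 1")   # first use: one vault read
    second = run_query(db, cred, "SELECT 1")  # served from the cache
    vault.rotate("db/app", "constructed-pw-2", db)
    third = run_query(db, cred, "SELECT 1")   # stale, refetched, retried
    return first, second, third, vault.reads


if __name__ == "__main__":
    print(demo())
```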
About Senhasegura Senhasegura strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.
The Fire Brigade Zone Rivierenland (Zone Antwerp 2) is one of the 35 Belgian and one of the five Antwerp rescue zones. The zone officially started operating on 1 January 2015 and provides fire and medical assistance (ambulance) in the southwest of the province of Antwerp.
The Fire Brigade Zone Rivierenland comprises 19 municipalities that together represent a population of approximately 420,000. The total surface of the service area covers approximately 570 km². The Zone Rivierenland also borders on other ones like Antwerp, Rand, Kempen, East Flemish Brabant, Flemish Brabant West, East and Waasland.
Which applications are used via Awingu?
The IT department of the Fire Brigade Squad Rivierenland explains which applications are made available through Awingu in a safe way, based on the profile of the user.
ABIFIRE
For many zones ABIFIRE is the centre of daily operations. It contains modules for intervention reports, privacy-related personnel data, construction advice, prevention reports, material management and much more. If this package is not available for technical or security reasons, the operation of the zone practically stops.
For Rivierenland, it was therefore an absolute necessity to secure ABIFIRE even more. For them it was a minimum requirement that they could secure the login procedure with multi-factor authentication. As this is also built into Awingu, this was the first checkbox that could be ticked.
3P
The 3P package is a mandatory tool of the Government in procurement procedures. This application is also made available in the Awingu Virtual Workspace because the 3P licence only works with pre-agreed domain credentials.
BLUEBEAM
As a CAD programme, Bluebeam is a widely used tool within rescue districts to draw or modify plans. At HVZ Rivierenland this application runs on a separate server.
“Before Awingu was brought into use, this program was installed locally on each device. This required a lot of maintenance and follow-up, which can now be done centrally at the server level due to the limited IT team. Also, the performance for those who work remotely through Awingu is optimal with this CAD application. Thanks to Awingu, we were able to tick 2 more boxes.”
HERMES
The old, well-known accounting program is no longer current or in use at the zone. However, there is still a need to be able to access certain data here. As a secure gateway, Awingu strikes the perfect balance here between security and user experience. Also, the impact of the irregular use of Hermes is nil, since the Awingu licenses are based on a concurrent model and not on a named basis. Another thing HVZ Rivierenland could tick off thanks to Awingu!
MERCURIUS
The Mercurius billing software is not only used by HVZ Rivierenland, but also by various local police zones. (Today, more than 60 police zones in Belgium work with Awingu). Within the HVZ, the need arose to build in some extra security. For example, there was no MFA foreseen for the internally hosted, web-based application, making the security risk too high. By putting this application behind Awingu, with MFA and a protocol switch on the Awingu appliance, a direct connection between the end user device and the server backend environment is avoided.
DIV
The DIV of the Flemish Government can now also be accessed directly, whereas previously the IT service had to push an Internet shortcut in each user profile.
REMOTE DESKTOP
To securely access your own servers from the outside, a secure connection is made via Awingu’s remote desktop functionality. In addition, every login and activity can be traced in the Awingu dashboard. Something that has proven to be very useful. This was the case when a certain anti-virus program caused another program to close down promptly. Of course, this also happened to be on a non-managed device belonging to one of the volunteers who work for the zone… Via the track & trace in Awingu, this issue could be detected and resolved fairly quickly, says the IT department as an anecdote.
The effect of Awingu at HVZ Rivierenland
We can conclude that the users are satisfied and the IT team even more so because, compared to the former Citrix use, there has been a strong simplification with Awingu.
“Volunteers who do not use a managed device from the zone, can simply use their own device to access the necessary applications as well as the file share that was integrated after the switch to Awingu. On top of that, nothing needs to be installed on the devices themselves, because Awingu is completely browser-based. This saves our IT admins time for configuration and maintenance, but also significantly reduces the cost for the type of devices.”
The only thing that still needs to be installed is the remote application helper when using a Smartcard (eID).
In terms of security, huge steps have been taken with the introduction of just one tool, Awingu:
MFA is built in for free
All data processed through the browser is encrypted
A complete audit of everything is available
Even screen recording is used in some cases (especially when suppliers need access to the network).
The fact that HVZ East-Flemish Brabant and West-Flemish Brabant have also started working with Awingu, shows that HVZ Rivierenland is not alone and has made the right decision with this future proof solution.
About Awingu Awingu produces a browser-based Unified Workspace solution. It allows users to work and collaborate from virtually anywhere using any device compatible with HTML5 browsers. As a turnkey solution, Awingu offers businesses the ease and convenience of platform-independent mobility and offers everything you need to stay productive: legacy and cloud applications, documents and data. Awingu requires zero configuration and zero client software installation, making IT administration extremely simple.