Passwords are the bane of user and admin existence.

Keeping track of hundreds of passwords is tough, and employees inevitably forget them. When that happens, they’re frustrated that they can’t access the tools they need to do their job, and IT teams waste their precious time on lock-out tickets.

To circumvent this aggravating process, many employees create simple passwords or reuse them, which threatens their employer’s security and puts customer data at risk.

Many IT teams try to mitigate these issues by implementing single sign-on (SSO) or a password manager. But using just one or the other can still put a burden on IT and leave the company vulnerable to breaches. 

What organizations really need is a unified approach to access that will enforce password health while allowing IT to control all target systems and support multiple authentication types. But is that even possible?

Below we’ll review why unmanaged passwords are so risky, describe the pitfalls of standalone SSO, and explain what a new world could look like when SSO and a password manager are implemented together.

The Dangers of Unmanaged Passwords

Unmanaged passwords are often a key component of cyberattacks, which are only getting more prevalent as employees have to remember more and more passwords to complete their day-to-day work. For example, Verizon’s 2022 Data Breach Investigations Report found that stolen login credentials were associated with half of all data breaches — a 30% increase from 2017.

And data breaches aren’t cheap. In 2022, the average cost of a data breach in the US was $9.44M, up from $9.05M last year. Plus, they tarnish a brand’s reputation, leading to further revenue losses.

But password management is expensive even without a breach. The average password reset can cost companies $70. When extrapolated to an entire organization, that adds up quickly.

While IT can send regular reminders to update passwords and educate employees on what makes a strong password, that’s not enough to mitigate risks. And those practices don’t reduce strain on IT either.

A password manager can reduce the chances of a breach and decrease pressure on IT by:

• Enforcing password requirements – to comply with NIST 800-63 guidelines
• Generating strong passwords – to ensure password length and complexity 
• Rotating passwords – to ensure people are updating their passwords frequently
• Syncing across operating systems and devices – to prevent as many lockouts as possible

While password managers certainly help, they still force employees to login into every application individually and, ideally, require additional layers of authentication to protect a user’s master password. 

Resource Access With and Without SSO

Single sign-on, or SSO, is related to password management because it grants access to multiple applications after users provide one set of login credentials. 

Without SSO, users still must remember and type in a username and password for every application they want to connect to. In that situation, you run the risk of employees sharing passwords, keeping sticky notes with their passwords on them, reusing passwords for several different applications, or creating passwords that are extremely easy to guess.

As discussed above, these habits can cause devastating financial and reputational damage. SSO and other Identity-as-a-Service platforms lessen the chances of a breach and decrease IT load by:

• Using Security Assertion Markup Language (SAML) protocol to establish secure connections
• Increasing admin control
• Simplifying onboarding and offboarding
• Preventing shadow IT
• Lowering password fatigue
• Adding in extra authentication like MFA

But SSO doesn’t solve everything — it doesn’t generate passwords, enforce password policies, or rotate passwords like a password manager can.

Benefits of a Password Manager + SSO

Combining the benefits of a password manager and SSO gives you the best of both worlds.

Users no longer have to create hundreds of complex passwords and worry about forgetting them. With a password manager and SSO, you can meet password-based access needs while imposing new authentication practices, including federation and multi-factor authentication (MFA). Adding more security best practices increases the protection of valuable IP and sensitive customer data.

The best joint password manager and SSO solutions store passwords locally on endpoints, making it tougher for hackers to get the data they want. In addition, some come with a relay infrastructure, allowing users to share passwords via end-to-end encrypted communication.

Ultimately, users get access to sites and services quickly, while IT admins can monitor and enforce password health on the back end without slogging through a slew of password reset tickets.

Secure Single Sign-On and Password Management With JumpCloud

The fact of the matter is that no one SSO or password management solution is going to safeguard your company from attacks and dramatically reduce IT’s workload. To truly accomplish those two objectives, you need to unify your tech stack and consolidate your IT tooling. Luckily, that’s what you get with the JumpCloud Directory Platform, which combines SSO and password management into a cloud-based directory.

With JumpCloud’s robust yet easy-to-use platform, IT can lay the foundation for unified access across all users, systems, and authentication types, including MFA. JumpCloud also has a newly released password manager, and its open directory infrastructure streamlines the login process for your employees. IT staff also benefit from having more time and budget to focus on strategic initiatives.

Ready to get started? Try JumpCloud for free, or schedule a demo today.

October is Cybersecurity Awareness Month, and this year’s theme is See Yourself in Cyber, which focuses on the individual’s role in cybersecurity. This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals and MSPs.

When we think of cyberattacks, we tend to envision the biggest and most disastrous ones — ones that involve well-known companies, expose tons of important data, and cause some serious fallout and public mistrust. While these attacks are real and dangerous, they’re not the only ones out there. 

The reality is that cyber attacks affect businesses of all sizes and in all industries. Sometimes, our focus on the big ones can eclipse the less flashy ones that are just as dangerous to small and medium-sized enterprises (SMEs). In fact, a 2021 survey found that over 42% of small business respondents had experienced a cyber attack within the last year.

Mounting a viable defense starts with understanding what you’re up against — and even understanding the basics of common threats and defense measures can go a long way. The following are six of the most common attack vectors that can hit SMEs. 

1. Ransomware 

Because the largest ransomware attacks tend to dominate news cycles, many people don’t realize that ransomware attacks on SMEs are common as well. In fact, 50-70% of ransomware attacks are aimed at small businesses.

What Ransomware Looks Like for SMEs

Ransomware generally follows the same basic principles in attacks of all sizes: adversaries seize and lock a company’s data or assets and promise to return them upon payment of a ransom. For large enterprises, these ransoms can reach into the millions. For SMEs, they are often smaller — ransoms as low as $10,000 are common. While this may sound like a silver lining for SMEs, there’s a darker motive at play: adversaries know SMEs will pay them.  

For established enterprises with decades of built-up resources, six-figure ransoms and the downtime associated with an attack are painful, but not often a death sentence. For SMEs with tighter resources, this isn’t always the case — the downtime and loss of data access alone can be crippling for a tightly-run SME. To adversaries, this means SMEs will fight to get their data back — so they demand a “reasonable” ransom and can expect with near-certainty that the SME will pay it. According to research, more than half of them do. 

The Ramifications

The ramifications of a data breach to your employees, customers, partners, and reputation are grave: a Ponemon study found that 65% of consumers whose data was breached lost trust in the company that experienced the breach. 

What’s more, paying the ransom doesn’t guarantee that your data hasn’t been compromised or shared when under the adversary’s control. Of the 59% of SMEs who said they had paid a ransom in a survey, only 23% got all their data back.

In fact, paying up can endanger your organization further: it tells hackers that you are willing and able to pay ransoms to reclaim your data. And now that they’re familiar with your defenses and architecture, they’ll have an easier time attacking you again. Unfortunately, repeat attacks are highly likely — either from the same criminal organization, or from another organization that the attackers sold your information to. 

2. Supply-Chain Attacks 

Most of us are familiar with supply chain attacks, where an infection starts with a large corporation and spreads as it comes into contact with other businesses through the supply chain. And while we’re likely to hear about supply-chain attacks on large businesses, news sources don’t always report on their trickle-down effects on smaller businesses in the supply chain.

How Supply-Chain Attacks Affect SMEs

In supply-chain attacks, SMEs aren’t usually direct targets, but rather casualties resulting from a larger breach. Thus, large supply-chain attacks have ramifications on many of the target organization’s partners, customers, or vendors. In REvil’s attack on Kaseya’s VSA software, for example, many of those impacted were SMEs that used the product. In another example, the famous SolarWinds breach was originally believed to have affected a few dozen organizations. It actually impacted over 250.

3. Phishing and Its Variants

Some of the most basic and low-effort tactics remain common — and effective — infiltration methods. Phishing remains one of the top three threats SMEs face, even despite increasing organizational awareness around it. 

The reason phishing is still so common is two-fold: 

1. It is effective for adversaries. From the cybercriminal’s point of view, phishing is relatively easy to deploy, and it often yields lucrative results. It takes few resources and minimal skill to launch phishing attacks, and yet they continue to dupe employees into sharing credentials, network access, and other sensitive (and, for cybercriminals, profitable) information and assets. 

2. It preys on human error. Unlike many other attack vectors that leverage vulnerabilities in systems, phishing uses social engineering to take advantage of human nature (and human error) to gain initial entry. It only takes one mistake to allow an attack to take hold — and the average organization has a 37.9% phishing test fail rate.

Targeted Phishing in SMEs

Cybercriminals have refined tactics to mount more targeted and precise attacks with different types of phishing. Spear-phishing, for example, involves background research to convincingly target individuals rather than bulk-sending a list to a group of recipients. This personalization and specific targeting makes spear-phishing attempts harder to spot — like the popular scam that involves posing as the target’s boss in a text or email. These messages often use conversational language and use the names of the target and the boss, which can make them quite convincing. 

Some adversaries take this type of attack a step further with whaling, which uses spear-phishing tactics to target company executives. Because executives have extensive access to systems and data, whaling is particularly popular — especially with SMEs, where scarce resources could hamper their ability to adequately train leaders on security and phishing awareness and best practices. 

4. Software Vulnerability Exploits 

Leveraging software vulnerabilities is a common way to gain access into an organization’s systems. Often, exploited vulnerabilities are known and even have patches available. In fact, many of the top exploited vulnerabilities were found years ago — for example, a Microsoft Office vulnerability found in 2017 continues to plague businesses that haven’t kept up with their patches. In a Ponemon survey, 60% of respondents who had experienced a breach said it could have occurred through a known vulnerability that had a patch available, but the organization hadn’t applied it. 

Why SMEs Are Vulnerable

Routine patching is a critical basic cyber hygiene activity, and it is highly effective at blocking this type of attack. However, large-scale organizations are more likely to have formal patch management solutions in place than SMEs, which can make SMEs an easier target. In a 2022 JumpCloud survey, only about half of SME respondents said they were confident that their organization’s patch management strategy was sufficient to protect against known vulnerabilities. 

5. Account Takeover

As businesses move to the cloud and dispersed infrastructure becomes the norm, identity has increasingly come to define the new perimeter. Because identity permeates every element of the infrastructure, it has become a common infiltration point. In fact, the number of password-stealing attacks on SMEs around the world increased by almost 25% from 2021 to 2022, and nearly 80% of attacks leverage identity to compromise credentials. 

How ATO Attacks Work

In account takeover (ATO) attacks, adversaries gain access to the network by taking over a user’s account. Account access can be gained through various means, including password-stealing ware, social engineering, and using (often, by purchasing) the credentials of already-breached accounts. Once the adversary has taken over the account, they can access resources and move around the network under the guise of a legitimate user. This makes account takeovers difficult to detect. 

6. Advanced Persistent Threats

SMEs that work with large enterprises may be more susceptible to advanced persistent threats (APTs), which are sophisticated attacks carried out stealthily over an extended period of time. APTs typically consist of infiltration, lateral movement toward targeted data or assets, and exfiltration. APTs can start from any ingress point, and can enter through methods as simple as a phishing attack or stolen password.

For example, an adversary could gain the credentials of an employee with base-level permissions through a phishing scam, then take over the account to analyze the network and gather permissions, access and store the target data, and finally exfiltrate it to sell for profit.

APTs are harder to detect in sprawled IT environments, which are common in SMEs that have grown quickly. IT sprawl limits the ability to fully carry telemetry data from one element to another, which makes infiltration and lateral movement hard to detect. 

Shoring Up SME Security 

Because cybersecurity attacks on SME attacks don’t always make headlines, SMEs often underestimate their vulnerability and underinvest in security. However, adversaries have something to gain from just about any business; SMEs face many of the same threats that enterprises do. 

The attacks above are some of the most common, but SMEs face a multitude of threats via many different vectors. And while it’s impossible for anyone to achieve 100% immunity from threats, it’s possible for SMEs to develop a strong, reliable security program that deflects most attacks. 

This morning, like many before it, I woke up and thought, “Today is the day I come up with some  magical blog post idea that changes someone’s world!” I showered, threw on my Global Panini attire and a pair of Uggs slippers, cooked up an omelet, and made a pourover (my new obsession).

I plodded downstairs to the office and fired up the computer. I opened a new document, raised my hands to the keyboard and — nothing. Complete brain freeze. 

It’s hard to be amazing week after week. I know you feel this too. You have IT projects that are stacked up. Your boss is on you week after week to make their world more secure without adding friction for the users. Or your MSP is feeling stagnant and you need to come up with some new services to offer — or figure out how to offer your current services in a different way.

The week over week of having to be “on” all the time…it diminishes your ability to be creative after a while. Problem-solving becomes what keeps you from getting out of bed each morning instead of driving you to be 1% better every day. I get that. I hear you loud and clear.

The Block is Real

This creativity block thing is real. Very real. And if you were just doing IT for the fun of it — creating a playspace for yourself — you wouldn’t have to worry. But, folks, this IT thing is what you get paid to do. You can’t just say, “too bad, so sad” and head off to the zoo, y’know? 

Over here in the MacAdmins community, we have a great Slack instance where people are doing amazing things and being really creative. You go there, looking for something – a solution, some inspiration, a new job – but you’re still left uninspired. And you wonder why. Could be burnout. Could be general tiredness. Could be something else – let’s explore.

Brainstorming

At a recent standup (yes I now speak the language Agiletongue) I asked for a lift from my brilliant and creative teammates. Ideas, people, I needed ideas! It didn’t matter how outrageous they were. In fact, the more outrageous, the better. Anything is a springboard. As we’ve talked about previously, brainstorming requires a plethora of input and little to no judgment. 

And as a response to my request I got….nuthin. No ideas. Not a one. I wonder if it’s just the heat of this unbelievably hot summer cooking our brains or if people are just plumb wore out from current events. No clue, but nobody had any ideas for me. 

The next day, though, someone pinged me with an idea. “What about recipes?” they  said. “It’ll be fun,” they said.

I work for a tech company. Our product does (amongst other incredible things) device and identity management. IT stack centralization. MDM and security management. Automation. With my IT background, I hear the word “recipe” my brain goes to GitHub and shell scripts and munki and other IT management types of things. But, alas, that is not what they meant.

They meant real recipes. Food recipes. Don’t get me wrong, I like food. It’s an important part of my day to day life. But, hmmm…was this a weird ploy to turn this into a happy homemaker column? I was both confused and a little offended but I stuck with the discussion knowing that I’d find out if I just let them talk. 

How Does That Fit Into Tech?

Little by little the discussion started to make sense. 

Us admins are under a lot of pressure to be perfect all the time. For many (if not all) of us, one mistake can cost our companies their reputation (not to mention financial and productivity loss). In some cases, if a mistake is big enough, it could cost our jobs or our client. So if you weren’t feeling stressed before you started reading this, you probably are now. Sorry!

One way to get past the stress is to get up from your chair, step away from your desk, and get active doing something that is not related to tech (if stepping away won’t get you in trouble, that is).

Thinking about other things is a great way to open channels that allow you to come up with solutions. We’ve all experienced this — our best ideas come in the middle of the night; or the middle of a shower. 

Points to anyone who, by now, has accurately predicted where this is going.

A Story and a Treat

Growing up in my house meant that there was a plethora of home-baked goods. I don’t mean, a few store-bought cookies. I mean my mother baked. Daily. And there were always people over who didn’t live in this house.

The counter always had a few different kinds of cookies, a cake, maybe brownies, and on special occasions there were eclairs in the fridge. There were always bowls and beaters waiting to be licked clean and getting to the frosting bowl first meant you had to hide behind a locked door, lest someone steal it right out of your hands.

But one particular tradition we had was that on our birthday we got to choose our favorite dinner and our favorite cake. Mom wasn’t the best cook (I won’t say food was overcooked and dry and we’re probably lucky we didn’t all get food poisoning regularly, but…oh, I guess I will say it), but she could definitely bake.

So my choice was always spaghetti with meatballs (safe and really hard to mess up) and mom’s chocolate banana layer cake. I used to call it my migraine cake because every time I’d eat it I would end up with a migraine. Also, it was worth it every single time. I don’t do that anymore because now I know that my post-cake morbidity was due to celiac — but I can still taste it in my memory.

Here It Is

And, so, it is with a full heart and a now-hungry tummy that I gift you this recipe. Posting it here serves two purposes: 

• Getting up and doing something completely different from your work frees up your brain and refreshes your spirit.
• Eating something delicious can reduce your stress level. Even if it’s not a healthy option, a treat is good for the soul.

The recipe card (mom retyped every one of her recipes onto an index card with our Selectric typewriter that only had an all-caps ball) is well-worn. It has food stains all over it. It may have even gotten a bit too close to the heat. But it’s still here and someday it will be passed down to someone in the family. 

Chocolate Banana Cake 

Serves: 16 

Baking time: 30-35 minutes

Notes: This cake is best when frosted between layers and on the outside with a buttercream frosting.

Ingredients:

• 2 ¼ cups sifted flour
• 1 tsp baking powder
• ¾ tsp baking soda
• 1 tsp salt
• 1 tsp vanilla extract
• ½ cup sour milk
• ⅔ cup shortening (may substitute butter or margarine)
• 1 ½ cup sugar
• 2 eggs
• 2 ounce Bakers chocolate
• 1 cup mashed ripe bananas

Directions:

1. Preheat oven to 350º Fahrenheit.
2. Sift together flour, baking powder, baking soda, and salt.
3. Cream shortening together with the sugar until fluffy. 
4. Add eggs, one at a time, beating after each addition to shortening mixture.
5. Mix chocolate in with egg and shortening. Stir in vanilla extract.
6. Add the dry ingredients, alternating with the banana and milk in small amounts.
7. Turn into two 9-inch greased pans.
8. Bake for 30–35 minutes or until a toothpick inserted into cakes comes out clean.
9. Let the cake cool completely before removing from pans and frosting.

Nutrition Information*: 1 slice (1/16th of the cake) contains 241 Calories, 11.1g Total Fat, 4g Saturated Fat, 21mg Cholesterol, 220mg Sodium, 355.5g Total Carbohydrates, 1.4g Dietary Fiber, 20.3g Total Sugars, 3.2g Protein

*Note that this does not include the nutrition facts of the buttercream frosting

Let us know if this helped reduce your stress by baking it or by eating it. Or both! Join us in the community and tell us your favorite recipe for freeing up your IT brain.

As businesses continue returning to the office, more and more MSPs are being pressed to ensure that employees are able to return with minimal pain. Wi-Fi connectivity is often the very first issue that users will run into in a new office setting, so MSPs are finding that they must revisit how they handle the security of the wireless networks that they manage. 

Common Wi-Fi Security Vulnerabilities

It’s very likely that your customers have their Wi-Fi set up with a guest network for visitors to use and a pre-shared key that employees are given on the first day of their employment. However, this authentication method is only marginally better than having no password at all and is very dangerous if the Wi-Fi provides access to domain-associated resources. 

Addressing Connection Concerns

Being that your customers’ Wi-Fi keys are likely older than COVID-19, there has never been a better time to switch to a tried and tested solution: RADIUS. With RADIUS configured, network authentication takes place against a directory that has been configured to allow a user’s existing login credentials (username and password) to grant and revoke access to network resources. 

RADIUS adds a much needed layer of security between users and a Wi-Fi network, while also bringing added convenience to your customers’ wireless networks. While RADIUS comes with a plethora of benefits, implementation can feel intimidating — but, it doesn’t have to be!

Using JumpCloud’s Cloud RADIUS Feature

In order to set up RADIUS for a client, you will need a directory to use as the source of truth for user authentication, and JumpCloud has the perfect solution for you. Here at JumpCloud, we leverage our powerful open directory platform to offer a high-quality, easy-to-use Cloud RADIUS solution that our customers love, giving them cloud-directory-fueled authentication and MFA to keep their networks secure and efficient. 

1. Utilizing the Full Functionality of JumpCloud Alone

In addition to its Cloud RADIUS feature, implementing JumpCloud’sopen directory platform opens the door to a variety of other important features such as SSO, MDM, software deployment, and policies to help manage your users and endpoints. 

In effect, with JumpCloud, you will not only be able to address your clients’ immediate network security and user experience needs, but you’ll also be able to position your services in a new way. You’ll be able to offer current and potential customers a more forward-facing and expansive service using all of JumpCloud’s capabilities — including helping clients consolidate their technology stack or adding much needed features into their IT infrastructure.

Now, I know what you’re thinking: “That’s great, but I am not in a position to migrate directory services. I simply want to deploy RADIUS to improve Wi-Fi and VPN authentication, and I already have customers using Azure Active Directory (AAD).”

Well, I have some good news for you: you can leverage your existing Azure AD environments in harmony with JumpCloud thanks to our new feature: RADIUS Authentication with Azure AD Credentials.

2. Using JumpCloud’s RADIUS Feature With Azure AD

Surprisingly (or maybe ironically?) enough, the implementation of RADIUS with Azure AD is reliant upon on-prem resources, with physical servers needing to be allocated to perform the required tasks. JumpCloud is a strong proponent of equipping MSPs and IT professionals with world-class tools to get their jobs done effectively, which means we focus on creating solutions for problems like this.

This means that we’ve made it so you can leverage JumpCloud’s Cloud RADIUS feature while maintaining Azure AD as the source of truth for your directory needs, effectively giving you the best of both worlds, with no on-prem setup necessary. This means that your customers can enjoy secure networks while improving ease of access to networks among their credentialed employees. On that same note, what this means for you, is that you now have a cloud-based RADIUS solution that can be implemented for any of your customers without gutting their existing directories.

Getting Started With Cloud RADIUS

Here are some guides to help you begin launching Cloud RADIUS across your MSP business and your clients’ orgs.

• JumpCloud’s Cloud RADIUS Overview
• RADIUS Configuration and Authentication (AzureAD)
• Configuring a Wireless Access Point (WAP), VPN, or Router for JumpCloud’s RADIUS

Cloud RADIUS Benefits

Check out some of the benefits that JumpCloud’s RADIUS solution will give to your clients:

• Improved user experience that only requires a single, unique password to connect to networks and resources to get work done both in the office and remotely via a VPN.
• Streamlined user onboarding and offboarding due to the activation or deactivation of a single set of secure credentials compared to many different usernames and passwords.
• Fewer help desk tickets related to the pain associated with changing a PSK (pre-shared key) for a Wi-Fi network.
• Simplified compliance that’s easier to prove by getting rid of a shared network password that anyone can get ahold of.
• Easier network access for your techs. They’ll no longer be scrambling to figure out Wi-Fi passwords when performing site visits (this will also drastically lower the chance of a tech needing to huddle to one corner of a closet to get the single bar of LTE signal available for their hotspot to connect to your documentation service to find the Wi-Fi password. Definitely not speaking from personal experience. Sidenote: Why did they stop putting a network port on laptops?).

Ultimately, the largest benefit of having Cloud RADIUS from JumpCloud implemented is that you now have a solution that can be easily replicated across your entire customer base. Whether you’re working with a company that has never touched a directory service before (which JumpCloud can easily help with), or a customer that has been holding onto that 12 year-old server for dear life, JumpCloud is here to help you modernize your customers’ infrastructure. 

With Cloud RADIUS, your service offerings around network management can fully revolve around a single authentication standard, your hardware vendor of choice, and a unified support approach that will delight your customers. 

JumpCloud for MSPs

At JumpCloud, we are serious about setting MSPs up for success when working with in-office, hybrid, and fully remote clients. To do this, we have developed a dedicated platform for MSPs, called JumpCloud for MSPs. 

JumpCloud for MSPs is an open directory platform that enables our partners to centralize identity, authentication, access, and device management capabilities under one umbrella without having to tear and replace any existing infrastructure.