Latest News

Does your company force a password change every couple of months? You may be surprised to hear that the latest password guidance from the National Cyber Security Centre (a part of GCHQ) is to avoid this practice. In fact, this isn't even new: they published this password advice in 2015!

Forcing users to change a password too often usually leads to one of two things. Either they choose something that is hard to remember, using a mix of capital and lower-case letters, numbers and punctuation, but usually quite short, because a longer string takes more effort to memorise and to type in.

Or they might use a password that is easy to remember and just change a number at the end of their password string. Maybe they will do something a little more complicated, but it is extremely common for subsequent passwords to be very similar.

The first case is very inconvenient for users, and they may end up having to reset passwords regularly, which often pushes them into the second scenario. Why is this an issue? If an attacker gets hold of one password, it won't take them long to work out minor changes, or even complicated ones, if the base word stays the same. These passwords are also usually relatively short: users are still forced to add numbers, punctuation and both upper- and lower-case characters, so they keep them short and easy to remember.

Short passwords can be brute forced in a relatively short amount of time, even by an average home computer. For example, the random 8-character password “+Df?x7;@” would take about 12 days to brute force normally. However, if the attacker has access to a botnet, this could be reduced to 4 hours or less. It is hard for a human to remember, but really easy for a computer to figure out.

The current recommendation is to use a password made up of 3 or 4 random words that have nothing to do with you. For example, “AngryCarrotWhispersAlone” would take more than 160,000 years to brute force, as it is 24 characters long, yet it is easy to remember. It helps to pick something random that conjures strong imagery in your head to aid memory. You don’t want to have to write it down anywhere to remember it!

Quick tips:

  • Use a different password for every site. If one site gets compromised, you don’t want hackers to be able to use your password to log into other sites.
  • If you speak more than one language, you could include an uncommon word from a different language. If not, you could use a colloquialism or the name of a really obscure celebrity. This is all just to add another layer of protection against hackers who could use lists of common words to try and speed up the hacking.
  • It can be hard to think of something completely random. Try using a random word generator like https://www.textfixer.com/tools/random-words.php to get some ideas. After generating words a few times, I came up with “FrozenArcaneParachuteShipment” and “ShotgunHoneybeeMohawk”.
  • Check how strong your password is using Kaspersky’s strength checker. It even tells you how long it would take to brute force your password. https://password.kaspersky.com/
  • If possible, use two-factor authentication, password managers, completely random long strings of varying characters and ignore most of what I’ve said so far. Those methods are a lot more secure. This is just advice for if these are not available and you have to remember passwords.
  • Your password might already be compromised. Click here to read about a massive data breach from earlier this year, including a way to check to see if you've been compromised!
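The strength comparison above, and the tip about uncommon words, come down to how many guesses an attacker needs. The added example below (not part of the original article) estimates that in bits of entropy for both schemes; the 95-symbol printable alphabet, the 20,000-word dictionary and the 10 billion guesses per second rate are assumptions chosen for illustration, not figures from the article.

```python
import math

PRINTABLE_ASCII = 95          # assumed alphabet for a random character password
ASSUMED_WORDLIST = 20_000     # assumed size of a common-words dictionary
GUESSES_PER_SECOND = 1e10     # assumed attacker rate, constructed for illustration


def entropy_bits_chars(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def entropy_bits_words(words: int, wordlist_size: int = ASSUMED_WORDLIST) -> float:
    """Entropy when the attacker knows the scheme and the wordlist used."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a keyspace of 2**bits."""
    return (2 ** bits / rate) / (365.25 * 24 * 3600)


def compare(passphrase_words: int, passphrase_length: int,
            short_length: int = 8) -> dict:
    """Contrast a short random password with a word-based passphrase.

    The passphrase is scored twice: as the attacker would see it if they
    only knew its length (random letters), and as they would see it if
    they knew it was built from dictionary words (the realistic case).
    """
    letters_only = 52  # upper- and lower-case letters, as in the article's example
    return {
        "short_random_bits": entropy_bits_chars(short_length),
        "passphrase_as_letters_bits": entropy_bits_chars(passphrase_length, letters_only),
        "passphrase_as_words_bits": entropy_bits_words(passphrase_words),
        "short_random_years": years_to_exhaust(entropy_bits_chars(short_length)),
        "passphrase_as_words_years": years_to_exhaust(entropy_bits_words(passphrase_words)),
    }


if __name__ == "__main__":
    # "AngryCarrotWhispersAlone": 4 words, 24 letters
    for key, value in compare(4, 24).items():
        print(f"{key:>28}: {value:,.1f}")
```

The point the numbers make: four words from a 20,000-word list still beat an 8-character random string, but only by a few bits once the attacker knows the scheme, which is why an uncommon or foreign word (not on the attacker's list) adds real protection.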


Data encryption key

You wouldn’t trust a stranger with the keys to your house, so why would you trust them with the keys to your data?

Here at VSL, we thrive on creating great business relationships and we want to be as helpful as we can to all of our customers. However, one question we get asked every now and again is, “I’ve lost my encryption key. Can you send a new one?”

The thing is, we don’t hold on to any of the encryption keys. Coupled with our AES-256 encryption, this gives you the strongest possible data protection. For example, in the unlikely event of a data breach on our side, an attacker would not find the key stored alongside the data, so it would not be feasible for them to simply unscramble it.

This is the same principle behind why we don’t keep the password to your account. It follows VSL’s best practices and also helps you to comply with data protection laws such as the GDPR.

Of course, we understand that an encryption key can sometimes be misplaced. This is why we always prompt users to record a copy of the key at the moment it is generated.

How else do we keep your data safe?

All data that we back up in the cloud is stored in ISO 27001 accredited data centres, which means they are reliable and secure, and not just for the time being either! ISO 27001 shows that the data centres are constantly reviewing and updating their systems to stay one step ahead of new threats and the latest business developments.

It’s also worth mentioning that all data is kept in award-winning UK and US data centres and doesn’t leave the country of origin. If your data originates in the UK, then you can be sure that’s where it will stay. This gives you the peace of mind that all data is going to be processed via all the applicable laws and regulations, along with our best practices.

Click here to read more about Datahive and its security features.

To answer this question we need to take a look at what Dropbox and other online storage services, such as Google Drive and OneDrive, are actually designed for. The main purpose of these services is to have quick access to files wherever you are and also easily share files, be it to co-workers or your friends and family.

We use these services here at VSL, making use of Dropbox and Microsoft Teams for collaboration on our general day-to-day tasks, such as sharing files in online meetings. However, there are a few reasons why they aren’t the best solution for backing up your data.


Priorities

At the top of our list is security. With cybercrime forecast to cause trillions of pounds' worth of damage to companies worldwide by 2021, it is incredibly important to have your data, firstly, backed up and, secondly, secure. One of the primary focuses for data backup services like Datahive is safeguarding all client data. The data you upload and store on Dropbox is not encrypted on the client side (that’s your side!) unless you have encrypted it before uploading. Yes, it is encrypted on their end, so if hackers manage to get into their servers the data should still be protected. However, if they get access to your account, then all of your files are there for them to see, completely unprotected.

If you were to use Datahive, for example, as your data backup service, the data would be encrypted before you send it off, generating an encryption key that only you will have access to. Some backup providers keep hold of these and say it is in case you forget. We think this is a potential security risk and think you’d be much better off being the only person with access to this key.


Efficiency

Another reason Dropbox may not be the best solution is that it requires regular input from the user: making sure you’re adding files to the correct folder so they stay synced, or even uploading them directly. With online backup services, you can select every folder on your computer should you wish to, be it your documents, photos, videos or even your desktop. Set it once and then leave it to back up automatically in the background with no further input. Don’t give yourself extra tasks to do! You’re busy enough as it is!


Conclusion

Overall, Dropbox is great for storing non-sensitive files and quickly sharing files with colleagues, but it shouldn’t be used by itself when considering options for backing data up to the cloud. In fact, should you still wish to use Dropbox, you can do what we do and select the sync folder to be backed up automatically with Datahive too, so you should never lose a file again!

Globally, data centres hold over 1,500 exabytes of data. That’s 1,500,000 petabytes, 1,500,000,000 terabytes, or 1,500,000,000,000 gigabytes. To put that into perspective, the average computer hard drive is around 1 terabyte these days, so it’s roughly equivalent to 1.5 billion computers' worth of data.

That’s a lot of data to keep protected, so how do they go about ensuring that it is all secure? Well for starters, not all of them do. The most secure data centres are ISO 27001 certified. This accreditation is a sign that their Information Security Management Systems (ISMS) are in line with the highest standards and it covers all legal, physical and technical control risk management.

Without going too much into the finer details in this blog post, ISO 27001 covers all of the following in 12 main headings:

  1. Risk assessment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resources security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance

In terms of physical safety, all ISO 27001 data centres have manned security checkpoints and are externally patrolled 24/7. Sensitive areas of the data centres are completely isolated, requiring both card and fingerprint scans before authorised personnel are allowed entry. It might sound like I’m describing a building from Mission Impossible, but I don’t think even Ethan Hunt could break in here!

On top of the security equipment and personnel, the data also needs to be kept safe from other factors, such as power cuts. To combat this, the centres also have automatic power failover and full equipment failover, meaning power and servers, etc. are switched over to backup systems in the case of any faults.

To reduce the risk of fires, oxygen levels are kept between 12% and 15% to ensure the environment is still breathable for humans, but fires don’t have enough oxygen to propagate. Coupling this with VESDA early warning smoke detection, risk from fire damage is greatly reduced. But still, what if there is a catastrophic event and the data gets destroyed here? Well, not to worry, as all data is backed up separately in case of damage or hard drive faults.

So, that’s the physical protection dealt with. What about the cyber protection? Obviously it wouldn’t be the best idea to share all of the security details here, as that would give hackers specific things to aim for. However, we can say that the scope includes corporate policies and practices, IP network information security, anti-virus software and continued monitoring. One example is ensuring software and firmware are always updated to the latest version.

For more information, check out Datahive and Veeam to see how we can securely back up your data.

It’s probably a good time to change your password.

Hacked

In January 2019, hackers leaked and distributed a list of nearly 773 million unique email addresses and 22 million unique passwords in a folder labelled “Collection #1” on MEGA, a popular cloud hosting service.

These details can be used for credential stuffing, which is an automated process that tests these stolen credentials across multiple different websites, such as social media accounts or marketplaces like eBay or Amazon. Once a hacker gains access to an account they take as much information as they can, be it personally identifiable information, private documents, images, videos or debit/credit card numbers.

Although this isn’t the biggest online data breach in history (that title currently sits with Yahoo at 3 billion user accounts), it is certainly hugely significant, containing over 87GB of personal information. The collection amalgamates details from several data breaches since 2008 into one big folder, so the credentials could have come from any one of hundreds of websites.

You can check on Have I Been Pwned to see if your email address is included in this breach, or in any of the others recorded over the years the site has been running. “Have I Been Pwned” is a site run by security expert Troy Hunt. It doesn’t store any data you enter, so don’t worry if you have any concerns over the security of this site.

According to Troy, over 82% of the email addresses had been seen in previous breaches. 18% is still around 140 million new addresses, so if you’ve checked before, it’s probably worth checking again!

You can also use it to see if your password has been leaked anywhere, even if it isn't linked to your account. It even had some of my old passwords on there, although thankfully I had the sense to change my passwords on anything with sensitive information years ago. I also tested this with the password "Hell0!" and received this result:
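The password check described above relies on Have I Been Pwned's published Pwned Passwords k-anonymity scheme: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash to the `range` endpoint, which returns every known hash suffix with that prefix and its breach count, so the full password or hash never leaves your machine. The added example below (not code from the article or from Have I Been Pwned) implements the client side of that check against a constructed, offline stand-in for the server response; the sample leaked passwords and their counts are made up for illustration.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample of "leaked" passwords and how often each was seen.
# In the real service these counts come from the breach corpus, not from us.
CONSTRUCTED_LEAKED = {
    "Hell0!": 3,
    "password1": 2_000_000,
    "qwerty123": 350_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix): the 5 chars sent to the server and the 35 kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Emits 'SUFFIX:COUNT' lines for every constructed hash sharing `prefix`,
    exactly the shape the live endpoint returns.
    """
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Map each returned suffix to its breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Number of times `password` appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)
```

To query the live service, replace `constructed_range_lookup` with a function that fetches the URL named in its docstring; the only value it needs to send is the five-character prefix.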


So, what should you do if your account has been compromised?

The best thing to do is to change the passwords for all your accounts across the net. Also, make sure it isn’t one you’ve used anywhere else before and don’t use the same passwords across different accounts, even if it’s a strong one. If one password gets leaked, then the hackers could access all your accounts.

We recommend using a password manager to keep track of multiple, difficult to remember passwords. Dashlane and 1Password are great paid examples with lots of features, but there are also free alternatives such as LogMeOnce (if you can cope with how horrible their whole website is!)

Of course it’s always best to have all your business data backed up in case of data loss. Credential stuffing isn’t the only way people are getting into your accounts and of course hackers aren’t the only threat to your data. Check out Datahive Cloud Backup for more information on how we can help with data disaster recovery.

Cyber threats on the rise!

Protecting yourself and your company online is an increasingly important task in today's day and age. To make it tougher, the requirements for online security are ever changing.

There will always be plenty of advice available on how to protect yourself, and it can be a minefield. We hope this email makes things a little easier to digest.


About Us

VSL Net is a division of Lane Telecommunications Inc. VSL is an experienced, ISO 9001 accredited Cloud services provider offering innovative backup and email business solutions, supported by traditional service to a loyal direct customer base and a large reseller channel.

VSL Net is an ISO 9001 accredited company. Since our certification in 2013, the standard has provided the tools and guidance for us to implement a structure that has enhanced our quality management. Through continual monitoring across all operations and measurement against predefined standards, we have consistently exceeded our published service level agreements.

The primary beneficiaries of this consistency have been our customers, who have come to expect and enjoy the high standards we set ourselves and are not surprised when we exceed their expectations.
