How to Build a Leadership of Champions

We use the label “leader” to describe a lot of people in our world: politicians, athletes, CEOs and spiritual figures. We give the title without any real thought to the true meaning of the word. What does it take to make a great leader? I think we have an answer to this question when we look at Mark Dantonio, the coach of the Michigan State Spartans football team.

I attended MSU in the early ’80s. From that time forward, I got used to rooting for a team that wasn’t very good. Every once in a while, they would pull out a win, ruin someone else’s bowl chances and amaze their fans. But most of the time, well, they lost. It was something we just got used to. Until Mark Dantonio.

Here is a man who believes in his players. Who empowers them to believe in themselves. He lets them take chances, like faking a punt, knowing full well that they might fail. And when they fail, they learn from it.

At the end of the 2012 season team banquet, Coach Dantonio told the group “you will be the ones.” He knew it then; he believed in them then. He even went to Pasadena in May of last year and created a video telling the team it was where they were going. He believed back then that his team would be going to the Rose Bowl.

When interviewed by ESPN, Coach Dantonio said:

“I felt like they were destined for greatness, but we’ve got to do the work. It’s not our God-given ability. It’s an attitude and a culture. What separated last year’s team from this year’s team, quite honestly, were inches. We’re just finding the inches this year.”

There’s so much in that message. You don’t see blame, anger or frustration. You see determination, commitment and belief.

As I watched the Spartans win the Rose Bowl I was moved by this man, this quiet leader. Because there is so much we can learn from him.

Expectations Are Mandatory

There is no doubt that Coach Dantonio had very clear and specific expectations of his players. He built a leadership team around him that understood these expectations and agreed with them. Everyone was working in the same direction. And because he had expectations of the players, they had expectations of themselves.

So many times an organizational leader will become disillusioned and frustrated with his people. When you look closely you see that it’s because he isn’t communicating his expectations in a clear and consistent manner. There’s no foundation of belief behind those expectations. So, people go through the motions and everyone ends up dissatisfied.

Communicate Consistently

It’s not enough to know where you want to go and what you expect of others. You have to communicate those things clearly and often. A leader doesn’t just expect everyone to know these things. A leader understands that it is their responsibility to say it out loud - a lot. The consistency of messaging is the way you ensure that others know you are serious and that you mean what you say.

I see so many business owners who don’t communicate. Then when their staff isn’t performing up to expectations they get mad. “They should know” is what I hear all the time. Well, guess what - they don’t.

However, when a leader is reinforcing a vision, expectations, beliefs over and over again, people believe them. They see that the leader means what she says. They make the commitment to come along at that point.

Take a Chance

Good leaders empower their people to take chances and make decisions that might not work out. They realize this is the way most people learn and that most mistakes aren’t life threatening. When you let someone try something and fail, you are telling them in big, bold letters that you believe in them. You know they want to succeed and will learn from their experiences.

It all starts with the leader. This individual has to get it right in their own head. They have to like their “players” and believe in them. I think it starts with believing that the employee/player wants to be successful. When you start with that premise, everything you do is built around it and your attitude is more positive and constructive.

Believe that your players are going to win the Rose Bowl. Empower them to excel, try things and learn. Communicate on a regular basis about where you see the organization going, what their role is and how everything is going. Honest and open dialogue does wonders for the strength of an organization.

If you want people to follow you - believe that they are going to be successful in the journey.




GoDaddy and Microsoft Announce One-Stop Email and Office Apps

If you are a GoDaddy customer, you now can sign up for a special version of Microsoft email and office software such as documents and spreadsheets; have everything available for online and offline use; and have one company to call if you need support. Oh, and you can get consolidated billing instead of bills from both companies - and set it up without having to deal with technical issues such as looking up MX records.

It’s part of a strategic partnership announced today by GoDaddy and Microsoft, for the small business market.  By partnering together, the two companies say they’ve made it seamless for the business owner or manager.  You do not need an IT administrator and you don’t need to jump back and forth from one provider to another. 

A “Unique” Email and Office Apps Offering

The new offering, according to GoDaddy senior vice president Steven Aldrich, is a unique version of Microsoft’s Office 365.  It is not available in the special configurations anywhere else but GoDaddy, and is designed to meet the unique needs of small businesses. Also, the consolidated setup, billing and support reduces complexity over other solutions on the market today, he says.

Three tiers of the Office 365 offering are available.  The lowest tier, which starts at $3.99 per user per month (i.e., less than $50 per year for one person), is just for email, calendar and contacts.  Two higher tiers layer on added email storage, cloud file storage using Microsoft SkyDrive Pro, Lync video conferencing, online versions of office apps such as Microsoft Excel and PowerPoint, and even desktop versions of Microsoft Office for Macs and PCs.  The mid-tier is $8.99 per user, and the highest tier is $12.49 per user, monthly.

GoDaddy, which today has 12 million customers across the globe, worked with Microsoft to tailor the offering with micro-businesses in mind - those with 5 employees and under.  However, according to Aldrich, you’re not limited to five.  You can opt for as many as 25 users under each service tier.  And if your organization has some users who need higher tier levels than others (say, some need full office apps but others only need email), you can mix and match to add up to 75 users total, 25 per tier.

All email addresses will have your business’s own custom domain name associated with them - such as sarah@mycompanydomain.com.

John Case, corporate vice president of Microsoft Office, noted that Office 365 is “the fastest-growing Microsoft product in history.”  Office 365 is the cloud equivalent of Microsoft’s famous desktop Office software.

The special Office 365 offering by GoDaddy is currently available in the United States and Canada. It will be rolled out globally in the next 3 months.

Overall, Aldrich says, GoDaddy wants to make “the business of doing business easy” on you.   He added, “If you went to buy email from another company, you’d need to know your MX records, and other technical information. You’d have to look details up in one control panel.  Then you would have to enter that information into another setup panel on the email site. If you pick our Email Essentials offering, you just enter your username and password and click the set-up button.  GoDaddy and Microsoft have done the work to make it all happen seamlessly.”  

He also pointed out that the Office 365 offering by GoDaddy features streamlined admin panels (example pictured below) designed for the small business person, not an IT administrator.

Image: Office 365 GoDaddy admin panel

Existing Workspace Customers Still Supported

GoDaddy customers who use the company’s existing Workspace email offering will be able to use that service indefinitely.  GoDaddy will continue to support it.  Eventually GoDaddy plans to phase it out, although no date has been set.  Says Aldrich, “We will take the time to plan an orderly migration at some future point, but we haven’t even started that planning process yet.”

GoDaddy for the past two years has been working on a product strategy that goes well beyond providing domain names, what the company was originally known for.

The Microsoft arrangement is the culmination of product design activities and partnership explorations that started over a year ago.  Says GoDaddy’s Aldrich, “We talked with existing GoDaddy customers, as well as small businesses that do not use GoDaddy today.  We discovered three needs. Small businesses wanted email and apps to be available both online and offline. The offerings needed to be a product line small businesses were already familiar with.  And the solutions needed to be easy to implement.”

Aldrich added that GoDaddy looked at various email and office offerings on the market.  It negotiated with Microsoft because the Redmond, Wash. company’s product offered the best fit, and the two tailored it even further.  GoDaddy says it will be responsible for providing 24/7 support via its 2,500 customer care agents. They are located domestically in Arizona and Iowa.  There’s also a customer care center in India to serve the Indian market.

Image credits: GoDaddy



Advantages and Disadvantages of Comment Plugins

If you run a small business blog, one of the most important areas is the comment section. Interaction and audience participation play a big role in the success of your blog, through direct comments as well as social media sharing.

But should you switch from your blog’s native comment platform to a third-party plugin system?

Popular third-party comment hosting services like Disqus and Livefyre come with a lot of additional features. They vary from platform to platform, but some of the most common features include:

  • Real-time commenting systems that show both posted and updated comments in real time.
  • Threaded comments, which group discussions within the comment area into nested threads, so it’s easier to follow different conversations.
  • Notification tools for both commenters and administrators.
  • Social media integration that lets users sign in through various social network profiles.
  • Like systems similar to Facebook’s that let readers like comments.
  • Smartphone compatibility for most platforms.
  • Anti-spam technology with varying degrees of effectiveness.

But are these comment systems better for your blog or more trouble than they’re worth? Let’s explore.

Advantages of Comment Plugins

There are quite a few pros for both readers and bloggers when it comes to third-party comments. Readers can choose whether or not they’d like to receive notifications when a post they’re participating on gets new comments, or replies to their comments. They can also reply to comment notifications right from their inbox.

Logging into commenting systems like Disqus and Livefyre is often a simple matter of clicking on whatever social media network the reader is currently logged into. Typically, readers also have the option of signing in as a guest by entering a name, email and/or URL. Multiple login options can be an advantage for these systems.

For bloggers and administrators, the pros are often more options for displaying and managing comments. The big third-party systems allow you to display links when a post is shared on social media, usually in an area beneath the comments. You’ll also have more choices on what order to display comments. For example, Livefyre can sort by oldest or newest, and Disqus lets you sort by newest/oldest, most popular or best rated comments.

For behind-the-scenes control, third-party comment systems let you blacklist spam or unwanted users and commenters. In some cases, you can blacklist specific words you want left out of the comments (such as profanity for a family-focused blog). You can also stop conversations that take a wrong turn by closing threads to new comments, which still leaves the previous comments displayed.

Disadvantages of Comment Plugins

The major cons of third-party comment systems have to do with familiarity, and changing platforms. One problem that surfaces is that frequent blog readers prefer to use their Google, WordPress or Blogger profiles to comment, because they’re automatically signed in. You may lose some commenters this way.

Another common issue is importing or exporting comments with varying platforms. For example, adding the Disqus comment system to a Blogger-based site requires you to export your blog template and upload it through Disqus, so the template can be modified with the right code.

Other problems include shifting to WordPress, which can involve transferring all of your comments between one or more platforms before the third-party system can be used. Changing your domain name can also result in some complicated comment migration, and sometimes loss of comments.

There’s also an issue with spam comments, in that while automated spam is usually filtered out well, third-party comment systems typically have no way to catch spam comments with links that are entered manually.

When considering the advantages against the disadvantages, for the most part, third-party comment systems have a lot to offer for small business bloggers.

Are you using a comment plugin system?


Tax Season Is In 3 Months. Is Your Accounting Firm Using Technology for Better Client Service?

Tax season is in 3 months. Accounting firms that are leveraging technology to the fullest will find that their overall communication with clients is smoother. I’d dare say that better communication will also be an ASSET and selling point for your company.

Being able to have clients digitally sign documents, collaborate remotely and synchronize files is good for you (the accounting firm) and good for your clients.

As I discussed with Jim Blasingame last week, clients and customers EXPECT their communication with you to be as smooth as possible.

When implementing communication technology in your business be sure to keep security at the forefront.

Train your staff and employees in how to use technology.

Leverage your vendor’s support solutions to ensure that you’re using the most upgraded technology and using it the right way.

Here’s a video from Citrix sharing how one of their customers uses file sharing and digital signatures in their business. Check it out here or below.



Second Microsoft hack by Syrian Electronic Army

The Syrian Electronic Army has hacked Microsoft's social media accounts for the second time in two weeks.

The hacker group reportedly took over the @MSFTnews and @XboxSupport Twitter accounts, as well as the firm's TechNet blog over the weekend.

The group subsequently retweeted an update from the @Official_SEA16 account, which accused Microsoft of monitoring users' accounts and selling this data on to American intelligence agencies and various governments, while another tweet simply said that the “Syrian Electronic Army was here”.

Fortunately, Microsoft was able to quickly wrestle back access to its Twitter account shortly afterwards and also shut down the TechNet blog “for maintenance”.

This attack isn't the first time Microsoft has had its social media accounts compromised, as the Syrian Electronic Army was able to gain access to Microsoft's Skype social media accounts just ten days ago.

The group has also successfully hacked Anonymous, Al-Jazeera, the BBC, the Daily Telegraph, the Financial Times, the Guardian, Human Rights Watch and National Public Radio, all while using “fairly rudimentary phishing techniques” according to independent cyber security expert Graham Cluley.

“There's no sign of the Syrian Electronic Army slowing down in its campaign of phishing attacks, designed to embarrass organisations and media outlets,” he blogged.

“Educate your staff about phishing attacks, and consider implementing two-factor authentication to better control access to your social media accounts.”

Reacting to the news, Kenneth Geers, senior global threat analyst at FireEye, told SCMagazineUK.com that this is the latest sign that spear-phishing attacks can be difficult to defend against.

“Most attacks like this can incorporate some element of spear-phishing, either against the target company or a vulnerable third party,” said Geers. “Defending against such attacks is maddening, because for defenders, there is too much ground to cover. They are forced to defend an entire corporate infrastructure, while attackers simply have to find one open door or window to crawl through.”



Four Simple Steps for Better Customer Communication After the Sale

Guest post by Mark Wilson, CEO of TermSync, a cloud-based customer portal

Communicate with customers every step of the way

No matter what step of the process a customer is in, proactive communication is key. Don’t wait for a customer to come to you with a question or complaint. Instead, send a friendly post-sale email to ensure the right items were delivered on time and without any damages. Also check with them to make sure the right charges were reflected on their invoice. Nothing’s more frustrating than noticing you’ve been overcharged and then having to sit on the phone trying to get things sorted out. Both you and your customers are busy, so being proactive with instances like these saves everyone time.  Doing it through automated emails is an easy way to save you and your customers time while still accomplishing the results.

In addition, you may discover issues you didn’t already know about.  Often an invoice is left unpaid because the invoice is incorrect or the customer never received it at all. And as frustrating as it might be, customers typically won’t reach out to tell you unless there’s something drastically wrong with the order. Instead, they’ll wait until you call looking for the payment, which is usually several weeks later. Sending some type of follow-up message after the order and invoice helps prevent these delays in payments and allows you to hear about and resolve issues earlier on.

Place priority on post-sale metrics

While the marketing, sales, and account management departments all have systems in place to help track customer interactions, the post-sale process is typically left on its own with few tools to measure satisfaction levels. Every manager - no matter the industry or company size - expects their staff to respond to customers in a timely and respectable manner. However, few hold their employees accountable by tracking to see if they’re actually following through. Here are two easy metrics managers should start tracking:

Customer Response Time: In most B2B industries, the typical best-practice is for employees to respond to customer questions and complaints within one business day.  However, without tracking response time, and therefore holding employees accountable for responding within the set timeframe, the chances of it actually happening are slim. Too often things slip through the cracks.  But if your staff knows you track it, things will “magically” start getting done in a more timely manner.

Customer Satisfaction: Too often, companies assume a customer is satisfied just because they pay the invoice and didn’t raise any objections. Unfortunately, this is often far from the truth. The fact is that most customers will contact you regarding big problems but they will often let little annoyances go because they don’t want to spend time on the phone. This makes it crucial that companies ask customers how their service levels were before and after the sale. You don’t want to annoy your customers with long surveys.  Instead, a few quick, easy questions will help you keep track of who is happy and who needs more attention.  

Share post-sale metrics with customers

After you start tracking post-sale metrics, like customer response time and customer satisfaction, start sharing them with your customers. The fact that you take the time to track your response time and customer satisfaction shows customers you care about more than just closing the sale. Ideally, these metrics will be measured by a third-party agency or software.  This provides more credibility with your customers.

Hold employees accountable

Too often, managers ask their staff to respond to customer inquiries in a timely fashion, but do little to ensure their staff is actually doing so - a big mistake on management’s part. Employees quickly realize what metrics management tracks and what tasks take priority, so if you’re not tracking response time your team most likely knows this and will push tasks related to responding to customer questions farther down their to-do list. But if you start tracking response time and start sharing it with customers, employees will notice these tasks’ priority and make more of an effort to improve their response time and customer satisfaction.

About Mark:

Mark Wilson is the Chief Executive Officer of TermSync, a cloud-based customer portal. Over Mark’s career, he has always focused on process improvements as a way of not only reducing costs but also increasing efficiency and improving internal and external relationships. After seeing first-hand the amount of corporate waste that can be attributed to outdated post-sale processes, Mark realized a significant need in the market was not being addressed.  Building on this knowledge and his prior successful startup experience, he formed TermSync.




UK government campaign to educate SMBs on cyber threat

The British government has launched a new campaign which aims to educate consumers and SMEs on information security.

The new “Cyber Streetwise” scheme encompasses an independent website, which offers practical advice on everything from enforcing strong passwords and securing wireless networks to managing user privileges and personally-owned devices.

The campaign comes after the government's recent National Cyber Security Consumer Tracker, which found that most people didn't take the necessary precautions to protect themselves online.

This bears particular importance for small and medium-sized enterprises (SMEs), which have been increasingly targeted by hackers over the last year.

Speaking shortly after the announcement, Sophos' global head of security research James Lyne suggested that the campaign could help these firms get their security up to scratch.

"Consumers and SMEs alike are finding new ways to interact online, including via a greater range of devices, but with this enhanced technology comes risk,” said Lyne.

“SophosLabs finds more than 30,000 new infected websites distributing malware every day and, contrary to popular belief, the majority - around 80 percent - are legitimate small business websites that have been hacked. It's therefore vital that small businesses in particular get the basics of security right.”

SCMagazineUK.com spoke to a number of info security experts on hearing the news, and found that the reaction was overwhelmingly positive.

“Cyber Streetwise is another push towards getting SMEs to understand the threats that come from cyber attacks - the challenge, as ever, is to get mind-share within the executives of these companies and to get them to take action,” said Dr Guy Bunker, SVP of products at Clearswift.

Bunker went on to add that education is paramount to reducing cyber risks, something which Boldon James CEO Martin Sugden was keen to touch upon.

“The Government has identified that one of the key aspects to cyber security is empowering your employees - helping them to protect themselves and manage your data securely,” said Sugden. “Ultimately, the responsibility for cyber security will always remain with the business, and by educating employees on the best data security practices, SMEs can ensure that their employees are another resource in protecting a company's assets.”

Brian Honan, security analyst at BH Consulting, told SCMagazineUK.com that he hopes the initiative is a wake-up call to the SMEs who presume that their data is safe.

“Many small businesses do not consider themselves a likely target for criminals”, he said. “However, what these companies fail to realise is that the data on their networks can be worth a lot of money to criminals.

“If a company stores and processes information on their customers this has value; if they process credit card information this data also has value to criminals; indeed the company's own intellectual property (especially if it is in the high tech sector) could be worth stealing and selling to competitors elsewhere.”

Honan went on to suggest that ransomware and extortion scams are increasingly common in the SME world.

“We have seen criminals break into a company's network and then modify the backup software on the server to keep running every night but not to backup any data. After a number of weeks the criminals return and encrypt the disks on the server and demand a ransom of several thousand pounds to make the data available to the company again.

“When the company tries to restore data from their backups they then discover the backups have not been working as expected and they have no data to restore. The company is then left with the choice of paying the ransom or losing all their data.”
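The sabotaged-backup scenario Honan describes is one a simple catalog audit can surface: a job that keeps reporting success while writing nothing. The following is an added example, not code from the article or from BH Consulting; the nightly catalog entries, the shrink threshold and the restore-test interval are all constructed assumptions.

```python
import statistics
from datetime import date

# Constructed nightly backup catalog: (run date, job status, bytes written,
# files written). Not real data. It mirrors the scenario above: the job keeps
# reporting success, but from 5 January it stops writing anything, and on
# 7 January it writes a tiny fraction of the usual volume.
SAMPLE_CATALOG = [
    ("2014-01-01", "SUCCESS", 52_100_000_000, 184_200),
    ("2014-01-02", "SUCCESS", 52_300_000_000, 184_510),
    ("2014-01-03", "SUCCESS", 52_400_000_000, 184_760),
    ("2014-01-04", "SUCCESS", 52_600_000_000, 185_020),
    ("2014-01-05", "SUCCESS", 0, 0),
    ("2014-01-06", "SUCCESS", 0, 0),
    ("2014-01-07", "SUCCESS", 1_200_000, 12),
]


def audit_backups(catalog, baseline_days=3, max_shrink=0.5):
    """Flag runs whose reported success is not backed by the data written.

    A run is suspicious if it wrote no bytes or no files, or if its volume is
    below (1 - max_shrink) of the median of the last baseline_days healthy
    runs. Returns a list of (run date, reason)."""
    findings = []
    healthy_sizes = []
    for day, status, nbytes, nfiles in catalog:
        if status != "SUCCESS":
            findings.append((day, "job reported failure"))
            continue
        if nbytes == 0 or nfiles == 0:
            findings.append((day, "reported success but wrote no data"))
            continue
        if len(healthy_sizes) >= baseline_days:
            baseline = statistics.median(healthy_sizes[-baseline_days:])
            if nbytes < baseline * (1 - max_shrink):
                findings.append(
                    (day, f"volume fell to {nbytes / baseline:.1%} of recent median"))
                continue
        healthy_sizes.append(nbytes)   # only healthy runs feed the baseline
    return findings


def restore_test_overdue(last_restore_test, today, max_age_days=30):
    """Catalog checks only show what the job claims; a periodic test restore is
    the check that the data can actually come back. Dates are ISO strings."""
    age = date.fromisoformat(today) - date.fromisoformat(last_restore_test)
    return age.days > max_age_days


if __name__ == "__main__":
    for day, reason in audit_backups(SAMPLE_CATALOG):
        print(day, reason)
    if restore_test_overdue("2013-11-15", "2014-01-07"):
        print("restore test overdue: schedule one before relying on these backups")
```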



61% Of All Website Traffic Are Bots - How This Impacts Small Businesses

These days, you may be getting more non-human visitors to your website than human visitors - and you may not even be aware of it.  And those non-humans visiting your site may be there to do it harm.

If the idea of non-human visitors conjures up an image of Arnold Schwarzenegger as the Terminator coming to take down your site - it’s not. These non-human visitors are “bots.”

A recent report by Incapsula says that bot visits to sites are now up to 61.5% of total website traffic. This is a lot, so it pays to know what these bots are and what they are potentially up to.

A bot is a small robot-like software app that roams the Internet, jumping from site to site.  There are good bots and bad bots.

A good bot is sent out by another site (say, Google) to collect information or to perform a specific task, and it jumps from site to site via the links on each site.

The good kind are typically search engine bots that index your site, such as Googlebot. This kind of bot traffic makes up 31% of that 61.5% of bot traffic.  You can pretty much trust and forget these good bots. They will do their business and then quickly be on their way. However, still keep one eye on them, because some bad bots have been known to disguise themselves as Googlebot.
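A bot can put anything it likes in its User-Agent string, so the way to catch the disguised Googlebots mentioned above is Google's own published check: reverse-resolve the source address, require the name to end in googlebot.com or google.com, then forward-resolve that name and require it to point back at the same address. This is an added example, not code from the article or from Incapsula; the access-log lines and the DNS lookup tables are constructed so it runs offline, and the system resolvers are there for use on real logs.

```python
import re
import socket

# Constructed sample access-log lines (combined log format). Not real traffic:
# the first claims Googlebot from an address whose PTR record checks out, the
# second claims Googlebot from an address with no Google PTR record, the third
# is an ordinary browser and is not examined at all.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Jan/2014:10:00:01 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.45 - - [10/Jan/2014:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Jan/2014:10:00:03 +0000] "GET /post/1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Google's published rule: the reverse (PTR) name of a genuine crawler address
# ends in googlebot.com or google.com, and that name forward-resolves back to
# the same address. The User-Agent string alone proves nothing.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def verify_googlebot(ip, reverse, forward):
    """Return True only if both the reverse and the forward lookup agree."""
    try:
        host = reverse(ip)
    except OSError:            # no PTR record at all
        return False
    if not host.lower().endswith(GOOGLE_SUFFIXES):
        return False
    try:
        return ip in forward(host)
    except OSError:            # name does not resolve
        return False


# Real resolvers for use against live logs (network access required).
def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def system_forward(host):
    return socket.gethostbyname_ex(host)[2]


# Constructed stand-ins for DNS so the example runs offline.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR record (constructed)")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise socket.gaierror("name not found (constructed)")
    return FAKE_A[host]


def find_fake_googlebots(log_text, reverse=system_reverse, forward=system_forward):
    """Return the source IPs that claim Googlebot but fail DNS verification."""
    fakes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m.group("ua"):
            continue
        if not verify_googlebot(m.group("ip"), reverse, forward):
            fakes.append(m.group("ip"))
    return fakes


if __name__ == "__main__":
    for ip in find_fake_googlebots(SAMPLE_LOG, fake_reverse, fake_forward):
        print("claims Googlebot but fails DNS verification:", ip)
```

Addresses that fail the check are candidates for rate limiting or blocking; genuine crawlers always pass both lookups, so the check does not cost you search indexing.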

It’s the other 30.5% - the bad bots - that you need to be concerned about. Here’s where you start to enter a murky side of the Internet - bots that could potentially do your website and business harm.

Scrapers are bots that will kick in your website door and steal all of your content. That content is then passed back to the scraper owner, who passes it off as his own content (and probably tries to profit off it by putting advertisements on his page).  Maybe this article will end up being scraped? It’s impossible to tell in advance, which is why you should monitor mentions of your site and brand name, by regularly searching Google to see what pops up anywhere else online.  By monitoring, you may be able to get your stolen content taken down.

Spammers are another type of entity using bad bots.   If you run a blog, for instance, you should be monitoring your comments daily. Otherwise, your pages will quickly get filled with spam such as links to drugs, get-rich-quick schemes, and other dodgy links. It’s like having walk-in visitors come into your store, deposit trash on your floor and leave.  You certainly wouldn’t want to allow that to happen, and you wouldn’t leave the trash there.  If you are using WordPress for your site, a spam blocker called Akismet will block 99.9% of your spam (see the diagram above for how Akismet works). But nothing is perfect in life, so still check your comments section religiously.

The bad bots you should really be concerned about are used by hackers. Some people love nothing more than to break into a site, take it down, desecrate it, destroy the files, and change the login details so you can’t get it back.  Bad bots may be designed to let in hackers.  You can help protect yourself against this by backing up your site daily, locking out IP addresses after a certain number of failed logins, and even employing Google Authenticator to provide a second layer of protection.  Another thing you can do is use a service that blocks bad bots from doing their thing, before they have a chance to trash your site.
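The lockout after repeated failed logins recommended above is the kind of control a bot hammering a login form runs straight into. Here it is worked through as an added example (not code from the article): a sliding-window counter per source IP that locks the address out for a period once it reaches the failure threshold, replayed over constructed login-attempt records. The threshold, window and lockout length are assumed values to tune for your site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login-attempt records (timestamp, source IP, result, username).
# Not real logs. 203.0.113.45 hammers the admin account; 198.51.100.7 is a
# real user who mistypes her password once and then gets in.
SAMPLE_ATTEMPTS = """\
2014-01-10T10:00:00 203.0.113.45 FAIL admin
2014-01-10T10:00:05 203.0.113.45 FAIL admin
2014-01-10T10:00:09 203.0.113.45 FAIL administrator
2014-01-10T10:00:12 203.0.113.45 FAIL root
2014-01-10T10:00:15 203.0.113.45 FAIL admin
2014-01-10T10:00:20 203.0.113.45 FAIL admin
2014-01-10T10:03:00 198.51.100.7 FAIL sarah
2014-01-10T10:03:30 198.51.100.7 OK sarah
2014-01-10T10:40:00 203.0.113.45 FAIL admin
"""


class LoginGuard:
    """Sliding-window failed-login counter with a temporary per-IP lockout."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires
        self.lockouts = []                   # (ip, datetime) audit trail

    def is_locked(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]

    def attempt(self, now, ip, ok):
        """Return the decision for one attempt: BLOCKED, OK, FAIL or LOCKED."""
        if self.is_locked(ip, now):
            return "BLOCKED"   # reject before the password is even checked
        if ok:
            self.failures[ip].clear()
            return "OK"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.lockouts.append((ip, now))
            recent.clear()
            return "LOCKED"
        return "FAIL"


def replay(text, guard=None):
    """Feed constructed attempt lines through a LoginGuard; return the
    per-attempt decisions and the lockout audit trail."""
    guard = guard or LoginGuard()
    decisions = []
    for line in text.splitlines():
        stamp, ip, result, _user = line.split()
        now = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        decisions.append(guard.attempt(now, ip, result == "OK"))
    return decisions, guard.lockouts


if __name__ == "__main__":
    decisions, lockouts = replay(SAMPLE_ATTEMPTS)
    for line, decision in zip(SAMPLE_ATTEMPTS.splitlines(), decisions):
        print(decision.ljust(8), line)
    for ip, when in lockouts:
        print("locked out", ip, "at", when.isoformat())
```

The guard keys on source IP, so a bot rotating through many addresses still needs a second control (the bot-blocking service or second factor the article mentions); the lockout alone stops the single-source case and produces an audit trail worth alerting on.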

Having a website is a must today, but the world has some unpleasant individuals so stay on the alert!

Image: Incapsula



Job Creation Varies by Small Business Size

Figure: Job creation varies by small business size (chart)

Source: Created from data from the ADP Employment Report

Economists often talk about small businesses as if they were all the same size. But “small businesses,” which comprise 99.7 percent of all companies, include everything from single-person companies to 499-employee firms. Treating them as homogeneous doesn’t make a whole lot of sense.

Nowhere does this apply more than to the decision to add workers. The founder of a micro enterprise often makes the choice to add a second employee for very different reasons than the founder of a medium-sized company makes the decision to add her hundredth worker.

Given the varied reasons that the owners of different sized small businesses have for adding additional workers, it’s not surprising that hiring patterns weren’t the same at the smallest and largest small businesses during the Great Recession and the not-so-great recovery that followed.

The figure above shows employment as a percentage of November 2007 levels from December 2007 (when the Great Recession began) through November 2013 (the latest month data are available) for establishments with between 1 and 19, 20 to 49, and 50 and 499 employees, using data from ADP Employment Report - a monthly measure of private non-farm employment generated from ADP’s payroll clients that the payroll firm produces in conjunction with Moody’s Analytics.

Among the three sizes of establishments, only those with between 1 and 19 workers currently employ more people now than they did in November 2007. Businesses with between 20 and 49 workers are at 97 percent of their November 2007 levels, while establishments with between 50 and 499 employees are at 99 percent of their pre-recession levels.

As the figure shows, the biggest group of small businesses suffered the largest drop in employment during the downturn. Between the start of the Great Recession and December 2009, establishments with between 50 and 499 employees shed 3.8 million workers, or 9 percent of their November 2007 workforce. By contrast, establishments with between 20 and 49 employees cut 1.3 million workers between the beginning of the downturn and their low point in employment (in March 2010), a drop of 7 percent of their labor force. Establishments with between 1 and 19 workers trimmed 3 percent of their employment between November 2007 and their employment nadir (in December 2010).

The picture shows that when it comes to explaining job creation, observers should avoid talking about small businesses as if they are homogeneous. Small establishments of different sizes vary greatly in how many jobs they cut during downturns and how many they add during recoveries.



Pass the hash - again

2014 could be set to become the year of PTH suggests Calum MacLeod, VP of EMEA at Lieberman Software Corporation

Many moons ago, in an age of innocence, “Pass The Hash” had a whole other meaning -  something you did at the back of the school on a Friday night.  Now it seems that “Pass The Hash” is back in vogue again - not just in Colorado; the IT version has resurfaced after first appearing some 15 years ago.

Suddenly it seems as if it's the latest exploit about to be unleashed on the corporate landscape. Within a week or two you'll have inside sales departments calling to ask if you have ‘PTH’ problems. Come April we can expect to see every vendor in the security space offering ‘PTH’ solutions at tradeshows. Of course this will be followed by the PTH User Groups sponsored by vendors desperately trying to save you from PTH attacks. APTs will have become a distant memory, as that was all solved in 2013. 2014 - The year of PTH!

What is it?

Unfortunately it is not as interesting as the original, and it certainly is not going to give you a mellow feeling.

A "pass the hash" (PTH) attack is possible wherever the password hash alone is sufficient to authenticate a user to a system. That is exactly how NTLM challenge-response authentication works: the NT hash (an unsalted MD4 of the password) is the key used to answer the server's challenge, so whoever holds the hash never needs the password itself. The problem is worst on older Windows systems such as XP and Server 2003, where the built-in local Administrator account is enabled by default and, because it is used for routine administrative tasks such as backups, patching and installing software, is very often given the same password on every machine. If one machine is compromised, the local hashes can be dumped from its Security Account Manager (SAM) database, which every Windows installation has (it is not specific to Server 2003). The SAM stores the accounts local to that computer, so once an attacker has administrative access to one machine, every other machine on the network that shares the same local Administrator password becomes an easy target.

Newer versions of Windows raise the bar: from Vista and Server 2008 onwards the built-in Administrator account is disabled by default, and UAC's remote restrictions strip administrative rights from the network logon tokens of other local accounts, so a stolen local-account hash buys less. Domain accounts are never filtered in this way, and the built-in Administrator is exempt whenever it is enabled, so the risk is reduced rather than removed. See "Still Passing the Hash 15 Years Later" (Duckwall and Campbell, Black Hat USA 2012), and many thanks to the authors for providing much of my "research"!
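To turn the mitigations above into something checkable, here is an added example (not the author's or Lieberman Software's code) that audits one host and reports which local administrator accounts would still grant full administrative access over the network to anyone holding their NT hash. It encodes the rules just described: the RID-500 Administrator is never token-filtered, other local administrators are filtered on Vista and later unless the LocalAccountTokenFilterPolicy registry value is 1, and domain accounts are never filtered. The function and property names are this example's own; it is written against PowerShell 2.0 so that it also runs on the older hosts where the problem is worst, and it must be run in an elevated session on the host being checked.

```powershell
# Added example, not the author's code: report which local admin hashes would
# work against this host over the network (see the lead-in for assumptions).

function Test-PthExposure {
    $hostName = $env:COMPUTERNAME
    # Major version 6 = Vista / Server 2008; older releases have no remote UAC filtering.
    $osMajor = [Environment]::OSVersion.Version.Major

    # LocalAccountTokenFilterPolicy: absent or 0 = network tokens of local admins
    # (other than RID 500) are filtered; 1 switches that protection off.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                               -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $filterDisabled = ($null -ne $policy -and $policy.LocalAccountTokenFilterPolicy -eq 1)

    # The built-in Administrator keeps RID 500 whatever it has been renamed to.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
               Where-Object { $_.SID -like '*-500' }

    # Age of the built-in account's current password, via the WinNT ADSI provider.
    $builtinPasswordAgeDays = $null
    if ($builtin) {
        try { $builtinPasswordAgeDays = [int](([ADSI]"WinNT://./$($builtin.Name),user").PasswordAge.Value / 86400) }
        catch { }
    }

    # Members of the local Administrators group, located by its well-known SID so
    # the check also works where the group name is localised.
    $adminGroup   = Get-WmiObject Win32_Group -Filter "LocalAccount='True' AND SID='S-1-5-32-544'"
    $groupPattern = 'Name="' + [regex]::Escape($adminGroup.Name) + '"$'
    $members = @(Get-WmiObject Win32_GroupUser |
        Where-Object { $_.GroupComponent -match $groupPattern } |
        ForEach-Object {
            if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
                New-Object PSObject -Property @{ Domain = $Matches[1]; Name = $Matches[2] }
            }
        })
    $localAdmins  = @($members | Where-Object { $_.Domain -eq $hostName })
    $domainAdmins = @($members | Where-Object { $_.Domain -ne $hostName })

    $exposed = @(foreach ($m in $localAdmins) {
        if ($builtin -and $m.Name -eq $builtin.Name) {
            # RID 500 is exempt from remote UAC filtering: enabled means exposed.
            if (-not $builtin.Disabled) { "$($m.Domain)\$($m.Name) (built-in RID 500, never filtered)" }
        } elseif ($osMajor -lt 6 -or $filterDisabled) {
            "$($m.Domain)\$($m.Name) (local admin, remote UAC filtering not in effect)"
        }
    })

    New-Object PSObject -Property @{
        Host                   = $hostName
        BuiltinAdminEnabled    = [bool]($builtin -and -not $builtin.Disabled)
        BuiltinPasswordAgeDays = $builtinPasswordAgeDays
        RemoteUacFilteringOn   = ($osMajor -ge 6 -and -not $filterDisabled)
        ExposedLocalAdmins     = $exposed
        # Domain accounts are never token-filtered; each one listed here is a
        # lateral-movement path from any host where its hash can be dumped.
        DomainAccountsInAdmins = @($domainAdmins | ForEach-Object { "$($_.Domain)\$($_.Name)" })
    }
}

$report = Test-PthExposure
$report | Format-List
if ($report.ExposedLocalAdmins.Count -gt 0) {
    Write-Warning "A local admin hash dumped from another host would work against $($report.Host) if the password is shared"
}
```

What this cannot see is whether the exposed accounts actually share a password with other hosts; the password age is the only hint it has. Compare the report, and in particular BuiltinPasswordAgeDays, across the whole estate: a fleet of hosts whose built-in Administrator has the same, old, password age is usually a fleet with one shared password.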

Where does it leave us?

Contrary to the claims of certain vendors, PTH is neither new, nor solved by simply changing administrative passwords. Changing the administrator's password only helps if you change it everywhere that credential is used: for the administrators themselves, the service accounts, the scheduled tasks and every other account in the system that shares the administrative password. Because NT hashes are unsalted, every account that shares a password shares a hash, so rotate one account and the attacker simply uses the same hash against the accounts, and the machines, you didn't get to. It may give you the original PTH high, but you can be sure that one of these days you are going to wake up with a terrible headache, and discover that changing your admin accounts didn't offer lasting satisfaction.

Ultimately you need a complete and current inventory of every place a privileged credential is stored or referenced, from the registry onwards. And last week's inventory is no good!

Constantly vigilant

Vigilance was key in the original PTH scenario. Someone had to be constantly on the lookout for “hackers”, be they teachers, parents or the law. And the same applies with today's PTH. Organisations need to monitor the complete Windows environment continuously, and to discover dynamically every location throughout the environment where an account is referenced by a Windows service, scheduled task, COM/DCOM object or AT job.

Discovering where the accounts are used is half the battle, and snapshots in time are not going to do it. You can't manage what you don't know, and unless you are checking continuously you will get caught. I know from past experience! And should you decide to change the passwords regularly, don't start the process by creating yet another password on that system so that you can log on to change the passwords. Ah yes, you're saying to yourself, this doesn't make any sense. And you'd be right, it doesn't. But that's another story.
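As an added example of the continuous discovery described in the last two paragraphs (and of the "change it everywhere" problem from the previous section), here is a PowerShell script that is not the author's or Lieberman Software's code. It inventories every service, scheduled task, DCOM AppID RunAs identity and legacy AT job on a host that runs as a named account, diffs the result against the previous snapshot so new references are flagged rather than discovered after the fact, and lists the accounts referenced from more than one place, which are the ones a single password change will break or miss. Assumptions: it runs locally on each host (for example via Invoke-Command) in an elevated session so that every task and AppID is visible, the schtasks column names are those of an English locale, the snapshot path and function names are this example's own, and it is kept PowerShell 2.0-compatible for older hosts.

```powershell
# Added example, not the author's code: find every account reference on this
# host, diff against the last run, and list credentials used in several places.

function New-CredRef($Source, $Name, $Account) {
    if ([string]::IsNullOrEmpty($Account)) { return }
    New-Object PSObject -Property @{ Host = $env:COMPUTERNAME; Source = $Source; Name = $Name; Account = $Account }
}

function Get-CredentialReference {
    # Services: StartName is the account the service logs on as.
    Get-WmiObject Win32_Service | ForEach-Object { New-CredRef 'Service' $_.Name $_.StartName }

    # Scheduled tasks: verbose CSV export. schtasks repeats its header line for
    # each task folder, so drop rows whose TaskName is literally "TaskName".
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object { New-CredRef 'ScheduledTask' $_.TaskName $_.'Run As User' }

    # COM/DCOM: an AppID with a RunAs value launches its server as that identity.
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
        $runAs = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).RunAs
        if ($runAs) { New-CredRef 'DCOM' $_.PSChildName $runAs }
    }

    # Legacy AT jobs: Win32_ScheduledJob only covers jobs created with at.exe.
    Get-WmiObject Win32_ScheduledJob -ErrorAction SilentlyContinue |
        ForEach-Object { New-CredRef 'ATJob' "JobId $($_.JobId)" $_.Owner }
}

function Compare-CredentialSnapshot {
    param([string]$PreviousCsv, [object[]]$Current)
    # One string per reference so the two runs can be compared as sets.
    $key = { "$($_.Host)|$($_.Source)|$($_.Name)|$($_.Account)" }
    $old = @(if (Test-Path $PreviousCsv) { Import-Csv $PreviousCsv | ForEach-Object -Process $key })
    $new = @($Current | ForEach-Object -Process $key)
    New-Object PSObject -Property @{
        Added   = @($new | Where-Object { $old -notcontains $_ })
        Removed = @($old | Where-Object { $new -notcontains $_ })
    }
}

$snapshot = "$env:ProgramData\credential-references.csv"   # assumed path for the last run
$current  = @(Get-CredentialReference)
$diff     = Compare-CredentialSnapshot -PreviousCsv $snapshot -Current $current
$diff.Added   | ForEach-Object { Write-Warning "New credential reference: $_" }
$diff.Removed | ForEach-Object { Write-Warning "Credential reference disappeared: $_" }
$current | Export-Csv -Path $snapshot -NoTypeInformation

# Accounts referenced from more than one place: a password change that misses
# any of them either breaks that service or task, or leaves the old hash in
# play. Virtual accounts have no password to rotate and are excluded.
$current |
    Where-Object { $_.Account -notmatch '^(LocalSystem|SYSTEM|NT AUTHORITY\\|NT SERVICE\\)' } |
    Group-Object Account | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count | Sort-Object Count -Descending
```

Run it on a schedule rather than once: the Added list is what turns a snapshot into monitoring, and merging the per-host CSVs lets you group by Account across the estate, which is where the same service account, or the same local Administrator password, turns up on fifty machines.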

Is there a moral?

You could say that PTH has never been good for anyone, and both variants can be life changing, not necessarily for the better. Pass the Hash in IT terms has been around for close to 15 years, and working exploit tools have been public for years, so it's not a new vulnerability, but it is something you should be aware of. Taking proper precautions such as changing passwords regularly will help. It is also important to ensure that local administrators, services and scheduled tasks are not using the same passwords across your infrastructure, so that one dumped SAM does not unlock every other host, and to segment your environment so that a breach can be contained. And always be vigilant. Now please “Pass the Hash”.

Contributed by Calum MacLeod, VP of EMEA at Lieberman Software Corporation