Title: The Power of Passkeys: Elevating Security Beyond Passwords and Passphrases

Title: The Power of Passkeys: Elevating Security Beyond Passwords and Passphrases

In today’s digital landscape, safeguarding sensitive information is paramount. With cyber threats evolving at an alarming rate, the traditional methods of securing accounts with passwords or passphrases are no longer sufficient. Enter passkeys—a revolutionary approach to authentication that offers enhanced security and convenience. In this blog post, we’ll delve into the benefits of passkeys and why they represent the future of authentication.

What Are Passkeys?

Before we dive into their benefits, let’s clarify what passkeys are. Passkeys are cryptographic keys used for authentication purposes. Unlike traditional passwords or passphrases, which typically consist of alphanumeric characters and are prone to being compromised through brute force attacks or phishing schemes, passkeys are generated using advanced encryption algorithms.

Enhanced Security

One of the primary benefits of passkeys is their superior security. Since passkeys are cryptographic keys, they are much harder to crack compared to passwords or passphrases. Traditional authentication methods rely on storing passwords on servers, which can be vulnerable to breaches. In contrast, passkeys are stored locally on the user’s device and are never transmitted over the network, significantly reducing the risk of interception by malicious actors.

Additionally, passkeys can be combined with other authentication factors, such as biometrics or hardware tokens, further fortifying security. This multi-factor authentication approach adds an extra layer of protection, making it exponentially more difficult for unauthorized individuals to gain access to sensitive accounts.

Convenience and User Experience

Beyond security, passkeys offer unparalleled convenience and a seamless user experience. With traditional passwords or passphrases, users often struggle to remember complex combinations of characters, leading to frequent password resets and frustration. Passkeys, on the other hand, can be generated and managed automatically by password managers or authentication apps, eliminating the need for users to memorize lengthy strings of characters.

Moreover, passkeys can be easily integrated into various devices and platforms, allowing for frictionless authentication across multiple services. Whether logging into a website, accessing a mobile application, or unlocking a smart device, passkeys streamline the authentication process, saving users time and hassle.

Resistance to Phishing Attacks

Phishing attacks, where malicious actors attempt to trick users into revealing their credentials, are a prevalent threat in today’s digital landscape. Traditional passwords and passphrases are susceptible to phishing attacks, as users may inadvertently disclose their login information to fraudulent websites or emails.

Passkeys mitigate this risk by providing cryptographic proof of identity, making them immune to phishing attacks. Since passkeys are generated locally and never transmitted over the network, even if a user falls victim to a phishing scam, their passkey remains secure, preventing unauthorized access to their accounts.

Future-Proof Authentication

As cyber threats continue to evolve, it’s essential to adopt authentication methods that can adapt to emerging security challenges. Passkeys represent a future-proof solution to authentication, leveraging cutting-edge encryption technologies to safeguard user data effectively.

By embracing passkeys, organizations can enhance security, improve user experience, and mitigate the risks associated with traditional passwords and passphrases. As the digital landscape continues to evolve, passkeys will undoubtedly play a crucial role in shaping the future of authentication.

Seamless Integration with Password Managers

One of the key advantages of passkeys is their compatibility with password management tools such as 1Password and Keeper. These password managers not only help users generate and store complex passkeys securely but also facilitate their seamless integration across multiple devices and platforms.

Password managers alleviate the burden of managing passkeys manually by securely storing them in an encrypted vault. This means that users can access their passkeys whenever they need them, whether they’re logging into a website on their laptop or accessing an app on their smartphone.

Moreover, password managers like 1Password and Keeper offer robust synchronization features, allowing users to access their passkeys on multiple devices simultaneously. This means that whether you’re at home, in the office, or on the go, you can leverage your passkeys to authenticate securely across all your devices with ease.

By leveraging password managers, users can harness the power of passkeys without worrying about the complexities of managing them manually. With features like automatic synchronization and secure storage, password managers enhance the usability and accessibility of passkeys, making them an even more compelling alternative to traditional passwords and passphrases.

In summary, the integration of passkeys with password managers like 1Password and Keeper further enhances their convenience and usability, allowing users to leverage advanced authentication methods seamlessly across all their devices. This combination of security and convenience positions passkeys as a superior solution for modern authentication needs.

In conclusion, passkeys offer a myriad of benefits over traditional passwords and passphrases, including enhanced security, convenience, resistance to phishing attacks, and future-proof authentication. As the need for robust cybersecurity measures intensifies, passkeys stand out as a compelling solution for protecting sensitive information in an increasingly digital world.

Safeguarding Your Business: Understanding and Preventing Business Email Compromise (BEC)

In today’s digital age, businesses face a myriad of cybersecurity threats, and one of the most prevalent and damaging is Business Email Compromise (BEC). BEC attacks have become increasingly sophisticated, targeting businesses of all sizes and industries. Understanding the causes, techniques, and prevention methods of BEC is crucial for safeguarding your organization’s sensitive information and financial assets.

Causes of Business Email Compromise (BEC)

BEC attacks often exploit vulnerabilities within an organization’s email systems, processes, or human behavior. Some common causes include:

  1. Phishing Attacks: Cybercriminals send convincing emails impersonating trusted individuals or organizations, tricking employees into disclosing sensitive information or performing fraudulent transactions.
  2. Weak Authentication: Inadequate email security measures, such as weak passwords or lack of multi-factor authentication, make it easier for hackers to gain unauthorized access to email accounts.
  3. Social Engineering: Attackers research their targets and craft personalized messages to deceive employees into taking actions that compromise security, such as wire transfers or divulging login credentials.
  4. Lack of Employee Training: Insufficient cybersecurity awareness training leaves employees ill-equipped to recognize and respond to suspicious emails or requests, making them more susceptible to BEC scams.

Techniques Used in BEC Attacks

BEC attackers employ various tactics to achieve their objectives, including:

  1. Email Spoofing: Falsifying email headers to make messages appear as though they originate from a trusted source, such as a company executive or business partner.
  2. Domain Impersonation: Registering domains similar to legitimate ones (e.g., replacing letters with visually similar characters) to impersonate trusted entities and deceive recipients.
  3. Invoice Manipulation: Intercepting legitimate invoices and modifying payment details to redirect funds to attacker-controlled accounts.
  4. CEO Fraud: Impersonating high-ranking executives to request urgent wire transfers or sensitive information from lower-level employees.

How to Spot BEC Attacks

Recognizing the signs of a BEC attack is crucial for mitigating its impact. Some common indicators include:

  1. Unsolicited Requests for Sensitive Information: Be wary of emails requesting confidential information, especially if they come from unfamiliar or suspicious sources.
  2. Urgent or Unusual Requests: Exercise caution when receiving requests for immediate action or unusual transactions, particularly if they deviate from established procedures.
  3. Inconsistencies in Email Addresses or Content: Check for subtle discrepancies in sender email addresses, domain names, or language that may indicate impersonation or spoofing.
  4. Unusual Changes in Payment Instructions: Verify any unexpected changes to payment details or instructions through trusted channels before proceeding with transactions.

Preventing BEC Attacks

Mitigating the risk of BEC requires a multi-layered approach to cybersecurity. Here are some best practices for prevention:

  1. Employee Training and Awareness: Educate employees about BEC risks, common tactics, and how to identify and report suspicious emails or requests.
  2. Implement Email Authentication Protocols: Utilize technologies such as DMARC (Domain-based Message Authentication, Reporting, and Conformance) to detect and prevent email spoofing and domain impersonation.
  3. Enforce Strong Authentication Measures: Require employees to use complex passwords and implement multi-factor authentication to secure email accounts against unauthorized access.
  4. Establish Verification Procedures: Implement robust verification processes for validating payment requests, particularly for large transactions or changes to payment details.

How EvL Consulting with Proofpoint Essentials Can Help

Partnering with a trusted cybersecurity provider like EvL Consulting, leveraging solutions such as Proofpoint Essentials, can significantly enhance your organization’s defense against BEC attacks. Proofpoint Essentials offers advanced email security features, including:

  1. Email Authentication: Protect against email spoofing and domain impersonation using DMARC authentication to validate email senders’ identities.
  2. Threat Intelligence: Utilize real-time threat intelligence to detect and block malicious emails, including those associated with BEC campaigns.
  3. Content Filtering: Employ advanced content filtering to identify and quarantine suspicious emails containing phishing attempts or fraudulent content.
  4. User Training and Awareness: Access comprehensive training resources to educate employees on cybersecurity best practices and empower them to recognize and report BEC threats effectively.

By combining industry-leading technology with expert guidance from EvL Consulting, small and medium businesses can fortify their defenses against BEC attacks and safeguard their critical assets and sensitive information.

In conclusion, the threat of Business Email Compromise is a persistent and evolving challenge for organizations worldwide. By understanding the causes, techniques, and prevention strategies associated with BEC attacks, businesses can proactively mitigate risks and protect themselves from financial losses and reputational damage. Partnering with trusted cybersecurity experts and leveraging robust email security solutions is essential for staying ahead of cyber threats and maintaining a secure and resilient business environment.

Why URL link defense is so important

Why URL link defense is so important

Receiving phising emails is scary enough. Is it actually a genuine email? Is that link pointing to something to something that actually does what the email tells me?

Unexpected emails may show up at any given moment in time. The timing itself is often an indicator of something fishy. (pun intended).

I received an email from a Chinese shipping company telling me that I have 6 outstanding emails which I need to review on their portal. That already is very peculiar as I’ve never dealt with that company but given the fact I had ordered something on Ebay from a chinese seller it could’ve been a genuine request.

My emails go via Proofpoint and they already flagged the message a potentially malicious and kept it quarantined for me to review first. I released the email on purpose so it ended up in my mail box. The links that are created in those emails are modified by Proofpoint so that clicks on those links will be checked and if found malicious, the access will be blocked.

I used a separate, isolated, computer to click on that link and see what happened. As expected, the url defense mechanism of Proofpoint successfully blocked the page.

This also works a-synchronously. What do I mean by that??
If an email is sent and goes through the Proofpoint system, it may be that this site has not been checked yet or has been checked as being a non-problematic site. Many malicious actors use this technique to bypass the training algorithms of existing spam checkers and security solutions. Only after a while, they will load malicious software on these sites. As any email will not have been classified as spam or malicious, they will then still sit in your inbox with that same link that has now become a dangerous gateway to hackers and scammers.

As Proofpoint has changed the link to first pass their systems, they can always flag the site as malicious and still block it, as happened in my case above, even though it did not block or quarantine the email in the first place.

This is a very powerful security mechanism to have in place and I would recommend this to enable at all times.

Contact us for more info.

Kind regards

Erwin van Londen

Enhancing Credential Management Across Enterprises: EvL Consulting Partners with Keeper


In an age of escalating cyber threats, safeguarding your organization’s sensitive data is no longer optional—it’s imperative. We’re thrilled to unveil an extraordinary partnership that marries unbeatable affordability with top-tier security. EvL Consulting has joined forces with Keeper, a trailblazer in password and identity management, to introduce a game-changing Managed Service Provider (MSP) solution. This collaboration empowers businesses to bolster their credential management practices without breaking the bank, all while ensuring unyielding data security.


A Budget-Friendly Approach to Credential Management

At EvL Consulting, we understand that every business, regardless of size, deserves access to premium cybersecurity solutions. Our partnership with Keeper reflects this commitment by delivering enterprise-level security that remains accessible to organizations of all scales.

Balancing Security and Affordability

Here’s why enterprises should seize the opportunity to enhance their credential management practices through the EvL Consulting and Keeper partnership:

  1. Cost-Efficient Solutions: The cornerstone of this partnership lies in providing cost-efficient yet powerful security solutions. EvL Consulting and Keeper have collaborated to offer budget-friendly packages that cater to your organization’s financial constraints without compromising on the effectiveness of the security measures.
  2. Cutting-Edge Encryption Without the Premium Price Tag: Keeper’s cutting-edge zero-knowledge security architecture, renowned for its efficacy, is now available at a price point that doesn’t strain your budget. This robust encryption ensures that sensitive data remains inaccessible to unauthorized users, safeguarding your organization’s integrity.
  3. Affordable Multi-Factor Authentication (MFA): The integration of MFA, a potent defense against unauthorized access, is seamlessly woven into the credential management process. This additional layer of security ensures that your organization remains protected without incurring exorbitant costs.
  4. Streamlined Implementation: Keeper’s user-friendly interface and straightforward implementation process reduce the need for extensive training and support, saving both time and money.
  5. Scalable Solutions: As your organization grows, the partnership offers scalable solutions that evolve with you. This flexibility ensures that your security measures remain robust and aligned with your changing needs.

Empowering Your Organization Responsibly

As stewards of your organization’s digital well-being, EvL Consulting and Keeper recognize the need for a balanced approach. The EvL Consulting and Keeper partnership empowers businesses to fortify their credential management practices responsibly, ensuring that security remains paramount while staying mindful of your financial realities.

In an era where data breaches can have dire consequences, it’s time to take a pragmatic and budget-conscious approach to security. Elevate your organization’s credential management with the winning combination of EvL Consulting’s expertise and Keeper’s advanced technology, all within a budget that makes sense for you. Safeguard your digital assets, protect your reputation, and secure your future without sacrificing your bottom line. Partner with us today and embrace a more secure and affordable tomorrow.

Contact us for more info.

The Anatomy of a Strong Password: Fortifying Your Digital Security

In an increasingly interconnected world, safeguarding our digital lives has become paramount. One of the fundamental pillars of online security is the strength of our passwords. In this article, we will explore the characteristics of a robust password, the importance of techniques such as PBKDF2, hashing, and salt, and the advantages of using a password manager to enhance our digital defense.

  1. Length and Complexity:
    A strong password should be long and complex, combining uppercase and lowercase letters, numbers, and special characters. Longer passwords are harder to crack through brute-force attacks, as the number of possible combinations increases exponentially.
  2. Unique and Random:
    Avoid using common or predictable passwords, such as “123456” or “password.” These passwords are easily guessed and can be cracked in seconds. Instead, create unique and random combinations that are unrelated to personal information, such as birthdays or pet names.
  3. Avoid Dictionary Words:
    Password-cracking algorithms often include dictionary attacks that try thousands of common words. Using dictionary words makes it easier for attackers to guess your password. Instead, consider using passphrases – a series of random words – that are easy for you to remember but difficult for others to guess.
  4. Password-Based Key Derivation Function 2 (PBKDF2):
    PBKDF2 is a cryptographic algorithm designed to protect passwords against brute-force attacks. It uses a process called key stretching, which slows down the password hashing process, making it more time-consuming for attackers. PBKDF2 incorporates multiple iterations, increasing the computational cost of each attempt.
  5. Hashing:
    When you create an account or set a password, websites and applications do not store the actual password but rather its hash value. Hashing is a one-way process that converts your password into an unreadable string of characters. This way, even if a data breach occurs, attackers won’t have direct access to your password.
  6. Salt:
    To further strengthen password security, a salt is added before hashing. A salt is a random value that is unique for each user, making the same password appear differently in the database. Salting adds an additional layer of complexity, thwarting precomputed hash tables or rainbow tables used by attackers.
  7. Two-Factor (or Multifactor) Authentication (2FA/MFA):
    While not directly related to passwords, enabling 2FA adds an extra layer of security to your accounts. It requires a second verification method, such as a temporary code sent to your mobile device, in addition to your password. This ensures that even if your password is compromised, an attacker still needs physical access to your secondary authentication method.

Benefits of Using a Password Manager:

  1. Enhanced Security:
    Password managers generate and store complex, unique passwords for each of your accounts. This eliminates the need to remember multiple passwords, reducing the likelihood of weak or reused passwords. By having a strong master password for the password manager itself, you only need to remember one secure passphrase.
  2. Convenience and Efficiency:
    Password managers streamline the login process by automatically filling in your credentials across websites and applications. This saves time and effort, especially when managing numerous accounts. You no longer need to struggle with forgotten passwords or resort to less secure practices like writing them down.
  3. Encrypted Storage:
    Password managers encrypt your passwords and store them in a secure vault. This means that even if an attacker gains access to your password manager’s data, they would still need the master password to decrypt and access your credentials.
  4. Cross-Device Synchronization:
    Modern password managers offer synchronization across multiple devices, such as smartphones, tablets, and computers. This ensures that your passwords are readily available wherever you need them, without compromising security.

In an era of increasing cybersecurity threats, protecting our digital identities and accounts is of utmost importance. By adhering to the characteristics of a strong password, leveraging techniques like PBKDF2, hashing, and salt, and embracing the use of a password manager, we can fortify our defenses and minimize the risks associated with online security breaches. Remember, a strong password is the first line of defense in safeguarding your valuable digital assets.

Multifactor Authentication Demystified

Multifactor Authentication Demystified

Multifactor authentication (MFA) is an essential security measure that adds another layer of protection to user accounts and systems. There are several methods used for MFA, including SMS, push notifications, phone apps, and hardware tokens. Each of these methods has its own set of pros and cons. However, hardware tokens offer distinct security benefits over the other options.

SMS-based MFA involves sending a one-time password (OTP) to a user’s mobile phone. One advantage of this method is its simplicity and widespread availability, as most people have mobile phones capable of receiving text messages. However, SMS-based MFA has drawbacks. It relies on the security of the mobile network and can be vulnerable to SIM swapping attacks or interception of SMS messages.

Push notifications leverage smartphone applications to deliver authentication prompts. This method offers convenience, as users can simply tap a button on their device to approve or deny access. Push notifications are generally more secure than SMS, as they are not reliant on the phone number or SMS infrastructure. However, they may be susceptible to device compromise, such as malware or phishing attacks. As with SMS, push notifications can become subject to abuse as a result of malicious actors sending an SMS or push notification storm. That would lead to notification fatigue, and it would only take a single mistake, tapping OK instead of Deny, for a malicious actor obtaining access to the account.

Phone apps, such as authenticator apps, generate OTPs that are time-based and tied to a specific user account. They provide a higher level of security compared to SMS or push notifications, as they are not susceptible to interception. However, phone apps still rely on the security of the user’s smartphone. If the device is lost, stolen, or compromised, the security of the MFA method may be compromised as well.

Hardware tokens are physical devices, often in the form of a key fob or a smart card, that generate OTPs or have built-in cryptographic capabilities. Hardware tokens offer the highest level of security among the mentioned options. They are not dependent on the security of a mobile phone or computer, making them immune to malware or phishing attacks targeting these devices. Additionally, hardware tokens are typically resistant to tampering or cloning attempts, providing a high level of assurance. However, hardware tokens can be more costly to deploy and manage compared to other methods.

In summary, while each MFA method has its own advantages and disadvantages, hardware tokens offer distinct security benefits. They provide an extra layer of protection by removing reliance on potentially compromised devices and are resistant to various attack vectors. However, the choice of MFA method should consider factors such as cost, user convenience, and the specific security requirements of the system being protected.

Kind regards

Cybersecurity is Virtual Combat but very real

Cybersecurity is Virtual Combat but very real

I’ve spent 6 years in the army, and the most important thing any soldier relies on is training. Be drilled to the core of your bones ensures that in highly stressful situations, and you do not get more stressful than in combat, you do not act impulsively or irrationally. As it is instinctively ingrained into your brain, you can very quickly draw on your knowledge to make correct decisions. It also ensures that you can rely on your mates and they can rely on you so that the whole of the organisation runs effectively with the least chance of casualties.

Cyber defence is not much different from an operational perspective. Although we’re not talking of immediate life and death here, the survival of a company could well rely on your responses of a cyberattack. Not being prepared is the most stressing issue for any CISO (Chief Information Security Officer) in any organisation.

Continue reading

Avoid endangering your customers?

Getting emails which contain all sorts of malware, viruses and other nasty content is bad enough as it is. It significantly hinders productivity, can infect many parts of the organisation and will, in most cases, be a very costly exercise to recover from, both financially and from a reputational aspect.

Now imagine that this has a flow-on effect on your customers, where malware is propagating itself via email to your customers by harvesting contact details from various parts of your infrastructure. Whether this is a contact list in your Outlook, a spreadsheet that got exported from your CRM solution or any other source this software can get its hands on.

Continue reading