How Do I Sign Maryland Banking Presentation

How to industry sign banking maryland presentation secure

hello again as you know I'm Eli the computer guy over here for everyman IT and today's class is user account security theory so uh so you may hear that name and you may wonder why I am going to waste thirty minutes talking about user account security uh it seems pretty simple you have a user name you have a password that's the theory that that's all there is to talk about you may understand that there's a little bit of a you know password complexity you can make a passwords expire that type of thing but you may not think that user account security is very complicated or it or it's that much of it of a deal well the thing is over the years it has become more and more important especially for IT professionals especially for people that are going to be implementing the systems for their clients now when I started in the in the IT field you know back in the 90s really for user account security you only had to worry about two things you had to worry about user accounts on local computers so if somebody wanted to log in to a local computer you had to understand how the how the security worked on that and if the company had a domain controller you had to understand domain controller security issues for user accounts that's really all you had to worry about for user accounts so you had a local computer and you had the domain controller maybe maybe somebody was using yahoo mail or well Gmail wasn't even around back then you know one of those webmail clients but that was maybe and you know frankly everybody nobody thought those things were very secure anyway so so so no really secure crap was stored on those systems but that's all you had to worry about the local computer and the domain controller well now in the age of cloud computing of diversified applications and services user account security is more and more and more important because user account security is what is going to keep your data your documents your pictures your statistics etc secure from hackers and people that may want to do you harm so like I say back in the old day you may log in to your local computer you may log in at the domain controller that's all you had to worry about well now you may log into your local computer and you may log in to your domain controller and you may log in to your statistics account and you may log in to Salesforce and you may log in to some customized web app that somebody developed for you and you may log in to the bank account for your business now instead of worrying about one or two systems that you have to log into you know the average person may be logging into ten or fifteen systems in a given day you know for for the work I do in a given day I probably log into fifteen to twenty different systems that do different things now that there are so many systems out there you really under have to understand how user account security works in order to try to protect those systems from nefarious people that that may try to do harm to your business steal your information etc the thing to understand with all user account security is is that most of it works off the same basic principles so so Windows user account security has the same principles as email accounts as security has the same principles as quickbooks online security they all use the basic same security concepts that try to secure user accounts so if you understand the overall the theory of how you're supposed to try to to to to control user accounts it will make it easier to secure all these different accounts you have all over the web and in your business so today we're going to be talking about usernames so you know Eli Etherton at at Eli the computer guide.com we're going to talk about login name so this is the name that you actually use to log into your account we're going to be talking about passwords and we are going about talk about securing sessions these are the things that come together to form the basis of user account security so so give me a second put a few things together and then we'll dump in dive into this class user account security theory so the first thing that we should talk about is user names and login names because this is a very important component for protecting your systems protecting your web applications from hackers trying to get into them now the first key to using user names or login names to try to protect your systems is to rename default accounts for any of the systems that you have up and running so that this is this is an age-old security practice going way back to the Windows NT and before where when you set up a Windows NT server or a Windows Server any type the first account that is created is the administrator account the administrator account is the administrator account for the entire computer it is the root account for the entire computer it's always created well so the username for the administrator account by default is administrator and then the password is whatever you decide to plug in well back in the day and and how people still do this with with real servers is remember if somebody is trying to log in to a user account they need two pieces of information they need a username and then they need the corresponding password for the username so if they know what the username is they already have half the information they need to hack your server or to hack your accounts so what you can do is rename these default accounts so let's say administrator here now if I want to protect my systems so people try to don't try not to hack the administrator account I may rename the administrator account to Billy Bo Bob so the administrator account is is no longer called the administrator account the administrator account is now called Billy Bob ah so if I as the administrator want to administer the server or administer the service I would log in as Billy Bo Bob and then whatever the password is now hackers are not just going to think off the top of their head that I'm going to have a administrator user account called Billy Bo Bob so what they're going to be doing is they're going to be sitting there plugging in the username administrator and then trying to figure out what password you might have put put in so you do administrator maybe it's a phone number maybe it's the address maybe it's a date of birth but they're going to be trying to log in as the administrator well you rename the administrator to Billy Bo Bob so no matter what password they plug in for the administrator account they will never be able login because the user name is now Billy Bo Bob and they don't realize it so the first thing you can do for user names and login names is simply rename the default user accounts that are created in whatever system that you are using remember this user accounts security we're not just talking about Windows we're not just talking about Linux we're not just talking about Gmail or premiere apps or any of that we're talking about all the different services that you may be logging into so the first thing you can do is rename the default accounts this is an incredibly good idea like I say you just you just come up with a new name and I don't unless you put it out there on a bulletin board service no hacker is going to be able to figure this out now the next thing to realize with user account security as I talked about user name and login name I suppose the login name should actually be login username now what do I mean by this well what you should realize is when you log in to a computer you know it says give me your username and give me your password so you put in you know whatever username here Billy Bo Bob right now when you create this login name many times this will be the default username that is presented to the rest of the world so if you create an account let's say at hotmail and you create a login name of Billy Bo Bob then your email address let's say at hotmail will be Billy Bo Bob at hotmail.com so your your login username and your username become the same thing by default now what is the problem here the problem here is now if somebody is trying to hack your account one they know what service you're using hotmail so they know what service to try to hack and then because this is the default option they also know what your username is so they know I'm going to now hack hotmail with the username of Billy Bo Bob and now all I have to do is figure out the password so they know the service you're using they know the username you're using and now they're going to try to figure out what kind of password you're using you know using whatever kind of hacking tools they use well just because this is the default setting does not mean that's what you always have to do especially in the windows world and a lot of the server worlds you can have a different login username and username so what you can do is you can create a login username of X 1 3 2 Z X I don't know B and this corresponds to elide Etherton at eli the computer guy com so now this is going to be different upon whatever application whatever server or service you are using but you can create a login username that has nothing to do with the username that the rest of the world is going to see so again let's say somebody is trying to hack my accounts they're going to go down and they're going to see this UI dot Etherton so they are going to assume this is my login username so what they're going to do is they're going to you try to use this login username with whatever password they think will get them into the system well if my login username is actually x13 to zxb well then they're never going to be able to get into the account because you know because that's not my actual username so the important thing is this is this is a especially like I used to do this a lot with a Windows Exchange servers so somebody can log in with one name but then their email address that gets sent out to the rest of the world will look entirely different so the login username and the username that the rest of the world is going to see do not have to be the same thing again this is a very good way to secure your systems now finally so we talked about renaming default accounts very big deal and we've talked about creating different login names versus user names again very big deal with that last part it will all depend upon the systems or services that are you are using like I say in Windows you can do it and Linux you can do it you know if you're using Google Apps I don't know if you can do it they're all depends upon whatever service you're using but it is something to look at your login name can be different than the world than name given out to the rest of the world now the last thing that's very important is whether or not the username will show up in the login box when an application first opens up so whether it is a is a desktop computer and when it first boots up you come to Windows login screen the question is will the person's login name be in the box already filled out so again whether it's a win computer whether it's your bank account of service whether it's you know QuickBooks etc you know you do not want your user name showing up automatically because of remember if a hacker has this username then he has half the information to try to hack your account so the last way you try to secure your accounts using your username is don't have your username displayed automatically when a login box pops up again in Windows you can go into the settings and make that happen with with any of the web services out there you can just uncheck a box or whatever for whether the login name will show up but realize you know some an office cleaner could be coming through the office turn on your computer and see what the login is there again somebody trying to hack or break in if they can pull up this username they have half the information to try to hack into your account so this is the first part for user account security theory is securing the username and the login username for your accounts so the next thing that we need to talk about is password security theory now this is something you know if you type if you read any security book they're gonna go on about this for a long long time so we're not gonna waste a lot of time on password security theory because you've probably already heard it before but we will go over to make sure you really understand what is going on now the first thing that we need to talk about when we're talking about password security theory is password complexity basically this is a very incredibly stupidly simple concept the idea is the more complex you or your users make your passwords the less chance there is that some hacker out there is going to be able to guess what your password is you know if you make your password then the name of your dog and it's an all lowercase somebody can probably figure it out so if you make it the name of your wife and all lowercase somebody can probably figure it out the easier it is for you to remember the easier it is to be hacked one of the other problems with very simple passwords is the simpler your password is the easier it is for people to remember now me especially as a technician you know I would go to a lot of people's offices I would hear a lot of passwords and a lot of people were surprised that a year after the last time I had been to their office I still remembered their password well the reason was is because their password was so darn simple it was pretty easy to remember so the simpler you make the password you know the more chance there is that that you know somebody in the office will overhear what your password is somebody in the office will be a big guess what your password is remember when you're dealing with hackers everybody's always worried about about all these people on the internet trying to come in and destroy your server and hack you from China the reality is the person most likely to do the most amount of damage to your business is a fellow employee employees are the ones that cause the most havoc on all computer systems in businesses it's it's it's just how it is whether it is an irate employee that is about to get fired so they decide to try to delete as much crap as possible whether it is somebody competing with another employee so they want to make themselves look good or the other person look bad so they believe all the other person's email just remember that the person most likely to be the people that you have to worry about are actually your employees I'm not I'm not not trying to be pessimistic on this it's it's just kind of like one of those fact of life things so the simpler you make your password the more chance there is that your fellow office workers are actually going to remember what your password is would be able to guess it and then just do all kinds of nasty damage to you so the first thing when you're thinking about password complexity is that your password should be at least 8 characters long this is just kind of like the standard 8 to 20 characters long is is what people use and security the problem is with 20 characters 20 characters was probably the most secure password that you're ever going to need but you're also actually gonna have to remember that this massive thing so that can be a real pain it button 8 is usually good then with those 8 characters you should put in lowercase letters uppercase letters and numbers at the minimum so you you mix up what's in that password now what most people do is let's say you know Billy Billy Bo Bob won this is what most people use for passwords so they come up with a name in their head they make the first letter uppercase because you need an uppercase and then they put a 1 at the end now of course this is more secure than just having all lower cases but not that much more secure because people can probably guess what this is if you're going to use something simple try to mix up where the capital letters and all that are so instead of making the the first letter in your password capital maybe you do B I and then you do L then lowercase L uppercase Y B let's say o and then do one be something like that so you mix up the upper and lowercase letters and where the number sits in this password that will make it harder for people to try to figure out or remem like I said if you do uppercase B this this ri ht here is what everybody does this is what 98% of the population does and it's incredibly easy to hack because if you can figure out what this part of the password is then all you do is you make the first letter uppercase and you put a 1 at the end and you're done you've hacked the account whereas if you do something like this this is just a mess all the way around so this is something that you should be looking at with password complexity and like I say whenever I have anybody do passwords most of the time I tell them don't make the first letter the capital if you're gonna put a capital in there I don't know make the B over here the capital mix it up don't don't make it the first thing and don't put one at the end everybody puts one at the end so that's the first thing when dealing with with password security eight eight to twenty characters mix it up and you should be good now the next thing is that you should have a system for routinely changing the password for your accounts now I was in one of the security seminars and the guy the head of the seminar said approximately 90 percent of the population uses the exact same password for all of their service and computer accounts so the password they use on Gmail is the past where they use on the domain controller is a place where they use for for QuickBooks etc you do not want this every single account that you use should have its own password so QuickBooks Quick Books should have a password gmail should have its own password you know etc etc because if somebody can figure out what password you use for QuickBooks and you use the same one for Gmail and you use the same one yeah down the line then they can now hack all of those accounts very easily if you use a different password for every single service you use then even if a hacker can compromised one account they're not compromising every darn account you have this is something that's very important and then with that that every account you should have should have a different password you should change your passwords fairly regularly I would say every 30 days the reason is is because you know if you keep passwords around longer than 30 days the chance is that somebody is going to guess it figure out what it is hack your account etc exponentially go up if if you change your password every 30 days worst case scenario they can get into your account for 30 days and then you change your password and now they no longer can get into your account the big thing and this is what what you know when I talk about security there's a difference between what people think security is about and what the real world security is about now the reason why it's important to try to shut hackers out of your accounts is because many times hackers are not trying to damage or disrupt your systems you may not realize the hacker has compromised your QuickBooks or your Gmail etc they may be just sitting there and reading all of your emails let's say you have a competitor I know here in Baltimore I had a lot of clients that have had nasty evil competitors so the competitors if they could hack into their competitors email account they may not want to delete anything they may not want to screw with anything they just want to get all the contact information they just want to read every single email that goes through you know if you're bidding on contracts they're bidding on a contract you're bidding on a contract well if you can if you can read the CEOs email of your competitor and see what he's sending back and forth then you may be able to lowball the bid so you can see hey look my competitor has just said that they're gonna submit a bid for a million dollars so I'm gonna submit a bid for nine hundred and seventy-five thousand dollars see that is the kind of thing that can happen when hackers get into your account remember hacking is not always about damaging systems a lot of times it's about seeing what's going on it's about siphoning information information technology you know good or bad so what you want to do is again make sure every single service account you use has a different password and then change it like I say every 30 days if you can't get every 30 days when you do change it you know all the hackers if they've got it into your accounts will get shut out of your accounts this as a pretty important thing so that's the the basic concept of password security we talked about password complexity again and that's something that almost everybody talks about you know eight characters long use uppercase use lowercase use numbers etc the main thing I would tell you is just don't make the first letter the only capital and a password that's what everybody does and don't just put a one at the end that's what ever does but he does throw some of that stuff in the middle the next thing as I said again and again and again use different passwords for all your accounts and I would say change them every 30 days this is a really important thing you know if you need a book I have a little book for all of my passwords that's not necessarily a bad thing you know you have a little book or if you have something in your wallet to keep track of all these passwords because you know if you get 20 passwords a lot passwords to remember especially you're changing it every 30 days do that but but that would that will be secure that that will keep your account secure as long as nobody steals your password book I guess now the last thing that we need to talk about he's securing your accounts through session security so so what is session so sessions are the connections between your computer and whatever server is providing you the service this may be the domain controllers in a Windows environment this may be they be the Gmail server this may be QuickBooks it's may be you know any any one of those services out there but the main thing to understand is whether you were using Windows whether you're using Linux whether you're using QuickBooks etc you can put in session security to try to protect your accounts from being in hacked and it's very important to do now one of the first things that you can do to try to protect your accounts is one of the easiest things that you can normally do is you can have time of day security what this means is that you have whatever user accounts only available you can only log in to them during certain times of the day this is a very useful thing within Windows servers Windows domain controllers you can do this pretty easily and depending on what other software you're doing you should be able to do it all so basically within like a Windows server you can say I want my administrative staff to be able to log into their accounts between 8 a.m. and 6 p.m. if they're logged into their accounts past 6 p.m. they will be automatically logged off their accounts it'll be be forced logged off so why you do this is you if you have administrative staff or if you have hourly staff they are not going to be doing work at midnight they should never be doing work at midnight but somebody that might be trying to do work at midnight is a hacker so what you do is you set it up so the only time the user account is available to be logged in is during normal business hours if it's after these business hours nobody can try to log into the account that way it's secures the account from somebody at midnight or one o'clock in the morning or 10 o'clock etc trying to hack into the systems this is very useful like I say you know the hackers aren't always from China it might be the cleaning crew so you a cleaning crew coming in at 10 p.m. every night they have access to all the local computers they have access to all the systems so well you know they decide that hey maybe if they they steal a little bit of information they can sell it to - to your competitor well they go in they try to log in no matter what username or password they use they will not be a belong in the systems because the systems have been locked by time of day so time of day is a very important thing for trying to secure user accounts using using sessions the next thing that you should look at and this is very big for Web Services is length of session what this is is how long will the session stay open if there is inactivity so you know somebody sits down to let's say QuickBooks in there they're typing in invoices and all that now let's say they get up and they go to the bathroom now if somebody stops typing in you know to an application you do want that application to be available for awhile but the question is how long do you want it to be available now what happens with secure software is when you stop you know typing in when you stop interacting with with the application it will log you off after a certain period of time it might be 10 minutes it might be 30 minutes etc the reason is is because if you don't do that let's say you know again the accountant is sitting there typing all the information into QuickBooks let's say he gets up he decides to go to the bathroom he doesn't walk his computer doesn't log off because he figures he'll be back well on the way back from the bathroom he runs into somebody he needs to talk to well that person has an invoice he needs to work on that had buh-buh-buh-buh-buh suddenly he has a lot of stuff to do all of a sudden the entire day has gone by he hasn't realized you know wow he used so much time he goes grabs his coat and he leaves now if the session the length of session is not set to automatically log off and now that QuickBooks account is sitting open for anybody in the world to go into and you know look at accounts create checks to do whatever it is they want to do so what you need to worried about he's controlling the length of session what you're going to have to decide is depending on on what what your users your clients are doing you know do you put it at ten minutes you put it on thirty minutes you put it at sixty minutes this is a very common thing like I say within web applications if you're dealing with Windows you know you can go to the settings where for password control you know have the screen saver come up after 30 minutes you don't require a password that's how how you can deal with this the other thing to remember with a length of session is even if the application is closed so let's say you you have let say Gmail you have Gmail open right you're reading Gmail you go I'm done with Gmail and you closed Gmail so you actually close the Gmail the Gmail application that does not necessarily mean the session is closed so you close the Gmail application you walk away to go to the bathroom have lunch etc well what can happen is if the length of session isn't set to terminate that session after a length of time secretary can come in hacker can come in anybody can come in they can go to your computer they can reopen Gmail and all they have to do is go to like gmail.com and then your email account is sitting right in front of them why because the session itself was never closed you closed the window but you did not close the session so that's another reason though the length of the session can be can be very important now one of the things you can do especially when you're doing Web Apps is you can also discriminate based on location of this session again within the Windows domain world you can do this using organizational units and kinds of stuff but mainly with web applications let's say you create a web application that you want all of your employees to be able to get to now your employees all live let's say they're live around here and they live in Maryland so you want them to be able to get to that web application well the thing is if you put it up on the web most people think well then that means if people are in California you know Cal people from California try to hack into your web application people from Tennessee can try to hack into your web application people from China can try to hack into your web application well one thing you can do is you can secure your web application by geographic location so you can say within the web application if it's set up I only want Internet users coming from Maryland to be able to access this web application you can even restrict this further into things like IP addresses depending on how much control you have of your your web app to say I only want this series of IP addresses to be able to gain access to this web application so this is a good way to secure the session so the session is the communication between the computer and the server what happens is when the computer connects the server the server is gonna say hey where are you the computer is then going to say where it's at so if it says Maryland then the server will say oh ok here's the web application if the computer says Texas the server will say session cannot be completed you're in the wrong location so this is a way that you can secure your web applications again even if they're up on the web even you know if they're sitting at a data center I don't know in the middle of Russia still you can say in that data center in the middle of Russia I only want users who reside in Maryland to be able to access this account so this is one of the ways that you can secure the sessions now the final way you can secure your sessions is through a token of some kind this is becoming more token more important in the web world you know more and more people trying to access these web applications is you can have something on the computer to denote to the server that the computer should have access again to the web application this might be one of those little little Donne goals or though those like those little USB keys you plug into the computer so you may plug that into the computer the computer you computer will talk to the server the server will say give me information off that little USB dongle then if that dongle is there the computer will then allow this client to have access to the services this is something that gets used nowadays so that can be very useful because that means only the people that have that little USB key or dongle are able to get onto your system so these are the different ways that you can secure your user accounts using sessions again one that the easiest best ways is through time of day basically you say people with these use your accounts can log in at business hours if it's after business hours they can't log in but that's kind of like a no-brainer I mean really everybody in the world should do that if everybody did that the world would be a lot more secure for computers then it's the length of session again a very important thing sessions should time out if users are not interacting with the computer or the application you have to decide based upon your users how long that should be is it 10 minutes is it 20 minutes is in an hour is it 5 minutes I can't tell you but if the user isn't playing with the session they they should be locked out they should be logged off of that session the next thing with that length of session that becomes very important is remember the session is different than the window that you use to interact with the server so you can close like I say you can close your Gmail window but the session is still active so if somebody comes back to your computer and opens up another window to Gmail they will be looking at your email account because although you close the window you did not close the session that's one of the important things with sessions that they always try to tell you that you should know is whether you're using online banking whether you're using online QuickBooks but they're using Gmail Hotmail whatever always click that little log off button that log off button manually kills the session itself like I say the session is the thing that you have to worry about for security here because if that session is still open somebody can just reopen a window and start accessing whatever you had open up beforehand so that's the basic concept of using sessions for security so that was a class on user account security theory uh like I said I hope you got something out of this nowadays user account security theory is more important than it has ever been the past like I say you know years ago when I started in the computer industry you had the local compute login information and you had the domain controller login information so whether you used Windows domain controllers or Usenet where domain controllers those were the only things that you had to worry about now in modern business and modern life you know the average business user may have 10 20 30 different accounts that they have to log into on any given day to get their job done you know Google accounts QuickBooks accounts you know a hosted email hosted Outlook accounts all these things are now hosted and so each one of them has its own usernames has its own password has its own sessions so the better you understand the concepts behind securing these user accounts the better you will do at looking at these services that you're using and trying to secure them like I say you know why this is a theory class versus me sitting down in an actual computer and showing you how to do it is the options really depend on what service you're using you know Gmail has security options that hosted outlook doesn't have QuickBooks has security options that you know a custom application may not have it's all really depends on whatever product it is you have purchased and you are using we talked about the user name and login name and how they are different and that's very important if you can make a login username different than the username shown to the world that really can secure your systems because like I say when the login information it has two parts it has a username and it has a password if the people don't know if the hackers have no idea what the username is it makes their life twice as difficult so you know and they may be using like I say eli dot Etherton to try to log in when really it's XYZ x bv e for so they're gonna sit there for years trying to use eli Etherton and it's it's it's not going to work for them we talked about password complexity you know you should have at least eight digits or eight characters in a password uppercase lowercase and numbers the main thing that I will warn you and I will tell you is what 9899 probably about a hundred percent of population does is they they come up with a really simple password and then they make the first letter uppercase and they make the last letter or less glass character one that's what everybody does don't do that make it very least make one of the middle characters the uppercase character and make the the last number five four six or something you know you guys just do something different than everybody does don't use your dog's name your wife night wife's name your cat's name etc people really do do that and it's a bad thing remember the simpler your password is the more likely it is that people are going to remember it and remember your enemy is most likely not the hacker in China your enemy is most likely the person sitting right beside you that would really like your job they really want to pay raise so if they can prove that you're a complete idiot they might get promoted to your position it's a sad but but it's true the next thing is to remember to change your passwords routinely again I would say to change your passwords about every thirty days the reason is again you know everybody thinks hackers are there just to destroy and wreak havoc a lot of times hackers get into accounts simply to collect information you know they're doing data mining just like you know the IT industry does so like I say a competitor hacks into your email account and now they're seeing all the information going between you know your employees and you know project managers etc you know if you were competing on a bid they may see that you're gonna put in the bid at a million dollars so they'll bit put in the bid at nine hundred and eighty thousand dollars and they win the bid and you have you know how did they do that well the reason was it because they could just sit there and read all of your information you know if you're getting new accounts etc the final thing with passwords is use different passwords for all of your accounts again those fifteen the thirty accounts all should have different passwords the reason is is because if somebody can guess the password for one account and it's the same for all your accounts now not only have you compromised QuickBooks but you've compromised outlook you've compromised your bank account you've compromised yada yada yada this this can be a real problem and again the problem gets more it gets worse because a lot of times people use the same password both for their business account and both and their personal accounts so so let's say your your office environment is very very very secure no viruses know hackers etc but you go home and you know you're using the computer that your teenage son was was looking at porn at a little while ago well it's got viruses and malware and all that crap well that computer at home can now try to collect all your user name and password information send it off to the hackers and now the hackers can try to use that information to compromise your business system so all of your accounts should have different passwords I know it's a pain in the butt if I say I have a little book it's not a bad thing to do the final way to secure user accounts is through session security so session security is a communication between the client computer and the server so you know whether this is a domain controller or whether this is email server where there's a QuickBooks server you're seeing your computer your computer Troy this goes to talk to the server that that's a start of the session and you can secure that session so that people can't access services that they're not supposed to be able to access the first way you can do this is time of day this is really the easiest way to secure user accounts is basically you say this user account can only be accessed during our business hours so again if the cleaning crew tries to come in or some Chinese hacker tries to hack the account at midnight well they did at midnight the account is disabled so no matter what they do they will not be able to hack that account the next thing that's very important is limiting the length of sessions the time out variable so how long will the session stay open if somebody is not interacting with it so you know you've probably seen this with Windows computers where after 10 minutes or 20 minutes or 30 minutes you'll get a screen saver and when you hit a key to get out of the screensaver it'll ask you for your login information again that's basically a timeout of the session this is very important also because remember just because you closed a web browser window does not mean you've closed the session so you can say you know I'm done with your email I'm done with QuickBooks I don't look at this anymore you click the X on the browser that closes the browser you go home for the day you know the cleaning person comes in your competitor comes in etc sits at a computer reopens Gmail and the computer doesn't even ask you for your login credentials because this session is still open so that that's the thing is make sure that session times out you know after a reasonable amount of time the other thing always to tell all all of your clients your users is always to hit the little log off button in whatever web application that they are using that web that log off button manually terminates the session so somebody can't hack into the session later the next thing you can do is you can do a location fill train for sessions so this is the you know if you're dealing with web applications etc you can say I only want users that are in Maryland to be able to access these web services if somebody tries to hack the account from California Texas etc they are not going to be able to get into the web service because they're simply filtered out the server will look at where they're located where their internet look of connection is located I'll say you're in Texas I'm not going to deal with you or one a more secure way or the most secure way is you can actually restrict based on IP addresses so let's say you give all of your employees static IP addresses for their homes you plug those static IP addresses into that web application and when somebody tries to log into the web application it'll look at the IP address that the client has it'll go okay this IP address Mac is you're allowed to log in or it'll say this IP address it does not match and it'll just kill the session won't even allow anybody to try to get into it the final way you can try to secure sessions is again through through these little tokens or dongles you know you plug in a little USB thumbdrive security device into your computer the server will ask for information off of that little little USB key if you the key there is there it'll allow the session happen if it is not there it will not allow the session to happen so so these are the ways that you can secure your user accounts through sessions again this is very well I say it's very important you know think about what I'm talking about because again we're not we're not just dealing with you know Windows local computers or Windows domain controllers we're dealing with you know domain controllers and Gmail and hosted Outlook and hosted you know as your even even Windows Microsoft is putting all of their services online so so with all these services going online you have to be more and more secure about how your user accounts are secured you know again back in the good old days you know when I started out really you really weren't worried about hackers from China hacking local computers the only thing that you had to worry about was somebody in the office you know hacking computers now if you're using G you know Jude Google premier apps to do all of your your documents if you're using all these hosted services that means now people in China can try to hack in and get all of your documents so you're dealing with a much more risky environment from a security standpoint than you did a few years ago so understanding user account security like I say is really important so so that was a class user account security theory as you know I'm Eli the computer guy over here for every man I to comm and look forward to seeing over the next class