In the last edition of Cyber Summer, we reviewed social engineering and the many ways a hacker can manipulate information out of an individual. This week's topic is safe passwords and security. Passwords are your first line of defense. If a hacker can't access your information because of a strong password, that's more than half the battle.
Q: Are security questions a safe way of protecting my online account?
A: Security questions are a convenient way to recover a lost password, but they can also be a vector for an attacker. Avoid choosing security questions whose answers people can look up, such as your mother's maiden name, father's maiden name, first school, or any other detail someone can find by searching your Facebook, Twitter, or other social profiles. If an attacker can find this information, they can reset your password just as you could. Pick security questions that only you, or a close group of trustworthy friends, would know the answer to.
Q: What makes a password secure?
A: Passwords become more secure as you add character variety (numbers, symbols, capital letters) and, above all, length. Password-cracking tools typically start by guessing dictionary words and common patterns before falling back to brute force. Each additional letter, number, or symbol multiplies the number of possible passwords an attacker has to try, so the search space grows exponentially with length, and faster still when numbers or symbols are in the mix. I recommend including as many capital letters, symbols, and numbers as you can reliably remember.
On top of a secure password, you should also enable two-factor authentication. This is the process we have all been through where, after you enter your password, a code is delivered to a personal device via SMS or email and must be entered before the account opens. This adds a second, independent check at login so that the person logging in is far more likely to be the account owner, even if the password itself has been stolen.
Q: If I’m not supposed to duplicate passwords what is the easiest way to remember all of them?
A: If you can't remember your passwords, I would recommend using a secure password manager. You only need one master password to log in to the manager, and it will then fill in any saved login instantly on the site you need. Passwords can be extremely complex when there is no need to remember them all (e.g. $d5%@J@$J!k1kwq). It's important that you pick a reputable tool that encrypts its stored data, so that no one who obtains the password vault can read it. Personally, I use LastPass at my workplace. It encrypts my passwords and lets them be pasted into any login field it has access to. It shows up as a key icon in the top right of the browser, and clicking it brings up a drop-down of the saved logins.
If you don't want to trust third-party software to keep track of everything, there are still ways to make memorable passwords stronger. Try making your password a phrase. For example, instead of goldfish99, use iL0veg0ldf1$h99 or ilovegoldfishsince1999. The more characters and symbols, the better.
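To put numbers on the "more characters, more symbols" advice, here is a small added example (not from the original article) that estimates the brute-force search space and bit strength of the three passwords mentioned above. The guess rate of 10 billion per second is an assumed figure for illustration, and the alphabet sizes are the standard ASCII class sizes.

```python
import math
import string

# Character classes; once a password uses a class, a brute-force search
# has to include that whole class in its alphabet.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet covering every character used."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search of this length and alphabet must try."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force strength expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every candidate at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The three passwords from the article.
    for pw in ["goldfish99", "iL0veg0ldf1$h99", "ilovegoldfishsince1999"]:
        print(f"{pw:24} alphabet={charset_size(pw):3} length={len(pw):2} "
              f"bits={entropy_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

Note that the 22-character lowercase phrase ends up with a larger search space than the 15-character mixed one, and that these figures are upper bounds: goldfish99 is a dictionary word plus two digits, so a dictionary-based attack would recover it far faster than the brute-force estimate suggests.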
Q: What are some ways to make my building more secure?
A: Physical security is just as important as digital security when it comes to protecting your data. Data centers should always be locked and accessible only to the proper personnel. NIST recommends installing key cards with unique identifiers, which ties every door access to a specific individual and to the time the RFID card was used. It is also recommended that you install camera systems, along with DVR backups of the recordings, so that any break-in that bypasses the door is captured on video. If someone does get into your building and reaches your secure systems, the cameras will also catch that individual on tape, and with proper logging software in place you can trace their actions back to specific computers.
Besides keeping your hardware secure, you still need to secure your most important asset: your employees. Proper user training on password management and on recognizing insider threats can substantially decrease the chances of your business falling victim to a cyber attack. Setting up policies for day-to-day computer use that your employees actually understand is key to making sure everyone knows what is expected of them. If your IT staff is not equipped to train the rest of the staff on cyber issues, or isn't confident in many of the most current topics, it may be worth bringing in a third party for annual training on new threats and safer procedures. Even the most experienced staff could use a refresher on safe practices.
This is the 4th part of an 8-part series. To learn more about cybersecurity and safe practices, check out the links below:
Phishing
Safe Internet Browsing
Social Engineering
Safe Passwords and Security
IoT + BYOD
Rogue Access Points
Penetration Testing
What to Do After a Data Breach
Next week, we’ll be discussing the topic of IoT and BYOD. Submit your questions to info@hvtdc.org and tune into our social channels every Friday for the next update to our Cyber Summer Series!