Given my occupation as an Information Security professional, I figure I should post a blurb on the tail end of October, which happens to be National Cyber Security Awareness Month.
Cyber Security has become all-encompassing in daily life thanks to how integrated Internet connectivity has become in everyone’s lifestyle. Whether it is shopping (e-commerce), communication (email), entertainment (streaming video), or social (media), a large majority of individuals are connected in some way or another to the Internet.
Whether through work or through personal life, I continuously come across instances of individuals that get compromised in some way or another by way of Internet (or Cyber) connectivity. The most common issue at hand is user accounts being compromised (or often dubbed incorrectly as being ‘hacked’).
While not 100% effective, these mitigations will keep you in the upper 97% percentile of Cyber Security.
- Use a good passphrase. Note that I did not say password. The term passphrase infers a long string of words as opposed to the term password, which implies just a word. Thinking passphrase as opposed to password will instill the use of more secure secret strings. Once you have that mantra instilled in your mind, then apply it. Gone are the days of using your pet’s name combined with your birthdate (e.g. daisy031090), or a generic word with 123 appended to the end (e.g. secret123). 20 character random strings are certainly secure (no one will be able to guess Az36P6Vbm*v!^9ZYV*@H), but random strings are difficult to remember. So think sentences. Try using a passphrase that is a song lyric. For example, nevergonnagiveyouup is a 19 character passphrase that is pretty simple to remember and is not easily dictionary attacked. That same password is exponentially more difficult to guess, crack, or brute-force by simply modifying and adding some characters to match some common required password complexity policies. For instance, Nevergonnagiveyouup.2018 is 24 characters long, has four character classes: 1) uppercase letter, 2) lowercase letter, 3) number, and 4) non-alphanumeric.
- Change your passphrase regularly. While I am guilty of not doing this on 99% of my accounts, changing your passphrase regularly will help prevent accounts from being compromised. While it prevents constant access (assuming someone obtained your password), it limits brute-force or guessing since by the time an attacker guesses your password, it has already changed to something else.
- Use Multi-factor authentication whenever available. This is one of the top mitigators of account compromises. Multi-factor (sometimes called two-factor) authentication requires something you know and something you have to login to your account. The most common two-factor authentication is having a username and password (something you know) along with a token (something you have) that is typically time-based and one-time use. For instance, Google has multi-factor authentication available for Google accounts, that requires a Time-Based One-Time Password (TOTP) that is a 6-digit code that is generated using the Google Authenticator app. Some services will send a six-digit (or longer) code to your phone via SMS as the second-factor token. While SMS codes are less secure (and proven to be exploitable through SIM hijacking), this is better than nothing since SMS interception does require significantly more work to execute on a victim. Many online banking, social media, and e-commerce sites use multi-factor or two-factor authentication in some form.There is absolutely no reason why you should not have multi-factor or two-factor authentication enabled on any service that offers it. Facebook, Instagram, Twitter, Amazon, BofA, Chase, Google, and countless other services provide multi-factor (or two-factor) authentication for their users.
- Do not use the same passphrase for more than one account. I have personally investigated incidents where a person’s username/password for one service was compromised, and the password was used by that person with their email address on various other Internet sites (e.g. Amazon, Facebook). Using unique passphrases on all accounts means that if one account passphrase is compromised, the attacker cannot use that password to access your other services/accounts.
- Use a password management tool. This will make #1, #2, and #4 above much easier to do. Password managers such as LastPass and 1Password basically store all your username/password pairs in a secure vault. When you need to login to a given service, you log into your password management tool, which then autofills your credentials on your behalf on a given website. Use multi-factor authentication on your password manager to keep your vault secure.
This are my basic tips for Cyber Security. The methods of mitigation above have been available for several years now, and yet most people still do not follow these best practices.
Images in this post were provided by the National Cyber Security Alliance via https://staysafeonline.org.