10 Tips to Make a Secure Password

Having received a funny but rude post about passwords (email me at glyn@cmx.co.uk if you don’t mind and want to laugh), I was reminded that I haven’t published anything about passwords recently.
 
Regardless of whether you’re using a client PC, a server, a tablet, a smartphone, or any other digital device to access information, choosing strong passwords for the programs and services you use is essential. While a weak password is not always the primary cause of an IT service being hacked, it can greatly increase the scope and severity of a successful attack.

To help you make the most secure passwords possible – both for administrators and for end-users – I’ve assembled ten bits of advice that should improve the strength and effectiveness of your passwords. None of these suggestions provides enough security on its own, so I’d strongly suggest adopting as many of them as possible.
 
There are several third-party applications that can help you automate and enforce password policies or allow users to reset their own passwords, such as ManageEngine’s ADSelfService Plus and Specops Software’s Password Reset tool.
 
1. Adopt a password change policy
One of the best defenses against stolen passwords is to change the passwords being used regularly. There’s always a balance between security on one hand and usability on the other, so forcing password changes too often places an excessive burden on users. Who wants to be forced to change their passwords every few weeks? Enforcing password changes every six months provides a good balance between frequency and security.
 

2. Use caps and special characters
Passwords that consist solely of ordinary lower-case letters are easier for attackers to guess or crack. For example, a password like “waffle” can be recovered quickly by brute force, but something like “waff!E” would be much more difficult and time consuming to crack.
 
3. Avoid common words
It’s a tired old joke in IT circles: many users adopt some of the most obvious and most insecure words for their passwords, ranging from the ubiquitous “password” to their first name, the name of their company, or the brand name of the monitor they were staring at when they came up with the password. A password policy that doesn’t allow users to use common, easily guessed words like “password” can improve security substantially.
 
4. Develop a nonsense phrase
Some of the best passwords are based on nonsensical phrases that only make sense to the user that created them. For example, if the user has a dog named Ranger that likes to catch Frisbees, creating a password like “dograngerfrisbee” will be easy for the user to remember, but hard for attackers to easily crack using brute force methods or by guessing.
 
5. Enforce a minimum password length
In addition to comically simple passwords like “password” and “beer,” another common problem with many passwords is that they’re simply too short. “ABC” and “123” may be easy to remember, but they’re just as easy for attackers to compromise. Enforcing a minimum password length of at least eight characters is yet another way to increase the complexity of assigned passwords.
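Tips 2, 3 and 5 above are the ones an administrator can enforce mechanically. The checker below is an added example (not code from the original post); it applies an eight-character minimum, requires at least three character classes, rejects a constructed blocklist of common words plus per-user terms such as the first name and company name, and scores the “waffle” versus “waff!E” comparison as a brute-force key space in bits. The blocklist and the leet-speak folding table are assumptions for illustration.

```python
from __future__ import annotations

import math
import string

# Constructed blocklist standing in for the "common words" the article warns about;
# a real deployment would load a large list of breached or dictionary passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "123456"}
MIN_LENGTH = 8  # tip 5: at least eight characters
# Fold common substitutions (P@ssw0rd -> password) before the blocklist check.
LEET_FOLD = str.maketrans("@01!$3", "aoiise")


def character_classes(pw: str) -> set[str]:
    """Return which of the four character classes (tip 2) the password uses."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_bits(pw: str) -> float:
    """Approximate brute-force cost in bits, log2(alphabet ** length), where the
    alphabet is built from the classes actually used: 'waffle' is scored over the
    26 lower-case letters, 'waff!E' over lower, upper and punctuation."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_policy(pw: str, user_terms: tuple[str, ...] = ()) -> list[str]:
    """Return the policy violations for pw (an empty list means accepted).
    user_terms carries per-user words to reject, e.g. first name and company name."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < 3:
        problems.append("uses fewer than three character classes")
    folded = pw.lower().translate(LEET_FOLD)
    for word in sorted(COMMON_WORDS | {t.lower() for t in user_terms if t}):
        if word in folded:
            problems.append(f"contains blocked word {word!r}")
    return problems
```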
 
6. Don’t share passwords
In this era of shared cloud services, sharing a common password can be a security Achilles’ heel for any organisation. The marketing department may be using a SurveyMonkey account to generate web surveys, but multiple users use that one account. We’ve all seen sticky notes with passwords affixed to monitors, so work with your HR department to make sure that users know the importance of keeping passwords limited to only the people who need access. If a passer-by can easily spot and use a password in a public place, you have to assume that someone with more malevolent intent could see it as well.

7. Create unique passwords for each service
One of the ways that password breaches can become exponentially more damaging is if users are employing the same password on multiple services. If an attacker gains access to one service – say the corporate Facebook account – then he or she could potentially reuse that username and password combination on dozens of other cloud services.
 
8. Use a password management service
Sometimes the best approach to password complexity issues is to use a password management service such as KeePass, Kaspersky Password Manager, or LastPass.
All of these password managers follow the same basic idea: Rather than having to remember all of those individual passwords, the password manager does that for you, automatically filling passwords in when needed. The only password you need to remember is the one to the password manager itself.
 
9. Adopt two-factor authentication
Beyond following all the steps described above, sometimes the most secure approach is to adopt two-factor authentication in conjunction with strong passwords. This requires users to enter a code generated by a separate application or device in order to log in. These range from a hardware token such as RSA’s SecurID – a small device that generates a new authentication code – to a software application, such as the two-factor authentication app that you can configure for Google Mail.
 
10. Use a biometric fingerprint scanner
Biometric hardware has advanced significantly in the past few decades, so authentication methods which once seemed like science fiction – the ability to scan fingerprints, analyse typing patterns, or recognise a user’s facial features – are now a reality. One of the most widely used biometric devices is a fingerprint scanner, which does exactly what the name implies: the user swipes her fingertip across the scanner to have her fingerprint read and to gain access. Major PC hardware vendors such as Dell, HP, Toshiba, and Lenovo offer laptops with integrated fingerprint scanners, and several vendors sell stand-alone scanners that can be connected to any PC.

93% of large organisations had a security breach last year

A new survey commissioned by the UK Government’s Department for Business, Innovation and Skills (BIS) has revealed the scale of cyber attacks on UK companies. The 2013 Information Security Breaches Survey, which collected data from 1,402 respondents, presented results for large organisations (in excess of 250 employees) and small firms (fewer than 50 members of staff).

One of the key findings of the report was the level of attacks sustained by businesses – with breaches reaching record levels. The survey discovered that 93% of large organisations experienced a security breach last year, a figure that is broadly in line with 2012 reports. Smaller businesses, however, saw a marked increase in the number of attacks levied against them. Some 87% of smaller firms reported experiencing a data breach last year, which is up significantly from 76% the previous year.

An average of 113 security breaches
The number of security breaches within each of the affected companies also showed a sharp increase. Larger companies experienced an average of 113 breaches and smaller firms reported 17 such incidents, an increase across the board of almost 50% year on year.

It’s not only the number of breaches that has increased amongst survey respondents – the financial impact has also risen. The survey concluded that the worst security breaches were costing large companies an average of £450,000 – £850,000 each. Smaller businesses typically experienced losses of between £35,000 – £65,000.

The survey determined that the attacks faced by businesses over the last year came from both outside and inside the organisation.

A whopping 78% of large organisations reported attacks from outsiders over the last year with 39% of those incidents being denial of service attacks. Smaller companies fared slightly better in both regards with 63% reporting outside attacks. The number of smaller firms which experienced a DoS attack was 23%.

The survey respondents did not just experience random attacks though – 14% of larger businesses reported the theft of confidential data or intellectual property by external attackers, while 9% of smaller firms experienced such losses too.

36% of the worst breaches down to human error
Insider threats also pose a risk to organisations. The survey found that technology, people and processes were to blame in several cases. Of the worst security breaches during the year, 36% were attributed to human error. Alarmingly, an additional 10% of the reported security breaches were pinned on staff and their misuse of systems.

On a more positive note the survey discovered that attitudes towards information security are generally good and continually improving too.

The survey found that 76% of larger organisations believe that senior management place a high level of priority on information security. Interestingly, smaller firms were better, with 83% placing a strong emphasis on security.

It should be noted that while the vast majority of larger companies now have a written security policy in place, most respondents indicated that staff understanding of the policy is still relatively poor, in turn leading to twice the number of internal security breaches than in organisations where employees had a good understanding of the policy.

Another contributory factor with regards to internal breaches could be a lack of staff training. Survey respondents indicated that many large organisations only prioritised training after a breach. At the time of induction 10% of new staff were given no security training whatsoever and 42% of large firms failed to employ any kind of ongoing training in terms of security awareness.

Given the level of security incidents experienced by firms of all sizes it is not surprising to learn that many of those surveyed expected security spending to either stay the same in the coming year or to increase.

Larger organisations expect to spend more next year in customer data protection and compliance, but just how much a business spends on security seems to be highly dependent upon the outlook of senior members of the management team.

The survey ends by saying that the majority of firms believe that the number of breaches next year is likely to be higher. As per this year, attacks are expected in every industry though the public sector and financial services showed more concern than other sectors.

Dealing with security breaches
Respondents’ replies would suggest that the best course of action in dealing with security breaches, which will likely affect most companies this year, is to have a strong set of contingency plans in place. It would also be advisable to have an incident handling plan in place before a breach takes place rather than afterwards.

Likewise, training people in security best practices from day one is a sound investment. Good quality training is likely to minimise the risk of being the next company facing a PR challenge following a high profile security incident.

After all, bad publicity can have a very negative influence upon consumer trust in a business, a fact that has been borne out by another recent survey undertaken by Populus. That survey suggests that around one quarter of UK residents have had their online accounts hacked with a significant number of victims saying they would cease to do business with any entity that had been breached.

Article from Sophos, by Lee Munson