by Thomas Jefferies
Building a secure environment is a constant balance between usability and protection – additional security controls often add steps to the day-to-day of the very people the controls are intended to support and protect. That’s why it’s important to recognize and elevate the security controls that provide major benefits at minimal impact to users.
More so, it’s important to note that security doesn’t stop when your employees go home – their online habits and activities outside the organization can introduce risk into their lives that can be carried into the office.
I’ll be addressing three things that everyone can do for themselves to protect against the constant threats of the online world. Implementing these practices is quick, relatively easy, and cost-effective, and it provides high value.
- Stop trying to remember all of your passwords. No, really.
In 40 years of general computing, humanity has succeeded in creating requirements that generate passwords that are nearly impossible for users to remember, but strikingly easy for computers to guess. Password requirements of “8+ characters, upper-case, lower-case, number, symbol” have finally been rejected by NIST, giving way to the concept of passphrases: sentences made up of multiple words that are easy for users to remember while adding tremendous computational cost for anyone brute-forcing them.
I’m here to tell you that all of that is still wasted effort – life would be so much simpler if you just didn’t have to remember ANY of those passwords, while still allowing them to meet or exceed any changing complexity requirements and still providing the security you need from them, right?
This is where password managers come in. There are many on the market, products such as 1Password, LastPass, KeePass, and more. The concept is simple – instead of memorizing 327 unique passwords (because I know everyone follows the best-practice guidelines and generates a unique password for every login), you memorize the master password for your password vault, and your password manager handles the rest.
Regardless of the specific product, the workflow is simple – purchase the password vault (usually a $30-$60 one-time purchase for individuals), generate a secure master password that you can remember, then enter all of your passwords into the vault (clearing them out of insecure storage locations like Firefox/Chrome/IE’s saved-password managers in the process). Complete any immediate clean-up that is necessary, such as replacing re-used passwords with unique passwords, and generate secure passwords to replace any passwords that might, in retrospect, not be as secure as you had hoped.
At this point, your passwords will be stored in an encrypted vault and safe from prying eyes. You’ll only ever need to remember the master password for the password vault itself – a single, solitary password. Everything past that will be handled by the application – logins on web browsers, from your phone, etc., all handled seamlessly without you having to remember whether it was “P@ssW0rd123@” or maybe “Pa55W0rD!23@!”.
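To put numbers on the passphrase-versus-complexity-rule argument above, here is an added example (not code from this post or from any of the products it names) that generates a vault-style random password and a memorable master passphrase with Python’s `secrets` module and compares the brute-force cost of the two styles. The 16-word list is a constructed stand-in for a real diceware-style list, and the 1e10 guesses-per-second rate is an assumed illustration figure, not a measurement.

```python
import math
import secrets
import string

# Constructed mini wordlist so the demo runs offline. A real generator draws from a
# large published list; diceware-style lists have 7776 words (~12.9 bits per word).
DEMO_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor",
              "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble"]
DICEWARE_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` independent, uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case seconds to exhaust a keyspace at an assumed offline guessing rate."""
    return (2 ** bits) / guesses_per_second


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Vault-style generated password: every character drawn with secrets, never random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, wordlist: list = DEMO_WORDS) -> str:
    """Master passphrase: words chosen independently and uniformly, so entropy adds up."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_policies() -> dict:
    """An 8-character 'complexity rule' password vs. a 6-word diceware passphrase, both
    assumed uniformly random (human-chosen 'P@ssW0rd123@' patterns are far weaker)."""
    complex8 = keyspace_bits(8, len(PRINTABLE))
    phrase6 = keyspace_bits(6, DICEWARE_LIST_SIZE)
    return {
        "complex_8char_bits": round(complex8, 1),
        "passphrase_6word_bits": round(phrase6, 1),
        "complex_8char_days": round(crack_seconds(complex8) / 86400, 1),
        "passphrase_6word_years": crack_seconds(phrase6) / (365.25 * 86400),
    }


if __name__ == "__main__":
    print(compare_policies())
    print("example master passphrase:", random_passphrase(6))
    print("example vault password:   ", random_password(20))
```

The passphrase is a hundred thousand times costlier to exhaust while being far easier to remember, which is exactly the trade the vault’s master password should make.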
- Embrace multi-factor authentication. I promise it’s not as bad as it sounds.
Multi-Factor Authentication (MFA) is a remarkably effective mechanism for adding a layer of security beyond a simple password. Even if you use a password manager and have a set of 80-character random passwords protecting your logins, all it takes is a single data breach at a site you have a login with for the affected passwords to be compromised. MFA closes this gap by requiring a second form of authentication beyond the username and password, ensuring that even if your password is compromised, your account still remains secure.
MFA struggled in its early days because its first forms required hardware tokens to be carried by individuals, and passcodes were 6-8 digits that changed so quickly that you barely had time to type them before the next code was active. On top of that, MFA was not integrated with most sign-on providers, so you could be prompted for MFA dozens of times in a single day. Thankfully, technology advancements have turned MFA into a solution for layering protection that is very simple to implement and use.
This isn’t just for the enterprise, either — it is strongly recommended that primary personal e-mail accounts be protected by MFA. Most online vendors allow a forgotten password to be reset via the primary e-mail address associated with the login, so if your personal e-mail account is compromised it can lead to full compromise of hundreds of your logins and accounts. Almost every public e-mail provider allows MFA to be leveraged, with individual login approvals provided through an application on your phone that uses push notifications to alert you. While 6-8 digit tokens exist as a backup mechanism, the primary mechanism these days is push-based and seamless. The best part is, most e-mail and web service providers offer MFA for free to enhance their users’ security.
Enterprise MFA with single sign-on can be implemented in the same ways as well, providing the same benefits across an entire organization. Let us know if you’d like more information, we’re happy to help.
- Be careful what info you give social media
Social media is a relatively recent, but pervasive, form of communication and collaboration on the internet. It is funded by a desire to gather as much information as possible about its users, which can work directly in opposition to the general security of those users. General guidance for security on these platforms has included things like “don’t post something saying you’re about to go out of town.” Unfortunately, things have gotten a little bit more dangerous in the recent past due to some changes that many social platforms have made that, on their surface, seem harmless.
One of the largest social media platforms recently launched the capability to answer “questions” and build out more profile information about yourself. These questions seem fairly innocuous – things like “What is your favorite food?”, “Where did you grow up?”, or “What was your first car?” The danger in answering questions like this arises from the fact that many websites use these same questions as the second factor of authentication for password resets. How many times have you set up an account on a website and been asked “What was the name of your first pet?” or “What is the name of your best friend?”
This is particularly dangerous because the general culture of sharing on social media compels individuals to readily share information about themselves, and on their own these questions seem entirely harmless. This makes it easy for people to answer them without a second thought, all while accidentally giving threat actors the information they need to hijack an individual’s accounts.
So, what next?
We believe that everyone should be protected from the most prevalent threats and we are emphatic in our support of security advancement for everyone – companies and individuals alike. If you need help working on your security goals, whether they be architectural, engineering, strategy, or governance, please reach out to learn more.