World Password Day

Did you know that today, May 2nd, is World Password Day?  To mark the event, I thought I’d post a quick update, based on a new approach to password management.

Both the UK National Cyber Security Centre (NCSC) and US National Institute of Standards and Technology (NIST) have published changes to their recommendations for managing passwords in the past two or three years.

  1. Whereas previously we were advised that changing passwords regularly, e.g. every 30 or 60 days, was a good thing, they both now suggest only changing them when they are compromised (i.e. if you think someone else might know your password). I have to confess this doesn’t sit easily with me, but I understand their reasoning. We all have so many passwords to remember that changing them less often means we’ll have a better chance of remembering them.
  2. Use a different password for every account, for every website etc. This is trickier, and both NIST and NCSC suggest using a Password Manager (an app for your phone, or one you can run from your laptop / desktop) which helps you track and maintain your passwords.
  3. Rather than using long, difficult-to-remember collections of upper and lower case letters, numbers and symbols, use three unrelated words and make sure the total length is more than 12 or 14 characters (I prefer a minimum of 15). The reasoning for this is simple. Suppose you used P4$$w0rd as your password: it meets all the criteria for complexity, but it’s obviously not secure. A simple-to-remember phrase like SunnyTreeRoad is not as easy to guess, and is less likely to appear on one of the many lists of known / common passwords.
  4. Enable Two Factor Authentication on your key accounts like email and banking / finance. This means the bad guys would have to have your phone or other source for 2FA as well as your password to get into your account.
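To make point 3 concrete, here is an added example (my own illustration, not code from NCSC, NIST or this site) of the checks a registration form or password manager might apply: a minimum length, a lookup against a list of known / common passwords after undoing the usual letter-for-symbol substitutions (so P4$$w0rd is recognised as “password”), and a rough test for whether the password looks like three or more words. The common-password list is a constructed sample of a handful of entries, not the published NCSC list, and the word-splitting rule is an assumption about how people type three-word passwords.

```python
import re

# Constructed sample of known / common passwords, stored in normalised form.
# A real deployment would load a published breach or "most hacked" list here.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Common symbol/digit substitutions, so that P4$$w0rd normalises to "password".
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalise(password: str) -> str:
    """Lower-case the password and undo the common letter substitutions."""
    return password.lower().translate(LEET_MAP)


def split_words(password: str) -> list[str]:
    """Return the word-like parts of a password.

    Assumption: three-word passwords are typed as CamelCase (SunnyTreeRoad),
    space- or hyphen-separated words, so we insert a break at each
    lower-to-upper boundary and keep alphabetic runs of three or more letters.
    """
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", password)
    return re.findall(r"[A-Za-z]{3,}", spaced)


def check_password(password: str, min_length: int = 15) -> list[str]:
    """Return a list of problems with the password; an empty list means OK."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("matches a known / common password")
    if len(split_words(password)) < 3:
        problems.append("does not look like three or more words")
    return problems


if __name__ == "__main__":
    for candidate in ("P4$$w0rd", "SunnyTreeRoad", "correct horse battery staple"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Run as a script it shows that P4$$w0rd fails every check, while SunnyTreeRoad passes the dictionary and three-word checks and only falls short of the 15-character preference (it passes with `min_length=12`). The substitution map is deliberately small; the point is that a dictionary lookup on the normalised form catches “complex-looking” passwords that a length-and-symbol rule alone would accept.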

If you’d like to know more, check out the NCSC article here, or the NIST video here. They’re both short and won’t take much time.

Also, if you want to see examples of bad passwords, the NCSC have published details of the most hacked passwords here.

Finally, if you want to see whether your email password has already been hacked, head to https://haveibeenpwned.com/ and sign up. This free service will tell you if your account has ever been compromised, and will also alert you if it is compromised in future.

P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you login to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability poses. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this: the bombs carried by a bomber aircraft are referred to as its payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers, i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities were exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, and someone working in HR probably doesn’t need access to files for a specific project. Access would normally be restricted to help protect data.

N is for …

Network

This is an often used phrase, but what exactly is a network? In its simplest form, it is several computers connected to each other. In a single building, these would typically form a Local Area Network (LAN), or if several offices are connected together these would be called a Wide Area Network (WAN). There are several different network components, such as routers, switches and firewalls. These will be explained in the relevant posts on this site.

Non-repudiation

Non-repudiation means that an event or action can be attributed to a person or process and cannot be denied.

This is a cornerstone of information security, but doesn’t attract the same attention as the CIA triad for example. Without it, it would be impossible to prove without doubt who was responsible for something.

One of the reasons you typically have a unique username and password at work is so that audit logs can show what actions were carried out using your account. If you share your password with others, then it is difficult to prove that you were the only one using your account. This can have negative as well as positive connotations, but we’ll look at them when we talk about passwords.

K is for…

Keeping it Simple

OK, so this isn’t strictly a security term, but it is hugely important. Do the simple things well, and you’ll address many of the main issues. In terms of cyber security, this really boils down to:

  • Keep your patching up to date
  • Keep your antivirus signatures up to date
  • Ensure you have good password hygiene
  • Penetration test your internet-facing systems regularly
  • Ensure your staff have good security awareness training
  • Manage your joiners, movers and leavers process well

If you do only those things, you’ll be in a reasonably good place to start implementing good security practice.

Keylogger

This is either a hardware or software device which, as the name suggests, records all the keys that are pressed and either holds them in memory until the device is collected or sends them across the internet to the person who implanted the code. If you think about what you type on a keyboard, this could include passwords, passphrases, salary details, contract information etc.

Do you have privacy fatigue?

It’s a fact of life these days that we constantly seem to have people giving out dire warnings about being careful what information you share online, who can overhear you giving out your credit card numbers etc. It seems like we’re being warned that there are ears everywhere.

Do you know what? There are.

But these constant messages of your impending doom could also have a negative effect, a sort of “it doesn’t matter what I do, the bad guys will get my data anyway” attitude. This sort of apathy and resignation could be a form of privacy fatigue, and is discussed in this excellent article which my better half kindly shared with me.

It describes how you can tell if you’re suffering from privacy fatigue, and explains what the term means and is based on academic research, which I liked.

There are a couple of points to note about the article though: the sample was quite small (fewer than 400 people), and the demographic was quite narrow (only people in their 40s and early 50s).

Perhaps the biggest shortcoming in the article as far as I could see was that it didn’t talk about the “so what” aspect of what it had to say (but then it’s in a psychology publication, not a security one so that makes sense). What are the risks of sharing, and why is it important not to become fatigued?

I can still remember the days when mobile phones, smartphones, email, social media and computers didn’t exist. Back then, you wouldn’t dream of standing in the middle of the street and handing out your bank details including statements, or shouting out details of when you were going on holiday. You almost certainly wouldn’t go up to everyone you met and tell them where you kept your cheque book and cheque guarantee card (told you I remember a long way back!). Would you have stood on one side of a wall and shouted over it, to whoever might have been listening, who you’re thinking of employing and how much you’re thinking of paying them, or details of a business proposal you’re writing?

I’m guessing that you would agree all of those would be pretty foolish things to do. But effectively, that’s what you’re doing when you drop your guard in respect of privacy.

If you don’t lock down your privacy settings on your social media applications, you’re making every aspect of your life visible to anyone else on the internet.

If you use the same password on multiple websites, you’re making it easier for the bad guys to get access to more of your life.

If you’re talking about confidential things, knowing who else is listening is really important.

Please don’t be complacent. Please be careful. Please don’t get privacy fatigue.

Should we be worried about our MPs’ security awareness?

Over the weekend a couple of tweets by a UK Member of Parliament (MP) have generated a wave of outrage and comment amongst the security community. Nadine Dorries mentioned that she routinely shares her password with her staff and often has to ask them what it is. (Incidentally, Nadine should make sure all her other accounts don’t use the same password, e.g. her online banking and shopping accounts.) The big question appears to be “is this a big deal?” I think it is, and here’s why.

Earlier this year there was a cyber security attack on MPs by an unknown government – variously reported as Russia or Iran – and a number of MPs fell for phishing attempts. You have to ask now whether it was the MP or a member of their staff: either way it shows that more awareness and better controls are needed.

In the last couple of weeks an MP was accused of viewing pornography on his work PC, a charge which he has denied despite the investigating police officer presenting comments which might indicate it was likely. Nadine Dorries’ comments were (I’m sure) meant to illustrate that just because the MP’s credentials had been used to log on to the computer, it didn’t necessarily mean that he had accessed the material. And this is the main point: it’s why it’s important for individuals to take ownership of and responsibility for their log on credentials (their user name and password), and why they should keep the password secret.

In the staff handbook at Parliament, section 5.8 states clearly that “you must not… share your password”. One of the reasons why we’re advised (told) not to share passwords is to protect us. If any wrongdoing is discovered or suspected using our user name, we are responsible. If someone else has had access to your machine using your details – you are still responsible.

If you have colleagues who you think should have access to your email, give them delegated access, which means they can access it using their own credentials. If they need to access documents etc, put them on a shared network drive where again they use their own credentials. This protects both parties and is more in line with industry best practice.

I’m hoping that the events of the weekend will encourage MPs and their staff to improve their working practice, but I’m not sure it’ll happen because there doesn’t seem to be anyone holding them to account, taking them to task for these flagrant breaches of policy. I’m also hoping that those in charge of systems in Parliament (who I know are very capable and knowledgeable) will get the backing they need to bring working practices more in line with the rest of industry. Finally, I’m also hoping that all passwords will be reset over the next day or two.

Episode 4 – Passwords

I’ve posted several articles about passwords on here, including this one on password hygiene, this one on passwords in general and this one on common passwords. I thought I’d do a brief podcast to provide a précis, so here it is!

EasyCyber Episode 4

If you like the podcast, why not subscribe to my YouTube channel so you can get new releases as they come out. Also, please do let me have any questions / comments. For example, are there any topics I haven’t covered yet which you would like more information on?

Episode 1 – What is Cyber?

This is very exciting! This is the first podcast I’ve ever made with video. I’ve even thrown in a couple of edits, see if you can spot them! It’s a quick introduction to the site, and I talk about why I’m doing this and what I hope to achieve. I hope you like it!

The podcast expands a bit on the topics covered in this post.

Oh – and it’s on my very own YouTube channel. I’m very excited about it!

EasyCyber Episode 1