Password Management Tips for Brokers


TSX Webinar: Password Management Tips for Brokers Sept. 19, 2017


Presenter & Panelist

Grant Patten, Digital Media & User Experience Specialist, CSIO

Steve Borza, CEO, Bluink Ltd


Today’s Agenda

• Definition and stats
• Password management tips
• Panelist’s section
• Resources
• Questions


Definition: What Is Password Management?

Password Protection & Management consists of the rules and policies governing how passwords are created, stored and changed in order to ensure that they remain a secure and reliable means of authenticating identity and controlling access.


Password Management – By The Numbers

● 10.9% of respondents say they never change their passwords. (Digital Guardian survey, 2017)
● 17.7% reuse the same password for multiple accounts.
● 38.6% write their passwords down on a piece of paper.
● >50% of people use the top 25 most common passwords, with 17% of all users having "123456" as their protective code. (Keeper, 2017)
● 63% of confirmed data breaches involved weak, stolen or commonly used default passwords. (Verizon’s 2016 DBIR)


Ashley Madison hack in 2015

● Most of the hacked passwords were weak, common and overly simplistic, such as “123456”, “password”, “DEFAULT”, and “qwerty”.
● ~3.7 million Ashley Madison accounts remained secure, likely because they had strong passwords or passphrases with long strings of upper- and lower-case letters, numbers and symbols.


Password Management No-no

● Some employees resort to writing such passwords on a Post-It note stuck to their monitor, undermining the very security the password was meant to provide.


Password Management Tip

● Consider making it a brokerage-wide practice to require a unique, strong passphrase or random word combination for each user of each system.


https://howsecureismypassword.net

● This password assessment tool – developed by an independent IT security analyst – tells you that a password such as “1234” would be cracked instantly by any novice hacker.


Password Management Software

● Password management software can be useful for tracking usernames and passwords to multiple accounts, but one must follow best practices in the use of such software.


Broker Testimonial – James Archer

James Archer, President, Knight Archer Insurance:

“Our brokerage has a cybersecurity policy in place for employees; we have specific policies regarding email and web browser usage. One of the key initiatives we’ve undertaken for cybersecurity is to implement regular updating of passwords and standards around password strength.”


Wi-Fi Hotspots

● A study by Kaspersky Lab in 2016 found that out of more than 31 million Wi-Fi hotspots around the world, 28% are unsecured and pose a risk to users’ data. (Entering passwords into any website while using public Wi-Fi can result in that password being intercepted.)


Technical guidelines re: password management

● Change default account passwords
● Implement strict controls for system-level and shared service account passwords
● Do not use the same password for multiple administration accounts


Technical guidelines re: password management (continued)

● Production account passwords must not be used in non-production (testing) environments
● Password fields must display only masked characters as the user types in their password, where technically feasible
● Do not allow passwords to be transmitted in plain text


Article: Toronto Star (Aug. 2017)

https://www.thestar.com/news/gta/2017/08/08/forget-those-annoying-online-password-tips-says-manwho-invented-them.html


Poll Question

How do you primarily remember your passwords/passphrases/PINs?


Password Management 101 and Beyond

Steve Borza - CEO
sborza@bluink.ca
www.bluink.ca

© Bluink Ltd. 2017


Problem

• Over 1.5 billion login credentials hacked or stolen
• Email compromise through phishing
• 63% of data breaches due to compromised passwords - $6.5M average cost/breach
• Cyberattacks cost business $400 billion/year


Why Were They Cracked? Top 10 Passwords in Use

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. password
8. 123123
9. 987654321
10. qwertyuiop

These passwords are cracked in seconds by dictionary-based cracking tools.


What’s a Dictionary Attack?

• Free online hacker tools that have millions of known passwords plus dictionary lists:
  • Brutus
  • RainbowCrack
  • Cain and Abel
  • John the Ripper
  • L0phtCrack
• Brute force cracking runs possible combinations of characters and lengths.
  – Much longer / less likely.


Have You Been Breached?

https://haveibeenpwned.com


Password Best Practices

1. Use a variety of characters (numbers, uppercase, lowercase, and special characters such as < , / ! # $)
2. Avoid single dictionary terms
3. Use long passwords (8 characters minimum)
4. Use a different password for each account
5. Use a password manager
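A small checker for the five rules above, written as an added example for this page rather than code from the webinar or from Bluink. The top-10 list from the earlier slide serves as the known-bad dictionary, and the 16-character cut-off that lets an all-letter passphrase pass the variety rule is an assumption not stated on the slides:

```python
import string
from collections import defaultdict

# The top-10 list from the earlier slide doubles as a minimal "known bad"
# dictionary; a real deployment would load a large wordlist or breach corpus.
TOP_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "password", "123123", "987654321", "qwertyuiop",
}

CLASS_TESTS = {  # character classes from rule 1
    "digit": str.isdigit,
    "upper": str.isupper,
    "lower": str.islower,
    "special": lambda c: c in string.punctuation,  # covers < , / ! # $
}


def check_password(pw, known_bad=TOP_PASSWORDS, min_len=8, passphrase_len=16):
    """Return the best-practice rules a password violates (empty list = passes).

    min_len=8 is the slide's minimum; passphrase_len=16 is an assumed cut-off
    above which an all-letter passphrase like "Dogbathousedrain" passes rule 1.
    """
    problems = []
    if len(pw) < min_len:                                    # rule 3
        problems.append(f"shorter than {min_len} characters")
    classes = {n for n, test in CLASS_TESTS.items() if any(test(c) for c in pw)}
    if len(classes) < 3 and len(pw) < passphrase_len:        # rule 1
        problems.append("too little character variety")
    if pw.lower() in known_bad:                              # rule 2, common list
        problems.append("on the common-password list")
    elif pw.isalpha() and len(pw) < passphrase_len:          # rule 2, single word
        problems.append("looks like a single dictionary word")
    return problems


def find_reuse(accounts):
    """Map each password shared by several accounts to those accounts (rule 4)."""
    by_password = defaultdict(list)
    for account, pw in accounts.items():
        by_password[pw].append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    for pw in ("123456", "Summer", "K=tcz47.5PK/", "Dogbathousedrain"):
        print(f"{pw!r}: {check_password(pw) or 'passes'}")
    # Constructed sample vault: the e-mail and bank accounts share a password.
    print(find_reuse({"email": "qwerty", "bms": "K=tcz47.5PK/", "bank": "qwerty"}))
```

Rule 5 (use a password manager) is not something a checker can enforce; find_reuse is the check a manager would run across a stored vault.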



Good Passwords

K=tcz47.5PK/
=6Kc)SkNQ1
cB-pGD:29$0
.sQ*PA^M0Qg
FQsb@Qt5hQ
Yf?dnQH)G-%r
nnioX8N^_Nog
QV*zw6MUn%VU
Dogbathousedrain

Hard to remember, tough to type!


Top 5 Password Managers

1. LastPass - Browser & apps, free to $2/month
2. DashLane - Browser based, free to $40/year
3. KeePass - Application, free
4. 1Password - Browser & apps, $3–$5/month
5. Bluink Key - Mobile app, free + USB key $29.99


Phishing Attacks

E-mails from banks, FedEx, Google, Apple are popular phishing targets.

• Right click to look at the “from” address
• If in doubt, delete!
• Go to the site directly from the browser, not from the email, if you are concerned


Phishing Attacks

Looks like CIBC. Check the “click here” address as well.

Not CIBC… http://www.kon-go.com/images/canadian/imperial/bankofcommerce
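The “check the click here address” advice applied mechanically, as an added example that is not from the webinar: every link in an e-mail body is extracted and flagged when its host is not the expected brand domain (or a subdomain of it). The sample message is constructed and reuses the kon-go.com address shown on the slide:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors in an e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html, expected_domain):
    """Return (text, href, host) for links whose host is not the brand's domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            flagged.append((text, href, host))
    return flagged


# Constructed sample modelled on the slide: CIBC wording, but the "click here"
# link points at the kon-go.com address the slide shows as "Not CIBC".
SAMPLE_EMAIL = """
<p>Dear CIBC customer, your account has been locked.</p>
<p><a href="http://www.kon-go.com/images/canadian/imperial/bankofcommerce">click here</a>
to restore access, or visit <a href="https://www.cibc.com/">www.cibc.com</a>.</p>
"""

if __name__ == "__main__":
    for text, href, host in suspicious_links(SAMPLE_EMAIL, "cibc.com"):
        print(f"'{text}' -> {href} (host {host} is not cibc.com)")
```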


Beyond Passwords

• 2-Factor Authentication
  • One time passwords (OTP) and push 2FA
  • Fast IDentity Online Universal 2nd Factor (FIDO U2F) public key authentication
• Federated Identity
  • Sign-on through an Identity Provider


Bluink Phone-as-a-Token Solutions

• Bluink Key – Local Password Manager and 2FA
• Bluink Identity – Federated Identity from Your Phone


Demo



Steve Borza - CEO

sborza@bluink.ca

www.bluink.ca


Learn More at CSIO.com

Members Section gives access to:
• CSIO Forms
• TSX Webinars (accredited)

Educational Resources:
• Infosheets, Articles, White papers
• Videos
• Twitter: @CSIO
• Email: info@csio.com


CSIO Infosheets & Video Series


Thank you for attending our Talk, Share, eXchange!

Recording of the webinar (and slides) can be found here: https://www.csio.com/news-events/tsx-webinars

Next TSX: Future Forward: What’s New in Emerging Technologies?, Nov. 9

CSIO.com

