
LET THEM STEAL YOUR CHEESE: ‘LEVEL UP’ YOUR PASSWORD GAME
By Richard Fleeman, Fortreum, LLC
If you are over 40 years old, you have probably played some variation of the game Mouse Trap. As a child, it was a favorite of mine. I loved the mechanics of setting up the game board and attempting to entrap my family or friends to take their cheese. When I look back, I have fond memories of playing that entertaining game of trap setting and cheese thieving. As I look forward, I draw a comparison to common day cybercriminals. I can only imagine the grins when the traps they set yield another victim whose cheese has just been stolen.
If you pause for a moment and reflect on the latest news articles of the most recent data breach, I am sure you will think about the barrage of text messages and emails that hit your phone and inbox daily. Cybercriminals prey on the technical naivete and emotional nature of humans, cleverly crafting their traps to be sprung. I have been in the information technology and security industry for over 25 years, and one thing that is a constant is that these criminals are ruthless and will never stop trying to steal your cheese.
Because we all live in this real-life game of Mouse Trap, we have no choice but to level up our approach and do what is in our power to defend our cheese. If we make things more difficult for these criminals, it accomplishes two things. First, it limits the risk and potential damages of an incident if and when it occurs. Second, it makes us less appealing prey. Criminals prey on easy targets; they simply want quick wins and big rewards.
As I mentioned in my last article on 2023 trends, breaches are happening at an increased velocity. In CrowdStrike’s 2023 Global Threat Report, we see malware-less attacks have increased to 71%. Why is this important to understand? It is because these breaches or attacks were successful often with valid credentials. As we continue to use various online services, our digital footprint continues to expand at a rapid pace. I want to arm you with some tools, tips, and tricks to make your cheese a bit more difficult to steal.
Let’s take some time to break down the recommendations in my last article for both password management and multifactor authentication since they go hand in hand.

• Do not use shared passwords. A shared password is the same password used for more than one of your accounts. In the security industry, we refer to this as “password reuse”. When you use the same password for different applications and websites, the risk is that if one website is compromised, attackers can use those same login credentials to try to gain access to other websites you have accounts on. This is especially dangerous if your email accounts are compromised.
• Do not use shared accounts. When using shared accounts in your business, you lose individual accountability and chances of account compromise increase due to the nature of sharing. The action here is to ensure every person has their own login to any system or application you use as part of your business.
• Use unique and complex passwords. Each account should have its own password, and that password should be complex. Regarding complexity, I generally try to use passwords that are at least 16 characters in length and use a combination of letters, numbers, and symbols. These passwords usually look like gibberish, but that is the point. They help protect you from the dictionary-based attacks that are employed to “crack” passwords on accounts.
• Regularly update passwords. Rotate your passwords on a set interval. Depending on the criticality of the data or system used, you can define your own policy. The industry standard is a 90-day password rotation for highly sensitive accounts. You may put less-sensitive accounts on a yearly rotation, etc.
• Enable multifactor authentication (MFA). Get into the practice of enabling this functionality on all accounts that are mission-critical or sensitive in nature (i.e., financial accounts, email accounts, etc.). For example, multifactor authentication can consist of a username and password combination (something you know) with either an SMS, email, or One Time Password (OTP) code (something you have). If you really want to go crazy, you can look at using a hardware key such as a YubiKey (literally something you have).
• Educate your employees. Take time to share this information with your employees. They should be educated on the importance of good password etiquette and the risks associated with poor password management.
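As an added example (not code from the article or its author), the following Python script turns the password recommendations above into something you can run: it generates passwords that meet the stated policy (16+ characters mixing letters, numbers, and symbols) from the operating system's cryptographic random source, reports which rule a given password breaks, flags passwords built on a dictionary word, and finds password reuse across a set of accounts. The symbol set, the function names, the tiny wordlist, and the sample vault are all constructed for the example.

```python
import secrets
import string

# Policy figures are the article's (16+ characters, letters + numbers + symbols);
# the symbol set, function names and sample data below are constructed for this example.
MIN_LENGTH = 16
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Tiny constructed stand-in for the wordlists a dictionary attack draws from.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "summer", "mousetrap"}


def dictionary_base(password: str) -> str:
    """Strip digits and symbols and lower-case what is left, which is roughly the
    normalisation a dictionary attack applies ('Welcome2023!' -> 'welcome')."""
    return "".join(c for c in password if c.isalpha()).lower()


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbols")
    if dictionary_base(password) in COMMON_WORDS:
        problems.append("built on a dictionary word")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG via `secrets` and retry until the
    result passes check_policy, so every returned password satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def find_reuse(vault: dict) -> list:
    """Given {account: password}, return groups of accounts that share a password
    (the 'password reuse' the article warns about). Passwords themselves are not returned."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed sample vault: two accounts reuse one weak password, one is generated.
    vault = {
        "bank": "Welcome2023!",
        "email": "Welcome2023!",
        "shop": generate_password(),
    }
    for account, password in vault.items():
        print(account, check_policy(password) or "OK")
    print("reused across:", find_reuse(vault))
```

The generator retries rather than forcing one character of each class into fixed positions, so the output stays uniformly random over the alphabet; `secrets` is used instead of `random` because the latter is not suitable for anything security-sensitive. A password manager does this generation and reuse detection for you, which is the point of the recommendation further down.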
The recommendations above are a layered approach that makes it more difficult for someone to compromise your livelihood. The more of these recommendations you leverage, the harder a compromise becomes and, conversely, the lower the risk to your business. This might seem overwhelming on top of managing your day-to-day business. I get it, and this is where my recommendation for a password manager in my last article comes into play. The advantages of using a password manager are numerous, and it can help you achieve all of the above in one centralized location protected by one password or passphrase. A good password manager will have desktop, mobile, and browser integrations to simplify the process of practicing good password hygiene. Right now, my personal recommendation is 1Password (https://www.1password.com) for ease of use, functionality, and the variety of integrations it offers with my mobile phone, PC, and web browsers.
I would encourage you to start putting some of these into practice in both your business and personal lives. Cybercrimes continue an upward trend, and these are some simple practices that will help protect you and your business.
Sources: https://www.crowdstrike.com/global-threat-report/
Richard Fleeman is a Director at Fortreum, LLC and is responsible for supporting a wide variety of customers in both the public and private sectors. Richard’s team provides offensive security services including network penetration testing, application penetration testing, and social engineering services. Richard has over 25 years of information technology and information security experience including application and network security assessments, security architecture design and implementation, incident response, vulnerability management, configuration management, as well as business continuity and disaster recovery planning. Before joining Fortreum, Richard was responsible for running a variety of teams focused on both compliance and offensive-based vulnerability management services. Richard maintains the following certifications: Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), GIAC Penetration Tester (GPEN), and Offensive Security Wireless Professional (OSWP).
