Stopping cyberattacks requires diligent behavior. One of the themes of this year’s National Cyber Security Awareness Month, or NCSAM, is that all computer users should take steps to Secure IT.
That means shaking up the passphrase protocol by using not just strong passwords but strong and unique passphrases.
Consumers and corporate computer users alike should double login protection through multifactor authentication, and everyone should embrace safe online shopping practices.
It is easy these days to connect with people and make new friends, but everyone should play a little hard to get with strangers online, according to the National Cyber Security Alliance. Users should watch for phishing scams, which often involve social engineering techniques as much as direct brute force hacking attacks.
“National Cyber Security Month is an opportunity to elevate people’s awareness and to increase the caution with which they interact with technology,” said Bob Noel, vice president of strategic relationships at cybersecurity vendor Plixer.
“It’s very important for everyone to second-guess and question whether the email they are opening, link they are clicking on, or answers they are providing are originating from a valid source,” he told TechNewsWorld. “Training people to question the authenticity of digital communications prior to engaging with them can and should be the goal.”
Positive Online Experience
The point of NCSAM isn’t so much to deter individuals from going online or even from using a computer, but rather to ensure that they do so safely.
“The security of a consumer’s digital identity is paramount for a positive online experience,” said Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company.
“Organizations often remind us to use unique passwords of varying complexity for each product or service we use online,” he told TechNewsWorld.
“Employees need to be aware of social engineering tactics used to compromise accounts through the employees’ access privileges, such as an attacker calling in to reset a password through an employee and tricking the employee into accepting the attacker as the account owner,” said Fox.
“Awareness needs to be a goal for all people at all levels,” said Plixer’s Noel.
“Bad actors have become incredibly skilled at social engineering and can use social media posts and publicly available information to appear credible,” he pointed out.
“Everyone should constantly have their radar up, questioning the authenticity of digital communications,” Noel said. “That which seems obvious to some may not be so clear to others. Nobody knowingly or willingly becomes compromised. The key goal of raising awareness is to encourage people to question everything. It may take a bit more time, but when unsure, people can and should reach out via another channel to validate whether or not the communication they received is real.”
Beyond Static Authentication
One problem with cyberattacks today is that they aren’t just about hijacking a single computer via a virus. Today’s attacks can cripple a company or even a city. Atlanta and Baltimore are just two examples of large municipalities that spent weeks in limbo and millions of dollars in recovery.
Meanwhile, data breaches have hit major retailers, including Target, costing the companies large sums of money and harming their reputations. The cyberattacks on the federal government’s Office of Personnel Management compromised millions of government workers and contractors.
Unique passwords and better security can help, but they go only so far.
“This helps to control the ‘blast radius’ and overall impact of a data breach but misses the underlying problem: Static authentication is broken,” said NuData’s Fox.
“To fix how you authenticate consumers requires executive buy-in as a first step, but then the new authentication strategy has to be cascaded down to each team, all the way to the consumer,” he suggested.
The answer is not necessarily using SMS or tokens, although second factors are generally an improvement, Fox added.
“SMS solutions rely on vulnerable infrastructure, and tokens increase consumer friction; and the consumer experience is extremely important to running a successful business,” he explained.
“Data breaches cause brand damage regardless of whether the data breach is a result of consumer password hygiene or service provider mishap,” Fox noted. “In the latter scenario, monetary fines and other penalties may follow.”
In the future, there could be more advanced technologies — such as passive biometrics, which organizations already are adopting — to “Secure IT.”
“Passive biometrics leverages information about your patterns to recognize how you type, how you browse, how you interact with your device,” said Fox.
“Many passive biometric solutions are powered by machine learning models that adapt to become increasingly accurate.”
Secure IT – Strong Passwords
For now, however, a simpler solution could be to utilize unique passwords or, when possible, passphrases. It’s important to avoid passwords that could be guessed easily — such as a birthday or favorite sports team or movie.
“Many people default to their personal information for their passwords, such as dates of birth of family, nicknames, addresses,” noted Ralph Russo, director of the School of Professional Advancement Information Technology Program at Tulane University in New Orleans.
“Unfortunately, these can be guessed or deciphered through inadvertent leakage of this info. People also use simple dictionary words in passwords, e.g. ‘Brooklyn’ or ‘Yankees,’ and all of these are easily hacked,” Russo told TechNewsWorld.
Strong passwords are those that are lengthy, and the longer the better. Moreover, they don’t include straight “dictionary” words, which can be guessed.
“Straight dictionary passwords can be cracked by brute-force ‘guessing’ tools that use established word lists, including dictionaries, and try each word in the list — thousands of times a minute — against your password,” explained Russo.
“The best passwords are long and can be created by inserting and substituting characters and numbers into a long phrase,” he suggested. “An example of this could be d0n7f3ar7her3ap3r$ instead of Don’tFearTheReaper.”
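The word-list attack Russo describes is easy to reason about once it is written down as a check. The following Python script is an added example, not code from the article or from any of the experts quoted; it screens a candidate password against a small constructed word list (with the character substitutions cracking tools also try), estimates the search space a brute-force tool would face, and converts that into minutes at an assumed rate of 5,000 guesses per minute, the "thousands of times a minute" figure in the text. The length thresholds and the rate are assumptions chosen for illustration.

```python
import math
import re

# Constructed stand-in for the "established word lists" cracking tools use.
# Real lists hold millions of entries; this one only demonstrates the check.
WORDLIST = {"password", "brooklyn", "yankees", "welcome", "summer", "letmein",
            "qwerty", "dragon", "monkey", "football"}

# Common substitutions that guessing tools also try, so a single dictionary
# word with '0' for 'o' is not materially harder to guess than the plain word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "$": "s", "@": "a", "!": "i"})

GUESSES_PER_MINUTE = 5_000  # assumed rate, in line with "thousands of times a minute"


def is_dictionary_word(password, wordlist=WORDLIST):
    """True if the password is one word-list entry, possibly with leet
    substitutions and a trailing run of digits (e.g. 'Y4nkees2019')."""
    stripped = re.sub(r"\d+$", "", password)  # cracking rules also strip trailing digits
    lowered = stripped.lower()
    return lowered in wordlist or lowered.translate(LEET) in wordlist


def charset_size(password):
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII symbols
    return size


def check_password(password, wordlist=WORDLIST):
    """Classify a password and estimate the effort a guessing tool would need."""
    length = len(password)
    dictionary = is_dictionary_word(password, wordlist)
    if dictionary:
        # A word-list attack only has to try the list (times a few rules),
        # regardless of how long the word itself is.
        guesses = len(wordlist) * 10
        verdict = "weak: dictionary word"
    else:
        guesses = charset_size(password) ** length
        if length < 12:
            verdict = "weak: too short"   # threshold assumed for illustration
        elif length < 16:
            verdict = "ok"
        else:
            verdict = "strong"
    return {
        "length": length,
        "dictionary_word": dictionary,
        "search_space_bits": round(math.log2(guesses), 1) if guesses else 0,
        "minutes_to_exhaust": guesses / GUESSES_PER_MINUTE,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The article's own examples plus two constructed weak ones.
    for pw in ["Yankees", "Y4nkees2019", "Reaper7", "Don'tFearTheReaper", "d0n7f3ar7her3ap3r$"]:
        print(f"{pw!r}: {check_password(pw)}")
```

The point the output makes is the one in Russo's explanation: a dictionary word is exhausted in seconds no matter how it is capitalized or suffixed, while an 18-character phrase drawn from a mixed alphabet has a search space in the region of 2^110 and is out of reach of an exhaustive search at any rate.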
Users should consider using a password keeper — such as LastPass, 1Password, Dashlane or a similar program — which stores all of their passwords and autofills them into the browser and web forms, advised Russo.
These tools allow users to create distinct, super complex passwords for each site while remembering only a single password — the one for the keeper itself. However, that isn’t perfect either.
“The downside is that all of your eggs are in this one basket, and an intrusion into your keeper system could spell disaster,” said Russo.
Secure IT – Multifactor Authentication
Email, a banking website, or even eBay can be better protected when an individual opts for multifactor authentication.
“Multifactor authentication is the process of using two or more methods of authenticating, or logging into, apps,” said Russo.
Typically, this is accomplished by requiring users to enter not only something they know — their username and password — but also a PIN or key sent to something they have — for example, their mobile phone.
“A malicious actor would not only need to have the user’s username and password — they would also need access to the user’s cellphone to be able to get unauthorized access,” Russo pointed out.
Multifactor authentication usually can be set up in less than a minute, but it can increase security substantially on sites that contain personal information. While texting a one-time code is now the standard method of multifactor authentication, there are other methods to keep users safe, and their use likely will increase.
“Always use it on key applications including banking, Social Security, online payments, finance/investment, password keepers and social media,” said Russo. “There are a myriad of ways to accomplish multifactor authentication, including biometrics — e.g. facial recognition, fingerprint — or a random key generating device or app that the user has possession of, and more complex methods can be employed to meet the need involved.”