In light of the ever more frequent online breaches, we should talk again about picking a good password. People continue to pick and use poor passwords to protect their valuable information. You might not think your password is important or sought after by hackers, but it really is the only thing between the entire world and your personal online accounts.
If you have a password of eight random letters, there are about 200 billion possible password combinations. If a hacking program like Hashcat had to try them all, it would be done in about 4 minutes. Adding mixed casing and numbers increases the number of possible passwords, and increasing the length to 12 characters catapults the number of possibilities to about 4 sextillion. With that many possibilities, it would take Hashcat an estimated lifetime to work through all the possible combinations.
However, this math does not take the human factor into account. You want to select a combination of characters that you can remember and that isn’t too difficult to enter a few times each day. The password also has to work within the limits imposed by the website or application where you created the password. People wanting to crack your password are also aware of those limitations. In fact, there are extensive lists of common password terms available on the internet, sorted by their popularity. Password cracking programs will simply try those more common words and their common variations first, which greatly increases the odds of success in a much shorter time.
Continue reading “Please Select a Better Password”
People continue to pick and use poor passwords to protect their valuable information. You might not think your password is important or sought after by hackers, but it is really the only thing between the entire world and your personal online accounts. If you have a password of eight random letters, there are about 200 billion possible password combinations. If a hacking program like Hashcat had to try them all, it would be done in about 4 minutes. Adding mixed casing and digits increases the number of possible passwords, and increasing the length to 12 characters catapults the number of possibilities to about 4 sextillion. With that many possibilities, it would take Hashcat an estimated lifetime to work through all the possible combinations.
However, this math does not take the human factor into account. You want to select a combination of characters that you can remember and that isn’t too difficult to enter a few times each day. The password also has to work within the limits imposed by the website or application where you created the password. People wanting to crack your password are aware of those limitations. In fact, there are extensive lists of common password terms available on the internet, sorted by their popularity. Password cracking programs will simply try those more common words and their common alterations first, which increases the odds of success in a shorter time.
Continue reading “Selecting a Better Password”
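Both password excerpts above make the same two points: the keyspace math (26 letters at length 8 is about 200 billion candidates; 62 characters at length 12 is in the sextillions) and the human factor that lets popularity-sorted wordlists beat that math. The script below is an added example, not code from either post. It reproduces the 26^8 figure (about 3.5 minutes at an assumed one billion guesses per second; Hashcat rates vary widely by hash type) and computes 62^12 as roughly 3.2 sextillion, the same order of magnitude as the figure the posts cite. The word list, suffix list and letter-for-symbol map are constructed for illustration, so a password policy check built on them would need real popularity-sorted data.

```python
"""Password keyspace, brute-force time, and common-variant checks.

Added example, not code from the original posts. The guess rate is an
assumption; the word and suffix lists are constructed for illustration.
"""
import string

# Assumed cracking speed: one billion guesses per second against a fast
# unsalted hash. Real Hashcat rates depend heavily on the hash algorithm.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate once at the assumed guess rate."""
    return space / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def effective_alphabet_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present.

    This is the optimistic, brute-force-only view: it assumes the attacker
    must try every string of that length over that class mix.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


# Constructed sample of common base words and the trivial alterations that
# popularity-sorted wordlists reach long before any brute-force search.
COMMON_BASES = ("password", "letmein", "qwerty", "welcome", "football")
COMMON_SUFFIXES = ("", "1", "12", "123", "!", "1!")
# Constructed letter-for-symbol map: undoes substitutions like "p@ssw0rd".
LEET_TO_PLAIN = str.maketrans("@013$45", "aoiesas")


def looks_like_common_variant(password: str) -> bool:
    """True if the password is a common word with only casing changes,
    a short suffix, or letter-for-symbol substitutions added."""
    lowered = password.lower()
    for suffix in COMMON_SUFFIXES:
        if not lowered.endswith(suffix):
            continue
        stem = lowered[:len(lowered) - len(suffix)]
        if stem in COMMON_BASES or stem.translate(LEET_TO_PLAIN) in COMMON_BASES:
            return True
    return False


def assess(password: str) -> dict:
    """Summarize both views: the keyspace math and the human-factor check."""
    alphabet = effective_alphabet_size(password)
    space = keyspace(alphabet, len(password))
    return {
        "length": len(password),
        "alphabet": alphabet,
        "brute_force_time": human_duration(seconds_to_exhaust(space)),
        "common_variant": looks_like_common_variant(password),
    }


if __name__ == "__main__":
    for name, size, length in (("8 lowercase letters", 26, 8),
                               ("12 mixed case + digits", 62, 12)):
        space = keyspace(size, length)
        print(f"{name}: {space:,} candidates, "
              f"{human_duration(seconds_to_exhaust(space))} to exhaust")
    for pw in ("P@ssw0rd1", "Football123", "Tr0ub4dor&3", "xq7Lp2vRn9Wd"):
        print(pw, assess(pw))
```

The point the two views make together: "P@ssw0rd1" has the same brute-force keyspace as any other 9-character mixed password, yet it is flagged immediately because a cracker tries the common word, a digit suffix and the symbol swaps before it ever tries random strings. Long random passwords from a password manager pass both checks.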
For most companies, maintaining a large IT presence implies large capital expenditures and a non-trivial amount of accounting and record-keeping to track depreciation, tax considerations, and so forth. When you purchase the hardware and the software, they become yours (in every sense of the word) and your long-term responsibility. The traditional model of enterprise computing is a capital-intensive function that requires expensive data centers (electricity, air conditioning, servers, networks, storage, etc.) and operations staff (hardware swaps, networks, backups, OS updates, upgrades, etc.) to keep it all running effectively. With an on-premises data center, you must plan and provision for maximum utilization, which is financially inefficient.
The appeal of cloud computing includes the ability of enterprises to pay for only what they use. If demand decreases and you no longer need the assigned capacity, you can turn off systems and you are no longer charged for them. Since the cloud is a subscription-based model, it is an “operating expense” model. Computing becomes a service for which businesses are billed a monthly charge that is metered by actual usage. The more compute, network, and storage resources you use, the higher your monthly bill. The less you use, the less you will be charged.
Another way to save money is that cloud operations free your enterprise of the costly tasks of system backups, routine network maintenance, software patches, etc., because your cloud provider can handle these tasks.
Most IT organizations find wide variations in system utilization. Some applications are seasonal and other applications run for a short period of time before being shut down. You might have other applications that are simply unpredictable, to which you can’t apply a cost-saving model.
Building your server infrastructure in a cloud environment can save your business money and allow for greater innovations for less money.
There are a few things you can do to make your internet experience a little safer. This isn’t everything you can or should do, but these two things will enhance your everyday security without it taking a lot of effort to complete.
Disable your wireless router’s remote administration feature
This can be a very effective measure to prevent a hacker from taking over your wireless network. Many wireless routers have a setting that allows you to administer the router via a wireless connection or over the internet. This means that you can access all of the router’s security settings and other features without having to be on a computer that is plugged into the router using an Ethernet cable. While this seems very convenient for administering the router remotely, it provides another point of entry for the hacker to get to your security settings and change them to something a little more hacker friendly. Many people also never change the factory default admin password on their wireless router, which makes things even easier for the hacker, so you should change the default admin password as well.
Beware of “Free” Wi-Fi
If you use public hotspots you are an easy target for man-in-the-middle and session hijacking attacks. Hackers can use simple tools to perform “man-in-the-middle” attacks where they insert themselves into the wireless connection between you and the host of the free connection. Once they have successfully inserted themselves into the connection, they can harvest your transmissions, picking up the network packets that contain account passwords, e-mail, bank account information, etc. It is recommended that you use a commercial VPN service provider to protect all of your traffic when you are using free Wi-Fi networks. Costs for these commercial services start at a few dollars a month, but you can always try a free service to see how you like it. A secure VPN provides an additional layer of security that is extremely difficult to defeat unless the hacker is extremely determined.
A determined hacker can probably defeat your basic efforts to secure a wireless signal, but 99% of the time you just have to be a difficult target. When you are attacked by a bear, you don’t have to be the fastest runner, just faster than the friends around you. A similar thing can be said for Wi-Fi security. You don’t have to be the most secure user on the network, you just have to be more secure than the people around you at the time.
There are things that employees do that can present serious threats to corporate security, and you might not even realize that these simple things can undermine your security efforts. If you are responsible for security at your company, you need to start investigating these issues; educating your team about these risks is a simple way to improve the corporate security at your place of business.
- BYOD – Bring Your Own Device is something that almost everyone does today, even at places that specifically ban the practice. With smart watches, personal cell phones, cheap tablets, etc., it is almost impossible to keep employees from bringing their own devices into the workplace. Many companies don’t even have formal policies around what devices are allowed or what systems these devices are banned from being connected to in their environment. The risk is that an employee brings an infected device into the office and connects that device to one of your corporate assets like a laptop or server. The infected device is then able to bypass the typical network security and attack that asset, potentially stealing corporate secrets or customer data. Education and formal policies are the best security against this type of dangerous behavior, as well as updating your security profile to detect rogue devices.
- Social Media – A post on social media may seem harmless to most people, but if the post includes information about a new business project, issues with a new business system, how many servers were recently infected with a virus, etc., these posts can be used by your business competition to gain an advantage or even used as a source of technical information for international hackers to target your business for a cyber attack. Education is your best weapon against this type of issue.
- Poor Technical Security – Your technical team has to always be thinking of system security. This includes assuming responsibility for securing the business systems from both internal and external attacks. The obvious security measures include strong perimeter security through firewalls and intrusion detection, but less obvious steps include keeping systems updated with security patches, education around recent security threats, and monitoring vendor sites for announcements about newly discovered vulnerabilities. Make sure the technical team has formal policies and procedures around periodic security checks, and that there is some oversight into the process so it stays important to the entire team.
- Social Hacking – Hackers and scammers don’t always attack your assets by remotely hacking your computers; sometimes they just hack your employees. It can start as a simple telephone call asking someone in your office to download a vendor update because their system is outdated and causing a data issue. That seemingly harmless update is really a program that installs a backdoor into your system that allows the hacker access into the secure network. A scammer can also call someone in accounting posing as the CEO, requesting an emergency wire transfer of $50,000 to an off-shore account. You need to make sure there are policies and procedures in place that will capture these types of unusual events and route them to someone who can ask the correct questions to uncover a scam and block silly mistakes like these.
- Anti-Virus Software – Just because your computer is behind a firewall doesn’t mean it can’t be infected with a virus. Computer viruses can do harmless and annoying things, but they can also do some really serious damage to your corporate computer systems and even shut down your business. Anti-virus software isn’t the most important part of your network security, but it is one part of an overall security infrastructure that will help keep your network secure.
- Weak Passwords – Any secure computer system starts with good passwords. A weak password is useless and puts your entire network at risk. Verify that the business systems your company uses require strong passwords, and make sure you educate your team to always avoid weak passwords. This education should extend past internal corporate assets to include personal email accounts, social media sites, and their personal banking accounts.
In the beginning of the internet, you could say and do anything. You were free to search for any topic, view any content you could find, and share just about anything you wanted. You can now see that this extreme freedom is getting more and more compromised as governments look to control more of the information that citizens have access to and what they can share online. Even hackers use the internet to gain knowledge of your physical or virtual location for their own nefarious and harmful purposes. Sometimes content available in one part of the world is restricted based on your current geographical location.
Virtual Private Networks (VPNs) extend your private network across a public network, giving you an opportunity to send and receive information across the public network as if it were a part of your own private network, with appropriate security and a degree of anonymous access.
Each VPN service can perform differently, and not all of them provide the same level of access or security. There are other ways to achieve some or all of these goals besides a VPN, but all of them have their downsides. You should consider a VPN solution if you are interested in web anonymity, but it could result in a noticeable loss of browsing or download speed.
One of the most important components of maintaining a reliable and efficient network is keeping the firmware on your network devices updated. You know you need the latest firmware to get the latest security patches, and compliance monitors look for evidence that you are performing the updates. These devices usually include managed switches, routers, wireless access points, and intrusion detection systems, among other network devices. Follow the device’s documentation to perform the update whenever the manufacturer provides a proper procedure for upgrading the firmware. An unsuccessful upgrade can not only result in connectivity issues, but might also render the device entirely inoperable. To perform safe upgrades, you should follow patching best practices:
- Back up the device’s current configuration.
- Reset the device to its factory default settings.
- Apply the firmware update per the manufacturer’s instructions.
- Reset the device to its factory default settings again.
- Restore the device’s configuration settings from the backup you created in Step 1.
- Reboot or restart the device.
- Test everything to make sure the device is configured properly and working correctly.
Tip: While most devices provide a soft reset and a hard reset facility, always perform a hard reset when given the opportunity.
If compliance evidence is required, you will need to provide screenshots of output logs from the device showing dates, times, and before/after settings. You should also log evidence of testing, which will help prove you tested everything and that it was working after the upgrade.