This is the fourth article in our Cybersecurity series:
There is no ‘golden ticket’ utility, software, or policy that can guarantee your digital security: not Multi-Factor Authentication (MFA), not strong passwords, not even being a security expert. But following these best practices will greatly reduce your risk.
The recommendations in this article are provided in good faith. Following these recommendations, in whole or in part, does not guarantee your survival from the next cyberattack.
In this article we will cover cybersecurity best practices for 3 common cyberattack methods. Within each method there is a ‘History’ and ‘Best Practices’ section. If you aren’t interested in the background information you can head straight to ‘Best Practices’.
The 3 methods covered:
Who doesn’t love creating 16-character passwords with at least 2 uppercase letters, 1 number, and a special character (not including !@#$%)? Also, make sure you don’t reuse a password on any other site/service.
I can’t see anyone but I’m guessing everyone's hand is raised.
If we only had to create and remember a few passwords this would be easy but statistics show:
The average person belongs to more than 80 sites/services that require a password
So why are so many places requiring long complex passwords?
Look no further than the National Institute of Standards and Technology Special Publication 800-63 (NIST SP 800-63).
In 2006 password-protected sites and services were growing rapidly. For national security reasons NIST published guidelines for password creation under SP 800-63. The initial guidelines were: 12+ character complex passwords, changed every 45 days.
These password guidelines were widely adopted and are still in use today.
After more than a decade of collecting and analyzing password data and security breaches, NIST published an update to SP 800-63. Their analysis showed users were reusing that long complex password across multiple sites. Users were also storing the password near their workstation or in an unsecured application. Both of these habits undermine your cybersecurity readiness.
In that 2017 update they completely reversed course on passwords. The new password guidelines are: 8+ characters, not overly complex, not on the breached-password list, and changed once a year.
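To show what those 2017 rules look like when a site actually enforces them, here is an added example (not from the article or from NIST) of a checker that applies a length floor, no composition rules, and a breached-password lookup using the hash-prefix (k-anonymity) scheme most breach-list services use; the breached sample and the range responses are constructed here so it runs offline.

```python
"""NIST SP 800-63B style password check (added example).

Enforces a length floor, deliberately applies NO composition rules
(uppercase/number/symbol), and rejects passwords found in breach data.
The breach lookup mimics the k-anonymity range query: only the first five
hex characters of the SHA-1 hash are sent, the service returns every known
suffix for that prefix, and the match is made locally.
"""
import hashlib

MIN_LEN = 8    # 800-63B: at least 8 characters
MAX_LEN = 64   # 800-63B: allow at least 64 characters


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample of breached passwords with made-up breach counts.
BREACHED_SAMPLE = {"password": 3861493, "Password1": 116847, "qwerty123": 240000}

# Constructed stand-in for the service's range responses: prefix -> "SUFFIX:COUNT" lines.
RANGE_RESPONSES: dict[str, list[str]] = {}
for _pw, _count in BREACHED_SAMPLE.items():
    _h = sha1_upper(_pw)
    RANGE_RESPONSES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def lookup_range(prefix: str) -> list[str]:
    """Simulated range query; a real client would fetch this over HTTPS."""
    return RANGE_RESPONSES.get(prefix, [])


def breach_count(password: str) -> int:
    """Return how many times the password appears in breach data (0 if none)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix):      # only the prefix left the client
        known_suffix, count = line.split(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) under the 2017 rules; no complexity rules applied."""
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    n = breach_count(password)
    if n:
        return False, f"appears in breach data ({n} times)"
    return True, "accepted"
```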
We are going to cover password best practices in 3 sections:
1. Find a password manager and start using it everywhere
With a password manager you only have one password to remember. Most password managers offer these helpful services:
2. If you are forced to manually create a password, have a strategy you can follow that is easy to remember
The resulting password from that strategy should meet these criteria:
Password strategy example
That password isn’t on the breached list, and according to the Kaspersky password checker it would take 10,000+ centuries to crack with a modern cracking computer.
The best part about that password is that it’s easy to remember.
1. Answering and using 'Identity verification questions' (preferred method)
When you create an account on a website and are asked account-recovery ‘identity verification questions’, don’t answer factually.
Statistically, 1 in 5 hackers can correctly guess your factual answer on the first try.
Answering those questions truthfully makes identity verification questions the least secure.
Answering those questions with a strategy makes them the most secure recovery option.
Identity verification questions - answer strategy example
2. SMS (text message) and email recovery methods
Below are some utilities and options that can be used to further secure your personal identity and data:
Operating systems (OS), no matter the manufacturer, have vulnerabilities and an End of Life (EOL) date. An operating system that has reached its EOL is no longer supported by the manufacturer and will not receive patches, critical or maintenance.
If the OS is still supported and a vulnerability is discovered the manufacturer creates and releases a patch to address that vulnerability.
In a previous job I worked with companies of all sizes on a daily basis. Many larger companies relied on a custom-built application, essential to their business, which needed to run on an EOL OS. This is a significant security risk.
End of life operating system matrix. Oddly, this matrix is missing Microsoft Windows workstation versions, so here are 3 important Microsoft OS versions and their EOL dates:
Keep your computer patched and ensure your OS is still supported by the manufacturer.
If you use a company computer, updates may be controlled by your IT department. If you are not certain, ask.
If you use a personal computer to access your company network (VPN, remote software), updating is your responsibility.
Windows and Mac operating systems will check for and install patches by default.
You should still check weekly to ensure patches have been installed.
If you find that a patch didn’t install, you will also find a troubleshooting link to resolve the problem.
To check for patches/updates for Microsoft Windows 10:
To check for patches/updates on a Mac:
The user is the last line of defense in a company’s cybersecurity strategy. Using the cybersecurity best practices outlined in this article will increase your chances of surviving the next cyberattack. The largest impact on that survival will come from educating your users on the latest social engineering tactics.
Social engineering has been around for a long time (a good autobiography on the subject is ‘Ghost in the Wires’ by Kevin Mitnick). Historically, the defense against social engineering was ‘hoping’ users could spot a fraudulent attempt armed with only a handful of vague descriptions.
Training.
We’ve all been told not to interact with fraudulent emails, but what does a fraudulent email look like?
Those are all legitimate methods to determine if an email is a phishing attack. But for most people, by the time they are confronted with a phishing email that information is no longer at the front of their mind.
One quick statistic then we’ll cover what successful testing and training look like.
Over a sample base of 4 million users (information from KnowBe4):
Taking the most utilized attack method and reducing the probability of an attack being successful by nearly 30% is a big deal.
A safe phishing email is sent to users. If a user takes action on the email, they are directed to a landing page that lets them know it was a phishing test. On that landing page the user is shown an image of the email and the clues that identified it as phishing.
Some phishing-test platforms also offer training campaigns that track a user's progress through the training process. Analyzing that data can pinpoint the users who pose the greatest risk to a company and would benefit from more training.
Effective training needs to be ongoing and evolving, just as cybercriminals evolve their game plans over time. Effective training is not one-and-done or a list of quick tips.
Here are a few items that don’t fit into the attack methods above but are still valuable cybersecurity readiness items.
Recently there has been a trend of websites producing a popup asking you to allow notifications. These are called ‘web push’ notifications. Some are legitimate and want to provide useful information. Others are using that popup for general marketing purposes.
Sites using the popup for general marketing typically sell that popup space to marketing agencies. Cybercriminals have caught on to this and are actively producing ads that are tempting to click.
When prompted with the notification dialog use the following as your decision tree:
The Webroot 2020 threat report describes email volume increasing by 34%. That increase, combined with working from home where there are more distractions, has resulted in more successful phishing attempts for cybercriminals.
The phishing success is attributed to users hastily responding to an email without considering its legitimacy.
A good practice to avoid falling into this trap is to create a ‘Later’ email folder or tag. As emails come in, if they aren’t pertinent to what you’re doing at that time, file them in ‘Later’.
Set aside 30 minutes in the afternoon to respond, report, or delete the emails marked ‘Later’.
My goal for this series was to bring you information in a non-technical way that will have a significant impact on your business and its livelihood.
Following these cybersecurity best practices is akin to putting your seatbelt on when you get in the car; you don’t leave the house planning on getting in an accident but if one happens you are far safer.
Conduct a Cybersecurity Readiness Assessment. If you’re not sure where to turn for this, Agave IT Services has the experience and tools to perform the assessment and provide you a clear picture of your readiness to withstand a cyberattack.
Matthew worked with Agave IT Services as a Brand & Content Consultant through 2020. He managed our company transition from Agave Solutions Inc. to Agave IT Services (dba). From our Logo to our online presence and business operations platform; Matthew created a solid foundation able to support our growth into the future.
We are an IT Services and technology company serving the southwestern United States since 2003. We specialize in supporting, managing, and deploying technologies for the AEC industries' unique requirements. We differ from the typical IT service provider in that we handle ALL your technology needs, freeing you to focus on your core business.