mobile logo
week4-password
29
October

Password Hygiene and Security

October 29, 2020
In Company, Industry
By Secure Sense

Many of our daily activities have moved to the internet such as reading our mail, banking, watching movies, and shopping.

But what do all of these activities have in common? 

If you guessed passwords, than you are absolutely correct!

All these accounts we set up require passwords and too often we take shortcuts like re-using passwords or using weak passwords to avoid having to remember multiple, complex passwords. On average, users create 150 password-protected accounts and many users reuse the same password across all accounts – with one study showing that 73% of all passwords are duplicates!  This is not a security best practice, especially if you are inputting personal information on these sites. Most of us know better, but if we’re being honest most of us know we’re also guilty of this security sin. If you’ve ever availed yourself of Google’s password cleanup tool or searched yourself on sites like Have I Been Pwned—or read the news for that matter—you know that the number of sites and services that have been breached and the number of credentials that have been stolen and added to lists sold to scammers and other criminals on the dark web is truly staggering. Chances are good that every one of us has an account for a site or service that has leaked passwords and our names have shown up on one of these lists. For this reason, you need to observe good password hygiene for all of your accounts and there are a number of steps you can take that are easier today than ever—no excuses!

First things first: create a strong password

As mentioned, many of us like to use simple, easy to remember passwords and we likely never change them, because how inconvenient! We also tend to reuse our passwords, or variations of the same password for every account. Unfortunately, this can make you, your credentials, and your personal information highly vulnerable to attackers.

Here are a few do’s and don’ts to creating a strong password:

Do’s

  • Do use at least 10-12 characters (the more the better)
  • Do use a variety of upper and lower-case alpha characters
  • Do use at least one number
  • Do use at least one special character
  • Do use a unique password for every account and device

Don’ts

  • Don’t use common knowledge in your passwords such as your name, birthday, phone number, your pet’s name, etc.
  • Don’t use common words or phrases
  • Don’t use keyboard patterns such as “qwerty”
  • Don’t use a password that is too short
  • Don’t use a common word spelled backwards

If you follow these basic rules to create a strong password, it should be fairly difficult to steal. However, there are some sneaky tactics attackers use to get your passwords that you should always be aware of. So what are they?

Credential stuffing: credential stuffing offers when a company has had a breach and credentials of the users have been stolen. Attackers will use the stolen credentials from that particular account against a users other accounts – hoping to find that the passwords are the same and they can gain access.

Phishing: we’ve touched on phishing a few times this month but due to the high risk of phishing attacks, its very important to be educated on how a phishing attempt can affect the security of your credentials. Often times, attackers will collect your credentials through a phishing attack by simply asking for your username and password for an account, sometimes under the guise that there is a problem with the account. They may also create a login page for you to “login” to your account to collect a prize or deal with an issue.

Password spraying: password spraying is the use of a list of common passwords randomly against a list of usernames. Often times, users are inclined to create passwords that are fairly easy to remember, because most users don’t think they will become a target. However, using a common password such as “123abc” puts you at risk of being victim to password spraying.

Brute Force: brute force is when an attacker “cracks” the user’s credentials. This can be done through the use of a program that runs thousands of passwords (or plain dictionary words) very quickly against the username. This is where password complexity comes into play in making it as hard as possible to crack.

So how do we keep ourselves safe from these attacks?

Always have unique passwords: as we’ve mentioned, your passwords should always be unique for every account and each should have the password criteria we’ve outlined to help keep them out of the hands of attackers. Having a unique password can help protect against common password hacking tactics like credential stuffing and password spraying.

Never give out your credentials via email: phishing attempts may ask you for your password and username because something is “wrong” with your account or they may offer you a prize that requires you to login by clicking a link, however, there will likely never be a legitimate time when you are asked to provide this information over email. Don’t give up your credentials no matter how dire or exciting the situation may seem. If you see an email from a company that you hold an account with and they are asking for this information, always call the organization directly instead.

Use Multi-factor authentication whenever possible: multi-factor authentication is a method that requires the user to provide two or more verification factors to login to your account. Typically, your first verification method is your password and the second method could be a personal security question, a code sent by text message, or even a fingerprint. Having multi-factor authentication can help keep you safe from many of the common attacks mentioned as just acquiring your password won’t be enough for them to get to into your account. Not every account will give you the option for multi-factor authentication, but more and more these days this option is provided, especially for sensitive accounts. Turn it on!

Change passwords regularly: changing your password every few months will help protect you if your password does in fact get compromised. Of course, if you have been notified that one of your passwords has knowingly been compromised, make sure to change it right away. However, if you have been notified via email that your password has been compromised, go directly to the site – do not click on the links in the email or login through the email as this may be a phishing attempt. For many people, this can seem like an onerous task, especially considering how many accounts we all have. This leads us to our final recommendation.

Use a password manager!

Tend to forget all these unique, complex passwords? (That you’ve definitely gone and created after reading this right?) Don’t have time to change your passwords regularly? Use a password manager! There are free to use password managers out there that you can install right into your browser to help you keep your passwords in check, such as LastPass, or, your workplace may provide a password manager software for you to use. You only need to remember one password to login into your password manager that will store all your other passwords for you. Setting up and learning to use a password manager is made extremely easy and in most cases is a very good option to achieve many of the good password hygiene factors we’ve discussed all at once. But wait! “By using a password manager am I theoretically creating a single point of failure to gain access to ALL of my passwords??” you ask. In the end, the benefits of using a password manager far outweigh the potential risk given the controls that password managers put in place, such as MFA and location/device contextualized validation. So long as you’re using these features as intended and not making yourself the true single point of failure by making the mistakes we’ve discussed above, this is a very strong option.

How do I know if my passwords are compromised?

Want to know if any of your accounts have been compromised of shown up on known lists of stolen credentials? There are a variety of options such as  https://haveibeenpwned.com/ that might be eye opening for many users. Simply enter your email address you use to login to your accounts and the site will tell if you if any of your passwords associated with that email have been compromised.

If you have any other questions on how you can stay safe online, don’t hesitate to reach out to us at sales@securesense.ca.

Don’t forget, our weekly quiz will be posted on LinkedIn on Friday! The quiz will cover the blogs this week on Human Disadvantage and Security.

In honour of Cyber Security Awareness Month, we will be sharing insight on the latest cybersecurity news, tips from Secure Sense experts and general security knowledge geared towards keeping you out of the headlines and focused on what matters most, your business. Don’t miss a beat by following along on our TwitterFacebook and LinkedIn Pages.

Read more about password hygiene at the blog:

7 Signs You have a Weak Password

7 Ways Hackers Steal Your Passwords

Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.

Post Tags:

Related Posts

Effective Patch Management Tools for Your Organization

Welcome back to the...

The Evolution from Password Managers to Privileged Access Management. Which is right for you?

Welcome back to the...

A Secure Sense Competitive Advantage

Welcome back to the Cyber Security Month blog! In last week’s blog, we talked about the importance and value of an MSSP, what sets Secure Sense apart from other MSSP’s and how Secure Sense can help your business. Today, we want to continue the conversation around the competitive advantage of working with Secure Sense and what sets us apart in the world of managed security.

In addition to our dedicated customer success teams and our 24×7 SOC (read more in the previous blog here) Secure Sense’s white glove service stands out in many other ways. Continue reading to find out the secret keyphrase, and our competitive advantage.

Expert engineers/analysts

Our experienced technical team comes from diverse technical backgrounds, representing a wealth of security knowledge. They play an integral role in everything we do at Secure Sense; from evaluating partners to developing services, allowing us to focus entirely on the best products and the highest training certificates.

Our engineers, architects, and analysts are required to ensure they are up-to-date on technical training. In addition to solution technical training, our technical team has focused on training in the following areas:

  • Communication for clearer and more accurate ticket updates​
  • Troubleshooting skillsets have led to fewer escalations internally, and ultimately shorter times to remediate​
  • Critical analysis skills which have measurably improved our ticket responses in providing higher quality responses to tickets.

This training has had a measurable increase in the quality of our services, as well as time to remediate and reduce escalations.

Our SOC has many teams that work with our expert analysts to ensure you receive the most from your service. In addition to our security analyst team, Secure Sense has four other technical teams: the reporting team, the threat intel team, the automation team, and the purple team.​

Automation team:

The Secure Sense automation team reviews customer requests, as well as potential customer controls, and ties those controls in with our managed services for automated systems mitigation, stopping threats in their tracks.​

The team is also responsible for:

  • Automated SIEM log analysis, tied into our Threat intelligence team to streamline the ingestion of IOCs into our managed services.
  • Implementing our vendor vulnerability review and remediation systems allows us to reduce our critical vulnerability remediation windows and provide improved visibility into coverage and reporting.
  • Delivering smart-responses from our SIEM solution, and implementation of Reporting team recommendations and improvements.​
  • Automating reporting and alerting directly into our ServiceNOW portal, providing short response times to customer alerts

Reporting team:

Secure Sense has created a dedicated reporting team to streamline and bring more meaningful data to our customers on a regular basis. This team not only builds custom reports, but also analyzes how our customers are using our services, identifying any particular improvements that we could be making to the services, and providing recommendations to the rest of the managed service teams.​

Our reporting team also builds datasets and analyses based on our customer tickets, as well as managed service systems, to identify new use cases and patterns that we can leverage to improve services internally.​

Threat intel team:

Our internal Threat Intel team reviews various events that have occurred and identifies the relevant TTPs. They provide this intelligence to our purple team which will operationalize it.​

The Secure Sense threat intel team focuses on both systematic collection of IOCs and analysis thereof, as well as individual TTPs that are used to identify new and emerging threats. ​The team looks at those tools, Techniques and procedures that threats are using in the market, and identifies how they could be leveraged against our existing customer base, along with better enhancing our services to detect those TTPs when in use.​​

Purple team:​

Secure Sense’s Purple team reflects the blend of both defensive or blue team skillsets, along with offensive or red team skillsets. The team takes tools, techniques and procedures identified by the threat intel team, analyses our customer’s environments and identifies if we can detect them. ​ With customer collaboration, the Purple team can provide execution packages where we can simulate specific components of a threat, and then validate that we have visibility into that TTP being run in a customer environment.

Professional services

Secure Sense’s implementation and support experts are experienced in a wide variety of Professional Services engagements with specialized tactical teams within our extended technical bench, focused on specific technologies and or products.

In most cases, Professional Services are project-based services that require a skilled engineer or architect for a one-time project or short-term change in your organization; or a senior consultant to provide a wide range of risk advisory services. Project teams will also typically address any ongoing support or maintenance after the initial project is complete.

Our cybersecurity consultant team and senior architects hold a broad range of top industry certifications and credentials, along with many years of experience in the industry. Our methodologies for common engagement types have been developed and refined to reflect the most up-to-date best practices and to scale to projects of any size, including global enterprise enablement.

A few of the engagements we commonly offer include:

  • Cybersecurity Architecture Assessment and Design
  • Solution Implementation Services
  • Health Checks
  • Penetration Testing
  • Vulnerability Assessments
  • Threat and Risk Assessment
  • Enablement & Training
  • Ongoing Support

Secure Sense focuses on continual training and certification among our technical ranks in order to provide the most knowledgeable technical support.

Security training

Secure Sense offers security training and can assist in helping your organization to create its cyber security training program. From general employee awareness training to specific security training for your IT and security staff, Secure Sense can help your organization combat the threats they face on a daily basis. Our team is able to offer:

  • Engaging user awareness training for end-users
  • Technology training for security solutions and products
  • Security Analyst training
  • Threat hunting training
  • Threat simulations to give your internal security teams practice in using internal tools
  • Tabletop exercise development and execution to simulate incidents and incident response

Your Key word is “Purple Team”

Don’t forget! Take this keyword and head to our LinkedIn page here to comment on it for your chance to win one of many prizes this month!

As always, if you’re interested in learning more about Secure Sense’s competitive advantage or any of our services, don’t hesitate to reach out to us at 866-999-7506 or sales@securesense.ca!

Continue reading