Author:
Matthew Craig
Date:
January 26, 2021
Blog Image

This is the fourth article in our Cybersecurity series:

  1. Cybersecurity & Cyberattack Terms
  2. Changes since Work from anywhere became prevalent
  3. The business impact of cyberattacks
  4. Cybersecurity best practices

There is no ‘golden ticket’ utility, software, or policy that can guarantee your digital security. Not Multi-Factor Authentication (MFA), strong passwords, or even being a security expert. But Following these best practices will greatly reduce your risk.

The recommendations in this article are provided in good faith. Following these recommendations, in whole or in part, does not guarantee your survival from the next cyberattack.

In this article we will cover cybersecurity best practices for 3 common cyberattack methods. Within each method there is a ‘History’ and ‘Best Practices’ section. If you aren’t interested in the background information you can head straight to ‘Best Practices’.

The 3 methods covered:

  • Password guessing - Brute force, Hacking, Cracking, Stuffing: <5% of successful attacks
  • System vulnerabilities - Unpatched systems: 20% - 40% of successful attacks
  • Social engineering - Phishing, Smishing, Vishing: 70% - 91% of successful attacks

Phishing attack jammed: Spaceballs 1987
Phishing attack jammed: Spaceballs 1987

Password Guessing

Who doesn’t love creating 16 character passwords with at least 2 uppercase letters 1 number and a special character not including !@#$%. Also; make sure you don’t reuse a password on any other site/service.

I can’t see anyone but I’m guessing everyone's hand is raised.

If we only had to create and remember a few passwords this would be easy but statistics show:

The average person belongs to more than 80 sites/services that require a password

History:

So why are so many places requiring long complex passwords?
Look no further than the National Institue of Standards and Technology special publication 800-63 (NIST sp 800-63).

In 2006 password protected sites and services were growing rapidly. For national security reasons the NIST published guidelines for password creation under sp 800-63. The initial guidelines were: 12+ character complex passwords and change that password every 45 days.

These password guidelines were widely adopted and are still in use today.

After more than a decade of collecting and analyzing password data and security breaches the NIST published an update to sp 800-63. Their analysis showed users were reusing that long complex password across multiple sites. Users were also storing the password near their workstation or in an unsecured application. Both of which impact your cybersecurity readiness.

In that 2017 update they completely reversed course on passwords. The new password guidelines are 8+ characters, not overly complex, not on the breached password list, and change once a year.

Best Practices:

We are going to cover password best practices in 3 sections:

  • Creating/managing passwords
  • Recovering lost passwords
  • Increasing security

Creating/managing passwords

1. Find a password manager and start using it everywhere

With a password manager you only have one password to remember. Most password managers offer these helpful services:

  • Dark web monitoring for breaches that involve your data
  • Plugins for most browsers and operating systems
  • Mobile apps for iOS and Android
  • Easily add your current accounts

2. If you are forced to manually create a password; have a strategy you can follow that is easily remembered

The resulting password from that strategy should meet these criteria:

  • Don’t use the same password on multiple sites
  • 12+ characters
  • Not easily guessable
  • Ideally a passphrase
  • Not on the breached password list - (FYI... ‘I hate passwords’ is on the list 8 times so don’t use that :)
  • Change once a year or when the service has been breached

Password strategy example

  1. my passphrase: ‘I love <random> my kids...:)’
  2. Replace <random> with the number of words in the companies name + the second word in uppercase. If there isn’t a second word use ‘Z’
  3. For ‘Agave IT Services’ my password would be: ‘I love 3IT my kids...:)’
  4. When requested to change your password add a ‘.’ after kids

That password isn’t on the breached list and according to the Kaspersky password checker it would take 10,000+ centuries to crack with a modern cracking computer.

The best part about that password is; it’s easy to remember.

Recovering lost passwords

1. Answering and using 'Identity verification questions' (preferred method)

When creating your account on a website and are asked account recovery ‘identity verification questions’ Don’t answer factually

Statistically, 1 in 5 hackers can correctly guess your factual answer on the first try.
Answering those questions truthfully makes identity verification questions the least secure.
Answering those questions with a strategy makes them the most secure recovery option.

Identity verification questions - answer strategy example

  1. Pick a word. I’m going to use ‘helicopter’
  2. Add a second word based on the question. I’m going to use the 3rd word in the recovery question.
  3. If the recovery question is: Who was your childhood hero? - my answer: ‘helicopter your’

2. SMS (text message) and email recovery methods

  • If you receive a message stating your account has been compromised with a convenient button or link to click for password reset... DON’T CLICK THE BUTTON.
  • If a communication requests you to change your password go directly to the site and login. If you are unable to login, click the sites ‘forgot password’ link and walk through the sites password recovery framework.
  • During the recovery, if you are sent a code, that code should be directly input by you within the website's recovery framework. At no point should you email or text that code to anyone.
  • Never verify your account by providing an old password outside the websites recovery framework.

Increasing security

Below are some utilities and options that can be used to further secure your personal identity and data:

  • Use Multi-Factor Authentication or 2 Factor Authentication (MFA, 2FA) when available (article on MFA, 2FA coming soon).
  • Turn off your browsers built-in password tracker
  • Check your email address to see if it has been compromised. With breaches happening daily it is likely your email will show up in a database someplace. If it does it is time to change your email account password. If it’s your work email you should inform your IT department and change your company login password. Changing your password will not remove your email account from a compromised list but it will remove the threat from that breach if not already exploited.
  • Don’t click unsubscribe in an email from a company you haven’t created an account with.
  • Don’t tell people your password (couldn’t resist this): Jimmy Kimmel video

System Vulnerabilities

Operating systems (OS), no matter the manufacturer, have vulnerabilities and an End of Life (EOL) date. An operating system that has reached its EOL is no longer supported by the manufacturer and will not receive patches (critical or maintenance).

If the OS is still supported and a vulnerability is discovered the manufacturer creates and releases a patch to address that vulnerability.

History:

In a previous job I worked with companies of all sizes on a daily basis. Many larger companies utilized a custom-built application, essential to their business, which needed to run on an EOL OS. This is a significant security risk.

End of life operating system matrix. Oddly this matrix is missing Microsoft Windows workstation versions; so here are 3 important Microsoft OS versions and their EOL:

  • Windows XP - EOL April 2014
  • Windows 7 - EOL January 2020
  • Windows 10 - Projected EOL October 2025

Best Practices:

Keep your computer patched and ensure your OS is still supported by the manufacturer.

If you use a company computer updates may be controlled by your IT Department. If you are not certain; ask.

If you use a personal computer to access your company network (VPN, remote software) updating will be your responsibility.

Windows and MAC operating systems by default will check for and install patches.
You should still check weekly to ensure patches have been installed.

If you find that a patch didn’t install you will also find a troubleshooting link to resolve the problem.

To check for patches/updates for Microsoft Windows 10:

  1. Start  button
  2. Settings
  3. Update & Security
  4. Check for updates

To check for patches/updates on a MAC:

  1. Apple Menu
  2. System Preferences
  3. Software update
  4. Update Now

Social Engineering

The user is the last line of defense in a companies cybersecurity strategy. Using the cybersecurity best practices outlined in this article will increase your chances of surviving the next cyberattack. The largest impact on that survival will be educating your users on the latest social engineering tactics.

History:

Social engineering has been around for a long time (a good autobiography pertaining to this is ‘Ghost in the wires’ by Kevin Mitnick). The defense against social engineering was ‘hoping’ users could spot a fraudulent social engineering attempt, with a handful of vague descriptions.

Best Practices:

Training.

We’ve all been told not to interact with fraudulent emails, but what does a fraudulent email look like?

  • The senders domain should match the company an email pertains to (sender - matthew@live.com, email about your expired Netflix account = phishing)
  • The company name or domain the email pertains to is misspelled - Neflix (incase you don't see the problem; there's no 't')
  • The email may contain an attachment you don’t typically deal with (like an invoice and you aren’t in accounting)
  • If an email contains a button or link; you can hover over it and see if the displayed web address is relevant to the email content

Those are all legitimate methods to determine if an email is a phishing attack. But for most people; by the time they are confronted with a phishing email that information is no longer at the front of their mind.

One quick statistic then we’ll cover what successful testing and training look like.
Over a sample base of 4 million users (information from Knowbe4):

Phishing testing impact: KnowBe4
Phishing testing impact: KnowBe4
  • Initial phishing test sent - 37.9% of people took action on the email
  • After 3 months of phishing tests and training - 14.1%
  • 1 year later - 4.7%

Taking the most utilized attack method and reducing the probability of an attack being successful by nearly 30% is a big deal.

How does phishing testing and training work

A safe phishing email is sent to users. If a user takes action on the email; they are directed to a landing page that lets them know it was a phishing test email. On that landing page the user is shown an image of the email and the clues that it was a phishing email.

Some phish testing platforms allow training campaigns that track a user's progress through the training process. Analyzing that data can pinpoint users who pose the greatest risk to a company and would benefit from more training.

Effective training needs to be ongoing and evolving just like cybercriminals evolve their game plans over time. Effective training is not one-and-done or quick tips.

Additional Cybersecurity Items

Here are a few items that don’t fit into the attack methods above but are still valuable cybersecurity readiness items.

Website notifications:

Recently there has been a trend of websites producing a popup asking you to allow notifications. These are called ‘web push’ notifications. Some are legitimate and want to provide useful information. Others are using that popup for general marketing purposes.

Sites using the popup for general marketing typically give that popup space to marketing agencies. Cybercriminals have caught onto this fact and are actively producing ads worthy of a click.

When prompted with the notification dialog use the following as your decision tree:

  1. If you landed on the site from a search you performed and you don’t really need to be there > Close the entire web browser tab
  2. If you don’t need notifications from the site but want to look around > click the close ‘X’ button in the corner
  3. If there isn’t a close ‘X’ button > click don’t allow’ (or similar)
  4. If you trust the site (not just the content on the site) and you want notifications > click allow

Dealing with increased emails:

In the webroot 2020 threat report they talk about email volume increasing by 34%. The increase of emails and working from home where there are more distractions has resulted in successful phishing attempts for cybercriminals.

The phishing success is attributed to users hastily responding to an email without giving consideration to its legitimacy.

A good practice to avoid falling into this trap is to create a ‘Later’ email folder or tag. As emails come in, if they aren’t pertinent to what you’re doing at that time, file them in ‘Later’.
Set aside 30 minutes in the afternoon to respond, report, or delete the emails marked ‘Later’.

Miscellaneous but important:

  • Most security professionals are recommending companies purchase Cybersecurity Insurance
  • If you have been compromised; a company that I’ve referenced throughout this series is Coveware.com. They help companies who have been compromised deal with a ransom demand and data recovery. They will work with The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) to avoid fines and penalties
  • If you have third-party vendors that have access to your data ensure you are familiar with their security policies and they are enforced
  • Avoid using public Wi-Fi. If you need to connect remotely at a public place utilize a hotspot from your phone. If that isn’t possible use a VPN.

The end....

My goal for this series was to bring you information in a non-technical way that will have a significant impact on your business and its livelihood.

Following these cybersecurity best practices is akin to putting your seatbelt on when you get in the car; you don’t leave the house planning on getting in an accident but if one happens you are far safer.

Next step:

Conduct a Cybersecurity Readiness Assessment. If you’re not sure where to turn for this; Agave IT Services has the experience and tools to perform the assessment and provide you a clear picture of your readiness to withstand a cyberattack.
   

logo
logo

You have a vision
we want to help you get there

Our approach to IT Service is unique. Let's see how we can best serve you!

Cyber Security

Cybersecurity part 4: Cybersecurity best practices

By now you realize you're getting phished daily and it is only a matter of time before one is successful. In this article we will cover best practices that, when followed, will reduce successful phishing by more than 40%.

|
January 25, 2021

This is the fourth article in our Cybersecurity series:

  1. Cybersecurity & Cyberattack Terms
  2. Changes since Work from anywhere became prevalent
  3. The business impact of cyberattacks
  4. Cybersecurity best practices

There is no ‘golden ticket’ utility, software, or policy that can guarantee your digital security. Not Multi-Factor Authentication (MFA), strong passwords, or even being a security expert. But Following these best practices will greatly reduce your risk.

The recommendations in this article are provided in good faith. Following these recommendations, in whole or in part, does not guarantee your survival from the next cyberattack.

In this article we will cover cybersecurity best practices for 3 common cyberattack methods. Within each method there is a ‘History’ and ‘Best Practices’ section. If you aren’t interested in the background information you can head straight to ‘Best Practices’.

The 3 methods covered:

  • Password guessing - Brute force, Hacking, Cracking, Stuffing: <5% of successful attacks
  • System vulnerabilities - Unpatched systems: 20% - 40% of successful attacks
  • Social engineering - Phishing, Smishing, Vishing: 70% - 91% of successful attacks

Phishing attack jammed: Spaceballs 1987
Phishing attack jammed: Spaceballs 1987

Password Guessing

Who doesn’t love creating 16 character passwords with at least 2 uppercase letters 1 number and a special character not including !@#$%. Also; make sure you don’t reuse a password on any other site/service.

I can’t see anyone but I’m guessing everyone's hand is raised.

If we only had to create and remember a few passwords this would be easy but statistics show:

The average person belongs to more than 80 sites/services that require a password

History:

So why are so many places requiring long complex passwords?
Look no further than the National Institue of Standards and Technology special publication 800-63 (NIST sp 800-63).

In 2006 password protected sites and services were growing rapidly. For national security reasons the NIST published guidelines for password creation under sp 800-63. The initial guidelines were: 12+ character complex passwords and change that password every 45 days.

These password guidelines were widely adopted and are still in use today.

After more than a decade of collecting and analyzing password data and security breaches the NIST published an update to sp 800-63. Their analysis showed users were reusing that long complex password across multiple sites. Users were also storing the password near their workstation or in an unsecured application. Both of which impact your cybersecurity readiness.

In that 2017 update they completely reversed course on passwords. The new password guidelines are 8+ characters, not overly complex, not on the breached password list, and change once a year.

Best Practices:

We are going to cover password best practices in 3 sections:

  • Creating/managing passwords
  • Recovering lost passwords
  • Increasing security

Creating/managing passwords

1. Find a password manager and start using it everywhere

With a password manager you only have one password to remember. Most password managers offer these helpful services:

  • Dark web monitoring for breaches that involve your data
  • Plugins for most browsers and operating systems
  • Mobile apps for iOS and Android
  • Easily add your current accounts

2. If you are forced to manually create a password; have a strategy you can follow that is easily remembered

The resulting password from that strategy should meet these criteria:

  • Don’t use the same password on multiple sites
  • 12+ characters
  • Not easily guessable
  • Ideally a passphrase
  • Not on the breached password list - (FYI... ‘I hate passwords’ is on the list 8 times so don’t use that :)
  • Change once a year or when the service has been breached

Password strategy example

  1. my passphrase: ‘I love <random> my kids...:)’
  2. Replace <random> with the number of words in the companies name + the second word in uppercase. If there isn’t a second word use ‘Z’
  3. For ‘Agave IT Services’ my password would be: ‘I love 3IT my kids...:)’
  4. When requested to change your password add a ‘.’ after kids

That password isn’t on the breached list and according to the Kaspersky password checker it would take 10,000+ centuries to crack with a modern cracking computer.

The best part about that password is; it’s easy to remember.

Recovering lost passwords

1. Answering and using 'Identity verification questions' (preferred method)

When creating your account on a website and are asked account recovery ‘identity verification questions’ Don’t answer factually

Statistically, 1 in 5 hackers can correctly guess your factual answer on the first try.
Answering those questions truthfully makes identity verification questions the least secure.
Answering those questions with a strategy makes them the most secure recovery option.

Identity verification questions - answer strategy example

  1. Pick a word. I’m going to use ‘helicopter’
  2. Add a second word based on the question. I’m going to use the 3rd word in the recovery question.
  3. If the recovery question is: Who was your childhood hero? - my answer: ‘helicopter your’

2. SMS (text message) and email recovery methods

  • If you receive a message stating your account has been compromised with a convenient button or link to click for password reset... DON’T CLICK THE BUTTON.
  • If a communication requests you to change your password go directly to the site and login. If you are unable to login, click the sites ‘forgot password’ link and walk through the sites password recovery framework.
  • During the recovery, if you are sent a code, that code should be directly input by you within the website's recovery framework. At no point should you email or text that code to anyone.
  • Never verify your account by providing an old password outside the websites recovery framework.

Increasing security

Below are some utilities and options that can be used to further secure your personal identity and data:

  • Use Multi-Factor Authentication or 2 Factor Authentication (MFA, 2FA) when available (article on MFA, 2FA coming soon).
  • Turn off your browsers built-in password tracker
  • Check your email address to see if it has been compromised. With breaches happening daily it is likely your email will show up in a database someplace. If it does it is time to change your email account password. If it’s your work email you should inform your IT department and change your company login password. Changing your password will not remove your email account from a compromised list but it will remove the threat from that breach if not already exploited.
  • Don’t click unsubscribe in an email from a company you haven’t created an account with.
  • Don’t tell people your password (couldn’t resist this): Jimmy Kimmel video

System Vulnerabilities

Operating systems (OS), no matter the manufacturer, have vulnerabilities and an End of Life (EOL) date. An operating system that has reached its EOL is no longer supported by the manufacturer and will not receive patches (critical or maintenance).

If the OS is still supported and a vulnerability is discovered the manufacturer creates and releases a patch to address that vulnerability.

History:

In a previous job I worked with companies of all sizes on a daily basis. Many larger companies utilized a custom-built application, essential to their business, which needed to run on an EOL OS. This is a significant security risk.

End of life operating system matrix. Oddly this matrix is missing Microsoft Windows workstation versions; so here are 3 important Microsoft OS versions and their EOL:

  • Windows XP - EOL April 2014
  • Windows 7 - EOL January 2020
  • Windows 10 - Projected EOL October 2025

Best Practices:

Keep your computer patched and ensure your OS is still supported by the manufacturer.

If you use a company computer updates may be controlled by your IT Department. If you are not certain; ask.

If you use a personal computer to access your company network (VPN, remote software) updating will be your responsibility.

Windows and MAC operating systems by default will check for and install patches.
You should still check weekly to ensure patches have been installed.

If you find that a patch didn’t install you will also find a troubleshooting link to resolve the problem.

To check for patches/updates for Microsoft Windows 10:

  1. Start  button
  2. Settings
  3. Update & Security
  4. Check for updates

To check for patches/updates on a MAC:

  1. Apple Menu
  2. System Preferences
  3. Software update
  4. Update Now

Social Engineering

The user is the last line of defense in a companies cybersecurity strategy. Using the cybersecurity best practices outlined in this article will increase your chances of surviving the next cyberattack. The largest impact on that survival will be educating your users on the latest social engineering tactics.

History:

Social engineering has been around for a long time (a good autobiography pertaining to this is ‘Ghost in the wires’ by Kevin Mitnick). The defense against social engineering was ‘hoping’ users could spot a fraudulent social engineering attempt, with a handful of vague descriptions.

Best Practices:

Training.

We’ve all been told not to interact with fraudulent emails, but what does a fraudulent email look like?

  • The senders domain should match the company an email pertains to (sender - matthew@live.com, email about your expired Netflix account = phishing)
  • The company name or domain the email pertains to is misspelled - Neflix (incase you don't see the problem; there's no 't')
  • The email may contain an attachment you don’t typically deal with (like an invoice and you aren’t in accounting)
  • If an email contains a button or link; you can hover over it and see if the displayed web address is relevant to the email content

Those are all legitimate methods to determine if an email is a phishing attack. But for most people; by the time they are confronted with a phishing email that information is no longer at the front of their mind.

One quick statistic then we’ll cover what successful testing and training look like.
Over a sample base of 4 million users (information from Knowbe4):

Phishing testing impact: KnowBe4
Phishing testing impact: KnowBe4
  • Initial phishing test sent - 37.9% of people took action on the email
  • After 3 months of phishing tests and training - 14.1%
  • 1 year later - 4.7%

Taking the most utilized attack method and reducing the probability of an attack being successful by nearly 30% is a big deal.

How does phishing testing and training work

A safe phishing email is sent to users. If a user takes action on the email; they are directed to a landing page that lets them know it was a phishing test email. On that landing page the user is shown an image of the email and the clues that it was a phishing email.

Some phish testing platforms allow training campaigns that track a user's progress through the training process. Analyzing that data can pinpoint users who pose the greatest risk to a company and would benefit from more training.

Effective training needs to be ongoing and evolving just like cybercriminals evolve their game plans over time. Effective training is not one-and-done or quick tips.

Additional Cybersecurity Items

Here are a few items that don’t fit into the attack methods above but are still valuable cybersecurity readiness items.

Website notifications:

Recently there has been a trend of websites producing a popup asking you to allow notifications. These are called ‘web push’ notifications. Some are legitimate and want to provide useful information. Others are using that popup for general marketing purposes.

Sites using the popup for general marketing typically give that popup space to marketing agencies. Cybercriminals have caught onto this fact and are actively producing ads worthy of a click.

When prompted with the notification dialog use the following as your decision tree:

  1. If you landed on the site from a search you performed and you don’t really need to be there > Close the entire web browser tab
  2. If you don’t need notifications from the site but want to look around > click the close ‘X’ button in the corner
  3. If there isn’t a close ‘X’ button > click don’t allow’ (or similar)
  4. If you trust the site (not just the content on the site) and you want notifications > click allow

Dealing with increased emails:

In the webroot 2020 threat report they talk about email volume increasing by 34%. The increase of emails and working from home where there are more distractions has resulted in successful phishing attempts for cybercriminals.

The phishing success is attributed to users hastily responding to an email without giving consideration to its legitimacy.

A good practice to avoid falling into this trap is to create a ‘Later’ email folder or tag. As emails come in, if they aren’t pertinent to what you’re doing at that time, file them in ‘Later’.
Set aside 30 minutes in the afternoon to respond, report, or delete the emails marked ‘Later’.

Miscellaneous but important:

  • Most security professionals are recommending companies purchase Cybersecurity Insurance
  • If you have been compromised; a company that I’ve referenced throughout this series is Coveware.com. They help companies who have been compromised deal with a ransom demand and data recovery. They will work with The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) to avoid fines and penalties
  • If you have third-party vendors that have access to your data ensure you are familiar with their security policies and they are enforced
  • Avoid using public Wi-Fi. If you need to connect remotely at a public place utilize a hotspot from your phone. If that isn’t possible use a VPN.

The end....

My goal for this series was to bring you information in a non-technical way that will have a significant impact on your business and its livelihood.

Following these cybersecurity best practices is akin to putting your seatbelt on when you get in the car; you don’t leave the house planning on getting in an accident but if one happens you are far safer.

Next step:

Conduct a Cybersecurity Readiness Assessment. If you’re not sure where to turn for this; Agave IT Services has the experience and tools to perform the assessment and provide you a clear picture of your readiness to withstand a cyberattack.
   

Matthew worked with Agave IT Services as a Brand & Content Consultant through 2020. He managed our company transition from Agave Solutions Inc. to Agave IT Services (dba). From our Logo to our online presence and business operations platform; Matthew created a solid foundation able to support our growth into the future.

You can find
Matthew
on:
LinkedIn icon

Agave IT Services

We are an IT Services and technology company serving the southwestern United States since 2003. We specialize in supporting, managing, and deploying technologies for the AEC industries' unique requirements. We differ from the typical IT service provider in that we handle ALL your technology needs, freeing you to focus on your core business.

You have a vision
we want to help you get there

Our approach to IT Service is unique. Let's see how we can best serve you!
Yes Please!