Whether it is us or our clients, securing our online footprint is becoming increasingly important for us all.
As security professionals you may be an attack vector to your client if you do not maintain basic online security controls. At the very least you should be in a position to provide basic advice to your clients in order to help them stay secure.
Don’t Reuse Passwords
The greatest risk to yourself and your clients is password reuse. This is using the same password across many sites. As soon as one site gest hacked, all your accounts are vulnerable.
You do not need a separate password for every site. You probably do not care about the majority of sites that get hacked. Use a common password for site that you do not care about. You need unique passwords for important accounts – especially your email account as this can be used to reset all your other accounts.
I recommend the use of a password manager for all your passwords. This way you can use a different password for every service. There are three real options for a password manager:
- A notebook works but is the most time consuming and in danger of being physically lost.
- If you are an Apple user for everything the IOS Key chain is good. Google Chrome is less platform specific (i.e you can have on a Windows computer at home and on your phone). This makes life easier than carrying around a notebook which you could lose. Chrome and Keychain are a bit fiddly to get the password if it cannot be automatically entered.
- The easiest and most effective method, , is a Password Manager such as 1Password, but you do have to pay for it. Other Password managers are available, some are better than others. 1Password syncs across all your devices so you can access all your passwords and enter them easily without too much hassle.
Create a strong password using three random words
Passwords that are less than 11 characters can be discovered by an attacker checking every possible combination on a fast computer in a reasonable amount of time. A weak password can be discovered in seconds especially if it is a word or close to a word. The longer or more unusual your password is the harder it is to crack. The best way to make a strong password is to use a sequence of three random words that you can remember. You can add special characters to make it even stronger. Edward Snowden, who had reason to develop strong passwords, recommended “Thatcher is 110% sexy” as a password that you will never forget and no one will crack.
Use Multi Factor Authentication (MFA or 2FA)
You may have heard of multi-factor— or two-factor — authentication (MFA or 2FA) as a way to add a layer of security on top of your accounts. In addition to your username and password, enabling two-factor authentication lets you use a second form of identification, which may block thieves from accessing your information. It’s a second factor to show that you are you — not an intruder — it could be a hardware key, a dedicated phone application, an SMS text message, or your fingerprint.
The are a three broad options for a second factor of authentication:
- SMS (Text messages)
- An App
- A hardware token
SMS is the easiest to set up and is probably enough security for most people but according to this research by google, is the least secure. The research found that a hardware token is the most secure, thwarting 100% of even targeted attacks but it will cost you money (~£50).
The authenticator applications such as those produced by Microsoft and Google are pretty easy to use and are often deploy by businesses; so many users already have them. They can be used for personal accounts as well – generating a unique time sensitive code that helps protect the account.
When you set up 2FA, you will need to think about a back up plan to access the account if you lose your device. Accounts should give you a list of backup codes when you switch on 2FA. When asked for a code you can use one of these, but each code will only work once, so you’ll need to create more when you’ve used them all. Backup codes are really useful if you need to log on without a phone to hand. You will need to store the codes somewhere safe.
Keep your software up to date
Software and app updates contain vital security fixes to help protect your devices from attackers.
Modern software is constantly being updated. Security vulnerabilities are found and fixed on a monthly basis by manufacturers. Cyber criminals and others use the software weakness to attack devices. People will often receive a prompt on the computer, smartphone or tablet to inform you that an update is available. Don’t ignore this message.
Turn on automatic updates where possible – most modern devices will update over wifi when the user is asleep. The few minutes it takes to download and install an update will save you an immense amount of time in the future and protect your devices.
Information can easily be found about how to install these updates from Apple, Microsoft and Google.
Remove unwanted applications
Social Media sites such as Facebook and twitter encourage you to enable “apps” that work their platforms, often demanding privileges to generate messages on your behalf. The typical scenario is that you use them only once or twice and forget about them.
It is the fastest growing attack vector into Microsoft office 365 – something that Microsoft is moving to stop but it is taking time.
It is always good to go through you accounts and disable the apps. Be ruthless – you probably weren’t using them anyway and if you do need them – they are a few clicks to re enable.
Here’s a complete guide for all services to check:
Online Health Check for Protectors
By: Tom Coleman
Tom is the lead instructor for Cyber training in Minerva Elite Performance. He is also an independent Security Architecture Consultant who has worked on various projects including Queen Elizabeth Carrier. Previously, Tom has provided security consultancy to the finance and health sectors and was Chief Information Officer for a tech start up.
In the regular Army Tom was an Infantry Officer and over his 16 year service was seconded to multiple roles in intelligence and security where he built up his information security threat intelligence and asset management experience.
Tom brings his experience of technical security architecture and the C-Suite to mentor potential Information Security professionals to achieve their goals.