14, Aug, 2019
End-User Training - Passwords Are a Pain - But They Are Critical to IT Security
There are only two types of employees when it comes to IT security: major risk employees and minimal risk employees. The only difference is that the minimal risk employees have been trained, have a sense for what is unsafe behavior and take action to protect themselves and the organization.
It might not sound like anything to be proud of, but the minimal risk employee is the ideal end goal: not only do these employees understand, for example, what a phishing attempt is, they report it and communicate back, effectively become security advocates for the entire organization.
So how do we get to a minimal risk IT employee? That’s where end-user security training comes in. This is the first in a series of articles that will help you train your employees on IT security.
Before we move forward I want to set the expectation that the only way to completely secure a network is to close it off. And that just won’t work for anyone trying to communicate outside of the local area network (LAN).
The whole point of the internet is to be an open network, so we must accept that vigilance is, in fact, excellence. Your network will never be bulletproof, but the more advocates you create internally for IT security, the more your risk factor goes down.
Application isolation is a new trend in cybersecurity that grows each day, and the simple idea is that you are segmenting your apps away from one another. This is counterintuitive to the API marketplace phenomenon happening concurrently, which is driving a lot of software as a service (SaaS) purchasing. Most organizations are not forward thinking or strict enough to practice application isolation or closed networks, so there has to be a compromise.
As my favorite saying about IT security goes: You don’t have to be faster than the lion; you just have to be faster than the other guy running away from the lion. Threat actors are notoriously lazy. Hackers are looking for the least trained, lowest common denominator when it comes to end users.
Malware attacks are so rudimentary these days that they are almost designed like drive-bys: they’re not even really targeting you specifically – they’re just spraying maliciousness around and hoping someone gets caught in the crossfire.
If you follow these rules, bad actors will most likely get discouraged and leave you to find an easier mark. Don’t be the sucker that gets hit by stray malware!
Password Strength and Reset
We all hate resetting our passwords every three months. As soon as you start to remember your password by heart, you end up having to reset it.
If you’re one of those IT shops that has decided the annoyance of a reset is not worth the result, I have news for you: you are the slower guy running from the lion.
You can’t afford to not change your password on key systems every three months. It would be like moving into a new house and keeping all the same locks as the previous owner.
So, what needs to be reset every three months?
Passwords to Reset Every Three Months
- Windows login: Obvious and easy to automate – make sure every single user is doing it.
- Email/Office 365: Once again, easy to automate and can tie into your Windows login refresh.
- Hardware, especially routers and firewalls: Many IT admins leave the default “admin” username and the passwords on their routers and firewalls. This is the easiest and most common way for a threat actor to get behind your IP address and start poking around.
- Customer relationship management (CRM): Should be automated by your CRM supplier, but make sure that any software that has an API into it is also following two-factor authentication with a force password reset.
- Marketing automation: Marketo, Hubspot, Constant Contact, etc. Anything that houses customer data needs to comply with General Data Protection Regulation (GDPR) and have strict two-factor authentication on it. I’m isolating this specifically because it’s a growing attack landscape.
In addition to resetting passwords, make sure you are on the latest update of your firmware for routers and firewalls. More threat actors are exposing vulnerabilities in firmware than ever before because while cybersecurity has grown over the past few years, your routers may have been set up before we knew what a distributed denial of service (DDoS attack or ransomware was. Make sure you are addressing legacy systems as a part of your password reset.
Password Do’s and Don’ts for Everyone to Follow
I’ll mention this again later because it’s really important, but don’t make exceptions for anyone on your staff to opt-out of your password policy, ESPECIALLY the executive team.
While executives may gripe about password resets more than any other group at your organization, they are the most frequently targeted group. We’ll talk more about the finance team in another article.
First, the don’ts. Avoid using the following in your passwords:
- Address (home and office)
- Date of birth
- Phone number
- Personal, child or spouse birthday
- Anything about you posted on social media as an interest, including sports teams, hobbies, cars, etc.
Try to avoid using common phrases in your passwords as well, such as these:
- Qwerty (in any form without special characters)
- Sports teams, like Liverpool or Manchester in the United Kingdom or Cowboys or Lakers in the United States
- Swear words – very common, actually. The “f” word ends up getting turned back on you when the hacker is breaking into your account, though.
Now for the do’s. As far as password strength goes, it’s well known in 2019 that you should include the following:
- Upper and lowercase numerals
- Special characters e.g., !@#$%^&*()
- The strongest passwords will have a combination of the following characteristics:
- Long: The longer the password, the harder to crack. While your account may only require 6 to 9 characters, expanding to 12, 16 or more will give you a stronger password.
- Not in the dictionary: Avoid single words or common phrases that can be found in the dictionary or vernacular.
- Character substitutions: Substituting characters for letters is a good practice, but you want to think outside of the box. Don’t substitute zero for the letter O and assume you are safe. A better option would be using the ampersand (&) for O.
- Illogical phrases: While you wouldn’t want to use a common phrase like “ThankYouVeryMuch,” you could string together completely random words like “ThankCheeseBoatsNetwork.”
- Acronyms and abbreviations: Instead of spelling out words, abbreviate them or replace phrases with acronyms that you can remember. Using the example above, “ThankYouVeryMuch” could become “TkYVreM.” Of course, you would add more to it so it’s longer and has a variety of characters.
The Most Common Passwords
Just for fun, here’s a list of the most common passwords in the United States, courtesy of the National Cyber Security Center’s global breach analysis. Show this to your staff and warn them not to use these phrases and keywords. Also, if you have any of these as passwords, you should probably change them right now!
Pro Tip for Password Security
Set your policy on password resets for every 90 days following the guidelines above. Don’t buy SaaS unless it forces password resets and supports two-factor authentication. Be vigilant about the APIs your employees are asking for, and conduct thorough investigations. This is by far the easiest and most impactful thing you can do when it comes to IT security, and it shouldn’t cost you anything.
In my next article, I’ll help you learn how to train end users to identify unsecure or malicious URLs and email domains.