Stopping cyberattacks requires diligent behavior. One of the themes
of this year’s National Cyber Security Awareness Month, or NCSAM, is that
all computer users should take steps to Secure IT.
That means shaking up the passphrase
protocol by using not just strong passwords but strong
and unique passphrases.
Consumers and corporate computer users alike
should double login protection through multifactor authentication, and everyone should embrace safe online shopping practices.
It is easy these days to connect with people and make new
friends, but everyone should play a little hard to get with strangers online, according to the National Cyber Security Alliance. Users should
watch for phishing scams, which often involve social engineering
techniques as much as direct brute force hacking attacks.
“National Cyber Security Month is an opportunity to elevate people’s
awareness and to increase the caution with which they interact with
technology,” said Bob Noel, vice president of strategic relationships
at cybersecurity vendor
Plixer.
“It’s very important for everyone to second-guess and question whether
the email they are opening, link they are clicking on, or answers they
are providing are originating from a valid source,” he told
TechNewsWorld. “Training people to question the authenticity of
digital communications prior to engaging with them can and should be
the goal.”
Positive Online Experience
The point of NCSAM isn’t so much to deter individuals from going
online or even from using a computer, but rather to ensure that they do so
safely.
“The security of a consumer’s digital identity is paramount for a
positive online experience,” said Justin Fox, director of DevOps
engineering at
NuData Security, a Mastercard company.
“Organizations often remind us to use unique passwords of varying
complexity for each product or service we use online,” he told
TechNewsWorld.
“Employees need to be aware of social engineering tactics used to
compromise accounts through the employees’ access privileges, such as
an attacker calling in to reset a password through an employee and
tricking the employee into accepting the attacker as the account
owner,” said Fox.
“Awareness needs to be a goal for all people at all levels,” said Plixer’s Noel.
“Bad actors have become incredibly skilled at social engineering and
can use social media posts and publicly available information to
appear credible,” he pointed out.
“Everyone should constantly have their radar up, questioning the
authenticity of digital communications,” Noel said. “That which
seems obvious to some may not be so clear to others. Nobody knowingly
or willingly becomes compromised. The key goal of raising awareness is
to encourage people to question everything. It may take a bit more
time, but when unsure, people can and should reach out via another
channel to validate whether or not the communication they received is
real.”
Beyond Static Authentication
One problem with cyberattacks today is that they aren’t just about
hijacking a single computer via a virus. Today’s attacks can cripple a
company or even a city. Atlanta and Baltimore are just two examples of
large municipalities that spent weeks in limbo and millions of dollars in
recovery.
Meanwhile, data breaches have hit major retailers, including Target, costing the companies large sums of money and harming their reputations. The cyberattacks on the federal government’s Office of Personnel Management compromised millions of government workers and contractors.
Unique passwords and better security can help, but they go only so far.
“This helps to control the ‘blast radius’ and overall impact of a data
breach but misses the underlying problem: Static authentication is
broken,” said NuData’s Fox.
“To fix how you authenticate consumers requires executive buy-in as a
first step, but then the new authentication strategy has to be
cascaded down to each team, all the way to the consumer,” he suggested.
The answer is not necessarily using SMS or tokens, although second
factors are generally an improvement Fox added.
“SMS solutions rely on vulnerable infrastructure, and tokens increase
consumer friction; and the consumer experience is extremely important
to running a successful business,” he explained.
“Data breaches cause brand damage regardless of whether the data
breach is a result of consumer password hygiene or service provider
mishap,” Fox noted. “In the later scenario, monetary fines and other
penalties may follow.”
Passive Biometrics
In the future, there could be more advanced technologies — such as
passive biometrics, which organizations already are adopting — to “Secure IT.”
“Passive biometrics leverages information about your patterns to
recognize how you type, how you browse, how you interact with your
device,” said Fox.
“Many passive biometric solutions are powered by machine learning
models that adapt to become increasingly accurate.”
Secure IT – Strong Passwords
For now, however, a simpler solution could be to utilize unique
passwords or, when possible, passphrases. It’s important to avoid passwords that
could be guessed easily — such as a birthday or favorite sports team
or movie.
“Many people default to their personal information for their
passwords, such as dates of birth of family, nicknames, addresses,”
noted Ralph Russo, director of the
School of Professional Advancement Information Technology Program at Tulane University in New Orleans.
“Unfortunately, these can be guessed or deciphered through inadvertent
leakage of this info. People also use simple dictionary words in
passwords, e.g. ‘Brooklyn’ or ‘Yankees,’ and all of these are easily
hacked,” Russo told TechNewsWorld.
Strong passwords are those that are lengthy, and the longer the
better. Moreover, they don’t include straight “dictionary” words,
which can be guessed.
“Straight dictionary passwords can be cracked by brute-force
‘guessing’ tools that use established word lists, including
dictionaries, and try each word in the list — thousands of times a
minute — against your password,” explained Russo.
“The best passwords are long and can be created by inserting and
substituting characters and numbers into a long phrase,” he suggested.
“An example of
this could be d0n7f3ar7her3ap3r$ instead of Don’tFearTheReaper.”
Users should consider using a password keeper — such as LastPass,
1Password, dashlane or similar program — to store all the passwords,
and then autofill into a browser and forms, advised Russo.
These tools allow users to create distinct, super complex passwords for each
site while remembering only a single password — the one for the keeper
itself. However, that isn’t perfect either.
“The downside is that all of your eggs are in this one basket, and an
intrusion into your keeper system could spell disaster,” said Russo.
Secure IT – Multifactor Authentication
Email, a banking website, or even eBay can be better protected when an
individual opts for multifactor authentication.
“Mutlifactor authentication is the process of using two or more
methods of authenticating, or logging into, apps,” said Russo.
Typically, this is accomplished by requiring users to enter not only something they know — their username and password — but also a pin or key sent to something they have — for example, their mobile phone.
“A malicious actor would not only need to have the
user’s username and password — they would also need access to the user’s
cellphone to be able to get unauthorized access,” Russo pointed out.
Mutlifactor authentication usually can be set up in less than a minute, but it can increase security substantially on sites that contain personal information. While texting a one-time code is now the standard
method of multifactor authentication, there are other methods to keep users safe, and their use likely will increase.
“Always use it on key applications including banking, Social Security,
online payments, finance/investment, password keepers and social
media,” said Russo. “There are a myriad of ways to accomplish
multifactor authentication, including biometrics — e.g. facial
recognition, fingerprint — or a random key generating device or app
that the user has possession of, and more complex methods can be
employed to meet the need involved.”
Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.