Creating Secure Passwords

October is National Cyber Security Awareness month, and we figured we would provide some great tips and tricks on how to create secure passwords.

We use passwords so much these days that it’s second nature. What we don’t realize is that it’s often the first and last line of defense keeping ‘baddies’ out of your email, Twitter, Facebook, financial accounts, and life.

According to one study, 73% of all Americans have fallen victim to some type of Internet crime during their lifetime. Nine million people are victims of identity theft and an estimated 600,000 Facebook accounts are compromised daily.

Here are some great tips and tricks to creating secure passwords.

Forget using a password. Use passphrases.

Passwords are dead. The typical password lengths we see at our firm are somewhere between 8 and 9 characters, and unfortunately that is about the limit of what our minds will hold. Instead, choose a passphrase that gets you to 20 or 25 characters in length. It is far more difficult to remember “Dc#GRe3!” than “My mother is an amazing and beautiful woman!” The passphrase is far easier to remember and, at the same time, far more challenging to crack. Don’t forget to include upper case, lower case, numbers and special characters! (Use them all.)

Please avoid using dates (birthdays, anniversaries), birthstones, gemstones, kids’ names, friends’ names, pet names, nicknames, swear words, or any of the above in a foreign language. Basically, avoid anything that can be found on your Facebook or other social media.

It doesn’t hurt to draw on your favorite lyrics, Bible verse, poem, or script. I’m sure everyone has “a lovely bunch of coconuts” (think Merv Griffin and The Lion King).

Mix it up.

Don’t use the same password on every single site. Ask yourself this: if I were to lose access to this account, how much trouble would I be in? Typically, that puts your financial accounts at number one, with your email accounts a close second. These are the accounts whose passwords you must never reuse on any other site.

If you do online banking, it is even more imperative to ensure that that particular password is never used anywhere else.

We must tell lies

I hate those pesky security questions. Essentially, if a bad guy can’t get in through the front door, they will get in through the back door. The answers to those security questions can be found with a quick Google search, especially your high school mascot.

If anything, avoid answering the question at hand and replace the answer with something else only you would know. For example, “What is your favorite color?” is one of my personal pet peeves: no matter how hard you try, there will only ever be a small, fixed set of colors, and it is as simple as writing a small script to guess through them. If you are absolutely stuck, add a few adjectives in front to help; instead of “brown,” answer with “baby diarrhea brown.” An extremely unpleasant image, but it slows the bad guy down.

Like earlier, avoid using anything that can be found on Facebook or Social Media.

Embrace Change

CHANGE THOSE PASSWORDS EVERY THREE TO SIX MONTHS! That includes your WiFi passwords my friends.

Too many passwords?

Use a service like LastPass. Please do not use the password managers built into browsers, though; they are extremely easy to get at. Remember to use a brilliantly secure, one-of-a-kind password for LastPass itself: if a baddie gets in there, they get into EVERYTHING.

Advanced Security: Two Factor Authentication

It never hurts to have it. Services like Google, Twitter, and Facebook will send you a small six-digit code as part of their two-factor authentication. Even if your password is compromised, two-factor authentication buys you additional time to change it before the account is taken over. The exception is a phone that has itself been compromised by malware, in which case the code offers no protection.

Perspectives and thoughts on US Cyber Challenge

The US Cyber Challenge is a camp that pushes students to become cyber security professionals. Being a cyber security enthusiast, I wanted to attend. I had the privilege of attending the Cyber Camp in San Jose this summer on scholarship, and it was one of the best experiences I have had in my life. From tactical attacks to finding friends, I felt like the camp taught me more in one week than I have learned in a year of regular school.

At the camp, I admit I was lost for a bit. After a little walking around and meeting other people with the same passion as me, I was happy knowing there were people I could turn to with questions who I could call friends. Since we were placed in dorms, we were forced to mingle, laugh together, and share what we learned. Living in my own apartment, this was very different to me. I helped people set up machines, and people shared their industry experience, helped me break down barriers, and allowed me to continue improving myself. On the first night, I remember the emphasis on family and the icebreakers to push us closer together. Some people formed coalitions, but the idea is we all became comfortable with each other.

The first day of training arrived and a SANS instructor, Alissa Torres, taught us about Memory Forensics. The topic was very interesting, though I wish the presentation were a little slower, because most of the information went over my head. Of course, if it were slower, then we would be learning for days or weeks. The same applied for the days following Reverse Engineering Malware, Tactical Attacks, and Writing Exploits. I could not keep up with the information overload, but I really enjoyed it. I can understand the idea of what they were all saying and recall some tidbits I thought were important, and that was cool with me because I was learning what I wanted to.

One class I enjoyed was Tactical Attacks by Jim Shewmaker. Why? Because I love the idea of being a red team hacker and breaking into things. I was able to keep up for every little detail, and I used and expanded on my current knowledge of Metasploit and its abilities. I love the fact that while we were soaking in all this information, we had about an hour or two to apply what we learned. I was able to hone my tactical attack skills, which proved useful on capture-the-flag day.

With sponsors from prestigious organizations, such as VISA, Facebook, FireEye, and even the FBI, the camp was able to excel when it came to offering quality instructors and great material. Moreover, I noticed the willingness of the sponsors to talk to us and even offer us jobs. I had a great time discussing the various sectors and mingling with the array of professionals presented to us by the camp and even walked out knowing some amazing connections.

The whole week was a blur. The strenuous training, late nights, and the capture-the-flag competition at the end of the week went by and we could return to our normal lives. By that time, I was so accustomed to the lifestyle that I wish the camp were a little longer. As they say, all great things come to an end, right? Nope. We carry on the experiences and continue to find ways to improve ourselves. We continue talking to the great friends we made at the camp. I ended up seeing US Cyber Challenge friends at other events, and we are able to high-five and mingle as great friends do. US Cyber Challenge left me with one of the best experiences ever. Would I go again? Yes.

How strong is your Password?

In the wake of the League of Legends security incident, we thought it best to remind everyone of some startling statistics about passwords and of how weak many of the passwords in day-to-day use really are.

Remember to use a service like LastPass to help you generate unique passwords, or create your own unique passphrases (as in a phrase, not a word) for each service you use, with the following minimum complexity:

  • at least Two instances of Upper Case letters
  • at least Two instances of Lower Case letters
  • at least Two instances of Numbers
  • at least Two instances of Special Characters
  • at least 16 characters in length (the longer the better)
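As an added example (not part of the original post), the checker below turns the checklist above into code and also scores the two strings from the passphrase section, so you can see that the eight-character password fails on length and digits, while the post’s example sentence meets the length rule but would still need digits and a second special character to satisfy every line of this checklist. The rule thresholds are taken from the list; treating only ASCII punctuation as “special” (spaces are allowed but not counted) and the naive keyspace estimate are assumptions made for the example.

```python
import math
import string

# Minimum complexity rules taken from the checklist above (assumed to be the policy enforced here).
MIN_LENGTH = 16
MIN_UPPER = 2
MIN_LOWER = 2
MIN_DIGITS = 2
MIN_SPECIAL = 2

# "Special" means ASCII punctuation; spaces are fine inside a passphrase but are not counted
# toward the special-character minimum (an assumption, since the checklist does not say).
SPECIAL_CHARS = set(string.punctuation)


def count_classes(candidate: str) -> dict:
    """Count how many characters of each class the candidate contains."""
    return {
        "upper": sum(c.isupper() for c in candidate),
        "lower": sum(c.islower() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "special": sum(c in SPECIAL_CHARS for c in candidate),
    }


def check_passphrase(candidate: str) -> list:
    """Return the checklist rules the candidate fails; an empty list means it passes."""
    counts = count_classes(candidate)
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"length {len(candidate)} < {MIN_LENGTH}")
    if counts["upper"] < MIN_UPPER:
        failures.append(f"upper-case letters {counts['upper']} < {MIN_UPPER}")
    if counts["lower"] < MIN_LOWER:
        failures.append(f"lower-case letters {counts['lower']} < {MIN_LOWER}")
    if counts["digit"] < MIN_DIGITS:
        failures.append(f"digits {counts['digit']} < {MIN_DIGITS}")
    if counts["special"] < MIN_SPECIAL:
        failures.append(f"special characters {counts['special']} < {MIN_SPECIAL}")
    return failures


def naive_keyspace_bits(candidate: str) -> float:
    """Brute-force keyspace estimate: log2(alphabet_size ** length), where the alphabet is the
    union of the character classes actually present. This overstates the strength of a sentence
    made of ordinary English words (dictionary attacks do far better than brute force), but it
    shows why length does more for you than any single extra symbol."""
    counts = count_classes(candidate)
    alphabet = 0
    if counts["upper"]:
        alphabet += 26
    if counts["lower"]:
        alphabet += 26
    if counts["digit"]:
        alphabet += 10
    if counts["special"]:
        alphabet += len(SPECIAL_CHARS)
    if " " in candidate:
        alphabet += 1
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample candidates: the two strings from the passphrase section plus a
    # variant of the sentence that satisfies every rule in the checklist.
    samples = [
        "Dc#GRe3!",
        "My mother is an amazing and beautiful woman!",
        "My Mother is an amazing & beautiful woman! 24",
    ]
    for sample in samples:
        failures = check_passphrase(sample)
        verdict = "PASS" if not failures else "FAIL: " + "; ".join(failures)
        print(f"{sample!r:50} {naive_keyspace_bits(sample):6.1f} bits  {verdict}")
```

Run it as a script to see each sample with its estimated bits and the rules it misses; the checker is deliberately strict (the post’s own sentence fails on digits, upper case and special characters) so that “use them all” is enforced rather than merely suggested.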

Clean Desks and CyberSecurity

Cybersecurity is all about taking a holistic approach to securing your information and environment from external attackers. The security posture of corporations, businesses and non-profits is only as strong as its weakest link. Part of that holistic approach includes testing.

Tests and assessments are done to ensure that the security posture of the Organization is resilient enough to withstand real attacks when the time comes.

Failing a test, whether it is one that Net Force performs or an internal one, is not about politics or about embarrassing an individual or the Organization.

Example:

During a recent penetration test and security assessment of an Organization, we noticed a number of sticky notes and pieces of paper attached to keyboards and monitors and tucked under keyboards. After examining several desks, we realized they carried a number of the usernames and passwords used as part of daily business operations. What blew our minds was that this Organization did have a clean desk policy. That policy was simply not enforced, even at the highest levels of the Organization!

Why did clean desks matter? The usernames and passwords we found gave anyone access to the normal computing environment, as well as unfettered access to databases holding their Clients’ social security numbers, names, dates of birth, addresses, and driver’s licenses. Any stranger had complete, unrestricted access to complete identities! Talk about an identity thief’s version of heaven!

Policies (including Clean Desks) are important, but the lack of regular testing and enforcement shows how Policies meant to protect the Organization had become merely empty, hollow words.

The (Potential) Cost:

The idea of clean desks is so simple. And yet, had a disgruntled employee or a criminal abused those notes, the Organization would have been on the hook for thousands, if not millions, of dollars just to notify its Clients that they were potential victims of identity theft. That does not include paying for the Clients’ credit monitoring or the litigation arising from the identity theft incident itself!