12 Password Best Practices

With the business world heavily reliant on digitalization in this day and age, the use of technology in your organization is unavoidable. Although technology can undeniably give your business an advantage in increasingly competitive markets, there are many troublesome areas to keep an eye on. This is why interest in cybersecurity has risen in recent years.

Password protection is the best place to start if you want to ramp up your cybersecurity. Setting a password to secure an entity’s data is called password protection. Only those with passwords can access information or accounts once data is password-protected. However, because of the frequent use of passwords, people tend to overlook their significance and make careless mistakes, which could lead to breaches in security.

This makes it imperative for businesses to devise strategies to educate employees about best practices when using passwords.

6 Password “Don’ts”

Protect the confidentiality of your passwords by following these six password “don’ts”:

  1. Don’t write passwords on sticky notes (or in text files)

Although you may feel that writing down passwords improves protection and makes it harder for someone to steal your passwords online, it makes it easier for someone to steal them locally. Many users store their passwords in Outlook notes or Word or Excel files with obvious labeling. This is also not an ideal way to manage passwords, as there are many ways those files can be read without your knowledge (information-stealing malware delivered by phishing is one of the more common). It is much better to use a password manager (see the “Do’s” section below).

  2. Don’t save passwords to your browser

Web browsers have traditionally been poor at protecting passwords and other sensitive information such as your name and credit card number. The browser’s password store is unlocked whenever you are logged in, so information-stealing malware and malicious browser extensions can extract its contents without needing any further secret from you. If you’d like to see how much is exposed, type chrome://settings/passwords into Chrome (or edge://settings/passwords into Edge).

  3. Don’t iterate your password (for example, PowerWalker1 to PowerWalker2)

Although this is a common practice, it offers almost no protection. Password-cracking tools apply rule sets that append and increment digits on every known word, so once PowerWalker1 turns up in a breach dump, PowerWalker2 is among the first guesses tried.

  4. Don’t use the same password across multiple accounts

If you do, you are handing cybercriminals a golden opportunity to take over all of your accounts. For example, when LinkedIn was breached in 2012, millions of passwords were exposed. Many of those passwords are still in use today and are actively tried against other sites with the same username/password combinations, an attack known as credential stuffing.

  5. Don’t capitalize the first letter of your password to meet the “one capitalized letter” requirement

Out of habit, most of us capitalize the first letter to conform with the “one capitalized letter” requirement. Cracking rule sets know this and try that position first, so the capital adds almost nothing.

  6. Don’t use “!” to conform with the symbol requirement

It is by far the most commonly chosen symbol. If you must use it, don’t place it at the end of your password; anywhere else in the sequence is less predictable.

6 Password “Do’s”

Protect the confidentiality of your passwords by following these six password “do’s”:

  1. Create long, phrase-based passwords that exchange letters for numbers and symbols

For instance, if you choose “Honey, I shrunk the kids,” write it as “h0ney1$hrunkth3k!d$.” The length of the phrase is what makes this hard to crack; the substitutions add only a little on their own, because cracking rule sets already try the common ones, so never shorten the phrase to make room for them.
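To see why the “don’ts” above help an attacker and why the phrase length does the real work, here is an added example (not from the original article) of the kind of rule-based candidate generation that password-cracking tools perform. The rule set, the sample phrases and the 94-character alphabet used for the comparison are illustrative assumptions; real tools ship far larger rule files.

```python
"""
Rule-based candidate generation in the style of password-cracking wordlist
rules: a base phrase is mangled by a handful of predictable transforms
(casing, appended digit or "!", leetspeak substitution). The point is that
these transforms multiply an attacker's work by a small constant, not by the
exponential factor a random password of the same length would.
"""
import itertools
import math
import re
import string

# Common leetspeak substitutions (assumed rule set). The original letter is
# always kept as an option as well, so partial substitutions are covered.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5"}

# Suffixes that satisfy typical "one digit / one symbol" requirements.
SUFFIXES = [""] + list(string.digits) + ["!", "1!", "!1"]


def tokens(phrase):
    """Split a phrase into lowercase word tokens, dropping punctuation."""
    return re.findall(r"[a-z]+", phrase.lower())


def case_forms(words):
    """Casing rules: all lower, first letter capitalized, each word capitalized."""
    joined = "".join(words)
    yield joined
    yield joined.capitalize()
    yield "".join(w.capitalize() for w in words)


def leet_forms(word, limit=5000):
    """Every partial or full leetspeak substitution of `word`.

    The Cartesian product grows quickly, so the generator is capped; real
    cracking tools use fixed rule files instead of the full product.
    """
    options = [ch + LEET.get(ch.lower(), "") for ch in word]
    for n, combo in enumerate(itertools.product(*options)):
        if n >= limit:
            return
        yield "".join(combo)


def guess_variants(phrase):
    """All candidates the small rule set derives from one base phrase."""
    words = tokens(phrase)
    out = set()
    for cased in case_forms(words):
        for leeted in leet_forms(cased):
            for suffix in SUFFIXES:
                out.add(leeted + suffix)
    return out


def random_password_bits(length, alphabet_size=94):
    """Entropy in bits of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def mangled_phrase_bits(phrase):
    """Extra bits of work the mangling adds on top of guessing the base phrase."""
    return math.log2(len(guess_variants(phrase)))


if __name__ == "__main__":
    # Constructed sample phrases from the article's own examples.
    for phrase, target in [("power walker", "PowerWalker2"),
                           ("Honey, I shrunk the kids", "h0ney1$hrunkth3k!d$")]:
        hit = target in guess_variants(phrase)
        print(f"{target!r} derived from {phrase!r}: {hit}, "
              f"+{mangled_phrase_bits(phrase):.1f} bits of work")
    print(f"random 16-char password: {random_password_bits(16):.1f} bits")
```

Both of the article’s examples fall out of this tiny rule set, and the whole mangling step adds well under 20 bits of work, compared with over 100 bits for a 16-character password generated at random by a password manager. Guessing the base phrase itself is the hard part, which is why length matters more than decoration.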

  2. Change critical passwords every three months

Passwords protecting sensitive data must be handled with caution because there is a lot at stake if they are compromised. If you use a password for a long time and it is exposed for whatever reason, it will be “in the wild” for a longer period. Therefore, make sure you change your critical passwords every three months. Note that current NIST guidance (SP 800-63B) recommends against forcing periodic changes for their own sake; the one change that always matters is the immediate one when you have any reason to think a password has been exposed.

  3. Change less critical passwords every six months

This necessitates determining which password is crucial and which is not. In any case, regardless of their criticality, changing your passwords every few months is a good practice.

  4. Use multifactor authentication

It’s your responsibility to do everything in your power to keep cybercriminals at bay. One of the best approaches is to require a second factor, such as a code from an authenticator app or a hardware security key, so that a stolen or guessed password is not enough on its own.

  5. Always use passwords that are longer than eight characters and include numbers, letters and symbols

The more complicated things are for hackers, the better.

  6. Use a password manager

There are many reasons to use a reputable password manager. Here are some of the ones that come to mind:

  • It can relieve the burden of remembering a long list of passwords, freeing up time for more productive tasks.
  • It can generate random passwords of any length for auto-completing in new account sign-up forms.
  • There is some built-in phishing protection: a password manager fills credentials only on the site they were saved for, so it will not offer your Microsoft credentials on a lookalike domain such as “micorsoft.com”.

Need a password manager? We can help.

Adhering to password best practices requires constant vigilance and effort on your part. As a result, it is best to work with an expert IT provider like us who can help you boost your security and put your mind at ease. Contact us for a no-obligation consultation.

It’s coming from inside the house!

Even if you’ve never seen (or heard of) the 1979 horror classic, When a Stranger Calls, you likely have heard the iconic line, “the call is coming from inside the house”. This line evokes instant fear in the recipient and is the same fear used in a classic email scam.

Fake emails have been around for at least three decades. Even today, it is easy to spoof someone’s email address for sending spam or phishing emails. The trouble stems from how trusting the Simple Mail Transfer Protocol (SMTP) is. Nothing in SMTP itself verifies the From: address: you can set it in your email client to be whatever you like, and every recipient’s mail program will display the message as coming from that address. You can also specify a different Reply-To: address, and the recipient’s client will trust that, too. The sender-authentication standards added later (SPF, DKIM and DMARC) help only where the receiving server checks them and the domain being impersonated has published the records.

Here are just a couple of the ways that this simple email spoofing can be used for fraud:

CEO Fraud

CEO fraud preys on an employee’s desire to feel important. It typically appears as an email from the CEO of your company. Often it opens with an innocent request, such as “Are you still at the office?”, to see whether you will respond. The response always goes to the attacker’s mailbox, which may or may not look like the sender’s address. Often no one notices that the reply is going to a different address than the one the message appeared to come from. Technically, this is done by forging the From: header and adding a Reply-To: header that points at the attacker’s mailbox; most mail clients show the From: name prominently and the Reply-To: address only when you hit reply, if at all. If the Reply-To: address looks similar to the From: address, the fraud is even less likely to be detected.

If you reply to the original innocent request, the hacker will then usually ask for a monetary favour with some sense of urgency to prompt a quick response. It could be as complicated and expensive as a wire transfer request, or as low budget as some iTunes gift cards. It can be embarrassing for the recipient and very costly for the company.

For more information on CEO Fraud, check out: https://www.knowbe4.com/ceo-fraud

Bitcoin Extortion Fraud

The bitcoin extortion fraud preys on its victim’s concern about being publicly exposed. This simple email scam involves sending a note to a recipient, using the recipient’s own address as the sender. The body of the email then goes on to say that you’ve been hacked and the hacker has complete access to your computer and all your contacts.

It continues that he has been recording you watching adult content on your PC. The only way to prevent the hacker from sending this recording to all of your contacts is for you to pay a certain amount of bitcoin to the hacker’s private wallet.

A variation of this scam is that the hacker includes a password of yours as “proof” that they’ve compromised your account. This password is invariably a real one that you recognize and is particularly dangerous if you happen to use the same password on many sites. The source of the password is almost always from a breach of a popular web service, such as LinkedIn or Yahoo. There have been dozens more over the last few years alone.
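Both patterns described above, the redirected reply of CEO fraud and the self-addressed extortion note, leave traces in the message headers that a mail filter or a curious user can check. Here is an added example (not from the original article) that parses a raw message and reports those indicators, plus a third check for messages that claim to come from your own domain without your server having recorded a DMARC pass. The three messages are constructed samples, and example.com stands in for your own mail domain.

```python
"""
Header checks for two spoofing patterns: a forged From: with a Reply-To:
pointing elsewhere (CEO fraud), and a message whose From: is the recipient's
own address (extortion). Messages are constructed samples.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed: executive display name, reply address on a lookalike domain.
CEO_FRAUD = """\
From: "Pat Example, CEO" <pat@example.com>
Reply-To: Pat Example <pat.example@example-mail.net>
To: finance@example.com
Subject: Are you still at the office?

Quick favour. Are you still at the office?
"""

# Constructed: the extortion pattern, sender set to the recipient's own address.
SELF_SPOOF = """\
From: finance@example.com
To: finance@example.com
Subject: I have been watching you

Pay 0.5 BTC or the recording goes to all your contacts.
"""

# Constructed: a genuine internal message. The receiving server's
# Authentication-Results header (RFC 8601) records a DMARC pass.
CLEAN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Pat Example <pat@example.com>
To: finance@example.com
Subject: Q3 numbers

Attached, as discussed.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw, our_domain=OUR_DOMAIN):
    """Return human-readable reasons the message looks spoofed (empty = none)."""
    msg = message_from_string(raw)
    reasons = []
    from_hdr = msg.get("From", "")
    reply_to = msg.get("Reply-To")
    _, from_addr = parseaddr(from_hdr)
    _, to_addr = parseaddr(msg.get("To", ""))
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()

    # CEO fraud: replies are silently redirected to another domain.
    if reply_to and domain_of(reply_to) != domain_of(from_hdr):
        reasons.append(f"Reply-To domain {domain_of(reply_to)!r} differs "
                       f"from From domain {domain_of(from_hdr)!r}")

    # Extortion scam: the sender is the recipient's own address.
    if from_addr and from_addr.lower() == to_addr.lower():
        reasons.append("From address is the recipient's own address")

    # Claims to be from our domain, but our own server recorded no DMARC pass.
    if domain_of(from_hdr) == our_domain and "dmarc=pass" not in auth:
        reasons.append(f"From claims {our_domain} but no DMARC pass was recorded")

    return reasons


if __name__ == "__main__":
    for name, raw in [("CEO fraud", CEO_FRAUD), ("extortion", SELF_SPOOF), ("clean", CLEAN)]:
        print(name, "->", spoof_indicators(raw) or "no indicators")
```

The Authentication-Results header is only trustworthy when it was added by your own receiving server, so a real filter should strip any copy that arrives from outside before running a check like the third one.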

Protect Yourself

How can you protect yourself and your company from these attacks? The simple answer is training. Technical controls exist: SPF, DKIM and DMARC let your mail server reject messages that claim to come from your domain but did not originate from your mail systems, and they are worth turning on, but they protect only your own domain, the tactics change all the time, and the attacks ultimately rely on an unsuspecting user falling for them. Proper training can harden you and your users against these attacks and help you spot future creative social engineering exploits. If something looks suspicious, it warrants a closer inspection and a pause for thought.

Please call me if you’d like further information or would like to discuss training. It is much less expensive than you think.

Ransomware Alert – What you should know

EXECUTIVE SUMMARY:

As yet unknown cyber criminals have taken an exploit originally developed by the NSA and built it into a ransomware strain that replicates across networks without user intervention. Microsoft released a patch for the underlying flaw two months ago; it urgently needs to be applied if you have not done so already. For older, unsupported systems such as Windows XP, a patch was released just this weekend.

I have written about ransomware in the past. For more information, see this link: Ransomware 101

Please contact us if you’d like more information or have any concerns.

WHAT YOU CAN DO ABOUT IT:
I have said this before: be very careful when you get an email with an attachment you did not ask for. If there is a .zip file in the attachment, do not click on it but delete the whole email. Remember: “When in doubt, throw it out!” If it was truly important, the sender will contact you by other means and can always resend the email.

Claritech has checked our list of supported devices and is actively patching the handful that were not up to date as they come online. If you are not under a current Claritech support plan, we urge you to either patch your systems yourself or contact us as soon as possible.

Whether or not you are a current Claritech customer, please contact us if you have any concerns or would like more information and a free vulnerability assessment.

BACKGROUND:
You may have seen the news this weekend. Criminal hackers have released a new strain of ransomware that spreads itself automatically across all workstations in a network, causing a global epidemic. If you or a co-worker are not paying attention and accidentally open one of these phishing email attachments, you might infect not only your own workstation, but it could automatically spread to those around you.

Hundreds of Thousands of Machines Infected Worldwide
Victims include FedEx Corp, Renault, Nissan, Russian banks, gas stations in China and the Spanish telecommunications firm Telefonica, which reported 85% of its systems down as a result of the attack earlier today; ironically, the Russian Interior Ministry had 1,000 machines encrypted. Even the German railways were infected.

Dozens of hospitals in the UK were shut down. Cybersecurity experts have long used the phrase “where bits and bytes meet flesh and blood,” which signifies a cyberattack in which someone is physically harmed. This monster has infected hundreds of thousands of systems in more than 150 countries. Monday morning when people get back to work, these numbers will only go up.

Ransomware 101

Ransomware is a major Internet security challenge. This article explains how hackers use it to extort money from their victims and how we can protect ourselves.

What is ransomware?

In a nutshell, ransomware is malicious software that is installed on your PC through the typical virus installation methods:

  • Through hacked or malicious web-sites via browser flaws or social engineering;
  • Through emails with malicious attachments or links to malicious sites;
  • Through compromised downloads, such as “free” software or videos/images hosted on suspicious web sites;
  • Via the local network from other infected computers through operating system flaws;
  • From compromised USB keys or CDs.

The difference between ransomware and other viruses is that, once established, your files become encrypted, inaccessible and held for ransom by an anonymous hacker. This applies to network shares as well as local files: anything the infected user account can write to can be encrypted, which is one of the strongest arguments for giving each account write access only to the shares it actually needs.
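Since the hallmark of ransomware is readable files turning into ciphertext on disk, one practical way to notice an infection in progress is to look for files whose contents have suddenly become high-entropy. Here is an added example (not from the original article) that scans a directory tree for such files. The directory, the files in it and the 7.5-bits-per-byte threshold are constructed for the demo; genuinely compressed formats are skipped by extension because they look random too and would otherwise be the main source of false positives.

```python
"""
Entropy-based detection of encrypted files. Plaintext documents score well
under 6 bits per byte; encrypted or random data sits close to 8. The demo
builds a temporary directory, overwrites a few files with random bytes to
stand in for ransomware encryption, and returns what the scanner flags.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Already-compressed formats are high-entropy by nature; skip them.
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed cut-off); random data is ~7.99


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, threshold=ENTROPY_THRESHOLD, sample=65536):
    """Return POSIX-style paths, relative to root, whose leading bytes look encrypted."""
    root = Path(root)
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in COMPRESSED:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample)  # sampling keeps the scan cheap on big files
        if shannon_entropy(head) >= threshold:
            flagged.append(path.relative_to(root).as_posix())
    return flagged


def demo():
    """Build a constructed directory tree and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        # Ordinary documents: low entropy, should not be flagged.
        (root / "reports" / "q3.txt").write_text("Quarterly numbers\n" * 200)
        (root / "notes.md").write_text("# Meeting notes\n- test the backups\n" * 100)
        # Stand-ins for files ransomware has encrypted in place, one of them
        # renamed with a ransom-note style extension.
        (root / "reports" / "q2.txt").write_bytes(os.urandom(4096))
        (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))
        # A compressed image is also near 8 bits/byte but is skipped by extension.
        (root / "photo.jpg").write_bytes(os.urandom(4096))
        return scan_tree(root)


if __name__ == "__main__":
    print("suspicious files:", demo())
```

In practice this check is run on a schedule or from a file-system watcher against canary files that no legitimate process should touch; a sudden jump in the count of high-entropy files, or a burst of renames to an unfamiliar extension, is the signal to isolate the machine and start restoring from backup.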

What can I do if I become a victim?

There are really only four choices available once you become infected with ransomware, in order of preference:

  1. Recover from backup – this is the preferred recovery method;
  2. Attempt to decrypt your files using tools and services available online;
  3. Start over and live without the encrypted files;
  4. Pay the ransom.

If you think of ransomware as a nasty virus or a hard drive crash that destroys all of your files, you’re on the right track. The positive thing (if you look at it positively) about ransomware is that the anonymous hacker offers the fourth option to recover your files: pay the ransom. Normally when your files are destroyed, this isn’t an option.

How can I protect myself?

As scary as ransomware can appear, protection is not that difficult. Here are some ideas to get you started:

  1. Backups – backups have always been the best way to protect electronic data. Keep at least one copy offline or otherwise not writable from your everyday account, since ransomware will happily encrypt a backup drive that is left connected, and test that you can actually restore from it. If you’re not doing online and local backups of all your data, what are you waiting for? Talk to us.
  2. Updates – your applications, antivirus and operating system software should always be kept up to date. Many viruses succeed by exploiting flaws that have been discovered and patched long ago.
  3. Practice safe web-browsing – stay away from the sketchy sites and do not download “free” software.
  4. Training – we offer security awareness training and a free phishing test to determine your organization’s vulnerability to ransomware. The essence of the training is this:

Never trust unexpected attachments or links in email, even if you know the sender. This is worth repeating and in all caps: NEVER TRUST UNEXPECTED ATTACHMENTS OR LINKS IN EMAIL, EVEN IF YOU KNOW THE SENDER