Every time I think about doing a monthly roundup of security issues I'm reminded of how good Bruce Schneier's is.
Here’s this month’s web version of it. Good Hunting.
Usernames and passwords. They've been around a long time. They work, sort of. They work better with a password manager that helps you make strong passwords that are unique to each of your logins.
But usernames and passwords have many problems. You could easily watch someone type their password in a coffee shop. I was on a commercial flight not long ago, and an executive from a MAJOR bank logged into their system in the row in front of me, holding their smartphone at eye level for the whole plane to see.
"Two-factor" is a concept that has been around for a long time, and it is much more straightforward than the marketing fluff makes it seem. The idea is to require a second, independent proof of identity on top of your existing login: something you know (the password) plus something you have (a phone or a physical token) or something you are (a fingerprint). A stolen or shoulder-surfed password alone is then not enough to get in.
While not foolproof, adding more layers does make unauthorized access to your accounts more difficult.
And that’s a foundation of security: make it more expensive to steal than the information is worth.
It's very common to see text messages used as the second factor, but SMS codes can be intercepted or redirected (SIM swapping, carrier social engineering), so we highly recommend at least an authenticator app such as LastPass Authenticator or Google Authenticator, which generate the codes on the device itself. If you really want to step up your game, a physical device like a YubiKey is an excellent and affordable choice: a FIDO U2F key signs a challenge that is bound to the real site's origin, so a look-alike phishing page cannot obtain a usable response.
In our research, adding hardware two-factor authentication dramatically reduces the chance of employees being phished.
Inside baseball (metaphor): a detail-oriented approach to the minutiae of a subject, which in turn requires such specific knowledge of what is being discussed that the nuances are not understood or appreciated by outsiders.
Security professionals are a detail-oriented bunch. It goes with the territory, but as the person making the financial decisions, it's important to know the high-level concepts when your security team makes a case for why you should spend more money on security.
This brings us to Red Teams and Blue Teams.
It's pretty simple. These are the basics; there are nuances, and not every strategy follows these concepts exactly.
Red Team: an external team that tries to infiltrate, phish, and otherwise test your security program. Sometimes called penetration testing, but that is a more specific, scoped set of tasks. The red team may use social engineering, network attacks, vulnerability exploitation and the like to defeat your security. It's important to note that this isn't merely testing how strong the wall you've built is. Often your security is weakest inside the wall you've spent so much time building.
Blue Team: the (often) internal security team that defends against the Red Team, and against the real attackers. Depending on the organization, this may be a separate team from your regular security team or be made up of some of its members. The primary goal is to assume you're ALWAYS being attacked and to defend against that by continually refining security processes, detection and response.
Remember that security doesn’t mean just building a bigger wall. Security is a process that needs constant attention and starts from the inside out.
Step one to breaking into any system and causing havoc is reconnaissance. An attacker will gather as much information about your environment as possible. They’ll look for security software, and make extensive lists of anything that your systems will tell them about themselves.
Then they’ll start to look at your users. Social engineering is one of the most common ways to get into a secure network. Why break in when you can get someone to let you in? This is why training and vigilance are so necessary.
Not too far into a targeted attack, they start querying your Active Directory. Why? Because Active Directory knows where everything is. That's precisely what it's designed to do, and by default any authenticated domain user can read most of it:
- Network shares and the computer accounts that host them
- Domain controllers
- Site and subnet layout (and AD-integrated DNS records)
- Users, groups and who holds privileged group membership
Once they have this information, picking the next target becomes easy. As they gain access to more systems, this process snowballs: each new host yields more credentials, and each credential opens more hosts.
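One concrete way to watch for that snowball is to look for a single account authenticating to an unusual number of distinct hosts in a short window, which is what enumeration and lateral movement look like in the logs. The following is an added example for this newsletter, not code from Assurance Data or any product: it runs a sliding-window "fan-out" detector over a handful of constructed events whose field names are simplified from the Windows Security log (event 4624 is a successful logon, LogonType 3 is a network logon). The threshold and window are illustrative and should be tuned to your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields are a simplified subset of
# Windows Security event 4624: TargetUserName, LogonType, and the Computer that logged it.
SAMPLE_EVENTS = [
    # A backup service account hitting the same file server every five minutes: normal.
    {"time": "2018-06-01T09:00:05", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"time": "2018-06-01T09:05:05", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"time": "2018-06-01T09:10:05", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"time": "2018-06-01T09:15:05", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "Computer": "FS01"},
    # An admin touching three hosts over a morning: normal.
    {"time": "2018-06-01T08:00:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "admin", "Computer": "DC01"},
    {"time": "2018-06-01T09:30:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "admin", "Computer": "FS01"},
    {"time": "2018-06-01T10:30:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "admin", "Computer": "WS05"},
    # A user account fanning out to six different hosts in four minutes: recon / lateral movement.
    {"time": "2018-06-01T09:10:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "Computer": "WS01"},
    {"time": "2018-06-01T09:11:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "Computer": "WS02"},
    {"time": "2018-06-01T09:12:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "Computer": "WS03"},
    {"time": "2018-06-01T09:12:30", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "Computer": "FS01"},
    {"time": "2018-06-01T09:13:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "Computer": "DC01"},
    # Interactive logon (LogonType 2) at the console is ignored by this detector.
    {"time": "2018-06-01T09:13:30", "EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "Computer": "WS07"},
    {"time": "2018-06-01T09:14:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "Computer": "SQL01"},
]


def fan_out_alerts(events, window=timedelta(minutes=10), max_hosts=5):
    """Flag any account that performs network logons to more than `max_hosts`
    distinct computers within `window`. Returns one alert per offending account."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, host), oldest first
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 strings sort chronologically
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        ts = datetime.fromisoformat(ev["time"])
        user = ev["TargetUserName"].lower()
        q = recent[user]
        q.append((ts, ev["Computer"]))
        # Drop entries that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        hosts = {host for _, host in q}
        if len(hosts) > max_hosts and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "hosts": sorted(hosts),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in fan_out_alerts(SAMPLE_EVENTS):
        print(f"{alert['user']} reached {len(alert['hosts'])} hosts between "
              f"{alert['first']} and {alert['last']}: {', '.join(alert['hosts'])}")
```

The same shape of rule (one principal, many distinct targets, short window) applies to LDAP queries against the domain controllers and to Kerberos service-ticket requests; the point is that enumeration is noisy if you are collecting and correlating the logs at all.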
You are owned.
Those are words that you do not want to hear.
Now stealing information and documents becomes easy.
What are you doing to protect your Active Directory? Are you monitoring it and actively securing it?
We can help.
As longtime security leaders and innovators, we can say categorically that while you can learn the concepts in school, that is never enough on its own to perform real-world security tasks.
We’re into our second year of the intern program at Assurance Data “University”. Every Friday our Chief Strategy Officer Chuck Sirois leads an intensive training program online to a select group of up and coming security experts.
This month we’re covering topics like:
- Attack Vectors
- Keeping up with the daily changes in security threats
- How to mitigate security problems
Interested in becoming the next security leader? Email us at email@example.com.
Security depends very much on your actions as an end user. The more secure you are personally, the more secure your organization can be.
Let's start with a few simple things you can do right now to make yourself more secure. This week we'll focus on passwords and authentication.
Use a password manager AND a different password for EVERY account
Data breaches happen. But it's easy to limit the damage if you use a completely different password for EVERY login, because a password leaked from one site then can't be replayed against your other accounts. Managing this is easy with apps like LastPass and 1Password (there are many others). You remember one login, and the app generates and stores a strong, unique password for every service that you never have to memorize.
Surely you can see how "!D4sL@nN1pJRbG" is a better password than your kid's birthday, right?
Turn on two-factor everywhere it's available
Most major services, from Facebook to Flickr, offer a free way to get a text or to use an authentication app like LastPass Authenticator as a second layer on top of your password. This isn't perfect, especially if you rely on text messages, which can be intercepted or redirected, but it's far better than your password alone. Check the service's help pages for how to enable it, and do it for EVERYTHING.
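Both the authenticator-app recommendation earlier in this issue and the tip above rest on the same mechanism: the app and the service share a secret (the string in the QR code) and each independently computes a short code from it and the current time, per RFC 6238 (TOTP) over RFC 4226 (HOTP). The block below is an added example written for this newsletter, not code from LastPass, Google or any of the services mentioned. It implements both sides, the code generation the app does and the verification a server should do, including the two things a server must get right: constant-time comparison and rejecting a code once it has been used, so that a code captured by a phishing page cannot be replayed. The secret used is the RFC test secret, so the outputs match the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# The shared-secret test value from RFC 4226 / RFC 6238 Appendix B (not a real secret).
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the
    authenticator app displays."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=-1):
    """Server-side check. Accepts the current step plus `window` steps on either side to
    tolerate clock drift, compares in constant time, and refuses any counter that is not
    newer than `last_counter` (the step of the last accepted code, which the server must
    persist) so a captured code cannot be replayed. Returns the matched counter or None."""
    if at is None:
        at = time.time()
    now = int(at) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(key):
    """Authenticator apps exchange the secret as unpadded base32 (the text behind the
    QR code); restore the padding the standard library expects."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


if __name__ == "__main__":
    # Example: enrol from a base32 secret, then generate and verify a code for "now".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    code = totp(secret)
    print("current code:", code)
    print("accepted at counter:", verify_totp(secret, code))
```

Note that the window is what lets a slightly slow phone still log in, and the `last_counter` check is what stops the same six digits from being used twice; a server that implements the first without the second gives an attacker who has just phished a code a full minute or more to use it.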
These two simple things can help make you dramatically more secure in your day to day internet interactions. Need a solution for enterprise password management or authentication? Let us know.
AssuranceData was pleased to be named Government partner of the year for 2017 by Forcepoint. We expect 2018 to build on the many successes of 2017 and are honored to be the top VAR.
There is a new set of Meltdown and Spectre variants. CPU fixes will need to be implemented, but according to Tom's Hardware, for the moment they seem to be blockable with OS software patches.