Part 1: Personal Security
Most people have seen the LifeLock identity theft commercials while sipping their morning coffee, or heard about one country hacking another on the radio during their work commute. So, how can you avoid becoming one of these victims? Do you really know how to keep yourself safe from the extortion mechanisms used by malicious actors? How to steer clear of phishing sites, scams, and ransomware?
This three part series will discuss some security basics you should be aware of, including:
- How to protect and secure your assets on a personal level
- How to keep critical information secure on an employee level
- How some basic security implementations can help avoid compromise on a business level
Some of the areas throughout this series may be too cumbersome for the average user. This is why I'm providing classifications for users so they can determine what may be useful for their experience level.
- Common Sense = Relatively easy practices to perform or acquire for an average user.
- Arcane Magicks = Advanced security measures for your standard power user or IT professional.
Level: Common Sense
This is probably the single biggest flaw in virtually everyone’s personal information security asset table: password reuse.
DO NOT use the same password at your bank as you do on Facebook or your email.
You might’ve noticed, for example, the news stories about the Yahoo! Breach that culminated in over 1 billion accounts being compromised. Think about that for a minute. 1 BILLION accounts. Let’s assume that half of those people used the same password for their online banking services... That’s 500,000,000 possible breaches of bank accounts worldwide, at a minimum!
Reusing a password, or pin code, is a bad idea all around–if one service is compromised, the rest using the same password will be too. Once an account has become compromised, pivoting (meaning to “move” around inside a network by using the first compromise to access other systems) across the rest of your identity is a snap even for the most unskilled of attackers. It doesn’t take long to figure out that Billy’s email firstname.lastname@example.org has been used for Facebook, Instagram, his bank account, his student loans, and multiple credit card logins. If Billy’s password of “goatman” is used across those sites, his entire world is going to be turned upside down and potentially lead to irreparable damage to his online identity and personal information.
There are several services and programs that can help keep this kind of activity under wraps and make life easier. These programs are called "Password Managers".
Fortunately most, if not all, password managers offer multiple variants of password generation criteria. They can also monitor that you’re not reusing passwords on multiple sites, and they encrypt their data so that it cannot be easily exfiltrated. Instead of memorizing tens, or even hundreds, of passwords, a password manager relies on a single, strong master password to encrypt your entire vault of passwords, meaning you only have to remember one.
The most commonly referenced service in this regard is called LastPass, but there are others. If you’re looking for different options, 1Password and Keepass can also be used to manage your various login credentials.
Suggested Product / Service: LastPass
Level: Common Sense
The next common issue in the realm of information asset security would be password creation. There are a lot of annoying rules these days, such as how your password should be more than 8 characters long, contain an upper and lower case letter, a number, and a special character in order to be the most secure.
There are a couple of metrics for password creation that are taken into account by most systems with rules in place: length of password and minimum requirements. Password length can certainly make it a little harder for someone to brute force your password, but typically the ease of cracking a password comes down to a small problem that can easily be fixed: commonly used words, dates, or combinations of the two. Stop using your kids’ birthdays as passwords and pins, stop using your favorite color, season, or your pet’s name. These are all weak and easily findable on the Internet if you use social media in any capacity.
Additionally, social engineering is one of the prominent attack methods used to acquire a user’s credentials. People often provide lots of hints, or full answers, as to what they’re using as a password. Be wary of any phone calls or emails that look even slightly suspicious -- particularly those that request information regarding answers to password recovery questions, or other personal information such as mother’s maiden name, pet’s name, etc. Professional entities that are looking to steal identities and other information are also likely to “cyber stalk” people to get all the information they can about their target in order to make educated guesses at what passwords or password hints might be. For more information on Operations Security and Privacy, check out another blog post by Tony Robinson of Hurricane Labs!
So, let’s take Billy’s password of “goatman” and see where improvements can be made. By default “goatman” is incredibly insecure. It contains two components that are dictionary words and will likely be cracked within minutes, or even seconds by brute-force methodologies. Brute forcing is a password compromise technique that relies on commonly used words in passwords to repeatedly try different combinations of those words to break into an account. Most of these attacks utilize varying arrays of password lists with the top likely passwords.
Some examples of strengthening this password could be:
- Replacing vowels with numbers. Ex: g04tm4n
While this is a step in the right direction, it’s still a very common method of securing a password and is easily anticipated by password cracking software. Let’s take it a step further and throw in some capital letters.
- Capital letter addition. Ex: G04tM4n
Looking a little better now, but it is still pretty much the same as before and isn’t likely to stop any attacker anytime soon. The next step is to start swapping out letters and numbers for symbols as appropriate.
- Symbols addition. Ex: G0@t!M4n
This looks like a fairly strong password that isn’t going to be easily cracked in a timely fashion. Let’s take a look at some estimates of “length of time to crack” from X (Please note: do not use any REAL passwords here, it is for demo use only).
So after we’ve determined that we can strengthen passwords through the use of mixed case, numbers, letters, and special characters, let’s discuss actual password strength. No strength meter is 100% accurate, but they can give you a good idea how strong your password actually is when it comes to being able to be brute forced with blind guessing.
For our purposes we will use the Password Strength Meter to test our passwords. Despite their claims that they don’t document input data, I would suggest NOT using an actual password for your accounts in this meter as that presents a security risk and this tool should only be used as a demo.
How our strengths rate on this particular password test for the initial password “goatman” and the changes we were able to make to it:
As you can see, even with the most complex versioning of the password, this tool still states that the password is weak and could be cracked in 18.77 minutes because of its use of dictionary words.
Let’s try a randomized password created by LastPass with bare minimum complexity requirements of 8 characters, mixed case, symbols, and numbers.
As you can see, this is a VERY STRONG password that could be used for virtually any service you might be using. It’s generated by LastPass and can be added into the LastPass site vault to remember it for you so that you aren’t burdened with remembering this random string of characters.
It should be clear at this point that using your (likely) existing password combinations of things like “mary1988” and “fuzzybear123” is not a secure method to password protect your accounts and personal information.
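To put numbers behind the walk-through above, here is an added example (not from the original post, and not the strength meter the post used) that models the attacker described in the text: a cracker that undoes vowel-to-number and symbol swaps, looks for dictionary words, and only brute-forces whatever is left. It goes slightly beyond the post by also showing the effect of length. The word list, rule count, guessing rate, and the “!” to “i” substitution are all constructed assumptions, so the times are relative, not a meter reading.

```python
# Constructed stand-in for a cracker's wordlist (assumption; real lists hold 100k+ entries).
COMMON_WORDS = {"goat", "man", "mary", "fuzzy", "bear", "password"}
# Substitutions that a cracker's mangling rules simply undo; "!" -> "i" is an assumption.
LEET = str.maketrans({"0": "o", "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "$": "s", "5": "s"})
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "symbol": 33}

WORDLIST_SIZE = 100_000   # assumed size of the attacker's wordlist
RULE_VARIANTS = 500       # assumed case/leet/suffix variants tried per word combination
GUESSES_PER_SEC = 1e10    # assumed offline rate against a fast, unsalted hash


def char_class(c):
    return "digit" if c.isdigit() else "lower" if c.islower() else "upper" if c.isupper() else "symbol"


def dictionary_words(pw):
    """Undo leet substitutions, then greedily split into known words (longest match first).
    Returns the words found and the set of positions they cover."""
    s = pw.translate(LEET).lower()
    words, covered, i = [], set(), 0
    while i < len(s):
        for j in range(len(s), i, -1):
            if s[i:j] in COMMON_WORDS:
                words.append(s[i:j])
                covered.update(range(i, j))
                i = j
                break
        else:
            i += 1
    return words, covered


def estimate_guesses(pw):
    """Attacker model: k dictionary words are found by a combinator attack over the wordlist
    with mangling rules; characters outside any word are brute-forced from the pool of
    character classes they use. A password with no words at all is pure brute force."""
    words, covered = dictionary_words(pw)
    rest = [c for i, c in enumerate(pw) if i not in covered]
    pool = sum(CLASS_SIZES[k] for k in {char_class(c) for c in rest})
    brute = pool ** len(rest)          # 0 ** 0 == 1 when nothing is left over
    return brute if not words else WORDLIST_SIZE ** len(words) * RULE_VARIANTS * brute


def crack_seconds(pw):
    return estimate_guesses(pw) / GUESSES_PER_SEC


if __name__ == "__main__":
    for pw in ["goatman", "g04tm4n", "G04tM4n", "G0@t!M4n", "mary1988", "xK7#pQ2v", "xK7#pQ2vLm9!wTr4"]:
        print(f"{pw:18} words={dictionary_words(pw)[0]} guesses={estimate_guesses(pw):.2e} hours={crack_seconds(pw) / 3600:.1f}")
```

Under this model the capitalised and leet-swapped variants of “goatman” cost the attacker at most a small constant factor more than the bare word, while the random 8-character string costs orders of magnitude more and the random 16-character string is out of reach.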
Suggested Product / Service: LastPass
Level: Common Sense
Multifactor authentication is incredibly useful in securing your accounts across the Internet. Because it combines something you have with something you know, and because a false second factor is hard to generate, multifactor authentication can deter most credential theft activities.
Multifactor authentication or two-factor authentication (2FA) can come in a variety of forms. A few examples include: a physical key card that’s required in addition to a password or phrase to gain access to an account; or, more commonly, a randomly generated code with a validity timer that’s tied to your account on an authorized device you own (the something you have), which is paired with your password (the something you know) to add an extra layer of identity authentication to your data.
It should be noted that all 2FA is multifactor authentication, but not all multifactor authentication is 2FA. Multifactor implies that more than two resources are involved in the authentication process. For example, 2FA would be a password + fingerprint; multifactor might be password + fingerprint + PIN + randomly generated key.
It’s quite easy to implement in general, but the process does vary by service. Google Authenticator and Duo Authentication are supported across a wide array of platforms, such as Dropbox, Gmail, Facebook, Instagram, etc. To take it one step further and secure your password vault through LastPass, you can even set up 2FA there!
Secure browsing means different things to different people. For some people, it means never ever visiting a website that could possibly harm your computer (that’s not a great use of the Internet... You’re missing out!). To others, it means simply disabling the bits of code that can be leveraged to force your computer to download malware.
The solution here is to use a browser that is NOT Internet Explorer. If you can, switch to Google Chrome or Mozilla Firefox at a minimum. Why do you want to use Chrome or Firefox? Because they offer extensions or addons from a vetted “store” of sorts that can help protect you online and Internet Explorer cannot. These extensions are built by third party developers and are hosted on a Google or Mozilla server for download as additional functionality for your browser; think app-store for your web browser. The majority of security alerts that our SOC sees on a daily basis are caused by visiting sites in a highly vulnerable browser that just runs whatever code it sees on the page and hopes for the best.
Back to the extensions: there are a few that can help you out but might take a little bit of configuration. By default these extensions might make some websites unusable, or at the very least “odd looking”. These extensions for Google Chrome are called: ScriptSafe, Ghostery, and uBlock Origin. For Mozilla Firefox, the add-ons you would want to look at installing are: NoScript, Ghostery, and uBlock Origin.
One thing to keep in mind is that your results may vary based on your browsing habits and how you choose to set these add-ons up. That said, for a minimalist approach, I recommend starting with uBlock Origin in either Chrome or Firefox to get a taste of how it works, and then move on to bigger and better things with the other options added in.
Additionally, Google Chrome is configured to use Google’s own threat lists to block known harmful sites by default and should be considered the primary alternative browser to use.
Suggested Product / Service: Alternative web browsers, such as Google Chrome or Mozilla Firefox with the uBlock Origin, Ghostery, and NoScript extensions set up.
Level: Common Sense
This one should go without saying, even for the most “careful” of us in the IT / Infosec world. No antivirus software is perfect, and none is going to catch 100% of the bad stuff coming your way on the Internet. Many antivirus solutions available even flag totally non-malicious things as viruses. This means that when using an AV solution, there is potential for some application-specific configuration to be done, such as explicitly allowing known-good programs (whitelisting) or setting up allowed ports (if your AV includes a firewall and/or active web monitoring).
Common products you can find off the shelf at any electronics retailer do most of the hard work for most folks; products like Trend Micro Internet Security or Norton 360. As a personal recommendation, I like Bitdefender Internet Security as it covers multiple PCs and does antivirus, antimalware, and web filtering. It can even help you protect your sensitive data through the use of its proprietary wallet system that launches your banking sites in a secured, sandboxed (separated from the rest of your computer) web browser.
Any antivirus solution is better than no antivirus solution. Even that free stuff you find from your niece or nephew that “knows all about computers” like Avast Antivirus and AVG; they’re better than nothing at all. By default Windows 8.1 and Windows 10 have the “Windows Defender” antivirus installed and running in the background, and while it is mostly considered sub-par among industry professionals, it’s still better than having nothing protecting you from auto-executing code.
Suggested Product / Service: Anything is better than nothing, but Bitdefender is highly rated based on its available features.
Level: Arcane Magicks
PGP, or “Pretty Good Privacy” is an encryption method that provides privacy and authentication through the signing, encrypting, and decrypting of texts, emails, files, directories, and disk partitions. It uses a combination of hashing, compression, and symmetric-key cryptography in conjunction with public-key cryptography to encrypt data that is sent to external parties.
Example of use:
Encryption of plaintext data (i.e., email) is handled with a one-time session key (which is secret), and the session key is then encrypted using the recipient’s public key. This way, what goes over the wire is only the ciphertext and the encrypted session key.
Decryption of the message is handled by the recipient’s private key, which decrypts the session key; that session key is then used to decrypt the ciphertext in the message so that the original plaintext can be seen.
In essence, PGP works by creating a public and private key pair tied to an identity (a username, an email address, or an account of some kind), and that pair is used both to encrypt data and to authenticate the sending entity.
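The layering described above, as an added example that is not part of the original post and is not OpenPGP or GnuPG code: the message is compressed, encrypted under a fresh one-time session key, and only that session key is wrapped with the recipient’s public key; a signature over the message hash provides the authentication side. The key pair is built from two small fixed primes and the symmetric cipher is a SHA-256 keystream, both constructed toy stand-ins chosen so the whole structure fits in one readable block.

```python
import hashlib
import secrets
import zlib

# Toy RSA key pair from two fixed, known primes (constructed for illustration only; real
# PGP keys are thousands of bits and use padded encryption). Nothing here is OpenPGP.
P, Q = 104729, 1299709
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def keystream_xor(session_key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream derived from the session key
    (stands in for a real algorithm such as AES). The same call encrypts and decrypts."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pgp_style_encrypt(plaintext: bytes, recipient_public):
    """Compress, encrypt with a fresh one-time session key, then wrap that key with the
    recipient's public key. Only (wrapped_key, ciphertext) goes over the wire."""
    n, e = recipient_public
    session_key = secrets.randbits(32)       # secret, never transmitted in the clear
    ciphertext = keystream_xor(session_key, zlib.compress(plaintext))
    wrapped_key = pow(session_key, e, n)     # textbook RSA; real PGP uses padded RSA or ECC
    return wrapped_key, ciphertext


def pgp_style_decrypt(wrapped_key: int, ciphertext: bytes, recipient_private) -> bytes:
    """Recover the session key with the private key, then undo the cipher and the compression."""
    n, d = recipient_private
    session_key = pow(wrapped_key, d, n)
    return zlib.decompress(keystream_xor(session_key, ciphertext))


def sign(message: bytes, sender_private) -> int:
    """Authentication: the sender signs a hash of the message with their own private key."""
    n, d = sender_private
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, d, n)


def verify(message: bytes, signature: int, sender_public) -> bool:
    n, e = sender_public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n


if __name__ == "__main__":
    email = b"Billy, your password manager invite is attached."   # constructed sample
    wrapped, ct = pgp_style_encrypt(email, PUBLIC_KEY)            # sender side
    print("on the wire:", wrapped, ct.hex())
    print("recipient reads:", pgp_style_decrypt(wrapped, ct, PRIVATE_KEY).decode())
    print("signature valid:", verify(email, sign(email, PRIVATE_KEY), PUBLIC_KEY))
```

The demo uses one key pair for both sender and recipient purely to keep it short; in practice each party has their own, and the sender encrypts to the recipient’s public key while signing with their own private key.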
The Electronic Frontier Foundation (EFF) has a great writeup on PGP, what it does, and how it works on various operating systems.
Suggested Product / Service: For Windows, Mac, and Linux: GnuPG
Level: Arcane Magicks
- For Windows
Windows 8.1 and Windows 10 offer Device Encryption, but only if you’re signed into a Microsoft Account and on supported hardware configurations. Furthermore, if you would like to enable BitLocker for a more robust encryption methodology, you must be using a Professional or Enterprise edition of the Operating System.
- For OS X
The primary way to do full disk encryption on your Macintosh is to use the Filevault encryption method built into OS X.
- For Linux
Most “mainstream” Linux distributions, such as Ubuntu, offer whole-disk encryption to be set up during the installation phase, along with home folder encryption.
What does whole-disk and/or device encryption do for you? Well, in terms of device theft or loss, without the hardware/device passphrase (which should be strong, just like your password) the device would have to be wiped to be usable by anyone else. Please note that some advanced forensics tools can still pull data from an encrypted device in some cases, but it’s incredibly time consuming and is likely only to happen via state-sponsored attackers or law enforcement agencies. The goal here is not to protect the device, it’s to protect the information it holds.
To be continued...
This concludes Part 1 of this blog series. Part 2 will consist of security basics at an employee level and protecting data assets therein.