Cybersecurity Awareness Month is in its 19th year. Co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA), it continues to have a large impact on the cybersecurity community.
The theme for 2022 is "See Yourself in Cyber." The White House also released A Proclamation on Cybersecurity Awareness Month, 2022, highlighting “the importance of safeguarding our Nation’s critical infrastructure from malicious cyber activity and protecting citizens and businesses from ransomware and other attacks.” We asked team members from our IT department a few questions to see what they thought of the latest cybersecurity best practices for staying safe online.
Q: How do you keep your entire company updated on best practices for staying safe online?
Joseph Hornsey: Though it may seem like the largest cybersecurity threats come from the actions of outside bad actors, the biggest danger to a company’s network comes in the form of uneducated users. As threat actors continue to improve their methodology, their tactics become harder for the untrained eye to spot, leading to even more people falling victim to their attacks. The best way to counteract these attacks is through the implementation of effective security awareness training, which includes best practices for things such as password security, recognizing phishing attempts, etc. Armed with the knowledge of what to look out for in a potential attack, users will be prepared and able to remain safe online.
Q: Why is it important to use strong passwords and/or a password manager?
Adrian Ocon: A stolen account can lead to a limitless potential of damages, including stolen bank information, leaked social security numbers, leaked addresses and so much more. Even if your stolen account does not contain credit card numbers or other sensitive information, hackers can use the information gained to potentially break into accounts that do have such information. They could also use that compromised account to gain the trust of friends and family to steal their information and so on. A strong password acts as the first line of defense against these types of attacks.
Here are a few general rules to follow when creating a strong password:
- Passwords must be AT LEAST 14 characters long and contain a mix of letters, numbers, and symbols. (In most cases, the longer a password, the more protection it can offer.)
- NEVER use any personal information when creating a password, for example: pet names, family names, birth dates, favorite sports teams, etc.
- Passphrases (along with being easier to remember) are generally harder to crack than normal passwords when used with a combination of letters, numbers, and symbols. Here is an example: %th3 Duck $w1ms 0n Th3 Lake%
If an attacker manages to crack your password and gain access to your account, the first thing they will do is use that password and attempt to access any other accounts that could be connected to that email address. Because of this, it is important to NEVER use the same password across multiple accounts. This can seem like a daunting task because memorizing dozens of passwords isn’t practical. This is where a password vault can provide value.
Password vaults securely store and record each of your passwords and can only be accessed through a master password. In theory, this makes it so you only have to memorize your master password. Because of this, it is important to have an extremely strong master password when using a password vault and to never share it with anyone!
No matter how strong you make your password, there is always the possibility that hackers will be able to break in. Because of this, the best way to secure your accounts is to use a combination of a strong password and a multifactor authentication method (MFA). I believe Troy will talk more on this point.
Q: Why utilize multi-factor authentication (MFA)?
Troy Cichosz: Historically, account security only utilized a username and its associated password. Knowing both would surely allow a successful login, assuming both were correct and accurate at the time of a login attempt. However, it is common knowledge that usernames can be guessed or deduced using publicly sourced information, and we know that passwords can sometimes be located from known data breaches. By combining that information with credential stuffing and dictionary brute-force attacks, it is just a matter of time before an account without additional protection could be compromised.
A way to help offset these inherent vulnerabilities is to introduce another layer to account security by adding something you have (a one-time password) to something you know (username and password) when logging in somewhere.
Multi-Factor Authentication (MFA) provides an additional stopgap that results in greater log-on security. When a threat actor attempts to gain access to a resource and faces greater challenges, it typically results in a better chance of keeping them out of restricted systems.
MFA creates such a stopgap by requiring yet another piece of information that is often specific to that exact moment in time before a login attempt can be successful. This time-sensitive piece of information is usually a one-time password (OTP) with a short expiry time. OTPs can be generated and provided using individual and dedicated devices like key-fobs and mobile applications that generate new and random OTPs often, or even by receiving a unique verification code to a linked email account.
This means that even if a bad actor has a valid account ID and password for an MFA account, the credentials are worthless without having the valid OTP or code required to complete authentication at that precise moment.
In a simple example, you have an encrypted cell phone that requires unlocking by fingerprint in order to access an authentication app that creates a new OTP every 60 seconds, and you still must know the correct username and active password for the account you’re trying to log into. When using mobile authentication apps for MFA as in our example, the mobile device has stacked its own security options for yet more layers of account protection with MFA.
Some MFA solutions also provide notifications of login events. This added benefit can alert responsible parties to authentication attacks in real time, allowing for faster response to unauthorized access attempts.
The need for enhancing account security is obvious as cybersecurity evolves to incorporate even more into our ever-expanding online lives. From securing critical infrastructure and digital correspondence to online banking and purchases, MFA is a proven technology to help protect ourselves and our information, and it should be implemented when and wherever possible. Helping to thwart threat actors before they can get in is always a great idea.
Q: What is one thing you wish everyone would do to keep themselves safe online?
Joe Neal: Hands down, it would be patching.
Imagine this: your system is running perfectly. Internet browsing is quick with no lag. Accessing 4K movies on shared storage is seamless. Netflix is streaming without issue. Why patch my systems?
Patch Tuesday is commonly known for Microsoft’s monthly release of security fixes for Windows operating systems (OS). We are to patch our Windows systems, and most people do. However, most people forget about their wireless router, wireless camera, and even the firmware on their laptops. Most also do not realize that printers, baby monitors, and new garage door openers (the kind you can open from anywhere with just internet access) have firmware updates too.
Patching the firmware on your PC can fix performance issues and plug security holes. Microsoft does some driver updates, but most must come directly from your hardware manufacturer. HP and Dell provide utilities to handle your firmware and driver updates.
Should you update your wireless router? Yes! The wireless router is the front door to your home network. You don’t leave your front door unlocked when you go to bed, or wide open for anyone to walk in. Of course, when you do update your firmware on your wireless router the internet will be down, but you will get the security update along with bug fixes to make your browsing experience that much better. Don’t forget to change the default password on your router.
It may require some work to update the firmware on your IoT devices. Most companies provide a mechanism for checking the firmware but require you to log in to the application they have provided. You might have to click a “check for updates” button to initiate an upgrade, and you also need to keep the application up to date on your phone.
But considering you won’t have someone taking over your devices, spying on you, or opening your garage door, you might find it worth an hour once a month to update your devices.
Q: What is your advice for anyone looking to enter the cybersecurity industry as a career?
Joseph Hornsey: The demand for cybersecurity professionals continues to increase as the threat landscape continues to evolve, but so does the number of applicants. With so many talented applicants entering the space, it is becoming more and more difficult to stand out to potential employers. The key for anyone looking to enter the cybersecurity industry as a career is to differentiate themselves through their experience and knowledge. The best way to do this is through certification programs which allow aspiring cybersecurity professionals to learn unique and important skills that will help them to be successful in their careers.
There are many possible certifications, but I recommend CompTIA’s Security+ as a good starting point. From there, do research, see what other peers and cybersecurity professionals are recommending and learn as much as possible. There is no such thing as too prepared when it comes to cybersecurity both on the company and career levels.
New and emerging technologies will continue to drive digital transformation. Take a look at our recent white paper on the next generation of best practices in data security.