Wednesday, June 20, 2012

Passwords a Weak Link in the Chain of Cyber Security

The other day, I was reading an article by a reformed hacker who was telling his secrets for “gaining access” to company networks. Much to my surprise, and I will assume yours, he focused on passwords. Here was his recipe, plus a little social research thanks to Facebook.
1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”
Believe it or not, this person claims a 20% success rate. I am sure some of you already see your own password in the list.
This got me thinking: with all the money being spent by corporations on sophisticated hardware and software, just how much attention is being paid to the selection of the passwords that are entrusted to us? Looking at this list of the top 10 passwords (rockyou.com), the answer is not much.

Not to mention how many network administrators leave routers and firewalls set to the factory default password, often simply “administrator”.
The solution to this dilemma is twofold: first, understanding why long passwords are needed, and second, the discipline to change them, and to change them frequently.
What many people do not understand is the impact that password length has on security. Add to that a larger character set (digits, special characters, and both upper and lower case letters) and you have exponentially increased the difficulty of cracking your password. Adding just one capital letter and one asterisk changes the time to brute-force an 8-character password from 2.4 days to 2.1 centuries.
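To make the “exponential” claim concrete, the following added example (not code from the original post) computes the keyspace and worst-case brute-force time for a password of a given length and alphabet. The guess rate of one million guesses per second is an assumption of this example; at that rate, 8 lowercase letters versus 8 characters drawn from all 95 printable ASCII characters work out to the post’s own 2.4 days and 2.1 centuries. The example also goes one step beyond the text and shows how many extra lowercase letters buy the same keyspace as the larger alphabet, which is why length matters at least as much as character mix.

```python
"""Brute-force cost of a password as a function of its length and alphabet.

Added example, not code from the original post. The guess rate is an
assumption: at one million guesses per second, the lowercase-only and
full-printable-ASCII cases work out to the post's own figures of 2.4 days
and 2.1 centuries for an 8-character password.
"""
import math

# Sizes of the character classes a cracker has to cover once they appear.
LOWER = 26            # a-z
UPPER = 26            # A-Z
DIGITS = 10           # 0-9
SYMBOLS = 33          # remaining printable ASCII, space included
FULL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
ASSUMED_GUESSES_PER_SECOND = 1_000_000  # assumption, see module docstring


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size: int, length: int,
                    rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape, in seconds."""
    return keyspace(alphabet_size, length) / rate


def exhaust_days(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    return exhaust_seconds(alphabet_size, length, rate) / SECONDS_PER_DAY


def exhaust_years(alphabet_size, length, rate=ASSUMED_GUESSES_PER_SECOND):
    return exhaust_seconds(alphabet_size, length, rate) / SECONDS_PER_YEAR


def extra_length_equivalent(small: int, large: int, length: int) -> float:
    """Extra characters of the `small` alphabet that match the keyspace of
    `length` characters of the `large` alphabet, i.e. solve
    small ** (length + x) == large ** length for x."""
    return length * (math.log(large) / math.log(small) - 1)


def table(lengths=(8, 10, 12, 16), rate=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (length, lowercase-only years, full-printable years)."""
    return [(n, exhaust_years(LOWER, n, rate), exhaust_years(FULL_PRINTABLE, n, rate))
            for n in lengths]


if __name__ == "__main__":
    print(f"8 lowercase letters:    {exhaust_days(LOWER, 8):.1f} days")
    print(f"8 printable characters: {exhaust_years(FULL_PRINTABLE, 8):.0f} years")
    print(f"lowercase letters that buy the same keyspace: "
          f"+{extra_length_equivalent(LOWER, FULL_PRINTABLE, 8):.1f}")
    for n, lo, full in table():
        print(f"{n:>2} chars  lowercase {lo:>12.3g} yrs   printable {full:>12.3g} yrs")
```

The point of `extra_length_equivalent` is that roughly three more lowercase letters give the same keyspace as switching an 8-character password to the full printable set, and every further character multiplies the cost again. The figures are worst-case exhaustive search against a single password at the assumed rate; they say nothing about passwords drawn from a list like the one above, which fall to a guesser in seconds regardless of length.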
Password tips:
1. Follow your network administrator’s guidelines on changing your passwords!
2. When given the choice on length of password, always opt for the longer password string.
3. Do not choose passwords that are common to you or a reflection of who you are, as they are easy to guess. But do create passwords that you can remember.
4. Do not write your password down on a sticky note and put it behind your monitor or under your keyboard.
5. Randomly substitute numbers and characters for letters, like the letter o for zero (0).
6. Randomly substitute special characters for letters or numbers, like @ for the letter a.
7. Change the default passwords that come on every device. These passwords are published on the internet.
8. Use the Microsoft password strength checker at https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx.
9. Use common sense; if a contract crew has been working in the area, change your passwords.
10. Change your passwords frequently.
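The tips above and the hacker’s list are easy to turn into a policy check that an administrator can run at password-change time. The following is an added example, not code from the original post: it rejects passwords that are short, that use too few character classes, that appear in a blocklist built from the guessable entries quoted in the post (plus the device default it mentions), or that contain personal terms the caller supplies for the account being checked (tip 3). The minimum length of 12 and the substitution table are assumptions of this example. The checker undoes the letter-for-symbol swaps from tips 5 and 6 before the blocklist comparison, because password-cracking tools apply exactly those swaps as mangling rules, so “P@ssw0rd” is not meaningfully harder to guess than “password”.

```python
"""Password policy check built from the post's tips and its list of guessable
passwords. Added example, not code from the original post; the minimum
length of 12 and the substitution table are assumptions of this example.
"""
import string

# Constructed from the guessable entries quoted in the post, plus the device
# default password the post mentions. A real deployment uses a far larger list
# of leaked passwords.
BLOCKLIST = {
    "password", "god", "letmein", "money", "love",
    "123", "1234", "123456", "administrator", "admin",
}

# Letter-for-symbol swaps (tips 5 and 6) undone before the blocklist check:
# password-cracking tools apply the same swaps as mangling rules, so
# "P@ssw0rd" is not meaningfully harder to guess than "password".
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12   # assumption; the post only says "opt for the longer string"
MIN_CLASSES = 3   # of: lowercase, uppercase, digits, other


def normalize(text: str) -> str:
    return text.lower().translate(SUBSTITUTIONS)


def candidate_forms(password: str) -> set:
    """Spellings a guesser would try: as typed, without the trailing digits
    (item 1 of the hacker's list: a name "followed by a 0 or 1"), and with
    the symbol swaps undone."""
    raw = password.lower()
    stripped = raw.rstrip(string.digits)
    return {raw, stripped, normalize(raw), normalize(stripped)} - {""}


def character_classes(password: str) -> int:
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password: str, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means it passes.

    `personal_terms` are the names, dates and team names the post warns
    about (tip 3), supplied by the caller for the account being checked."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        findings.append(f"uses fewer than {MIN_CLASSES} character classes")
    forms = candidate_forms(password)
    if forms & BLOCKLIST:
        findings.append("matches a commonly guessed password")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and any(t in f or normalize(t) in f for f in forms):
            findings.append(f"contains personal term {term!r}")
    return findings


def passes(password: str, personal_terms=()) -> bool:
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, terms in [("P@ssw0rd1", ()), ("Fluffy1", ("Fluffy",)),
                      ("administrator", ()), ("Tq7#mV9k!Lp2Wx", ())]:
        print(f"{pw!r:20} -> {check_password(pw, terms) or 'OK'}")
```

Returning the full list of findings rather than a single yes/no lets the administrator show the user exactly which tip the password violates, which is what makes the policy stick.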

As Benjamin Franklin said, 'An ounce of prevention is worth a pound of cure.'

Tuesday, June 12, 2012

Cyber Security Advisor Newsletter: Best Practices

Why Cyber Security Best Practices?
Few can deny that cyber security is important. If you are not currently being held to a regulatory requirement, ‘Best Practices’ is what the Invensys Cyber Security team would prescribe. We have sought out and listened to our clients from around the globe over the last 4 weeks, and they are moving towards supporting best practices to protect their intellectual property and process environments. We believe our clients need to define what makes them unique and profitable and make sure they are protecting those assets.
The Critical Infrastructure and Security Practice has the skills and the resources to help your clients, no matter what industry. Cyber security is so much more than firewalls and antivirus. We are structured to help you with your entire cyber security program.