Tuesday, July 30, 2013

Multiple Usernames and Passwords


Week 9 Blog
This week I wanted to take a minute and discuss a little about passwords and what some large companies are offering to help make it easier on users.  Keep in mind though, if it seems too good to be true, there are risks associated.
It seems like these days no matter what you do online, it somehow involves creating a user account followed up by creating a username/password.  Although this is a security practice that needs to take place, remembering different usernames and passwords for many different sites can become tedious.  Not to mention the aggravation associated with trying to get a password reset if the account gets locked out after so many failed attempts.  Because of the vast number of websites requiring authentication, it’s no wonder many use the same username/password for all their different accounts.
To help simplify matters and make it easier on users, many large companies are offering a service that allows a user to log in to a certain site using the same credentials they use when accessing that same large company.  For instance, Yahoo allows a user to log in with their Google credentials if they elect to.  Or some music sites allow users to log in using their Facebook account credentials.
Although this eases the burden for many users who are either trying to remember several usernames/passwords or using the same one, there is a risk.  Because these credentials are linked to the various sites a user may visit, an attacker needs to only compromise one of the sites and retrieve the username/password, which would then give them access to all the other sites those credentials are linked to.  For instance, if a user’s Facebook account is compromised and their username/password is obtained, all the sites associated with the account could then be compromised.
In a day and age where attackers tend to go after large databases to obtain users’ credentials, this could be like inviting the lion to dinner.  With that said, most major companies like those hosting this type of service do have many protection levels to help secure an individual’s personal information, but remember: nothing is foolproof.  It really boils down to confidence in the company and the risk the user is willing to take.  So before a leap of faith is taken and one clicks to jump on board, just stop, think about it first, and then use your best judgment.  It’s the least anyone should do when it comes to protecting their most important assets.

Tuesday, July 23, 2013

Tips for Security Spring Cleaning


Just as changing the batteries in our smoke detectors or cleaning out the old to make room for the new is a routine we usually associate with springtime, securing our devices should be a part of that routine.  And even though we may be halfway through the summer, it’s not too late to start servicing those devices to help deter attacks and protect our home assets.  Therefore, this week I’d like to provide a few tips on things that can/should be done, and springtime is a great way to remember.

1.      Online accounts are one of those things we seldom think about.  Many folks may shop online and are forced to create an account.  Problem is, they use it one time and the account remains out there for years.  Information can be gathered from these accounts which can lead to theft.  Protect yourself and delete these accounts.

2.      Check the subscription on your Anti-virus software.  Some folks may get it for free from their place of business, but for those that pay, now is a good time to check its expiration date.  Many don’t even realize they are unprotected.  Finding out after something happens is a lot worse than taking the few minutes to check and update accordingly.

3.      Password changes are a great way to protect you and your devices.  Many fail to change them for fear of forgetting them.  But changing your password and making it difficult so it’s harder to crack should not only be done at this time of year, but at least semi-annually.  Since some use the same password for many accounts, all it takes is to have it cracked once and the doors open wide for other instances.

4.      Firmware updates are fixes for known bugs whether it is for a router, printer, or mobile device.  Downloading and installing firmware updates is a great way to plug the holes.  If the vendor is aware, you can bet the attackers are also.  Since vendors normally do not send out messages regarding firmware updates, this is the time to go out and check for them. 

5.      Protect your mobile devices.  Malware is on the rise for such devices.  Downloading free apps or apps from places other than, for instance, Google Play or the Apple Store is like leaving the front door open.  Take this time to look over the apps on your devices.  Delete what’s not needed.  Since many apps don’t go through a screening process if not downloaded from a reliable source like the Apple Store, they stand a bigger chance of containing bugs and even backdoors.

6.      Connecting to the Internet is as natural today as eating dessert.  Although it’s not thought of much, this is also an excellent time to update the Wi-Fi security.  Just like with accounts, changing the password to the router, hiding the service set identifier (SSID), and installing updates will help provide another level of security.  This will reduce the risk of an attacker either gaining access to the network and your personal information or using it wrongfully for their gain.

7.      Lastly, create rescue disks or restore disks.  Nothing is worse than having an unknown virus that causes a hard system crash. Having a rescue disk or restore disk can expedite getting your machine back up and running.  Also, if not already done, consider buying an external hard drive and begin backing up your files.  If the need ever arises, you’ll be glad you did.  External hard drives have the capacity in which an entire operating system and files can be stored and will make it easier if or when you have to reload.

So as winter disappears, don’t forget to take a look at the few tips just provided.  Not only will it protect your devices, but even more importantly, it will protect you.  “The gadgets that connect to the Internet need a security spring cleaning to keep them free from viruses and other forms of malware” Poremba, Sue (2013).

 
Reference:

Sue Marquette Poremba, Tech News Daily Contributor (May 2013).  7 Security Spring Cleaning Tips. Retrieved from http://www.technewsdaily.com/17974-7-security-spring-cleaning-tips.html

Thursday, July 18, 2013

Dealing with Cyber Threats


This week’s blog is aimed at threats and some of the things that should be done to help mitigate and rebound from an attack.
An attacker’s job is to penetrate networks and either gather data or cause havoc.  For them, it is their full-time job.  But those who are there to protect and defend may find their full-time job is partly that plus a dozen other things.  “Unfortunately, defenders don’t have the luxury of spending their days focused on security. The reality is that most IT security teams are understaffed, hampered by static and disconnected security technologies and consumed with addressing compliance and regulatory issues and other business imperatives” Huger, A., Sourcefire (May 2013).  In order to help even the odds a little, defenders can do a number of things, but they can’t do it alone, and will require help from management.
The first thing is to ensure up-to-date technology is put in place.  Too many times the focus of security is bestowed on key assets, but with the array of devices used these days, the technology must be able to encompass and protect all of it, not just the cores.  Attackers don’t care if the security hole is with a server or a mobile device; to them, it’s just a way in.  Current technology, whether it be hardware or software, will comprise the tools necessary to cover all types of assets, and management must be willing to accept the cost to protect what’s most valuable.
Secondly, management and security personnel should perform a review of the processes in place and determine which ones could be automated.  Automation should be exercised to its fullest advantage as it can play a key role in reducing time and touch maintenance and allowing for better utilization of resources, such as people, especially as manning becomes more limited.  Overall, automation will free up valuable time and allow administrators to cover tasks that may have fallen by the wayside since higher priority tasks dominate.  Use of automation that can detect and enforce policies as needed will help tremendously since threats and vulnerabilities are also changing at a rapid rate.  Additionally, having an Incident Response Plan (IRP) readily available will help alleviate the threat if an attack does happen.  The old saying of “people don’t plan to fail, but fail to plan” holds true not just in the financial world but in the cyber world as well.  An IRP can help administrators act quickly and make decisions promptly, allowing them to contain and remediate the damage.  Review of these policies and testing of the IRP should be done at least semi-annually, but quarterly is best if time permits.
Lastly is training.  Training is what ties it all together.  People are the first line of defense; educating personnel on what to do will ensure each player knows their role and, when the time comes, will know exactly what to do.  If an orchestra wants to play music and sound good, you can bet they’re all playing from the same sheet of music.  Training also helps keep personnel aware of the latest threats in the cyber world and the fix actions which remediate them.  “Organizations must be committed to keeping their staff highly trained on the current threat landscape” Huger, A., Sourcefire (May 2013).
To put it briefly, management must be willing to take the steps necessary to defend against threats, and security must encompass all devices, not just the cores.  Automation should be utilized to help mitigate risk, reduce time, and increase productivity.  A sound IRP should be developed and exercised so the staff can act accordingly and remediate quickly.  Finally, training should not take a back seat as it is the foundation of safeguarding information.  A little pain today equals a lot of gain tomorrow.

 
References:
Huger, A., Sourcefire (May 2013).  The Need For Threat-Centric Security.  Retrieved from http://threatpost.com/the-need-for-threat-centric-security/100517

 

 

 

Tuesday, July 9, 2013

Protecting Your Home Network Assets


This week I wanted to talk a little bit about the mysterious box, provided by Internet Service Providers (ISPs) or store bought, which allows a home network to connect to the Internet.  Most don’t stop to think much about how they get to the Internet, or more importantly, how the mysterious box provides a connection.  In fact, most view the box, known as a router/modem combination, as nothing more than a plug and play device much like a CD-ROM or flash drive.  Plug it in, turn it on, and before you know it you’re surfing the net.  However, even though it really is that easy, the router/modem combination is eye candy for attackers and needs to be secured.
Probably one of the most prevalent vulnerabilities associated with these devices is the default password.  In a research study by two individuals, they stated, “The first thing we [exploited] was the default passwords; we were able to see more than 1 million of them” (Mimoso, 2013).  When ISPs send a customer a router/modem or install it during the initial setup, the router/modem combination is configured with a default username/password.  Many individuals aren’t even aware of this or, if they are, they aren’t too concerned, and therefore it never gets changed.  After an attacker tracks down one of these devices, if the password hasn’t been changed, it’s relatively simple for them to log in and take control.  Once logged in, they can perform a firmware upgrade which cannot be erased even if the router/modem is reset.  This allows them access to the device at any time.  In other words, they can utilize the device at will whenever they need it.  Once they have control of the device without the owner suspecting anything, it can be used for such things as bank fraud or identity theft, or could become part of a botnet for Denial of Service attacks.  Once the device is compromised the only fix is for the ISP to replace the device, which will also increase cost.  The researchers stated, “This not only creates avenues for malicious activity but also will likely leverage fees on consumers for getting replacement equipment” (Mimoso, 2013).
So the bottom line is, be aware.  If your ISP provides your device or if you purchase one on your own, the first thing that needs to be done before connecting it and surfing the web is to change the default password.  Changing the password on your router/modem is no different than locking your front door.  Other things that can be done as well are: turning off the SSID broadcast, filtering/blocking addresses, and using static IPs versus DHCP or limiting the number of devices that can connect to the network…just to name a few.  Don’t become one of the million statistics; don’t make it easy on the attacker.  The harder it is, the more likely it is he/she will move on to something more readily accessible.
 
Reference:
Mimoso, M. (April 2013).  Using Customer Premise Equipment to Take Over the Internet.  Retrieved from http://threatpost.com/using-customer-premise-equipment-take-over-internet-040113/77684

Thursday, July 4, 2013

Importance of Automatic Updates for Windows


In this week’s blog I wanted to talk a little bit about the importance of automatic updates for Windows systems.  Operating systems in general inherently come with vulnerabilities which can be exploited.  Let’s face it, nothing is perfect and the code of an OS is no exception.  With the thousands of lines of code, there are sure to be security issues.  For this reason, safeguards are put into place to help combat vulnerabilities as they are found and hopefully before they are exploited to the point where someone can use them to cause serious damage.
Windows automatic updates can help secure your operating system by automatically loading and installing the required patch or patches needed to remove the vulnerability or at least mitigate it.  For example, “Nineteen privately reported vulnerabilities in Internet Explorer.  An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows clients.  Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically”, according to Security Tech Center (June, 2013).
 
From the example, the importance of utilizing automatic updates should be clear.  The security update, MS13-047, resolved 19 vulnerabilities that could potentially provide an attacker the opportunity and capability to take control of a system.  This control could lead to such things as identity theft, use of the system as part of a botnet for denial of service, or some other form of malicious intent.

Keep in mind, though, that some patches can cause other types of issues, like certain programs not working correctly.  For this reason, it should be stated that before installing patches, other than critical ones, the patch or patches should be reviewed to see if they may cause any other types of complications.

The bottom line is, whenever that little window pops up and states updates are available or installed and your computer needs to be restarted, don’t ignore it.  Stop and think of the 5 minutes it may take and reboot the system as quickly as you’re able.  It’s a small task to do to protect your system, your network and even your identity.
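
One way to check these points on a single machine, as an added PowerShell example that is not part of the original post: it reads the Automatic Updates setting, looks for the MS13-047 update (KB2838727, the number in the bulletin title) and reports whether a restart is still pending.  The variable names and output fields are illustrative.

```powershell
# Added example: audit one Windows host for the points made in this post.
# Assumption: the KB number is the one in the MS13-047 bulletin title (2838727).
$KbId = 'KB2838727'

# 1. Read the Automatic Updates setting through the Windows Update Agent COM API.
$levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Notify before installation'
    4 = 'Scheduled installation (fully automatic)'
}
$au        = New-Object -ComObject Microsoft.Update.AutoUpdate
$level     = [int]$au.Settings.NotificationLevel
$levelText = if ($levels.ContainsKey($level)) { $levels[$level] } else { "Unknown ($level)" }

# 2. Look for the update in both places it can be recorded:
#    the installed-hotfix list and the Windows Update history.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($total -gt 0) {
    # Operation 1 = installation, ResultCode 2 = succeeded
    $history = @($searcher.QueryHistory(0, $total) | Where-Object {
        $_.Title -match [regex]::Escape($KbId) -and
        $_.Operation -eq 1 -and $_.ResultCode -eq 2
    })
}
$installed = [bool]$hotfix -or ($history.Count -gt 0)

# 3. A patch that is installed but waiting on a restart is not protecting anything yet.
$rebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    AutoUpdateLevel = $levelText
    AutoUpdateOn    = ($level -eq 4)
    Update          = $KbId
    UpdateInstalled = $installed
    RebootPending   = $rebootPending
}
```

Later cumulative Internet Explorer updates replace this one, so a machine that is otherwise fully patched may not list this KB; the Automatic Updates level and the pending-restart flag are the more durable signals.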
 
Reference:
 
Microsoft Security Bulletin MS13-047 – Critical Cumulative Security Update for Internet Explorer (2838727), version 1.0, June 2013.  Retrieved from http://technet.microsoft.com/en-us/security/bulletin/MS13-047