Stop Cyberattacks in Their Tracks: Secure IT

Stopping cyberattacks requires diligent behavior. One of the themes of this year’s National Cyber Security Awareness Month, or NCSAM, is that all computer users should take steps to Secure IT.

October 2019 is National Cybersecurity Awareness Month #BeCyberSmart

That means shaking up the passphrase protocol by using not just strong passwords but strong and unique passphrases.

Consumers and corporate computer users alike should double login protection through multifactor authentication, and everyone should embrace safe online shopping practices.

It is easy these days to connect with people and make new friends, but everyone should play a little hard to get with strangers online, according to the National Cyber Security Alliance. Users should watch for phishing scams, which often involve social engineering techniques as much as direct brute force hacking attacks.

“National Cyber Security Month is an opportunity to elevate people’s awareness and to increase the caution with which they interact with technology,” said Bob Noel, vice president of strategic relationships at cybersecurity vendor Plixer.

“It’s very important for everyone to second-guess and question whether the email they are opening, link they are clicking on, or answers they are providing are originating from a valid source,” he told TechNewsWorld. “Training people to question the authenticity of digital communications prior to engaging with them can and should be the goal.”

Positive Online Experience

The point of NCSAM isn’t so much to deter individuals from going online or even from using a computer, but rather to ensure that they do so safely.

“The security of a consumer’s digital identity is paramount for a positive online experience,” said Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company.

“Organizations often remind us to use unique passwords of varying complexity for each product or service we use online,” he told TechNewsWorld.

“Employees need to be aware of social engineering tactics used to compromise accounts through the employees’ access privileges, such as an attacker calling in to reset a password through an employee and tricking the employee into accepting the attacker as the account owner,” said Fox.

“Awareness needs to be a goal for all people at all levels,” said Plixer’s Noel.

“Bad actors have become incredibly skilled at social engineering and can use social media posts and publicly available information to appear credible,” he pointed out.

“Everyone should constantly have their radar up, questioning the authenticity of digital communications,” Noel said. “That which seems obvious to some may not be so clear to others. Nobody knowingly or willingly becomes compromised. The key goal of raising awareness is to encourage people to question everything. It may take a bit more time, but when unsure, people can and should reach out via another channel to validate whether or not the communication they received is real.”

Beyond Static Authentication

One problem with cyberattacks today is that they aren’t just about hijacking a single computer via a virus. Today’s attacks can cripple a company or even a city. Atlanta and Baltimore are just two examples of large municipalities that spent weeks in limbo and millions of dollars in recovery.

Meanwhile, data breaches have hit major retailers, including Target, costing the companies large sums of money and harming their reputations. The cyberattacks on the federal government’s Office of Personnel Management compromised millions of government workers and contractors.

Unique passwords and better security can help, but they go only so far.

“This helps to control the ‘blast radius’ and overall impact of a data breach but misses the underlying problem: Static authentication is broken,” said NuData’s Fox.

“To fix how you authenticate consumers requires executive buy-in as a first step, but then the new authentication strategy has to be cascaded down to each team, all the way to the consumer,” he suggested.

The answer is not necessarily using SMS or tokens, although second factors are generally an improvement, Fox added.

“SMS solutions rely on vulnerable infrastructure, and tokens increase consumer friction; and the consumer experience is extremely important to running a successful business,” he explained.

“Data breaches cause brand damage regardless of whether the data breach is a result of consumer password hygiene or service provider mishap,” Fox noted. “In the latter scenario, monetary fines and other penalties may follow.”

Passive Biometrics

In the future, there could be more advanced technologies — such as passive biometrics, which organizations already are adopting — to “Secure IT.”

“Passive biometrics leverages information about your patterns to recognize how you type, how you browse, how you interact with your device,” said Fox.

“Many passive biometric solutions are powered by machine learning models that adapt to become increasingly accurate.”

Secure IT – Strong Passwords

For now, however, a simpler solution could be to utilize unique passwords or, when possible, passphrases. It’s important to avoid passwords that could be guessed easily — such as a birthday or favorite sports team or movie.

“Many people default to their personal information for their passwords, such as dates of birth of family, nicknames, addresses,” noted Ralph Russo, director of the School of Professional Advancement Information Technology Program at Tulane University in New Orleans.

“Unfortunately, these can be guessed or deciphered through inadvertent leakage of this info. People also use simple dictionary words in passwords, e.g. ‘Brooklyn’ or ‘Yankees,’ and all of these are easily hacked,” Russo told TechNewsWorld.

Strong passwords are those that are lengthy, and the longer the better. Moreover, they don’t include straight “dictionary” words, which can be guessed.

“Straight dictionary passwords can be cracked by brute-force ‘guessing’ tools that use established word lists, including dictionaries, and try each word in the list — thousands of times a minute — against your password,” explained Russo.

“The best passwords are long and can be created by inserting and substituting characters and numbers into a long phrase,” he suggested. “An example of this could be d0n7f3ar7her3ap3r$ instead of Don’tFearTheReaper.”
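To make the dictionary-guessing point concrete, here is an added Python example (not code from the article or from Tulane) of a defender-side password check: it undoes the common character substitutions that rule-based cracking tools also try, looks the result up in a constructed stand-in wordlist, and enforces a minimum length. The wordlist, the substitution map and the 12-character minimum are assumptions.

```python
import re

# Constructed stand-in for the "established word lists" Russo mentions;
# real cracking tools ship lists with millions of entries.
WORDLIST = {"brooklyn", "yankees", "password", "letmein", "baseball"}

# Common letter-for-symbol substitutions. Cracking tools apply these as
# rules, so undoing them before lookup models what a guessing tool tries.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters commonly tacked on to either end of a word ("Yankees2019!").
PADDING = "0123456789!@#$%^&*()_+-=.,?"

def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word it was built from, if any.

    'Y4nk33s!' -> 'yankees', 'Br00klyn2019' -> 'brooklyn'.
    """
    stripped = pw.lower().strip(PADDING)
    return re.sub(r"[^a-z]", "", stripped.translate(LEET))

def check_password(pw: str, min_len: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password.

    Assumed policy: at least min_len characters, and not a single
    wordlist entry once padding and substitutions are undone.
    """
    if len(pw) < min_len:
        return False, f"too short ({len(pw)} < {min_len})"
    core = normalize(pw)
    if core in WORDLIST:
        return False, f"dictionary word after normalization: {core!r}"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("Yankees", "Br00klyn2019", "d0n7f3ar7her3ap3r$"):
        print(candidate, check_password(candidate))
```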

Users should consider using a password keeper — such as LastPass, 1Password, Dashlane or a similar program — to store all the passwords and then autofill them into a browser and forms, advised Russo.

These tools allow users to create distinct, super complex passwords for each site while remembering only a single password — the one for the keeper itself. However, that isn’t perfect either.

“The downside is that all of your eggs are in this one basket, and an intrusion into your keeper system could spell disaster,” said Russo.

Secure IT – Multifactor Authentication

Email, a banking website, or even eBay can be better protected when an individual opts for multifactor authentication.

“Multifactor authentication is the process of using two or more methods of authenticating, or logging into, apps,” said Russo.

Typically, this is accomplished by requiring users to enter not only something they know — their username and password — but also a PIN or key sent to something they have — for example, their mobile phone.

“A malicious actor would not only need to have the user’s username and password — they would also need access to the user’s cellphone to be able to get unauthorized access,” Russo pointed out.

Multifactor authentication usually can be set up in less than a minute, but it can increase security substantially on sites that contain personal information. While texting a one-time code is now the standard method of multifactor authentication, there are other methods to keep users safe, and their use likely will increase.

“Always use it on key applications including banking, Social Security, online payments, finance/investment, password keepers and social media,” said Russo. “There are a myriad of ways to accomplish multifactor authentication, including biometrics — e.g. facial recognition, fingerprint — or a random key generating device or app that the user has possession of, and more complex methods can be employed to meet the need involved.”
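The “random key generating device or app” Russo mentions is usually a TOTP authenticator. As an added Python example (not the article’s code, nor any vendor’s), here is the RFC 6238 algorithm with the server-side verification step, using the secret published as a test vector in RFC 4226/6238; the one-slot drift window is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# base32-encoded the way authenticator apps accept it at enrollment.
REFERENCE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    big-endian counter, dynamic truncation, last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second slot."""
    return hotp(key, at_time // step, digits)

def verify_totp(key: bytes, code: str, at_time: int, step: int = 30,
                window: int = 1) -> bool:
    """Server-side check. Accepts the current slot plus `window` slots on
    either side to tolerate clock drift, and compares in constant time so
    response timing does not reveal how many digits matched. A deployment
    must also remember the last accepted slot so a code cannot be replayed."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))

KEY = base64.b32decode(REFERENCE_SECRET_B32)

if __name__ == "__main__":
    print("code at t=59:", totp(KEY, 59))  # RFC 6238 vector: 287082
```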

Peter Suciu

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and Peter.
