Technology Tip
Scott Orlosky has over 25 years of experience in marketing, sales, and application support in a B2B environment. Scott’s career has involved the application of technology solutions to a variety of manufacturing and customer support issues. Scott is passionate about customer service as a strategic core value for business success.

Password Management and Improved Security

When computers first started appearing on desks, before an Internet connection became a necessity, passwords were very limited. A simple sign-on might be required to access your computer, or just for specific applications. But now every device has an IP address, which means each device can literally be accessed through the internet (including smart thermostats and webcams). The risk of data breaches increases daily. IT managers recommend complex passwords, regularly refreshed, and sometimes two-factor identification. This is a complex set of requirements, which makes it harder to ensure compliance. This raises several questions. To what extent should individuals have security responsibility? Is there a role for individual users? If not, then how can the security function be executed and maintained safely? The answer is that different security solutions apply to different types of situations. It is helpful to know something about how security breakdowns happen and where they can be prevented.

Department or Localized Attack

These types of attacks, even though they can be quite disruptive and can cause some loss of data, are not particularly sophisticated. They usually rely on a user with limited awareness of the form and execution of the attack, and they are usually delivered through an email. A good example is a phishing attack.

It works like this. The phisher sends out bait; often it looks like an email from a reputable company like a big retailer or bank. The email is a notification that your account has been disconnected or compromised and you must re-enter your data to re-establish your account. They send you a link to activate this form and then capture your login information while you are filling out the form. If you happen to use the same username and password on different accounts, then the attacker can use that information to hijack other accounts of yours.

The best defense against this type of attack is awareness at the user level. Share a screenshot (don’t just forward the email) with your IT department so they can send out an alert. Delete the email without clicking on any links. These emails have usually been made to look very official, but by comparing the URL against the known URL of the parent company and by making sure that the web site is secure (it starts with https:), you can judge whether it could be legitimate. To really be sure, it’s best to call the company service line on the phone and validate the email. If you have recognized this type of email and deleted it, you have successfully deflected the attack.
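The URL comparison described above can be written as a small check. This is an added example, not part of the original article; the domain `examplebank.test` and all sample links are constructed for illustration. It includes lookalike links that pass the https check but fail the comparison against the known domain.

```python
from urllib.parse import urlsplit

def link_matches_known_site(link: str, known_domain: str) -> tuple[bool, str]:
    """Return (ok, reason): is the link https and hosted under known_domain?"""
    try:
        parts = urlsplit(link.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "link could not be parsed"
    known = known_domain.lower().rstrip(".")
    if parts.scheme != "https":
        return False, "link does not start with https:"
    if not host:
        return False, "link has no host name"
    if parts.username is not None:
        # In https://name@host/ the real destination is what follows the @.
        return False, f"text before @ is decoration; real host is {host}"
    # Exact match or a true subdomain only. A plain "contains" test would
    # accept hosts that merely embed the known name somewhere.
    if host == known or host.endswith("." + known):
        return True, f"{host} belongs to {known}"
    return False, f"{host} is not part of {known}"

# Constructed sample links, as they might appear in a suspicious email.
SAMPLE_LINKS = [
    "https://www.examplebank.test/login",                     # genuine
    "http://www.examplebank.test/login",                      # not https
    "https://examplebank.test.account-verify.example/login",  # known name as prefix
    "https://examplebank.test@account-verify.example/login",  # known name before @
    "https://examplebank-secure.test/login",                  # lookalike domain
]

def check_samples(known_domain: str = "examplebank.test") -> list[bool]:
    """Run the check over the constructed samples and return the verdicts."""
    return [link_matches_known_site(u, known_domain)[0] for u in SAMPLE_LINKS]

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        ok, reason = link_matches_known_site(url, "examplebank.test")
        print(("OK      " if ok else "SUSPECT ") + url + "  (" + reason + ")")
```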

Area Wide Attack

When an attacker is able to access usernames and passwords they can do some very disruptive behind the scenes activities. Often in these situations, a program is quietly inserted into the operating system or poses as “free software” and, once installed, it searches for other usernames, passwords, email addresses, credit cards and so on. Although most internet browsers and/or operating systems have protections built in to avoid malware or snippets of malicious code, they are not fool-proof. Once the information has been collected, you and any person on your contacts list could become similarly infected. This gives the attacker a larger pool of victims. Protecting your passwords significantly reduces the risk for attacks that rely on capturing logins to do their dirty work.

Security

Since email is the usual vector for so many attacks of this type, there is a high risk if you rely on your own made-up usernames and passwords. Because they are often related in some personal way to something in your life (a birthday, the name of a pet, etc.), it is easier to crack the code. A better choice is something called password vault software. A vault contains all of your usernames and passwords in an encrypted form. Vaults usually have an autofill feature so you don’t have to enter the user and password fields yourself. One of the attractive features of a password vault is that most of them will create 12-character random codes for you that are impossible to guess. All information in the vault is encrypted and only the user can activate the encryption key. You control the master key, which you can store on your phone or other device. Password vaults have become very popular lately as they have become more sophisticated. Even if an attacker finds the vault, the contents are encrypted and they can’t do anything with the information. Several companies offer password vaults with a variety of features that make it easier to keep track of usernames and passwords. These are regarded as very secure.

Enterprise-wide Attacks

Unless you are an IT professional, you will not likely deal with enterprise-level attacks, but it is useful to be aware that they exist and how some of them work. One popular type is called a Denial of Service or DoS attack. In this attack, an attacker has found a way through your company firewall and has bombarded this entry point with data to the point that your company-wide system is overloaded and cannot function. Another attack type that has gotten attention lately is called a ransomware attack. In this case the attacker encrypts critical company data and, for a fee, will “sell” the encryption key back to the company so that they can access their data again.

Summary

The level of sophistication of computer attacks continues to grow. Staying on top of it is a full-time job for IT professionals. But there is also a role for individual users to play. They should be given training to recognize some common attacks that can come through emails. For added protection, IT should set up users, especially those with access to critical information, with a password vault and training on how to use it. This combination of skills, software and training will significantly reduce the risk of an outside attack making its way into your internal systems.

