Rules to Better Security - End Users - 18 Rules

  1. The 10 tips CEOs must know for both end-users and SysAdmins:

  2. PC - Do you always keep your OS up to date?

    Microsoft is constantly releasing updates for Windows, and one of the most important things those updates do is patch security vulnerabilities that malware and attackers exploit. Without these updates, users stay exposed to attacks that are already public and being actively used. The same applies to macOS.

    So it is critical to always keep your operating system up to date.

    windowsupdate
    Figure: Make sure your Windows is always up to date!

  3. Often users don't know how to properly secure their computer and leave themselves exposed. Windows Security (the built-in security app) brings the key protections together in one place and shows at a glance whether the PC is following the recommended settings.

    The most important aspect of Windows Security is to check that you have the 5 green ticks. These ticks mean your computer is following the best practices for security.

    windowssecurity
    Figure: You want green ticks on these 5 settings

  4. PC - Do you run virus and threat protection?

    Users are often exposed to viruses on their machines. Virus scans help identify and remove potential threats on your machine. Windows comes with built-in protection called virus and threat protection that is suitable for most situations.

    Make sure to regularly run a quick scan on your computer to check for malware. These quick scans don't take long and make sure the most common threats are addressed.

    If it is suspected that a machine has a virus, then it pays to be extra certain about possible infections. In that case, do the following:

    1. Run a quick scan - This scan quickly checks the locations malware most commonly uses and isolates anything it finds
    2. Run a full scan - This scan takes a few hours and checks every file on your PC
    3. Once you don't need to use your PC, run an offline scan - This restarts the PC and scans from a trusted environment before Windows loads, so malware that hides from or tampers with the running system (e.g. rootkits) can't interfere with detection and removal

    defenderscanoptions
    Figure: If you suspect you are infected, run a quick scan, then a full scan and then when you don’t need to use your computer do an offline scan

  5. Passwords - Do you use a password manager?

    The best passwords in the world are the ones you can never possibly remember. Computer-generated passwords, with a length of at least 16 characters, offer the most protection. A strong password looks something like this:

    $Jun!ZW@gYS%bmy0($34hYj&8hsgfDF

    Good example - A strong computer-generated password

    This is obviously not something you can realistically type in every time you need to use it. Fortunately, the same tools that generate these for us also manage them, storing them securely and automatically entering them into websites and apps for us.

    With a password manager, you don't have to remember that strong, unique password for every website. The password manager stores them for you and even helps you generate new, random ones. 

    Figure: Why you should use a password manager

    It does not matter which one. There are many great tools out there for example:

    • Keeper - Enterprise level password manager. Different groups of users can be given access to different passwords according to Business priorities.
    • KeePass - keeps all passwords in one database locked by a master key, which should be accessible only by the few people you trust.
    • 1Password - syncs passwords and personal data across all your devices. It's not quite as slick or capable as many competitors, but it's still an easy-to-use utility
    • LastPass - matches the capabilities of other top paid password managers and is easy to use. Platform syncing limitations for the free version make it significantly less useful than it was
    • BitWarden - Take control of your online password security and manage private data safely from any location or device
    • Dashlane - put passwords in their place, we’ll take care of them for you.

    Some password managers provide a security score for a password - fix it if it’s a low number.

    For example, in LastPass you can disable automatic device provisioning and approve new devices manually. This way, a new device can't get to your passwords even if your username, password and MFA are compromised at the same time (e.g. if an attacker gets into your phone and obtains your LastPass password).

    lastpass score
    Figure: In LastPass you can quickly scan through problematic passwords and update them. In this case most of them are localhost passwords with no impact if they ever get compromised

    keep track devices
    Figure: Keep track of all devices that have access to LastPass (every browser is treated as a separate device)

    remove lost mobile
    Figure: If a mobile device is lost, you can remove its access and feel safe

  6. Complexity requirements are valuable in that they offer a little protection, but not as much as you think. Attackers generally use 2 methods to get people's passwords: guessing (brute force) and social engineering (see rule: https://www.ssw.com.au/rules/understand-the-dangers-of-social-engineering)

    Brute force means they try different combinations until they find one that works. But before trying random combinations, they start with well-known lists of words and previously leaked passwords (dictionaries), apply common "mangling" rules to each entry, and for unsalted hashes use precomputed lookup tables (rainbow tables); the whole process is automated. Against a leaked database of password hashes, cheap scalable cloud GPUs let an attacker try billions of combinations per second offline, with no login page to throttle them.

    When people see complexity requirements in password rules, they usually do one or both of two things: transforms and substitutions.

    Transforms are when you ‘transform’ a dictionary word in some way, like changing password to password1 or password123.

    Substitutions are when you substitute one character for another, like changing password to p@55w0rd.

    The problem with these rules is that the majority of people use similar transforms and substitutions, so the dictionaries and rule sets that attackers use are filled with what are called well-known transforms and substitutions. This means that p@55w0rd, password1, password123, and many other variations are in their dictionaries, and therefore offer no more protection than the actual word itself.

    It's not worth the effort trying to get clever with these: if you can think of a transform or substitution, it’s almost certainly already on the books.

    If you are using complexity, a better approach is to come up with a reusable, easily remembered scheme of your own. For example, inserting !#@ after every 3rd letter of "password" yields pas!#@swo!#@rd, which is significantly better than p@55w0rd because no published mangling rule produces it. Keep in mind that once one password built with your scheme leaks, the scheme itself becomes a pattern an attacker can try against your other accounts, which is one more reason to prefer a password manager.

    Password1

    Bad Example

    Password123

    Bad Example

    P@55w0rd

    Bad Example

    Pas!#@swo!#@rd

    Better Example (but don't use this password - the fact that this has been published has made it untrusted)
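    The transforms and substitutions above are exactly what attacker tooling automates. The following is an added example (written for this page, not code from SSW or from any cracking tool) that builds a miniature version of a dictionary-plus-rules attack: a constructed wordlist, a handful of the well-known substitutions and suffixes, and a check for whether a given password falls inside the expanded dictionary. The wordlist and rule set are assumptions kept deliberately tiny; real ones hold millions of entries and thousands of rules.

    ```python
    import itertools

    # Constructed, deliberately tiny wordlist; real attacker lists hold millions
    # of leaked passwords and dictionary words.
    WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon"]

    # A small subset of the "leet" substitutions shipped as rules with hashcat
    # and John the Ripper: each letter maps to the characters it is commonly
    # replaced with.
    SUBSTITUTIONS = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5"}

    # Well-known suffix transforms ("password" -> "password1", "password123", ...).
    SUFFIXES = ["", "1", "12", "123", "!", "1!", "2022", "2023"]


    def substituted(word):
        """Yield every variant of `word` with 0..n well-known substitutions applied."""
        options = [[ch] + list(SUBSTITUTIONS.get(ch.lower(), "")) for ch in word]
        for combo in itertools.product(*options):
            yield "".join(combo)


    def candidates(words=WORDLIST):
        """Generate the guesses an attacker actually makes: every base word with
        case, substitution and suffix rules applied."""
        for word in words:
            for cased in (word, word.capitalize(), word.upper()):
                for variant in substituted(cased):
                    for suffix in SUFFIXES:
                        yield variant + suffix


    def is_well_known(password, words=WORDLIST):
        """True if `password` is reachable from the wordlist via the rules above,
        i.e. it sits inside the attacker's dictionary and adds no real strength."""
        return any(candidate == password for candidate in candidates(words))


    def count_candidates(words=WORDLIST):
        """How many guesses the rules above expand the wordlist into."""
        return sum(1 for _ in candidates(words))


    if __name__ == "__main__":
        for pw in ["password1", "Password123", "P@55w0rd", "Pas!#@swo!#@rd"]:
            verdict = "in attacker dictionary" if is_well_known(pw) else "not generated by these rules"
            print(f"{pw:16} {verdict}")
        print(f"{len(WORDLIST)} base words expand to {count_candidates()} guesses")
    ```

    Five base words with these rules already produce about two thousand guesses, a fraction of a second of work even against a throttled login page; P@55w0rd and Password123 are among them, while pas!#@swo!#@rd is not reachable from any rule in the set.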

  7. Passwords are a legacy technology that is not fit for the purpose we use them for today. We're working our way towards a post-password world, in particular through the FIDO Alliance's standards (FIDO2/WebAuthn, now marketed as passkeys) and the biometric technologies, including fingerprint and face recognition, that you may have in your phone. But for now, passwords are something we all need to live with.

    We're used to seeing lists of password requirements, such as:

    • Minimum length
    • Complexity (e.g. must include upper and lower-case letters, numbers, and special characters)
    • Minimum age (e.g. you can’t change it more than once in 24 hours)
    • Maximum age (e.g. you must change it every 30 days)

    The most important of these is length.

    Look at this graphic:

    bruteforce times
    Figure: The Hive Systems password table shows how long it takes to crack passwords of various lengths

    This table shows that widening the character set (mixing upper and lower case, adding numbers, adding symbols) does increase the time it takes an attacker to brute-force your password, but not by much on its own: each extra character of length multiplies the search space by the whole alphabet size, so length compounds far faster than complexity does. Complexity only pays off in conjunction with a password of sufficient length.

    In 2022, 10 characters should be the absolute minimum for a password. 12 characters is a better baseline, and 16 is what you should aim for.

  8. Minimum password age and maximum password age rules are not useful and do more harm than good. Passwords are already difficult to manage, and forcing people to change them at specific times encourages poor password practices, such as using well-known transforms and substitutions, or writing them down. (NIST SP 800-63B now advises against forcing periodic changes unless there is evidence the password has been compromised.)

    Research shows that these negative effects don’t yield any benefit. To illustrate why, imagine a password policy that forces a change every 30 days (or worse, 90 days). The logic behind this is to mitigate the effect of a compromised password, meaning that if someone does gain your password, they can only use it for a maximum of 30 days before it is no longer valid.

    There are 2 key problems with this logic. The first is that a lot of damage can be done in 30 days. The second is that attackers generally become aware immediately that they have a working password, and the research tells us that to have the desired effect, a user would have to change their password every 8 milliseconds. Anything longer than that is ineffective.

  9. The list of real words that are 10, 12 or 16 (or better still, in terms of length, 20) characters long is small. So if you pick one of these words you don't afford yourself much protection.

    Possible combinations of words, or phrases as we call them, are almost infinite. While we still use the term ‘password’, you should use a short phrase rather than a word.

    Note: Ideally you should not need to remember any password, instead use a password manager.

    There’s a now famous web comic from XKCD that explains this:

    xkcd passphrases
    Figure: This XKCD comic shows why it’s important to use a passphrase, rather than a password

    The specific advice in the comic about how to pick a good passphrase may not be relevant to you, but the resulting impact on security is.

    To choose a good passphrase, use a combination of words that are unique and memorable. For example, you may have a distinct memory of a cat licking your ice cream when you were 4 years old. So 4yearicecreamcat might be a memorable phrase for you.

    You might think a favorite sentence from a book might be better, given that it's longer. While this is true in the context of the time taken to brute force a password with procedural character combinations, attackers adapt their techniques to longer passwords (feeding quotations, song lyrics and book sentences into their dictionaries), so it's important to remember that a combination of words known to anyone in the world other than you is bad to use as a password.

    Guggenheim

    Bad Example – It's a word that other people know

    Mymistresseyesarenothinglikethesun

    Bad Example – It’s the opening to one of Shakespeare’s sonnets so is known to other people (and painful to type in)

    4yearicecreamcat

    OK Example – It's 16 characters, composed of 5 words, is not a phrase that is known by anyone else, and is easy (for you) to remember
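    Rules 5, 7 and 9 above all come down to one quantity: how many guesses an attacker needs. The following is an added example (written for this page, not SSW's code) that generates passwords and passphrases the way a password manager does, from a cryptographically secure random source, and computes the search space for each style of password discussed on this page. The two guess rates are assumptions for illustration, not figures from the Hive Systems table.

    ```python
    import math
    import secrets
    import string

    # 94 printable ASCII characters: letters, digits and punctuation.
    ALPHABET = string.ascii_letters + string.digits + string.punctuation

    # Assumed guess rates, for illustration only (not figures from the page):
    OFFLINE_RATE = 1e10   # one GPU against a leaked database of fast, unsalted hashes
    ONLINE_RATE = 10.0    # a login page that throttles attempts


    def generate_password(length=16, alphabet=ALPHABET):
        """What a password manager does: draw each character from a CSPRNG.
        `secrets` is used deliberately; `random` is predictable and unsuitable."""
        return "".join(secrets.choice(alphabet) for _ in range(length))


    def generate_passphrase(words, dictionary, separator=" "):
        """Passphrase from a word list: the entropy comes from the list size and
        the number of words, not from the letters inside the words."""
        return separator.join(secrets.choice(dictionary) for _ in range(words))


    def entropy_bits(alphabet_size, length):
        """Bits of entropy of a uniformly random choice of `length` symbols.
        Length multiplies the bits; a bigger alphabet only raises the per-symbol
        contribution (log2 of the alphabet size)."""
        return length * math.log2(alphabet_size)


    def crack_seconds(bits, rate):
        """Expected time to hit the right guess: half the space at `rate` guesses/s."""
        return (2 ** bits) / 2 / rate


    def human(seconds):
        """Rough human-readable duration."""
        for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
            if seconds >= size:
                return f"{seconds / size:,.0f} {unit}"
        return "instantly" if seconds < 1 else f"{seconds:,.0f} seconds"


    def comparison():
        """Rows of (description, bits, offline estimate, online estimate) for the
        styles of password discussed on this page."""
        cases = [
            ("8 chars, lowercase only", entropy_bits(26, 8)),
            ("8 chars, all 94 printable", entropy_bits(94, 8)),
            ("12 chars, lowercase only", entropy_bits(26, 12)),
            ("16 chars, all 94 printable", entropy_bits(94, 16)),
            ("4 words from a 2048-word list (XKCD)", entropy_bits(2048, 4)),
            ("5 words from a 2048-word list", entropy_bits(2048, 5)),
        ]
        return [(label, bits, human(crack_seconds(bits, OFFLINE_RATE)), human(crack_seconds(bits, ONLINE_RATE)))
                for label, bits in cases]


    if __name__ == "__main__":
        # Constructed mini word list; a real one (e.g. the EFF list) has thousands of entries.
        words = ["ice", "cream", "cat", "year", "cloud", "river", "stone", "lamp"]
        print("generated:", generate_password())
        print("passphrase:", generate_passphrase(5, words))
        for label, bits, offline, online in comparison():
            print(f"{label:38} {bits:6.1f} bits  offline: {offline:>14}  online: {online}")
    ```

    Two things the table makes concrete. Twelve lowercase letters (about 56 bits) beat eight characters drawn from all 94 printable ones (about 52 bits), which is the "length beats complexity" point of rule 7. And a passphrase of four common words is the XKCD figure of 44 bits: ample against an online login page, but at the assumed offline rate it falls in about a quarter of an hour, and five words in about three weeks, so passphrases like 4yearicecreamcat protect you only as long as the site stores passwords well; a generated 16-character password (about 105 bits) is out of reach either way, which is why rule 5 puts the password manager first.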

  10. Before Haveibeenpwned, there was LeakedIn. LeakedIn was a website set up in 2011 following a high-profile breach at LinkedIn where passwords were leaked. The website operated like Haveibeenpwned, letting you check whether your account was in the breach, but only for LinkedIn.

    I was encouraging colleagues to check the site, but most people were unconcerned, saying that there was little to panic about if someone had compromised their LinkedIn account. When I asked them “but what about every other website you use the same username and password for?” they would often go pale and run to their computer to check.

    Using the same password everywhere may seem like a convenience, but the impact of a compromised password can be orders of magnitude greater if you reuse it.

    If there is a breach at a website you use, and you only use the password there, then you have to change one password, and the scope of the issue is limited to that one website. If you reuse the same password everywhere, and any one of those services is breached, the attacker now has access to everything – your bank, your work, your social media, everything.

    Use a unique password for everything.

    sugarlearning unique passwords
    Figure: SugarLearning reinforces to never use the same password twice

  11. Employees with a compromised account should immediately contact their SysAdmins for help, whether it is a personal or a work account.

    A personal account (e.g. Gmail) breach should be resolved by a System Administrator with the same priority as a work account. Employees should expect the same level of service on a personal breach as they would on a corporate breach.

    Why? If your Gmail has been hacked this can have implications for the company: a personal mailbox is often the recovery address for other accounts, the same password may have been reused at work, and the attacker can use it to phish your colleagues convincingly.

    Once you have informed your Systems Administrator of a potential breach send an "As Per My Conversation" email.

    SugarLearning Email Passwords
    Figure: Good example - Inform the SysAdmins of a potential breach

  12. Do you use MFA instead of typing a password?

    The best protection you can provide for your password is to not solely rely on it. Multi-factor authentication (MFA) lets you use a mix of techniques when logging into an account. Typically this is made up of something you know (your password) and something you have (your phone - older people will remember RSA tokens).

    Your phone can provide a second factor either through an installed authenticator app, or by receiving an SMS with a one-time password. Of these, SMS is the weakest option: codes can be intercepted through SIM-swap attacks or a compromised phone, so prefer an authenticator app or a hardware security key where the service supports one.

    We are now seeing biometric security using facial recognition, fingerprints, or in more advanced scenarios palm-vein scanning (and plenty of others too). While biometrics offer convenience and reduce our reliance on passwords, on a phone they usually unlock a credential stored on the device (combining something you are with something you have) and replace the username and password altogether, rather than providing an additional factor on top of them (e.g., username + password + fingerprint).

    Nearly any service you use now will support MFA, either through an authenticator app, SMS or even email if you have no other option. Ensure that it is enabled for everything you use. Bear in mind that a phishing site can relay a one-time code to the real site in real time, so MFA reduces the damage from a stolen password but does not replace the checks in the scam-email and phishing-URL rules below.

    Figure: Microsoft's Authenticator app in action

  13. Read the article Best Ways to Keep your Recovery Phrase Secure.

  14. Sometimes passwords can be compromised through no fault of our own. There have been several high-profile breaches of password databases.

    The project haveibeenpwned is a free database that aggregates data from breaches, and you can use it to check whether your account has been included in a known breach.

    You can enter your username (usually an email address) and it will tell you if that address has shown up in a known data breach. If it has, treat the password you used on that site as compromised and change it immediately, along with anywhere else you reused it.

    You can also subscribe to haveibeenpwned, so that if in the future your email address shows up in a breach, you can be notified straight away.

    haveibeenpwned
    Figure: Subscribe to haveibeenpwned to know as soon as possible if your password has been compromised

  15. Do you regularly check haveibeenpwned?

    When an organisation has a security breach, the passwords it held are compromised, and the people affected usually have no visibility of the problem. This means that hackers can gain access to people's accounts without anyone realising what has happened! The project haveibeenpwned is a website that addresses this problem...

    haveibeenpwned keeps a record of known breaches and the accounts that have been affected.

    It is a good idea to regularly check haveibeenpwned to see if any of your passwords have been exposed. If one of your accounts has been affected, then make sure to change the passwords you use for that account and anywhere else you use that password.

    Even better, if you are a superstar 🤩 then the gold standard for password management is to use a password manager.
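    Rules 14 and 15 describe checking an email address against haveibeenpwned. The same project also exposes a Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/{prefix}) that lets you check a password itself without ever sending it: only the first five hex characters of its SHA-1 hash go to the server, and the matching is done locally. The following is an added example (written for this page, not SSW's code or the haveibeenpwned client) implementing that k-anonymity lookup; the offline demo uses a constructed stand-in for the server response, in which the hash suffix for "password" is its real SHA-1 tail but the counts are made up.

    ```python
    import hashlib
    import urllib.request


    def sha1_prefix_suffix(password):
        """Split the upper-case hex SHA-1 of the password into the 5-char prefix
        that is sent and the 35-char suffix that stays on the device."""
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        return digest[:5], digest[5:]


    def parse_range_response(body):
        """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for a prefix."""
        counts = {}
        for line in body.splitlines():
            suffix, sep, count = line.strip().partition(":")
            if sep:
                counts[suffix.upper()] = int(count)
        return counts


    def pwned_count(password, fetch_range):
        """Number of times `password` appears in the corpus (0 if never seen).
        `fetch_range(prefix)` returns the response body for one 5-char prefix."""
        prefix, suffix = sha1_prefix_suffix(password)
        return parse_range_response(fetch_range(prefix)).get(suffix, 0)


    def fetch_range_online(prefix):
        """Real lookup against the documented endpoint. Only the prefix leaves the
        machine; every hash sharing it comes back and is matched locally."""
        req = urllib.request.Request(
            f"https://api.pwnedpasswords.com/range/{prefix}",
            headers={"User-Agent": "hibp-range-demo"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8")


    # Constructed stand-in for the server so the demo runs offline.  The suffix
    # for "password" is its real SHA-1 tail; the counts are made up.
    FAKE_RANGES = {
        "5BAA6": "\n".join([
            "003D68EB55068C33ACE09247EE4C639306B:3",
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
            "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1",
        ]),
    }


    def fetch_range_offline(prefix):
        return FAKE_RANGES.get(prefix, "")


    if __name__ == "__main__":
        for pw in ["password", "Pas!#@swo!#@rd"]:
            n = pwned_count(pw, fetch_range_offline)
            print(f"{pw!r}: {'seen ' + str(n) + ' times, change it' if n else 'not in corpus'}")
    ```

    Swap `fetch_range_offline` for `fetch_range_online` to query the real service; the prefix is shared by hundreds of unrelated hashes, so the server learns nothing usable about which password was checked. Any non-zero count means the password is in attacker dictionaries and should never be used again, however strong it looks.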

  16. Do you know how to recognize scam emails?

    The most common attack vector for hackers to either compromise our computers or deliver malware is email. Some of these attacks are sophisticated, perpetrated by well-funded criminal organizations. But these are rare, and usually targeted at a specific individual for a specific purpose.

    Most email scams are actually quite easy to spot, and this is deliberate. People who fall prey to simple scamming techniques are easier targets, whereas people who require more sophisticated techniques to fool, are more likely to recognize a scam later in the process.

    These simple techniques will help you identify scams and avoid falling prey to attackers.

    Tip #1: Be wary of unsolicited emails

    An unsolicited email is an email that you weren’t expecting. For example, a popular scam a few years ago was to send an email purportedly from the postal service, claiming you have an undelivered package. The recipient was directed to click on a button or link in the email to arrange redelivery.

    Another popular scam was an email claiming to be a parking or speeding fine. While these can be scary, and often people want to resolve them as soon as possible, it's important to take a breather: fines are not issued by email, and a delivery notification should be checked through the carrier's official website or app, never through the link in the email.

    Tip #2: Check the email address (and not just the name)

    When you receive an email, the sender is shown as a friendly (display) name and an email address. The friendly name can be set to whatever the sender likes, without affecting where the email actually comes from.

    email scam name
    Bad example – the name says Adam Cogan, but the email address is a Gmail account

    good email example
    Good example – the email address is correct, and in this case as it’s internal, the sender’s profile picture is shown

    It’s important to note that this is just one tool in your arsenal. Attackers can spoof email addresses too, so if you have any doubts, you should ask your SysAdmins to help you check the message headers, or do a message trace for you. But an incorrect email address is a dead giveaway.

    Tip #3: Be wary of language used

    bad language example
    Bad example – the attacker has referred to the recipient as ‘Matt’, which the sender does not call him

    good language example
    Good example – easy to distinguish as the sender refers to the recipient as ‘Goldie’ and includes the sender’s signature use of emoji

    Tip #4: Never open attachments that you are not 100% certain of

    If you receive an unsolicited email asking you to open an attachment you should delete and ignore it (or report it to your SysAdmins or security team if you have additional concerns).

    There may be some cases where you have a suspicion that the email may be legitimate. In these cases, DO NOT reply to the email asking them to confirm (see the section below on checking mailbox rules). Instead, contact the sender via another means (e.g. call them on the phone or on Teams). Only open the attachment or click on the link if you are 100% certain, having verified with the sender, that the email is legitimate.

    Tip #5: Hover over links before clicking

    Malicious emails these days often include a link that the recipient is directed to click on. This can sometimes be to a phishing site, and sometimes it's a link to some malware (e.g., ransomware which will encrypt all the recipient's files, plus those on any shares they have access to, demanding a ransom to decrypt them). Linking to malware avoids the attacker having to worry about the malware being stripped out by filters in the email system.

    Before clicking on a link in an email, hover over it to see where it really goes; the text of the link can say anything.

    Tip #6: Legitimate services will never ask for your password

    You will never receive a legitimate email asking you to disclose your password (or any other sensitive information for that matter). An email that asks for your password, or asks you to click on a link to ‘confirm’ your password, is a scam and should be deleted immediately (and reported if advised to in your corporate security policy).

    Tip #7: Check your mailbox rules

    A particularly nefarious scam is for an attacker to take control of your mailbox but stay hidden, rather than changing the password and locking you out. By not alerting you to their presence, they can squat there for longer and do more damage. A common scenario is to email your contacts and ask them to change their payment details for any invoices to an account controlled by the attacker.

    When they do this, they will often create a sub-folder in your mailbox that you don't know about, then set up a rule moving any incoming mail (or any replies mentioning "invoice" or "payment") to that folder. That way, if someone replies asking them to verify the legitimacy of the email, the attacker can intercept it and reply without you even knowing.

    If you have any reason to suspect any strange activity in your account, check your mailbox rules and any forwarding settings for anything suspicious. If you discover any rules you didn't create, delete them, check the sub-folder they were directing messages to, and check your sent items for anything they may have sent out without you knowing. And, of course, change your password immediately, sign out all active sessions, and tell your SysAdmins so they can check the sign-in logs.


    hard to catch safelink
    Figure: Some URLs are harder to identify because of a safelink service
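    Tips #2, #5 and #7 above are checks a person makes by eye; the first two can also be made mechanically on the raw message. The following is an added example (written for this page, not SSW's code or any mail filter's) that parses an RFC 5322 message and reports three of the tells described above: a display name belonging to a known internal person attached to an external address, a Reply-To pointing somewhere other than the From domain (the invoice-fraud setup from Tip #7), and links whose visible text names one site while the href goes to another. The organisation domain, the list of internal names, and both sample messages are constructed for the demo; the bad addresses and URLs are the ones this page uses as bad examples.

    ```python
    import email
    import re
    from email import policy
    from email.utils import parseaddr
    from html.parser import HTMLParser
    from urllib.parse import urlparse

    # Assumptions for the demo (not from the original page): the organisation's
    # own mail domain(s) and the display names of people who send from them.
    ORG_DOMAINS = {"example.com"}
    INTERNAL_NAMES = {"adam cogan"}


    class LinkCollector(HTMLParser):
        """Collects (href, visible text) pairs for every <a> in an HTML body."""

        def __init__(self):
            super().__init__()
            self.links, self._href, self._text = [], None, []

        def handle_starttag(self, tag, attrs):
            if tag == "a":
                self._href, self._text = dict(attrs).get("href", ""), []

        def handle_data(self, data):
            if self._href is not None:
                self._text.append(data)

        def handle_endtag(self, tag):
            if tag == "a" and self._href is not None:
                self.links.append((self._href, "".join(self._text).strip()))
                self._href = None


    def domain_of(address):
        return address.rpartition("@")[2].lower()


    def analyse(raw_bytes):
        """Return a list of (code, detail) findings for one raw message."""
        msg = email.message_from_bytes(raw_bytes, policy=policy.default)
        findings = []
        name, addr = parseaddr(str(msg["From"] or ""))
        from_dom = domain_of(addr)
        # Tip #2: the name says an internal person, the address says otherwise.
        if name.strip().lower() in INTERNAL_NAMES and from_dom not in ORG_DOMAINS:
            findings.append(("display-name-mismatch", f"{name!r} sent from {addr}"))
        # Tip #7 setup: replies silently routed to a different domain.
        _, reply = parseaddr(str(msg["Reply-To"] or ""))
        if reply and domain_of(reply) != from_dom:
            findings.append(("reply-to-mismatch", f"From {from_dom}, Reply-To {domain_of(reply)}"))
        # Tip #5: where each link really goes vs. what its text claims.
        body = msg.get_body(preferencelist=("html",))
        if body is not None:
            collector = LinkCollector()
            collector.feed(body.get_content())
            for href, text in collector.links:
                real = (urlparse(href).hostname or "").lower()
                claimed = re.search(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", text.lower())
                if claimed and real != claimed.group(0) and not real.endswith("." + claimed.group(0)):
                    findings.append(("link-mismatch", f"text says {claimed.group(0)}, link goes to {real}"))
        return findings


    # Constructed sample messages (addresses and URLs are the page's bad examples).
    PHISH = b"""\
    From: Adam Cogan <adamcogan.ceo@gmail.com>
    Reply-To: accounts@linked-in-hq.com
    To: matt@example.com
    Subject: Urgent: updated bank details for your invoice
    Content-Type: text/html; charset="utf-8"

    <p>Hi Matt, please confirm the new account details
    <a href="http://linkedin.com.sggr.ru/someaddress">on example.com</a> today.</p>
    """

    LEGIT = b"""\
    From: Adam Cogan <adam.cogan@example.com>
    To: goldie@example.com
    Subject: Notes from today
    Content-Type: text/plain; charset="utf-8"

    Hi Goldie, the notes are at https://example.com/people/ :)
    """

    if __name__ == "__main__":
        for label, raw in (("phish", PHISH), ("legit", LEGIT)):
            print(label, analyse(raw) or "no findings")
    ```

    These heuristics catch the lazy, high-volume scams the rule describes; a spoofed From address with a correct domain passes all three, which is why Tip #2 ends with asking your SysAdmins to check the message headers (SPF, DKIM and DMARC results) when in doubt.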

  17. Do you know how to recognize phishing URLs?

    Phishing is a form of social engineering where an attacker tries to convince a victim that a resource the attacker controls is a legitimate one. This can be either an email address or a website.

    Attackers will often craft a website that looks like a legitimate one for the sole purpose of stealing your username and password (or some other sensitive information). They might, for example, build a website that looks exactly like LinkedIn, so that you think you are logging into LinkedIn, but are in fact giving an attacker your username and password.

    A URL is made up of a fully-qualified domain name (FQDN) and a path. The FQDN is the part between the https:// and the next /. Anything after the / is part of the path and not the FQDN. One trap to know about: anything before an @ in that part is a username, not the host, so https://linkedin.com@evil.example/ connects to evil.example, not LinkedIn.

    The FQDN is made up of a top-level domain (TLD), a domain, and then a subdomain or subdomains. These move from right to left, so for the address https://www.ssw.com.au/, .com.au is the TLD (strictly, .au is the TLD and com.au is the public suffix under which names are registered), ssw is the domain, and www is a subdomain. The domain is the only part the owner had to register; anyone can create any subdomain under a domain they own.

    For the address https://www.ssw.com.au/people/, people is the path. The path can include all kinds of other characters and parameters.

    You should always check that the domain matches the service or website you are expecting.

    http://linkedin.com.sggr.ru/someaddress

    Bad Example – The address has LinkedIn in it, but it is a sub-domain, not the domain

    http://linked-in-hq.com/linkedin/myprofile

    Bad Example – The address has LinkedIn in it, but it is in the path, not the FQDN. The FQDN is also suspicious

    http://linkedinalerter.com

    Bad Example – the address has LinkedIn in it, but is not a legitimate LinkedIn site

    https://linkedin.com/someaddress

    Good Example – the FQDN is linkedin.com, so the page really is served by LinkedIn, and https means the connection to it is encrypted

    If you are curious about a URL, and think it might be legitimate, you can check the Whois record to see who owns the domain. Note that many registrars redact owner details for privacy, so a redacted record proves nothing either way, while a record showing a well-known company is a good sign.

    bad whois
    Bad Example – ANZAlerter.com is NOT owned by ANZ

    good whois
    Good Example – the domain ANZ.com.au is owned by ANZ
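    The right-to-left reading of a hostname described in this rule is something code can do for you. The following is an added example (written for this page, not SSW's code) that extracts the registrable domain from a URL, flags the username-before-@ trick, and classifies this rule's own example URLs against the domain the user expects; it also checks for https, the point of the next rule. The public suffix table is a tiny stand-in for the real Public Suffix List (publicsuffix.org) and is an assumption of the demo.

    ```python
    from urllib.parse import urlsplit

    # Tiny stand-in for the Public Suffix List (publicsuffix.org): suffixes under
    # which anyone can register a name.  Production code should load the full list.
    PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "au", "com.au", "net.au", "org.au", "uk", "co.uk"}


    def split_url(url):
        """(scheme, host, path, userinfo). The host is what the browser connects to;
        anything before an '@' in the authority is a username, not a host."""
        parts = urlsplit(url)
        return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/", parts.username


    def registrable_domain(host):
        """The domain someone actually registered: the label just left of the
        longest matching public suffix ('www.ssw.com.au' -> 'ssw.com.au')."""
        labels = host.split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
                return ".".join(labels[i - 1:]) if i > 0 else None
        return None


    def check(url, expected_domain):
        """('ok', []) when the URL really belongs to `expected_domain` over https,
        otherwise ('suspicious', [reasons])."""
        scheme, host, path, user = split_url(url)
        reasons = []
        if user is not None:
            reasons.append(f"'{user}@' is a username, the real host is {host}")
        domain = registrable_domain(host)
        if domain != expected_domain.lower():
            reasons.append(f"registrable domain is {(domain or host)!r}, not {expected_domain}")
        if scheme != "https":
            reasons.append("not https, anything you type can be read in transit")
        return ("ok" if not reasons else "suspicious"), reasons


    if __name__ == "__main__":
        for url in [
            "http://linkedin.com.sggr.ru/someaddress",
            "http://linked-in-hq.com/linkedin/myprofile",
            "http://linkedinalerter.com",
            "https://linkedin.com/someaddress",
            "https://www.linkedin.com/in/someone",
            "https://linkedin.com@sggr.ru/login",    # constructed: userinfo trick
        ]:
            verdict, reasons = check(url, "linkedin.com")
            print(f"{verdict:10} {url}" + "".join(f"\n           - {r}" for r in reasons))
    ```

    The check is only as good as its suffix table: without the "com.au" entry, "www.ssw.com.au" would be read as the domain "com.au" with subdomain "ssw", which is exactly the misreading an attacker registering something like anz.com.example hopes a person will make, so real tooling keeps the full list up to date.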

  18. When entering your password (or any other sensitive information, including credit card numbers) into a website, you must make sure that your connection to that website is encrypted. The route your password takes from your web browser to the website is quite a journey: it starts by being broadcast across your wireless network (your wireless network should itself be encrypted, but it's best not to rely on that). It then goes to a router, then to your internet service provider (ISP), then anywhere across the world before getting to its destination. Without encryption it can be read at any step along this journey.

    Check that the connection is encrypted. Look for the padlock symbol in your browser (usually in the address bar).

    Also ensure the address starts with https:// and NOT http:// (without the s).

    Remember that the padlock only tells you the connection to the domain in the address bar is encrypted and that the site proved it owns that domain; it does not tell you the site is the one you meant to visit. Phishing sites use https too, so this check goes together with checking the domain as described in the previous rule.

    Finally, you may have seen the address bar turn green or show the company name in older browsers. This indicated that the owner of the website had gone through extended validation (EV). EV is not necessary for security, and mainstream browsers stopped showing this indicator around 2019, so don't expect it; the padlock and https are what matter.

    encrypted website example
    Good example – SSW’s website is encrypted, which can be seen by the https address and the padlock symbol
