Security Tips from a battlefield perspective
Updated: Jul 9, 2019
You've probably heard about the vast majority of security related incidents to sweep the news pages. For some perspective, visit Wikipedia's data breaches index.
Here are several ways you can reduce the amount of exposure to these incidents:
1. Password Complexity
One of things that still seems to be evident in today's technology environments is the idea that convenience somehow trumps security. Users consistently state they don't want an overly complicated password and the means to login easily to whatever environment they may be trying to access. While I can certainly understand the need for this, there still needs to be a complex password that makes it incredibly difficult for would-be attackers to "guess" your password. A single exposed user with a weak password is usually the entry point for most network attacks.
A complex password typically deals with symbols (#?!@#$%), Upper and Lowercase characters, and numbers. There has been continual debate over the length of the password. The general rule of password length: longer passwords are better. As computers become more and more powerful, they will increase the speed in which passwords are broken.
2. Two Factor Authentication (2FA)
I cannot stress enough how useful two factor authentication can be in securing environments. There are different approaches to how this can be implemented. Two factor authentication for those that are familiar with that term, is a process in which two forms of authentication are required. It's like showing two forms of ID when you're visiting the DMV for instance.
Most of the time, 2FA is a combination of an account password combined with an application on your mobile phone to send a generated code that you manually input as the second form of authentication. This method is great because you'll require your mobile device to gain access to the account, preventing those with the password only from gaining unauthorized access.
Other forms of 2FA include an account password, and digital key, such as a flash drive with encoded information for instance.
3. Account Lockout
Enforcing an account lockout after a certain amount of failed password attempts, provides the ability to render brute force attacks from being successful. A brute-force attack will try different passwords until one is successful. Most of these types of attacks utilize command words as password, so this also goes in hand with password complexity. The idea here is prevent brute force attacks, but setting a low limit of failed passwords may cause your users to get locked out more frequently if they forget their password. You'll want to set a happy medium in the number attempts before the account is locked out. Keep in mind many systems now have integrated authentication mechanisms, so a single failed password attempt, could be 3 or 4 attempts against the password database.
4. Password Expirations
Changing your password on a regular frequency will also help prevent unauthorized access to your accounts.
In active directory based domain environments, you can enable things like password expiration policies and password complexity to force user accounts to not only create complex passwords, but you can also force them to change them after certain frequency.
5. Security Questions This one is often overlooked as a security format by most end users. However, if you're able to gain enough information about an individual; you can easily guess what their security questions might be. The advent of social media platforms has made this even easier - specifically with user profiles that are set to public access. Your security questions are there in case you forget your password, yes. However, these questions can also be used a source to gain unauthorized access, and furthermore, remove your own access by resetting the password.
While active directory environments do not have security questions to reset a password, most online resources do have security questions. Make sure when you're setting up questions and answer combinations; the information is not easily accessible through alternate formats such as Facebook, etc.
6. Never repeat passwords!
I've seen time again, reports of a website being hacked and it's password database stolen. The commonality of most password databases are usually associated with e-mail addresses. Therefore, if you've used the same password across the internet, the likelihood that your account at another website will accessed by unauthorized entities will be exponentially higher. Instead, use a password tracking application which can store all your passwords, and even generate random passwords.
7. Enforcement All of the above examples are great tips to provide general security awareness. It is important to have policies in place at your organization detailing what is expected of your end users to ensure their accounts are safe as well. There is a common saying in the I.T. industry when it comes to security: "The weakest link in the security chain is the human element" - Kevin Mitnick.