Dream Firms Talks 02/2023

02/01/2023

Topic: Basics / Threats and Security

Basic Security

  • 12 Character Minimum for all passwords.
    • Anything of 8 characters or fewer can be brute-forced almost immediately.
  • Businesses should use Premium Business versions of Anti-Malware software.
    • Premium Version on every work system
    • BitDefender or Malwarebytes are both good options
    • Make sure it is updated regularly.
  • Don’t use Gmail as your business email. Businesses should have their own domain.
  • Employee training is a very important part of your Cyber Security plan. Training frequency should be at least twice a year.
  • Monitor your internal networks and systems for alerts and changes. 

Password Policy – Best Practices

  • Length – 12 characters minimum
  • Complexity – Must include: 
    • Upper Case Characters (ASDF…)
    • Lower Case Characters (asdf…)
    • Numbers (1234…)
    • Symbols (!#$%…)
  • Last Changed – Change at least Twice a Year best practice
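
An added example, not material from the talk: a small audit routine that applies the policy above (12 characters, all four character classes, rotated within 182 days) and also flags the "dictionary word with look-alike substitutions and a trailing number" pattern the talk calls easy to crack (GoBucs200, Password-1234, Br0nc02012). The substitution table and the tiny wordlist are assumed stand-ins for a real cracking wordlist.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 12      # "12 characters minimum"
MAX_AGE_DAYS = 182   # "change at least twice a year"

# Assumed look-alike substitutions; undoing them makes Br0nc0 read as bronco.
LEET = str.maketrans("0134$@!", "oleasai")
# Constructed stand-in for a real cracking wordlist.
WORDLIST = ["password", "bronco", "bucs", "gobucs", "welcome", "summer"]

def missing_classes(pw):
    """Names of the required character classes the password does not contain."""
    classes = {
        "upper case": r"[A-Z]",
        "lower case": r"[a-z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    return [name for name, pat in classes.items() if not re.search(pat, pw)]

def dictionary_base(pw):
    """Longest wordlist entry left once substitutions are undone and digits/symbols dropped."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    hits = [w for w in WORDLIST if w in letters]
    return max(hits, key=len) if hits else None

def audit(pw, last_changed, today=None):
    """Return the list of policy findings; an empty list means the password passes."""
    today = today or date.today()
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    missing = missing_classes(pw)
    if missing:
        findings.append("missing " + ", ".join(missing))
    base = dictionary_base(pw)
    if base:
        findings.append(f"built on dictionary word '{base}'")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        findings.append(f"not changed in {(today - last_changed).days} days")
    return findings

if __name__ == "__main__":
    for pw in ("GoBucs200", "Password-1234", "Br0nc02012", "xK9#mQ2$vL7@pZ4!wR"):
        print(pw, "->", audit(pw, date(2022, 12, 1), date(2023, 2, 1)) or "OK")
```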


Password Manager – Benefits/Concerns 

  • Why use a Password Manager?
    • Biggest Risk – Users log into many sites but only use 3 – 19 passwords
      • Passwords are weak and are frequently shared (or share a pattern)
      • One compromise leads to other compromises.
    • Password Strength – To be effective, 12 characters or more that are completely random
      • Full words, caps at the beginning, symbol at the end, and reusing the same password structure make cracking the password easy. (GoBucs200, GoBucs!, GoBucs!FPL)
      • 20 Character, truly random passwords are nearly impossible to crack – and impossible to remember.
      • The same things that make a password ‘easy to remember’ make it ‘easy to crack’.
    • Real Life Example – Department of the Interior:
      • Recent inspection of the Department of the Interior’s password complexity, management and enforcement controls revealed:
        • 21% of active passwords (18,174 of 85,944) were cracked in the test
        • 16% were cracked in the first 90 min of the test.
        • 288 accounts had elevated privileges and 362 accounts were senior U.S. Government employees.
        • The Department did not consistently use MFA including for 89% of its high value assets.
        • Password complexity was outdated and ineffective.
          • Password-1234 was the most used password.
          • 4.5% of passwords were based on the word “password”.
          • 5 of the 10 most reused passwords were a combination of “password” and “1234”.
          • Br0nc02012 was the second most used password. Very weak because it is a single dictionary word with common character replacements.
    • Some online portals allow hundreds of thousands of guesses without locking the attacker out.
    • Password hashes can be guessed at tens of trillions of attempts per second
    • Most passwords made by people are guessable within hours
    • Real Life Example – Akamai, Provider of Distributed Compute Platforms
      • In 2020, Akamai saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations specifically
      • [Chart: Password Cracking Speed – Perfectly Random Passwords]
  • Common Options of a Password Manager
    • There are dozens of options available
    • May be Free, Open Source or Commercial
    • May be part of a browser
    • May have browser extensions
    • May be Desktop Client Only or Cloud Based
    • Some have Enterprise support
    • Some have family plans
  • Problems with ‘built in’ Password Managers (Browser / Windows)
    • Tied to a single browser or OS
    • Limited feature sets
    • Not the company’s primary focus
  • Features to Look For in a Password Manager
    • Create perfectly random passwords (must-have)
    • Auto-filling (must-have)
    • Password strength review (including comparing to other existing passwords)
    • Automatic notification of breached passwords
    • Can use MFA to protect password manager instead of master password
    • Password manager can simulate some MFA types for user logon
    • Clipboard auto-expiration
    • Secure notes and safe online storage of other documents
  • How to choose?
    • Do you need enterprise support?
    • Inventory your OS’s, devices and browsers 
    • Do you want to auto sync between all devices?
    • Look for companies with a long positive history and read reviews
    • Pick a few and actually try them out
    • Client or Cloud – Personal Preference
  • Risk/Benefit ratio
    • Single Point of Failure? Possible
    • Exploitation of Weak and Shared Passwords? Highly Probable
    • Password complexity requirements are so high that memorizing them is nearly impossible
    • Autofill helps defeat social engineering attacks
  • LastPass hack – What happened / Impact
  • Mention PI and Cyber Security Services and how they tie in
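
An added example, not code from the talk or from any password manager: it does what the "create perfectly random passwords" must-have does, using the OS random source, and carries the cracking-speed arithmetic through for 8, 12 and 20 random characters. The 2e13 guesses per second figure (standing in for "tens of trillions") and the 94-symbol keyboard alphabet are assumptions.

```python
import math
import secrets
import string

# Assumed concrete rate for "tens of trillions" of hash guesses per second.
GUESSES_PER_SECOND = 2e13

# 26 upper + 26 lower + 10 digits + 32 symbols = 94 printable keyboard characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20):
    """Uniformly random password drawn from the OS CSPRNG, like a password manager does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def keyspace_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(length, alphabet_size=len(ALPHABET), rate=GUESSES_PER_SECOND):
    """Expected time to hit a random password: on average half the keyspace is searched."""
    return (alphabet_size ** length) / 2 / rate

def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"

def crack_table(lengths=(8, 12, 20)):
    """Map password length -> (entropy bits, expected crack time) at the assumed rate."""
    return {n: (round(keyspace_bits(n), 1), human(expected_crack_seconds(n))) for n in lengths}

if __name__ == "__main__":
    print("sample 20-char password:", generate_password(20))
    for n, (bits, when) in crack_table().items():
        print(f"{n:2d} random chars: {bits} bits, expected crack time {when}")
```

At the assumed rate an 8-character random password falls in minutes, a 12-character one takes centuries, and a 20-character one is out of reach; a dictionary-based password like those in the talk is far weaker than any of these because the attacker never has to search the full keyspace.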
