How Secure Are Your Passwords?
Dian K. Alphonso, 4/27/13

Are You READY!!! Let’s Get Started
What is Social Engineering?
• Social engineering is an approach to acquiring information by deceit that has really taken off in the last few years.
• It can come in a number of different approaches; however, they all have one thing in common: getting you to give up information that you normally would not, through threats, incentives or patronizing remarks.
How Hackers Use S.E.
• A person calling you pretending to be from the helpdesk and asking for passwords or login details so they can look into a problem.
• Someone pretending to be a senior member of staff or their assistant calling you to ask for urgent copies of confidential documents that their manager needs for a board presentation.
• An external sales person mailing CD-ROMs or USB sticks which have a program on them that pretends to provide product information but also installs a virus. The salesperson may then call you up and encourage you to install the unauthorized program on your PC.
• All these scenarios have been used by fraudsters to get information without authorization, and there are many variations on the theme.
How to Protect Your Castle
Step 1: Are they who they say they are?
• Do you have any evidence that the person you are talking to or communicating with is who they say they are?
• Can you confirm their identity and contact details independently of the information they have provided?
• If you don't know them and can't confirm their identity, don't assume they are who they claim to be.
How to Protect Your Castle
Step 2: Is the request appropriate?
• Is the request reasonable from the person that you are communicating with?
• Even a colleague within your own organization asking about the information you are working with may not be appropriate.
• As a rule, anyone asking for personal or sensitive company information should trigger your warning beacon.
How to Protect Your Castle
Step 3: Is the requester following established process or procedure?
• Is the requester trying to deliberately subvert or bypass process, for instance by requesting information from individuals other than the established points of contact in the organization? You may be less familiar with any authorization procedures or other restrictions than the correct individual or team.
• Most individuals attempting to perform social engineering will be assertive and at times even charming, making it difficult for you to determine whether the individual is authorized for the information that they are requesting.
• Using the simple questions above as guidelines and being prepared to politely challenge someone to request further identification or clarification should help prevent a successful social engineering attack against either yourself or the company.
Strong Passwords: Importance
Your passwords are the keys that unlock your data, so it is essential that they are secure and difficult for people to discover, and yet easy enough for you to remember so that you do not need to write them down. Passwords should also be difficult for a computer to guess. A brute force attack, where a computer guesses the letters, numbers or special characters that could be in your password, can crack a weak or short one in short order.
Setting Secure Passwords
• Personal Information
• You should NEVER use information that others might already know about you – pet’s name, names of family members, favorite film, phone number – as these are easy to guess or find out.
• Password Length
• The length of a password will make it more difficult for a computer to guess. For instance, rabbits, an all-lower-case password of 7 characters, could take only 13 minutes to crack on a standard desktop computer. On the other hand, humptydumpty, a 12-character password, could take 302 years to crack.
Setting Secure Passwords Cont’d
• Characters and Substitution
• Using additional characters to increase the complexity of your password will make it even more difficult to guess or discover using a brute force method.
• You should use upper and lower case letters, numbers and symbols. Pupp1e$, a 7-character password that adds an upper case letter, a number and a symbol, could take 87 days or more to crack.
• Substituting special characters or symbols for alphabetic ones will also make your password stronger because it increases the character set used.
• Dian recommends at least one upper case letter and a number or special character in your standard passwords.
Setting Secure Passwords Cont’d
• Phraseology aka Combined Approach
• One of the best ways to pick a good password is to use the first letters of the words in a phrase – for instance “humpty dumpty sat on a wall, humpty dumpty had a great fall” would become hdsoawhdhagf.
• You could then use a bit of character substitution and add some symbols, and you would end up with <HD$0awHDh4gf>
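As an added example (not from the slides), the following Python puts numbers behind the "Password Length" and "Characters and Substitution" points and reproduces the phrase-to-password transformation above; the rate of 10 million guesses per second is an assumption chosen to roughly match the slides' 13-minute figure for a 7-character lower-case password, and the position-based `edits` mapping is a hypothetical helper for the hand-picked substitutions.

```python
import string

# Character classes used to estimate the alphabet a brute-force search must cover
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # 32 printable ASCII symbols
}


def charset_size(password: str) -> int:
    """Size of the smallest set of classes that covers every character used."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search of this length and alphabet must try."""
    return charset_size(password) ** len(password)


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the search space at a constant guess rate."""
    return search_space(password) / guesses_per_second


def phrase_to_password(phrase: str, edits: dict[int, str], wrap: str = "") -> str:
    """Take the first letter of each word, apply position-based substitutions
    (e.g. {2: "$"} turns the third letter into '$'), then surround the result
    with the two symbols in `wrap` (first char before, second char after)."""
    initials = "".join(w[0] for w in phrase.replace(",", " ").split())
    mixed = "".join(edits.get(i, c) for i, c in enumerate(initials))
    return wrap[:1] + mixed + wrap[1:]


if __name__ == "__main__":
    RATE = 1e7  # constructed assumption: ~10 million guesses per second
    for pw in ("rabbits", "Pupp1e$", "humptydumpty"):
        print(f"{pw:14} alphabet={charset_size(pw):3} "
              f"worst case={crack_time_seconds(pw, RATE) / 86400:14.1f} days")
    phrase = "humpty dumpty sat on a wall, humpty dumpty had a great fall"
    print(phrase_to_password(phrase, {}))                 # hdsoawhdhagf
    print(phrase_to_password(phrase,
          {0: "H", 1: "D", 2: "$", 3: "0", 6: "H", 7: "D", 9: "4"}, "<>"))
```

Note that the estimate only measures resistance to exhaustive search: a dictionary word such as humptydumpty has a large alphabet-based search space but would fall to a wordlist attack far sooner, which is why the phrase-initials approach is preferred.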
How Do I Use WI-FI Securely?
• More time these days is spent working from public locations such as coffee shops. Many of these locations provide shared wireless networks in order to access the Internet.
• There are several risks from such environments that need to be considered, but they can be safely overcome.
• The networks are shared and may well be insecure, allowing others to see any traffic that passes over the network. The other risk is the physical risk from working in a shared environment.
• Care needs to be taken to ensure that people cannot read your laptop screen when you are working on confidential materials, and that your papers, phones, electronic media and laptop are not liable to be stolen.
• By taking a little care and considering the risks, working from public locations can be made secure.
Bonus: The dangers of using Old Browsers
Dian’s Final Instructions
• Never use the same password across all your accounts. “IF THEY HAVE ONE, YOU ARE DONE!!!”
• When answering secret questions, set the answer to something no one can guess.
• Never write down your passwords.
• Never store your passwords on your phone, tablet or PC.
• Never set your password as “Password” or something anyone can guess about your personal life.
• Remember to:
• Use at least 8 characters or more.
• Use upper and lower case letters, numbers and symbols.
• Remember: puppies, a 7-character all-lower-case password, = 13 min to crack, as opposed to Pupp1e$, a 7-character password that adds an upper case letter, a number and a symbol, which could take 87 days or more to crack.
• Never conduct any personal banking etc. on a WIFI network. Always be aware of your surroundings. Protect YOUR Castle!