It’s October, which means it is Cyber Security Awareness Month! The entire month of October is dedicated to raising awareness for cyber security in our everyday lives, and I feel the next few weeks of blog entries should reflect that.
Cyber security isn’t just something we need to worry about in a corporate environment. Quite the opposite, by raising awareness of cyber security concerns that can hit the average person, they will be that much more diligent in their corporate lives as well!
This week is Computer Week, which is one of the most transferable set of skills to a corporate environment. We’ll be looking at a few key areas, including complex passphrases, preventing malware, and avoiding phishing scams. With that, let’s dive into this week’s topics.
Using Passphrases Instead Of Passwords
Passwords are the one common theme that we are all faced with as we use technology. From email to banking, from games to education, passwords are part of our daily lives. But what makes for a good password? Is it the standard recipe of 8 characters containing at least one of each of: upper case characters, lower case characters, digits, and symbols, or something else? At EliteSec, we recommend using a minimum of 12 characters (16 or more for critical accounts), and making use of a password manager. Then we go on to strongly recommend the use of multi-factor authentication as well, which we discussed in our previous blog.
Password managers can definitely help with the complex password rules that we recommend, but a common question that gets asked is what kind of password to use for the password manager itself? Or better yet, what if you don’t want to use a password manager, because it’s too complex to set up or use? The answer is to use a passphrase.
Passphrases
A passphrase is exactly what it sounds like - using a phrase like a sentence, song lyric, or something similar. The idea is to use whole words rather than a combination of random letters, numbers, and symbols. By using a phrase that is easy to remember, but difficult to guess, you can actually get a stronger password than you would with a shorter password with all these complex rules. We recommend using at least 4-5 words of at least 4 letters each for your passphrase. That works out to 19-24 characters (counting spaces) for your password, which is much harder to “guess” than an 8 character password.
Using a passphrase is easier to remember, takes longer to guess, and generally meets or exceeds password complexity requirements. Ideally you would mix uppercase and lowercase characters as well as some punctuation, just to raise the bar a bit more. However, care should be taken not to pick an “obvious” passphrase. By obvious I mean a known family motto, a common expression that you say, a well known quote from a book, song lyric, etc.
There’s nothing wrong with picking a phrase from a book, song, movie, etc., but you shouldn’t use something that is popular, since it may be in an attacker’s arsenal. For example, EliteSec has access to passphrase word lists used for password testing, which contain more than 20.5 million passphrases, all taken from popular culture. Our recommendation is to pick something less popular, but more personal, for your passphrase.
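To make the “harder to guess” claim concrete, here is a small added example (not from the original post, and not an EliteSec tool) that estimates guess-resistance in bits for an 8-character complex password versus a multi-word passphrase, and applies the rules above: at least 4 words of at least 4 letters, and not a phrase from a popular-culture list. The popular-phrase list and the 7776-word dictionary size (a common diceware list size) are assumptions for illustration; the real lists the post mentions are far larger.

```python
import math
import re

# Constructed stand-in for the popular-culture passphrase lists the post
# mentions; the real lists have millions of entries (assumption: illustrative).
POPULAR_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "live long and prosper",
}


def password_bits(password):
    """Upper bound on guess-resistance (bits) for a character password.

    Assumes a truly random choice from the character classes actually used;
    human-chosen passwords are much weaker than this bound suggests.
    """
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def passphrase_bits(phrase, dictionary_size=7776):
    """Bits of guess-resistance if the attacker knows the words come from a
    dictionary of `dictionary_size` words and guesses word by word.

    This is the pessimistic bound; a character-level brute force of a
    19-24 character phrase is far larger (more than 24 * log2(27) bits).
    """
    return len(phrase.split()) * math.log2(dictionary_size)


def check_passphrase(phrase, min_words=4, min_letters=4):
    """Apply the post's rules and return a list of problems (empty = OK)."""
    problems = []
    words = phrase.split()
    if len(words) < min_words:
        problems.append(f"only {len(words)} words, want at least {min_words}")
    short = [w for w in words if len(re.sub(r"[^A-Za-z]", "", w)) < min_letters]
    if short:
        problems.append(f"words shorter than {min_letters} letters: {short}")
    # Normalise case and punctuation before comparing against the known list.
    normalized = " ".join(re.findall(r"[a-z]+", phrase.lower()))
    if normalized in POPULAR_PHRASES:
        problems.append("phrase appears in the popular-phrase list")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4d!", "purple kettle sings under bridge"]:
        print(f"{candidate!r}: password-style {password_bits(candidate):.1f} bits, "
              f"passphrase-style {passphrase_bits(candidate):.1f} bits")
    print(check_passphrase("may the force be with you"))
```

Note that even the pessimistic dictionary bound for a 5-word phrase exceeds the best-case bound for an 8-character password drawn from all four character classes, and the passphrase is the one you can actually remember.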
The Government of Canada has a great video on passphrases that you can watch here.
Anti-Virus Software
Viruses and malware (malicious software) are a common threat for all computer users. At the very least, you will want to be running some type of anti-virus software on your personal computers. In corporate environments, your IT team will likely have already installed some type of anti-virus software, but given the large number of office workers who are working from home, ensuring that the other computers on your home network are also protected is vitally important. There are lots and lots of different anti-virus vendors to choose from, but we’re not going to pick a favourite. Ideally you can take some of these vendors for a spin through free trials, demo versions, etc. Every user is unique and every situation is different. Some anti-virus engines run silently in the background while others can cause performance issues while you run a particular application or game. Testing them out to see what works best for your unique situation is what we recommend for home users.
Anti-virus is one area where we strongly recommend purchasing a solution rather than going with something free. As the expression commonly goes, you get what you pay for, and free anti-virus software may come with hidden costs, such as actually being malware in disguise. Best to stick with a reputable brand rather than something that popped up on your screen as you were browsing a sketchy website.
Defend Against Phishing
In our previous blog article, we touched on SMS-based phishing called smishing, but for standard computer users, the classic phishing email is what plagues us. There are a few things that you can keep an eye out for:
Urgent or Threatening Information
Receiving an email that is threatening or urgent? It’s very rare for something genuinely urgent to be sent via email, and threats are rarely sent this way. In Canada for example, the Canadian Government will send letters or use a phone call to get in touch rather than via email. Likewise, legal threats are often sent via registered mail, rather than a poorly worded email.
Request for Sensitive Information
Credit card information, social insurance numbers, passwords, or other sensitive information should never be shared via email. Use a phone call to share this type of sensitive information, and be wary of anyone requesting it via email. Remember, don’t send something via email that you wouldn’t write on a postcard, where anyone who can get ahold of the postcard can read whatever is written on it.
If It’s Too Good To Be True
As the saying goes, if it’s too good to be true then it probably is. Phishing emails work on this very same principle. Scammers are going to try to take advantage of human nature, so stoking emotions of fear, greed, wonder, etc. is a common theme in phishing emails. Take care with emails that promise near impossible deals or other promises that seem too good to be true - they likely are.
Unexpected Emails
If you receive an email from someone you don’t know or you weren’t expecting, take care before clicking on any links they may have in the email. A common technique is for an attacker to take over someone’s email, then send a phishing email to their contacts, enticing people to click on links and eventually steal their own credentials. When in doubt, reach out to the sender through a phone call or some other non-email means, just to see if they really sent that suspicious email.
Information Mismatch
Pay close attention to the from address or any links in the email. Do they have a misspelling? Does something seem off? Make sure to hover over the links in an email to see if they match the text, and that they actually go to a real site, and not a .biz, .co, or some other suspicious domain that isn’t quite right.
Suspicious Attachments
Similar to unexpected emails, if you receive an email with an attachment that you were not expecting, don’t click on it. Again, follow-up with the sender through some means other than email and see what this is all about. An anti-virus solution can definitely help, but it shouldn’t be the only thing you rely on.
Unprofessional Design
A poorly designed email is often a dead giveaway of a phishing email. Spelling mistakes, poor grammar, or low quality images are hallmark signs of an amateur attacker trying to get something from you.
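The checklist above is something a person does by eye, but the same signs can be checked mechanically. The following added example (not from the original post, and not an EliteSec tool) parses a constructed sample email with Python’s standard library and reports the signals the post describes: urgent language, requests for sensitive information, a sender domain on a suspicious TLD (using the post’s own .biz and .co examples), link text that points somewhere other than where it claims, and unexpected attachments. The sender addresses, domains and keyword lists are invented for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; every address and domain here is invented.
PHISH_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.biz>
To: you@example.com
Subject: URGENT: verify your account immediately
Content-Type: text/html

<html><body>
<p>Your account will be suspended. Please
<a href="http://examp1e-bank.biz/login">https://www.example-bank.com/login</a>
now.</p>
<p>Reply with your password and card number to keep access.</p>
</body></html>
"""

CLEAN_EMAIL = """\
From: friend@example.com
To: you@example.com
Subject: lunch tomorrow?
Content-Type: text/plain

See you at noon at the usual place.
"""

URGENT_WORDS = {"urgent", "immediately", "suspended", "final notice"}
SENSITIVE_WORDS = {"password", "card number", "social insurance"}
SUSPICIOUS_TLDS = {"biz", "co"}  # the examples given in the post
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or URL-looking text; '' if the text is not URL-like."""
    if not URL_LIKE.match(s):
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def body_text(msg):
    """Concatenate the text/plain and text/html parts (attachments excluded)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_signals(raw_message):
    """Return a list of human-readable warning signals for an email (empty = none found)."""
    msg = message_from_string(raw_message)
    signals = []
    body = body_text(msg)
    text = re.sub(r"<[^>]+>", " ", body).lower()
    subject = (msg["Subject"] or "").lower()

    _, addr = parseaddr(msg["From"] or "")
    from_host = addr.rsplit("@", 1)[-1].lower()
    if from_host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        signals.append(f"sender domain uses a suspicious TLD: {from_host}")
    if any(w in subject or w in text for w in URGENT_WORDS):
        signals.append("urgent or threatening language")
    if any(w in text for w in SENSITIVE_WORDS):
        signals.append("requests sensitive information")

    collector = LinkCollector()
    collector.feed(body)
    for href, label in collector.links:
        shown, actual = host_of(label), host_of(href)
        if shown and actual and shown != actual:
            signals.append(f"link text {label!r} actually points to {actual}")
    for part in msg.walk():
        if part.get_filename():
            signals.append(f"unexpected attachment: {part.get_filename()}")
    return signals


if __name__ == "__main__":
    for name, sample in [("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)]:
        print(name, phishing_signals(sample))
```

Keyword lists like these are deliberately simple; they catch the amateur attacker the post describes, and a mail gateway would layer sender authentication and URL reputation on top. The link comparison is the check you perform by hand when hovering over a link: the text you see and the host you would actually visit must agree.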
Happy Cyber Security Awareness Month
Hopefully this week’s article provided you with some insights on how to better protect your personal computers and improve your own cyber security posture. Please share this with some non-technical people in your lives, since ultimately the better all of us can do, the better all our companies can do against cyber security threats. If you have any questions, please don’t hesitate to reach out to us. We’ll be more than happy to answer your questions.
– John
At EliteSec, we would be more than happy to discuss the security concerns you may have at your organization and how we can help to bridge those gaps. Contact us today and we’ll have a candid discussion on what pragmatic solutions we can come up with for your unique needs.