Active Directory Security Overview

Active Directory (AD) is a directory service that manages the identities and access rights of users and devices in a network. AD security settings are the policies and configurations that define how AD objects, such as users, groups, computers, and organizational units, are protected from unauthorized access or modification.

AD security settings are essential for any organization that uses AD as their directory service. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management. However, not all AD security settings are equally important. Some settings have a greater impact on the security posture and compliance status of the network than others.

In this post, I will discuss the importance of the top 5 security settings in AD, namely:

  • Password policy
  • Account lockout policy
  • Group policy
  • Permissions and auditing
  • Kerberos policy

Password Policy

Password policy is the set of rules that govern how passwords are created, changed, and stored in AD. Password policy affects the security of user accounts and the authentication process. A strong password policy should enforce the following requirements:

  • Minimum password length
  • Password complexity
  • Password history
  • Password expiration
  • Reversible encryption disabled (passwords stored only as hashes)

A strong password policy helps prevent password cracking and guessing by making passwords harder to break (a phished password is lost regardless of its strength, which is why phishing needs other controls). It also limits the damage of reuse or sharing by requiring users to change their passwords periodically and use different passwords for different accounts. You should look at a minimum password length of 12 characters with complexity requirements enabled, remembering at least the last 5 passwords, and leave "Store passwords using reversible encryption" disabled.

Account Lockout Policy

Account lockout policy is the set of rules that govern how AD responds to failed logon attempts. Account lockout policy affects the security of user accounts and the authentication process. A reasonable account lockout policy should enforce the following requirements:

  • Account lockout threshold
  • Account lockout duration
  • Account lockout reset

A reasonable account lockout policy helps prevent brute-force and password-spray attacks by locking an account after a set number of failed logon attempts within the observation window. Because an attacker can also use lockout to deny service, the lock should expire automatically after a fixed period rather than require a help-desk call. You should look at locking an account after 10 incorrect passwords within 30 minutes, and automatically unlocking it after it has been locked for 30 minutes.

Group Policy

Group policy is the set of rules that govern how AD objects are configured and managed. Group policy affects the security of users, devices, and data. A comprehensive group policy should enforce the following requirements:

  • Security settings
  • Software settings
  • Administrative templates
  • Preferences

A comprehensive group policy helps enforce consistent and secure configurations across the network by applying security settings to users, devices, and data. It also helps automate and simplify the deployment and management of software, policies, and preferences across the network.

Keep the number of GPOs linked at the domain root to a minimum, since they apply to every user and computer in the domain. Use Block Inheritance and Enforced links sparingly: both change the normal precedence order and make the effective policy on an OU harder to reason about and troubleshoot.
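As an added example (my own PowerShell, not code from the original post), the following script lists the GPOs linked at the domain root and walks every OU to report blocked inheritance and enforced links. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined machine with read access to Group Policy objects.

```powershell
# Added example: inventory domain-root GPO links and find OUs that block
# inheritance or carry enforced links. Assumes RSAT (GroupPolicy and
# ActiveDirectory modules) on a domain-joined machine.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$rootDn = (Get-ADDomain).DistinguishedName

# 1. Everything linked at the domain root applies to every user and computer,
#    so this list should be short.
$root = Get-GPInheritance -Target $rootDn
Write-Output "GPOs linked at $rootDn (apply domain-wide):"
foreach ($link in $root.GpoLinks) {
    $flags = @()
    if ($link.Enforced)     { $flags += 'ENFORCED' }
    if (-not $link.Enabled) { $flags += 'link disabled' }
    Write-Output ('  {0,-45} order={1} {2}' -f $link.DisplayName, $link.Order, ($flags -join ', '))
}

# 2. Walk every OU. Blocked inheritance and enforced links both change the
#    normal precedence and make the effective policy hard to reason about.
$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $rootDn) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    if ($inh.GpoInheritanceBlocked) {
        [pscustomobject]@{ OU = $ou.DistinguishedName; Issue = 'Inheritance blocked'; GPO = '' }
    }
    foreach ($l in ($inh.GpoLinks | Where-Object Enforced)) {
        [pscustomobject]@{ OU = $ou.DistinguishedName; Issue = 'Enforced link'; GPO = $l.DisplayName }
    }
}

Write-Output ''
Write-Output ('{0} OU-level exceptions found' -f @($findings).Count)
$findings | Sort-Object Issue, OU | Format-Table -AutoSize
```

A non-empty exceptions list is not automatically wrong, but every entry should have a documented reason; running Get-GPResultantSetOfPolicy against a sample computer in an affected OU shows what the exception actually changes.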

Permissions and Auditing

Permissions and auditing are the set of rules that govern how AD objects are accessed and monitored. Permissions and auditing affect the security of users, devices, and data. A granular permissions and auditing policy should enforce the following requirements:

  • Least privilege principle
  • Role-based access control
  • Object ownership
  • Inheritance and propagation
  • Audit policy

A granular permissions and auditing policy helps ensure the confidentiality, integrity, and availability of AD objects by granting only the necessary access rights to authorized users or groups based on their roles and responsibilities. It also helps detect and deter unauthorized access or modification by recording and reporting any changes or activities on AD objects.
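As an added example (my own PowerShell, not from the original post), this script reviews the DACL of one OU for principals that could take it over and reports whether the OU carries any audit entries at all. It assumes the ActiveDirectory module, which provides the AD: drive, and the privilege to read SACLs (normally Domain Admins); the OU name "Servers" is a placeholder for one of your own.

```powershell
# Added example: find non-default principals with takeover rights on an OU
# (GenericAll, WriteDacl, WriteOwner, or WriteProperty on all attributes) and
# check that the OU has audit (SACL) entries. Assumes the ActiveDirectory
# module; "OU=Servers" is a placeholder.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$OuDn   = 'OU=Servers,' + $domain.DistinguishedName    # placeholder OU

# Principals expected to hold broad rights; anything else deserves a look.
$expected = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    "$($domain.NetBIOSName)\Domain Admins"
    "$($domain.NetBIOSName)\Enterprise Admins"
)

$adr       = [System.DirectoryServices.ActiveDirectoryRights]
$dangerous = [int]($adr::GenericAll -bor $adr::WriteDacl -bor $adr::WriteOwner)
$writeProp = [int]$adr::WriteProperty

# -Audit pulls the SACL as well, which needs SeSecurityPrivilege.
$acl = Get-Acl -Path "AD:\$OuDn" -Audit
Write-Output "Owner of $OuDn : $($acl.Owner)"

$acl.Access | Where-Object {
    $rights   = [int]$_.ActiveDirectoryRights
    $takeover = ($rights -band $dangerous) -ne 0
    # WriteProperty with an empty ObjectType GUID means "every attribute".
    $writeAll = (($rights -band $writeProp) -ne 0) -and ($_.ObjectType -eq [guid]::Empty)
    $_.AccessControlType -eq 'Allow' -and
    $expected -notcontains $_.IdentityReference.Value -and
    ($takeover -or $writeAll)
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

# Without audit ACEs (plus the Directory Service Access/Changes subcategories),
# changes to this OU and its children never reach the Security log.
if ($acl.Audit.Count -eq 0) {
    Write-Warning "No audit ACEs on $OuDn; object changes there will not be logged."
} else {
    $acl.Audit | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags | Format-Table -AutoSize
}
```

Any principal this prints that is not a tier-0 group is either a delegation someone forgot about or a path for an ordinary account to become an administrator; confirm each one against your delegation records before removing it.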

Kerberos Policy

Kerberos policy is the set of rules that govern how AD uses Kerberos as its primary authentication protocol. Kerberos policy affects the security of user accounts and the authentication process. A secure Kerberos policy should enforce the following requirements:

  • Ticket lifetime
  • Ticket renewal
  • Maximum tolerance for computer clock synchronization

A secure Kerberos policy helps limit replay attacks by bounding the validity and renewability of Kerberos tickets. The clock synchronization tolerance (5 minutes by default) bounds how long a captured authenticator remains usable; it is not a defense against man-in-the-middle attacks. It's advisable to keep Maximum lifetime for service ticket at 600 minutes, Maximum lifetime for user ticket renewal at 7 days and Maximum tolerance for computer clock synchronization at 5 minutes, which are the defaults, rather than loosen them.
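As an added example (my own PowerShell, not code from the original post), here is a script that reads the domain password, lockout and Kerberos policy and compares each setting with the values recommended in the Password Policy, Account Lockout Policy and Kerberos Policy sections above. It assumes the ActiveDirectory module, read access to SYSVOL, and that the Kerberos settings still live in the Default Domain Policy, whose well-known GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}; the policy cmdlet does not expose them, so they are parsed from that GPO's security template.

```powershell
# Added example: compare domain password, lockout and Kerberos policy with
# the thresholds recommended in this post. Assumes the ActiveDirectory module
# and read access to SYSVOL; Kerberos policy is read from the Default Domain
# Policy template (GptTmpl.inf) because Get-ADDefaultDomainPasswordPolicy
# does not expose it.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pol    = Get-ADDefaultDomainPasswordPolicy

$checks = @(
    @{ Name = 'Minimum password length';    Actual = $pol.MinPasswordLength;           Ok = ($pol.MinPasswordLength -ge 12) }
    @{ Name = 'Complexity enabled';         Actual = $pol.ComplexityEnabled;           Ok = ($pol.ComplexityEnabled) }
    @{ Name = 'Password history';           Actual = $pol.PasswordHistoryCount;        Ok = ($pol.PasswordHistoryCount -ge 5) }
    @{ Name = 'Reversible encryption';      Actual = $pol.ReversibleEncryptionEnabled; Ok = (-not $pol.ReversibleEncryptionEnabled) }
    @{ Name = 'Lockout threshold';          Actual = $pol.LockoutThreshold;            Ok = ($pol.LockoutThreshold -gt 0 -and $pol.LockoutThreshold -le 10) }
    @{ Name = 'Lockout observation window'; Actual = $pol.LockoutObservationWindow;    Ok = ($pol.LockoutObservationWindow -ge [timespan]'00:30:00') }
    @{ Name = 'Lockout duration';           Actual = $pol.LockoutDuration;             Ok = ($pol.LockoutDuration -ge [timespan]'00:30:00') }
)

# Kerberos policy: [Kerberos Policy] section of the Default Domain Policy template.
$gpoDir = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"
$inf    = Join-Path $gpoDir 'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$kerb    = @{}
$section = ''
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($section -eq 'Kerberos Policy' -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $kerb[$Matches[1]] = [int]$Matches[2]
    }
}
$checks += @(
    @{ Name = 'Max service ticket (minutes)'; Actual = $kerb.MaxServiceAge; Ok = ($kerb.MaxServiceAge -le 600) }
    @{ Name = 'Max user ticket (hours)';      Actual = $kerb.MaxTicketAge;  Ok = ($kerb.MaxTicketAge -le 10) }
    @{ Name = 'Max ticket renewal (days)';    Actual = $kerb.MaxRenewAge;   Ok = ($kerb.MaxRenewAge -le 7) }
    @{ Name = 'Max clock skew (minutes)';     Actual = $kerb.MaxClockSkew;  Ok = ($kerb.MaxClockSkew -le 5) }
)

$checks | ForEach-Object { [pscustomobject]$_ } |
    Select-Object Name, Actual, @{ n = 'Status'; e = { if ($_.Ok) { 'OK' } else { 'REVIEW' } } } |
    Format-Table -AutoSize
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy -Filter *) override the domain policy for the groups they apply to, so repeat the password and lockout checks against each PSO; privileged groups in particular often end up with a weaker PSO than the domain default.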

In conclusion, AD security settings are vital for any organization that uses AD as their directory service. Among them, password policy, account lockout policy, group policy, permissions and auditing, and Kerberos policy are the most important ones. They help protect the network from internal and external threats, comply with various regulations and standards, and optimize the network performance and management.

Windows Security Checklist for Home Systems

While your IT Department may have a handle on enterprise security, not everyone is technical enough to feel confident that their home computer systems are secure from attack. Many people wonder where is the best place to start, what steps they can take that will make the most impact, and which systems are most likely to need attention.

While there are literally hundreds of settings you can alter and fine tune to adjust your specific system settings, we are going to focus on general security actions you can look into, each helping build a general security mindset that will hopefully get you started without feeling overwhelmed. As you begin with general security changes, you will become more confident in your abilities and less worried that you are breaking anything.

General Considerations

  1. Router – All the devices on your home network communicate with the router. This is the device usually supplied by your internet provider, that allows your home computers to access the internet. This is the access point where most attacks are going to come from, so you want to start here to make sure you have a secure connection to the internet.
    • The router has an administrator-level account, and you must change the default password so that an attacker can’t access your router and disable any security settings.
    • You’ll also want to check if the router is updated with the latest firmware. As vulnerabilities are discovered, the router vendor will provide updated software and you want to make sure your router is patched. This can usually be configured so the router will automatically install new patches, but sometimes this must be manually performed. You’ll want to make sure you investigate these settings and configure them appropriately.
    • You should also disable remote administrator access to your router. This will prevent an attacker from logging into your router unless they are directly connected to the router from your home network. If you need help from your internet provider, they will contact you anyway, so you can grant them access if you need their remote help.
    • You can search the internet with the specific make and model of your router to get the user’s manual or recommended settings.
  2. Wi-Fi Security Settings – Many routers include Wi-Fi, which allows your home computers to connect to the router wirelessly so you can easily access the internet. You’ll need to check the security on your wireless network to enable the basic security features.
    • In Security Settings, give the Wi-Fi network a name (SSID), set a long, complex passphrase, and select WPA2 (or WPA3 if both the router and your devices support it) as the security type. Do not name your Wi-Fi network something that can easily be associated with you, such as your last name or address.
    • When possible, choose WPA2 with AES (shown as WPA2-AES or WPA2-CCMP) rather than TKIP. AES support has been required for WPA2-certified routers since 2006, so any router built after that should offer it.
    • Wi-Fi Protected Setup (WPS) was created with the intention of making the user experience easier and quicker when connecting new devices to the network. It works on the idea that you press a button on the router and a button on the device. This makes both devices attempt to pair automatically. You’ll want to disable this feature, if possible, because it has a history of security issues.
    • You can also sometimes create a separate guest Wi-Fi network, if supported by your router. A separate guest network has some advantages, like not having access between the two networks. It not only provides your guests with a unique SSID and password, but it also restricts guests from accessing your primary network where your connected devices live. You never have to disclose your main Wi-Fi network password to guests or visitors since they only need to know the guest Wi-Fi password. You can easily change the guest Wi-Fi password when your guest leaves without having to log all your other devices back into the network.
    • You might also want to consider the Wi-Fi signal power. If people can detect your Wi-Fi from across the street or in a nearby home, there is a risk that they will also attempt to log into your network. You can sometimes adjust the router signal strength or physical placement of the hardware to reduce that risk.
  3. System Updates – Now that you have a relatively secure network, you can start looking at the devices connected to it. A home network used to mean a laptop or desktop; today it can include a smart thermostat, doorbell camera, video game console, cellphone, coffeemaker, and so on.
    • For each system involved, you’ll need to log into the device and make sure you understand how to check for firmware and operating system updates and attempt to configure the device to automatically check for and apply vendor updates, if possible.
    • For each system involved, review the available security and privacy settings to make sure the device meets recommended settings. Vendor websites are a good resource to help you complete this step.
    • This might also be a good time to determine if the device really needs internet access. If the device is using internet access just to allow you to remotely access the device from the internet, for example, you need to ask yourself if you ever plan on using this feature. If you don’t need the feature, you may be able to disconnect the device from your network and reduce your overall risk profile.
  4. Security Suite – For your major devices like laptops and desktops, you should install and properly configure anti-malware and anti-virus software. There are various free versions available, so research a few vendors and find a solution that meets your needs. Make sure you use a vendor that you can trust.
    • Installing an anti-virus solution with default settings is rarely enough to really protect your computer. You’ll want to look at the available settings and properly configure the solution to provide the security you are expecting. Many vendors will guide you to using the best settings.
  5. Installed Programs – Review each program installed on the computers on your network and determine if those programs are still needed.
    • Maybe you installed a game a few years ago and haven’t used it since that one boring weekend. Now is a good time to uninstall or delete all the unneeded programs that are not essential.
    • If the program doesn’t look like something you need, and an internet search doesn’t answer the question around why it is installed, now is a good time to remove the program. It can be difficult to research something you don’t recognize, but a good internet search should answer your questions.
    • Now that you know what should be installed, a periodic check would help you quickly recognize when something new and unauthorized has been installed. If you do a periodic visual scan of installed applications every couple of months, this will be an easy security check to keep the device as clean and secure as possible.
  6. Program Updates – On your computer, you probably have several programs installed that you may not use very frequently. This could include word processing or spreadsheet suites, but it might also include specialized utilities or even games. All of these need to be patched because vendors periodically update their software to add new features and remove security vulnerabilities.
    • Check each application to see if patching can be automated. There should be a way to manually check for updates, but an automated check will make this process much easier.
    • If the program is older or doesn’t support regular updates, you should consider uninstalling or deleting the application. Each situation is unique, but you need to evaluate the risk if that one old program were compromised and allowed remote access to your computer.
  7. Password Hygiene – Now is also a good time to determine if you need to change your passwords. Easy to remember passwords are usually easy to guess passwords. You should really think about what makes a good password and make sure you change all your passwords to meet current best practice guidelines.
    • You can read more about selecting a better password here. You’ll want to select a really good and unique password for every account. You may need a password manager to store all your passwords, which can encourage longer and more random password selection.
    • Never use the same password for two different accounts. If you are using the same password for LinkedIn as you use for Netflix, if one account is compromised the attacker can use that same password to log into potentially sensitive information from a different account.
    • If you haven’t changed the password recently (within the last 90 days) then change the password now. That will make sure that starting today you are following best practice with your password selection.
    • If you hear one of your online accounts may have been compromised, don’t wait for the service to contact you with the bad news. It takes only a couple of minutes to change a password.
    • If you no longer use the online service, see if the online account allows you to delete or disable the account to reduce your online risk profile.
  8. Firewall Rules – Each computer you use has a host firewall. Windows Firewall is on by default but rarely reviewed, and it is a great tool for limiting remote access to your computer: it blocks unsolicited inbound connections by port and protocol, which makes a remote attack much harder. Configuring it correctly can be a little technical, so do your research and take notes on every change you make so you can undo it if something stops working.
    • You can read more about how to get started with the Windows Firewall here. Don’t be afraid to do some internet searches to find some recommended settings.
  9. File Backup – So you have your home network secured, and the devices on that network are also more secure, and the accounts used to log into those devices are more secure. That is all great news, and you can continue to improve on that security as you learn more and have more technical confidence. But you are not completely safe, because a determined attacker is probably more technical than you and knows more tricks to successfully attack your systems. All is not lost, because you can create a fail-safe plan for recovery even if your files are deleted, scrambled, or encrypted to prevent your immediate access.
    • Backup your important files to a safe location. You can manually backup your files to an external disk drive or thumb drive. While not perfect, it can be a cheap and effective way to keep an external copy of important files where an attacker can’t find them. Just be sure to remove the external drive every time you finish the manual backup. Some people store the external drive in a fireproof safe.
    • An online backup service can make automated backups to a secure folder on the internet fast, easy, and low cost. While the amount of space available and cost can vary widely, a little shopping around can allow your entire family to back up their computers for about $100 a year. That is an inexpensive insurance policy if things go sideways.
  10. New Devices – While all the above steps will take some time and energy, remember that this isn't a one-time effort. As you add new devices to your home network, review these steps again to make sure the new device isn't the weakest link in your home network.
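As an added example for the Firewall Rules step (my own PowerShell, not from the original post), here is a script to run in an elevated PowerShell window on Windows 10 or 11. It checks the firewall state, enforces sensible defaults, lists the inbound allow rules that are actually enabled, and disables the Remote Desktop rules if you never use them. It assumes the built-in NetSecurity module; the rule group name is the English display name, so adjust it for other locales.

```powershell
# Added example: review and tighten Windows Defender Firewall on a home PC.
# Run elevated. Assumes the built-in NetSecurity module (Windows 10/11).
# Keep the output of steps 1 and 3 as your "before" notes.

# 1. Profile state: every profile should be Enabled with inbound Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked |
    Format-Table -AutoSize

# 2. Turn every profile on, block unsolicited inbound traffic by default and
#    log what gets blocked (the log lands under %SystemRoot%\System32\LogFiles\Firewall).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -LogBlocked True

# 3. Enabled inbound allow rules, with the ports and programs they open.
#    Each of these is a hole in the default Block; decide which you still need.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Profile  = $_.Profile
        Protocol = $port.Protocol
        Port     = (@($port.LocalPort) -join ',')
        Program  = $app.Program
    }
} | Sort-Object Rule | Format-Table -AutoSize

# 4. Disable (do not delete, so it is easy to undo) the inbound Remote Desktop
#    rules if you never connect to this PC remotely. Add 'File and Printer
#    Sharing' to the list only if you share nothing on your home network.
'Remote Desktop' | ForEach-Object {
    Get-NetFirewallRule -DisplayGroup $_ -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}
```

If something stops working afterwards, Enable-NetFirewallRule with the same -DisplayGroup reverses step 4, and the rule listing from step 3 tells you which allow rule a program depended on.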

Protecting your family starts with taking responsibility for your home security, and that includes your home network. If you perform all these steps, you are well on your way to a safer and more reliable home network.

6 Ways Employees Bypass Security Policies

As an Information Technology professional, one of the things you will find yourself doing is creating and enforcing security policies. You will need to support good technology security by writing policies that outline the things a good employee must do to support corporate security. All the other employees are hired for what they are good at doing, and that usually means finding ways to get the job done regardless of your security requirements. That means good employees may be your biggest security threat.

You can hopefully understand the reason for this effort to ignore the tedious security requirements published by various technology professionals. The average person has to now memorize numerous user accounts, understand document transfer policies, deal with applications with missing or buggy functions, and work with web site filtering that may block access to important data. They must deal with all your security controls and rules while trying to get their job done, and they know there is a “better” way. So, what are some of the most common workarounds used by your company employees?

  1. Offline Bypass – Many security features are only enforced while the device is online. In one case, users were blocked from attaching USB devices to their computer or laptop, but the software could only alert the security team while the device was connected to the corporate network. The users simply disconnected from the network whenever they wanted to connect a USB hard drive or cellphone and copy files from the local PC to the external device. Make sure your controls work as expected, offline as well as online.
  2. Bypass Session Time-out – Most systems and applications have an automatic session time-out based on a defined idle period. Users, and vendors with standing VPN access, run utilities that simulate activity so an idle connection looks in use and they never have to re-authenticate or restart the VPN.
  3. Simple Passwords – The average person today has scores of personal and professional accounts. Changing 30 or 40 passwords every ninety days (what is commonly recommended) means creating and recalling more than 100 passwords each year. It's understandable that people use easy-to-remember passwords, but simple passwords neutralize much of the security benefit of password-based authentication. Studies have shown people are poor at selecting secure passwords. And beware of the clever users who bypass the password-reset problem altogether by calling the help desk claiming to have forgotten their password. Administrators will often reset a problem user's password without applying the regular password-reset requirements. Some people use such bypass methods to keep the same password for several years.
  4. Post-It Notes – One survey found that many people record their passwords somewhere, sometimes in a spreadsheet or text file, but usually on a simple post-it note. This means someone with access to the device probably also has access to the post-it with the user's login information written down, ready to use without delay.
  5. Internet Document Storage – You have strict security settings on network shares and documents stored on your network. You may think you have met corporate requirements on who gets access to specific data and information, but you probably don’t have any idea of the volume of data transferred outside the corporate network. Users will find ways to get the data to their coworkers, and that probably means storing the files on the internet. The mobile workforce demands anytime-anywhere access to their documents and data. Many mobile workers aim to streamline their productivity by circumventing your security protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting those images to friends or vendors.
  6. Disabling Security – One of the most popular security workarounds is simply turning off security features that hinder your productivity. With the growth of BYOD environments, where employees have greater control over the enabled security features, it is common to find even the most basic security features disabled.

As an IT professional you need to help the hard-working and well-intentioned employee get their job done without putting the network at risk. Your security policies should avoid restrictions without any explanation, which leave the end user with productivity loss and no apparent benefit. Your organization should implement security training for all employees, showing your team specifically how security protocols protect against data leakage, data breaches, and other threats while highlighting how workarounds put data (and their jobs) at risk. Regular communications and meetings with staff will help keep security top-of-mind for the typical employee.

8 Small Business Cybersecurity Tips

There are about 80 million businesses worldwide that meet the "small or medium business" (SMB) definition. Businesses with fewer than 300 employees can't always afford someone to tell them how to develop a more mature security posture or how to educate employees to be smarter about their cybersecurity practices. A large share of successful attacks hit small businesses and small government entities. Since the average attack costs them about $200k and a ransomware incident can put them out of business, it is worth covering the basics of cybersecurity defense.

  1. Make sure you require complex passwords for every system. This means changing any vendor default passwords, not allowing simple or common passwords, and teaching your employees how to select a good password.
  2. Configure Multi-Factor Authentication (MFA) on all accounts. Requiring MFA blocks the overwhelming majority of automated account-compromise attacks (Microsoft puts the figure above 99%). The attacker might steal or guess your password, but it is much harder to also control your phone or hardware token.
  3. Use a separate account for performing administrative tasks on all your on-premises and cloud business systems. Use this account only for administrative actions, never to browse the internet or check email, and your risk of administrator account compromise drops significantly.
  4. Install, properly configure, and use an antivirus solution with cloud-delivered protection (reputation lookups and sample analysis) on every user computer and every server.
  5. Backup your important files to the cloud. Using an automated solution to automatically backup your files to the cloud can prevent a successful ransomware attack from locking you out of your critical files.
  6. Don’t allow your users to configure email auto-forwarding rules in O365. If your account is hacked, one of the first things the attacker will do is configure auto-forwarding rules to exfiltrate your data to their systems across the internet. If you prevent this activity, it will slow down the attack and allow you more time to react. With alerts configured, you will get an email when the attacker attempts to create a new rule, giving you notice that an attack is underway.
  7. Use your available online tools to get tips and suggestions. Things like the Microsoft O365 Secure Score can be a really helpful source of useful tips and techniques for leveraging many more security settings to improve your overall security, and these tips are free just for having an O365 account.
  8. Educate your users about the threats on the internet. Billions of users have internet access, and not all of them have your best interests in mind. Warn users about sharing too much personal information on social media, discuss how to identify phishing emails, and provide guidance on who they need to contact if they aren’t sure about clicking on a link.
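As an added example for tip 6 (my own PowerShell, not from the original post), this script blocks automatic forwarding out of a Microsoft 365 tenant and then audits every mailbox for forwarding settings and inbox rules that forward, redirect or delete mail. It assumes the ExchangeOnlineManagement module, an account with the Exchange administrator role, and that the tenant still uses the outbound spam policy named Default.

```powershell
# Added example: stop auto-forwarding leaving the tenant and hunt for the
# forwarding/redirect rules an attacker creates after taking over a mailbox.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Tenant-wide: the outbound spam policy controls user-created forwarding;
#    the remote-domain setting covers older client-side auto-forward.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Mailbox-level forwarding set by an admin or through Outlook settings.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward, redirect or delete. Attackers pair forwarding
#    with delete so the victim never sees the replies to the mail they send.
$suspect = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = ((@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';')
                Deletes = $_.DeleteMessage
            }
        }
}

Write-Output ('{0} suspicious inbox rules across {1} mailboxes' -f @($suspect).Count, @($mailboxes).Count)
$suspect | Sort-Object Mailbox | Format-Table -AutoSize
```

Step 3 runs one Get-InboxRule call per mailbox, so it takes a while on a large tenant; schedule it rather than run it interactively. A rule with an external target and Deletes set to True is the classic post-compromise pattern and should be treated as an incident, not a configuration finding.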

You need to think about how you use the services and systems that you have access to each day and determine what data you share has value, what processes are at a high risk, and how a malicious user might monetize your activity. A little work today can pay big dividends during an attack.

Follow these simple tips to start getting some confidence around your security posture, and build on each item as threats and systems change.

Securing Windows 10

A Windows 10 laptop right out of the box is not a truly secure laptop. Building a secure laptop using Windows 10 will take a little work. Microsoft has done a good job balancing usability and security, making sure the device is mostly compatible with what an average person wants to do without security getting in the way.

If you want a secure laptop there are some tweaks you need to make to get it to the next level of security. Some are done by default, but you should confirm the settings are correct; others are off by default, so you will need to configure them and turn them on.

I’ll go through some of the settings to show you how you can go from default settings to secure, but you have to understand there are always more things you can do to make your Windows 10 device even more secure.

Best Hacking Tools Of 2017: ADBrute

If you have an Active Directory environment, you want it to be as secure as possible. ADBrute lets you test whether your domain users are still on a known password. When a domain user's password expires, or the account is locked after too many incorrect logon attempts, the domain administrator may reset the password to a default value defined by company policy. If users do not change that password after the reset, every one of those accounts shares a password the help desk knows, which is a major security hole.

A malicious user who knows the default password can log in to the victim's account and read, delete or send mail, or access other resources on the network.

ADBrute is simple to use:

  1. Run ADBrute.
  2. Enter the name of the domain controller and valid login credentials to connect to the Active Directory. The user can be any user on the domain.
  3. Click on Login and wait until the entire user list for your organization is populated from AD.
  4. You can double click on a User to view additional information.
  5. Enter the default password for your organization and press the start button.
  6. Sit back until the program scans and enumerates users who use the default password.
  7. You can export both the lists, the entire user list as well as the weak user list to three different file formats, .csv, .txt and .xls.

You can get more information and download the tool here.

Hashcat Now Cracks 55-Character Passwords

Hashcat is a freely available password cracker. It can be used by security auditors to stress-test company passwords and by criminals to crack lists of stolen passwords. One of the biggest issues with this utility has been an inability to handle passwords in excess of 15 characters. The latest version can now handle passwords and phrases typically up to 55 characters in length.

The latest version of hashcat, released last month, is a significant update to the program. Jens Steube, lead developer, says the update is “the result of over 6 months of work, having modified 618,473 total lines of source code.”

What the new version of hashcat shows is that length above 15 characters is no longer a barrier to GPU cracking. Length still matters most, because every added character multiplies the keyspace, but a long password built from dictionary words, names and predictable substitutions falls to rule-based and combinator attacks regardless of its length. Mixing character classes (numbers, special characters, punctuation) and avoiding predictable structure is what keeps the search too slow even for a determined attacker; a random passphrase generated by a password manager does both.

You can learn more and download the free program here.

Threats to Corporate Security

There are things employees do that present serious threats to corporate security, and you might not even realize that these simple things can undermine your security efforts. If you are responsible for security at your company, start investigating these issues; educating your team about these risks is a simple way to improve security at your place of business.

  1. BYOD – Bring Your Own Device is something almost everyone does today, even at places that specifically ban it. With smart watches, personal cell phones, cheap tablets, etc. it is almost impossible to keep employees from bringing their own devices into the workplace. Many companies don't even have formal policies about which devices are allowed or which systems those devices are banned from connecting to. The risk is that an employee brings an infected device into the office and connects it to one of your corporate assets, like a laptop or server. The infected device then bypasses the perimeter security and attacks that asset, potentially stealing corporate secrets or customer data. Education and formal policies are the best defense against this behavior, along with updating your monitoring to detect rogue devices.
  2. Social Media – A post on social media may seem harmless, but if it includes information about a new business project, issues with a new business system, how many servers were recently infected with a virus, etc., it can be used by your competitors to gain an advantage or as a source of technical information for attackers targeting your business. Education is your best weapon against this type of issue.
  3. Poor Technical Security – Your technical team has to always be thinking of system security. This includes taking responsibility for securing the business systems from both internal and external attacks. The obvious measures are strong perimeter security through firewalls and intrusion detection; the less obvious ones are keeping systems updated with security patches, education about recent security threats, and monitoring vendor sites for announcements of newly discovered vulnerabilities. Make sure the technical team has formal policies and procedures for periodic security checks, with some oversight of the process so it stays a priority for the entire team.
  4. Social Hacking – Hackers and scammers don't always attack your assets by remotely hacking your computers; sometimes they just hack your employees. It can start as a simple telephone call asking someone in your office to download a vendor update because their system is outdated and causing a data issue. That seemingly harmless update is really a program that installs a backdoor into your system and gives the attacker access to the internal network. A scammer can also call someone in accounting pretending to be the CEO and request an emergency $50,000 wire transfer to an offshore account. You need policies and procedures in place that flag these unusual events and route them to someone who can ask the right questions, uncover the scam and block mistakes like these.
  5. Anti-Virus Software – Just because your computer is behind a firewall doesn’t mean it can’t be infected with a virus. Computer viruses can do harmless and annoying things, but they can also do some really serious damage to your corporate computer systems and even shut down your business. While anti-virus software isn’t the most important part of your network security, it is just one part of an overall security infrastructure that will help keep your network secure.
  6. Weak Passwords – Any secure computer system starts with good passwords. A weak password is useless and puts your entire network at risk. Verify that the business systems your company uses require strong passwords, and make sure you educate your team to always avoid weak passwords. This education should extend past internal corporate assets to include personal email accounts, social media sites, and their personal banking accounts.

6 Ways Employees Bypass Security Policies

As an Information Technology professional, one of the things you will find yourself doing is creating and enforcing security policies. You will need to support good technology security by creating policies that outline the things a good employee must do to support good corporate security. All the other employees are hired for what they are good at doing, and that usually means finding ways to get the job done, regardless of your security requirements. That means good employees may be your biggest security threat.

You can hopefully understand the reason for this effort to ignore the tedious security requirements published by various technology professionals. The average person now has to memorize numerous user accounts, understand document transfer policies, deal with applications with missing or buggy functions, and work with web site filtering. They must deal with all your controls and rules while trying to get their job done, and they know there is a “better” way. So what are some of the most common workarounds used by your company employees?

  1. Offline Bypass – Many security features are only enabled while the device is online. In one case, users were blocked from attaching USB devices to their computer or laptop. The software was only able to alert the security team if the device was connected to the corporate network. The users simply disconnected the device from the network when they wanted to connect their USB hard drive or cellphone to copy files from their local PC to the external device.
  2. Bypass Session Time-out – Most systems and applications have automatic session time-out features, based on a defined idle period. Some organizations take this security feature a step further by using proximity detectors that time out a user’s session as soon as they step out of range of the detector. Many users of these systems “beat” this security feature by placing a piece of tape on the detector, or by placing something over the detector to defeat the security offered by these simple devices. Vendors will also employ utilities to make connections seem active, even when the vendor isn’t using the connection, so they don’t have to restart VPN connections.
  3. Simple Passwords – The average person today has scores of personal and professional accounts. Changing 30 or 40 passwords every ninety days (what is commonly recommended) results in creating and recalling more than 100 passwords each year. It’s understandable that people use easy-to-remember passwords, but simple passwords neutralize much of the security benefit of password-based authentication. Studies have shown people are horrible at selecting secure passwords. And beware of the clever users that bypass the password-reset problem altogether by calling the help desk claiming to have forgotten their password. Administrators will often reset problem users’ passwords by bypassing the regular password reset requirements. Some people may use various bypass methods to keep the same password for several years.
  4. Post-It Notes – One survey found that many people record their passwords somewhere, sometimes in a spreadsheet or text file, but usually on simple Post-It notes. This means someone with access to the device probably also has access to the Post-It note with the user’s login information written on it, ready to use without delay.
  5. Internet Document Storage – You have strict security settings on network shares and documents stored on your network. You may think you have met corporate requirements on who gets access to specific data and information, but you probably don’t have any idea of the volume of data transferred outside the corporate network. Users will find ways to get the data to their coworkers, and that probably means storing the files on the internet. The mobile workforce demands anytime-anywhere access to their documents and data. Many mobile workers aim to streamline their productivity by circumventing your security protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting those images to friends or vendors.
  6. Disabling Security – One of the most popular security workarounds is simply turning off security features that hinder productivity. With the growth of BYOD environments, where employees have greater control over the enabled security features, it is common to find even the most basic security features disabled.

As an IT professional you need to help the hard-working and well-intentioned employee get their job done without putting the network at risk. Your security policies should avoid restrictions without any explanation, which leave the end user with productivity loss and no apparent improvement to their lives. Your organization should implement security training for all employees, showing your team specifically how security protocols protect against data leakage, data breaches, and other threats while highlighting how workarounds put data (and their jobs) at risk. Regular communications and meetings with staff will help the typical employee keep security top-of-mind.

Inside Target After 2013 Credit Card Breach

In a recent article by Brian Krebs, we get a little more insight into the credit card breach at Target back in late 2013. The attack led to over 40 million credit card accounts being compromised and has cost Target about $100 million, and more information is now coming out as a result of the lawsuits making their way into court. The article gives some helpful tips on what Target did wrong, so you might not make the same mistakes. Verizon was hired by Target as the breach was discovered, and its report is the most detailed information about the breach we have seen so far:

  • No controls limiting the Verizon consultants’ access to any system, including devices within stores such as point of sale (POS) registers and servers
  • HVAC vendor given 24×7 access to the network, without limits to systems or network segments
  • Target had a password policy, but the Verizon security consultants discovered that it was not being followed
  • Within one week, the Verizon security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks
  • Penetration testers also identified many services and systems that were either outdated or missing critical security patches
  • Networks were internally tested using Nessus, but issues were never remediated

This makes for an interesting read.

6 simple tricks for protecting your passwords

In an interesting article by Maria Korolov, she offers some basic tips on ways to select secure passwords. Some of these you may have already tried, but some might be new to you.

1. Letter substitution cipher: a=b

Letter-substitution ciphers have been around almost as long as alphabets. Each letter is replaced by either another letter, a number, or a symbol – just like the cryptogram puzzles in the Sunday newspaper.

2. Letter substitution cipher: a=s

This one works great if you’re a touch typist. Simply move your fingers one key to the right when you type in your passwords. “Cat” becomes “Vsy.”

3. Never write down encrypted passwords; banana, not nsmsms

It might seem more secure to write down, say, “nsmsms” instead of “banana,” then enter “banana” as your password into the actual website, deciphering the code in your head.

4. Use earworms to your advantage: Wheels on the bus go round and round

You can use a prayer you’ve memorized, or speech, poem, or song. If you can’t memorize any at all, you can use one you can easily look up online. But really – you don’t have a single song memorized?

5. The mnemonic code: a=alpha

But why bother writing down a list of words when you can use a memorization trick that stage magicians have used for centuries – mnemonics?

Start with an alphabet you know well, such as “a is for apple, b is for banana” or “a is for alpha, b is for bravo.”

Then use the word that corresponds with the first – or the last – letter of the site you want to memorize the password for.

6. Add site name to end of password: banana-twitter 

To ensure a unique password for every single site – without having to write anything down – add the name of the site to the end of the password, suggests Luis Corrons, technical director of cloud security vendor Panda Security.

7. Expiration date trick: banana-q1-14

Simply add the year and the quarter to the beginning or the end of the password. So, if your base password is “banana,” you’d have “banana-14-q1” or “banana-14-q2” or “banana-2014-h2.”

You can read her complete article here.

Passwords You Shouldn’t Be Using – 2015

The recent breach of major providers’ user account data shows that people are still using simple or common passwords. The list of common passwords grows with every system breach, but here are the common passwords that you should not be using. The top 10 most common passwords are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football

It doesn’t matter how complex your password looks, if it is on this list it will take seconds for a hacker to compromise your account. You can get additional information here.

Passwords You Shouldn’t Be Using

The recent breach of the iCloud service points to user accounts using simple or common passwords that you shouldn’t be using. The list of common passwords grows with every system breach, but here are 500 common passwords that you should not be using. Each entry gives the number of times the password was found, followed by the password itself. You can see that Password1 was the most found password, with Anthony11 coming in at 500th place. It doesn’t matter how complex your password looks, if it is on this list it will take seconds for a hacker to compromise your account.


When news of a tool known as iBrute showed up in connection with the iCloud breach, speculation turned to a vulnerability in iCloud’s Find My iPhone feature as a possible source for the cache of nude photos. And while it’s not clear if iBrute, or a similar tool, was used, the weakness of simple or common passwords should be of concern to you.
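As an added example that is not code from either of the two “Passwords You Shouldn’t Be Using” posts, here is a screening check of the kind a system can run when a user picks a password: it rejects the candidate if it, or a simple variant of it, appears on a block list built from the ten passwords listed above plus Password1. The variant handling (case folding, undoing common character substitutions, stripping a trailing run of digits or symbols) is an assumption of this example, not something the posts describe.

```python
"""Block-list screening for candidate passwords.

Added example, not code from the original posts.  The block list is
constructed from the page: the ten most common passwords of the 2015 list
plus "Password1", the most-found entry of the iCloud-era list.  The variant
handling (case folding, undoing common character substitutions, stripping a
trailing run of digits or symbols) is an assumption of this example, chosen
so that look-alikes such as "P@ssw0rd" or "Password123" are caught as well.
"""
import re

# Constructed block list taken from the lists quoted in the posts above.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "password1",
}

# Reverse the usual "leetspeak" substitutions (approximate: 1 is read as i).
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# A trailing run of digits and/or symbols, e.g. the "123" in "Password123".
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalised_forms(password):
    """Yield (form, how) pairs, from the literal password to simpler variants."""
    lowered = password.lower()
    yield lowered, "case-insensitive match"
    deleet = lowered.translate(SUBSTITUTIONS)
    if deleet != lowered:
        yield deleet, "match after undoing character substitutions"
    for form, how in ((lowered, "trailing digits/symbols removed"),
                      (deleet, "substitutions undone, trailing digits/symbols removed")):
        stripped = TRAILING_JUNK.sub("", form)
        if stripped and stripped != form:
            yield stripped, how


def check_password(password):
    """Return (allowed, reason); allowed is False when any form is block-listed."""
    for form, how in normalised_forms(password):
        if form in COMMON_PASSWORDS:
            return False, f"'{form}' is a known common password ({how})"
    return True, "not found in the common-password list"


def screen(candidates):
    """Screen several candidates; returns {candidate: (allowed, reason)}."""
    return {c: check_password(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample of candidate passwords a user might submit.
    for pw, (ok, why) in screen(["123456", "P@ssw0rd", "Password123",
                                 "Dragon2015!", "correct horse battery staple"]).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {pw!r}: {why}")
```

In production the block list would be the full breach-derived list rather than eleven entries, and the check runs at password set or change time so the user gets the reason back immediately.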
