LetMeIn101: How the Bad Guys Get Your Password

by

Passwords are essential to your cybersafety. You know it, but if you’re like the rest of the digital society, you probably have dozens of passwords to remember. It’s a lot. So, you might take shortcuts. Taking advantage of your laissez-faire attitude is one way bad guys access your passwords.

Incredibly, there are still people out there using “password” or “123456” in their access credentials. Some people don’t change the default passwords on their devices. So, anyone can pick up a router, look at the sticker identifying the password, and access that network.

Tip: Avoid the obvious passwords! When you have to create a password, make an effort. When it’s time to update a password, do so. Steer clear of simple, easily guessed patterns.

Cybercriminals can also guess your password. With a little bit of research about you online, they can make some informed guesses. Common passwords include pet names, birthdays, and anniversaries. These are all easy to find via your social media accounts.

Tip: Be careful what you share on social media! Don’t befriend strangers, as you are giving them access to a goldmine of info for personalizing an attack on you.

If that doesn’t work, criminals may try brute force. They might script an automation bot to run thousands of password permutations until they get a hit. The software will try a long list of common passwords and run through dictionary words to gain access.

Tip: Use a complex password with numbers, letters, and symbols or a passphrase. A passphrase is typically at least 19 characters long but is more memorable, as it unique to you.

The criminal may also be working with info from a data breach. In early 2019, a security researcher found more than 2.7 billion email/password pairs available on the Dark Web. Criminals accessing that database could use the data as a starting point, as many people duplicate their passwords across accounts.

Tip: Use a unique password for each site. Yes, that’s overwhelming to remember, and that’s also why you should use a password manager to keep track of it all for you.

Criminals can also access your account if you’ve used a hacked public computer. The bad guys may have installed a key logger on the computer. The logger records every key you press on the keyboard. Or they might have compromised a router or server to be able to see your information.

Tip: Be cautious about your online activity on computers or networks you don’t trust.

Of course, there’s one more method of getting your password that we haven’t addressed yet. It’s the familiar phishing attack. For instance, you get an email that looks like it was sent by your bank. Phishing typically has an urgent message and a link that directs you to what looks like a credible page.

Tip: Pay attention to who is sending the email and hover the mouse over the link to see where it goes. If you are concerned about your bank account, for example, open up a browser and type the URL manually rather than clicking the link.

These tips can help you to protect your valuable passwords. Still, setting up a password manager and amping up your internet security can help too. Need support getting ahead of the cybercriminals?

Contact our experts today! Call us at (515)422-1995

Time to Refresh Your Passwords

by

We often tend to be creatures of habit, particularly when it comes to technology. Passwords are a prime example. Many of us use the same logins for multiple websites and applications because we don’t have a photographic memory. A large percentage of users aren’t aware that this is one of the most significant security dangers they can face online. It has a simple fix too.

Regularly, in the news today, there are stories about major companies being hacked, their customer data stolen, and their customers left stranded. Hackers commonly use data stolen from one site to access others where login credentials have been reused between accounts. In some cases, access to bank accounts has been gained simply by using a compromised email account.

Businesses and individuals can face significant losses simply because a third party outside their control has been hacked or compromised.

The Danger Of Old Passwords

MySpace is a key example of why old and possibly forgotten services pose a security danger when passwords haven’t been regularly changed. Once a thriving popular network, the use of MySpace services declined drastically from 2007 onwards. While many people moved to new social networks, old accounts typically remained abandoned on their servers. Hundreds of millions of accounts remained on MySpace servers many years past the firm’s peak.

In 2016, MySpace suffered a data leak which exposed usernames, emails, and passwords of 360 million user accounts. Shortly after the hack, these details were published online for anyone to see. Many were used to access email accounts, servers, and accounts that shared the same details.

Shared Responsibility

Even if you have never had a MySpace or social media account personally, how many of your employees or coworkers have one or more? Many have had more social media, forum, or game accounts than they care to remember. Have their passwords been updated since 2016?

Your business network protects your systems, work, and intellectual property. For many firms it’s the single most critical component, the backbone to business operations. Keeping it secure regardless of the number of people, staff or clients using it is a crucial task.

Consider how many people currently have access and how many of those may reuse their password on another website or service. Just reusing your password once can expose you to the hacking of a third party entirely out of your control.

Password Management

Good security practice is to use a unique and strong password for every login you use. A strong password should include, where possible, capital letters, lowercase letters, numbers, and character symbols. Many consider this impractical or even impossible, but it is entirely achievable for every firm.

It is clearly impossible to manually remember a strong password for each one of the dozens of logins needed today. Few would even attempt to. A password manager makes storing, retrieving, and using unique passwords easy.

When using a password manager, an individual is required to remember only one single strong password to access a database which contains a different login password for each service. This database can be synced between multiple devices, saved and backed up to the cloud, and even used to create strong passwords for you.

Strong Protection

Password managers can be used to implement security policies that demand zero password reuse, between services or over time, and set strict limits over the duration a password can last. With the right policies in place, both your business and your employees are protected against attacks from hackers that have compromised third-party sites.

The maximum recommended lifetime of a password for any service is a single year. Make the start of the calendar year the time which you refresh your passwords and start new.

To help keep on top of your security and make sure your firm is safe well into the new year, give us a call at (515)422-1995.

Don’t Get Hooked by Spear Phishing Attacks

by

Phishing attacks have been around for a long time in IT. Designed to steal your credentials or trick you into installing malicious software, they have persisted in the IT world precisely because they have been so devastatingly simple and effective. Today, a more modern and more effective version of the same attack is commonly used.

A typical phishing attack involves an attacker sending out a malicious email to hundreds of thousands, if not millions of users. The attacker’s email is designed to look like it comes from a bank, financial service, or even the tax office. Often aiming to trick you into logging in to a fake online service, a phishing attack captures the login details you enter so an attacker may use them to enter the genuine service later.

By sending out tens of thousands of emails at a time, attackers can guarantee that even if only one half of one percent of people fall for it, there is a lot of profit to be made by draining accounts. Spear phishing is a more modern, more sophisticated, and far more dangerous form of the attack. It’s typically targeted at businesses and their staff.

A Convincing, Dangerous Attack

While a traditional phishing attack throws out a broad net in the hope of capturing as many credentials as possible, spear phishing is targeted and precise. The attack is aimed towards convincing a single business, department, or individual that a fraudulent email or website is genuine.

The attacker focuses on building a relationship and establishing trust with the target. By building trust and convincing the target that they are who they are pretending to be, the user is more likely to open attachments, follow links, or provide sensitive details.

Consider how many times you have followed a link or opened an attachment just because it has come from a contact you have trusted before.

A Trusted E-mail

The malicious email can appear to come from a vendor you deal with regularly. It may even look like an invoice you are expecting to receive. Often attackers can simply substitute the vendors’ banking details for their own, hoping the target will not notice the difference.

Such an attack is very difficult to detect. It takes a keen eye, strong working knowledge, and constant awareness to keep your company protected. Even a single small mistake by an unaware member of staff can compromise your business accounts.

Defending Your Business

The key to stopping a spear phishing attack is education. Learning attack techniques, and how to protect against them is the single biggest thing you can do to enhance business security.

Whenever you deal with a vendor in a business transaction, you should always consider important questions before proceeding. Are you expecting this email? Is the vendor attempting to rush you into a quick decision or transaction? Have you checked all the details are correct and as you expected? Sometimes a simple query to the vendor can protect you against worst-case scenarios.

In many cases, a phishing attack can be halted in its tracks with a strong IT security package. Web filtering prevents malicious emails and links from entering the network, shutting attacks down before any damage can be done.

Good Security Practice

As with many types of IT threat, good security practices help mitigate damage. Locking down security to ensure employees only access the systems they need helps to prevent damage spreading across the network.

Enforcing unique and strong passwords prevents leaked credentials from affecting systems related to the one that has been compromised. Getting employees set up with a password manager and good security policies can do the world of good to boost your security to the level it needs to be.

Give us a call at (515)422-1995 to audit your security practices. It could be the difference that secures your firm against sophisticated spear phishing attacks.

Is Your Physical Security as Good As Your Cybersecurity?

by

Headlines are often made by firms that have been hacked by “elite” cybercriminals. These events sound high tech, sophisticated, and interesting. The truth is almost always an amateur attacker chancing their luck with an unpatched security hole or bad password. Physical break-ins affect businesses far more commonly and cause much more damage, but get talked about far less.

Similar to technology hacks, most physical security threats come from criminals that chance their luck on businesses that look poorly secured. On a rare occasion, they may strike a business owner that has forgot to lock up or failed to set the security alarm.

By breaking in, these criminals exploit poor physical security to cause damage and steal valuables. Typically, by destroying or taking critical assets, a criminal may make a few hundred in profit while the total damage done to the business is counted in the tens of thousands.

While most IT security packages act automatically and always remain on, physical security needs to be made a daily habit and require periodic updates.

Threats Starting from Within

Every business should have secure locks protecting their doors. Many use an alarm system to add protection to valuable assets. However, there are common threats that neither of these can protect you from. How would your business be protected if the attack came from within your firm?

A disgruntled employee, or even a former employee, can do an enormous amount of damage to a business. Attacking their own business, an employee can likely do more damage during the day than a criminal could breaking-in overnight. Misplaced trust in the wrong individual can result in devastating consequences.

Employees typically have access to one of your business’s most valuable assets: data. A criminal may steal computer hardware to sell on for quick cash because most don’t fully understand the value of the data stored on it.

The value of the data in a business machine can easily exceed the cost of the hardware one hundred times over.

Physical Security Heists

For criminals who do understand the value of data; physical security can be the weakest spot in a business’s armor. In 2013, media streaming service Vudu suffered a break in where criminals stole server hardware to obtain credit card information stored within.

A technology savvy streaming firm is highly likely to have up-to-date IT with excellent security measures. Thieves looking for easy cash recognized that the best way to get to the data was through their comparatively weak physical security.

The best security packages in the world are completely infective if the keys are left in the door and physical hardware is easy to remove. This challenge of securing your data can be made even more difficult when using a location that must remain open to the public.

Securing Your Data with Good Security Practices

Keeping your customer data safe is one of the most significant responsibilities small business owners take on. It requires a duty to employ the best possible security practices to keep your customers safe. For a customer to have the trust to use your business over the competition, they have to see their concerns put to rest.

Locking down data access for employees so they can only view and edit what is strictly needed, protects both customers and the business against many kinds of damage; both accidental and malicious. Limiting device access, such as disabling USB ports to thumb drives or storage devices, helps to prevent data being copied and carried offsite.

Physically locking down a server in the location it sits is one of the best deterrents available to prevent against theft. Locked server racks are an excellent piece of physical security that works on top of the building security already in place.

Make sure your business is up to the task of securing its data. Give us a call at (515)422-1995 to audit both your digital and physical security.

Click to see our BBB Report

VISIT US