By Kevin King
We are deep into a global pandemic, confined to our homes and talking to friends only through video calls, email, and maybe even Zoom. This is a big change for the ordinary person, but for black-hat hackers (the bad kind), it’s an opportunity.
Health IT Security reported in an April 9 article that:
Cybercriminals and advanced persistent threat (APT) groups are exploiting the Coronavirus pandemic with COVID-19-related scams and phishing attacks, according to a joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and UK National Cyber Security Centre (NCSC).[i]
These threat actors are exploiting the SARS-CoV-2 pandemic just as eagerly as they would a computer virus they wrote themselves, which leaves us fighting COVID-19 and criminals at the same time: a two-front battle.
In fact, just yesterday I got an email from a “CEO friend of mine” asking for help. He apparently wanted me to purchase PlayStation gift cards for his nephew while he was under doctor’s orders sick at home from COVID-19. This is a very common scam by attackers taking on the identity of a high-ranking manager to get an employee to buy gift cards. I wasn’t fooled. I texted the real person and helped him protect his email.
In this post, we will go over the first of the top three changes you should make during this crisis, while we are still in lock-down, to help your business win the two-front battle: your password policy. Parts II and III (encryption and making backups ransomware-proof) will follow shortly.
Change your password policy
Did you know that the National Institute of Standards and Technology (NIST) has changed its password guidance (Special Publication 800-63B)? It has changed a lot.
If your organization still follows the old advice of 8- to 16-character passwords that must mix uppercase, lowercase, numbers, and symbols and be changed every 30 days, you are behind the times. NIST now recommends against forced composition rules and routine expiration and in favor of length, screened against a list of common and breached passwords. Your password should look more like “Monday Taco Buccaneers 2020” than “G1nglv1ti$.”
The former is easy to remember: just think of the sentence “Every Monday I’ll buy a taco if the Buccaneers even play in 2020.” The password “G1nglv1ti$,” with all of its substitutions and complications, is hard to remember, so it tends to be forgotten and written on a post-it note for attackers to find.
In addition, “G1nglv1ti$,” at a length of 10 characters and only 46.1 bits of “entropy[ii],” would take a medium-size botnet about 6 days to crack[iii]. “Monday Taco Buccaneers 2020,” at 122.2 bits of entropy, would take a medium-size botnet about 726 nonillion years to crack. And you would have probably changed your password by then. Probably. One caveat: those figures come from a per-character estimator that treats every character as a random pick. An attacker who guesses whole dictionary words instead of characters narrows the gap considerably, so the strength of a passphrase comes from how many words it has and how unpredictable they are, not from its character count alone. That is also why NIST requires the blocklist check: it catches the phrases everyone picks.
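As an added example that is not from the original post, here is a small Python verifier written to the NIST guidance described above: minimum length 8, a maximum of at least 64, Unicode normalization, a blocklist check, a check for the user’s own name, and no composition or expiry rules. It also computes two strength estimates for the post’s two sample passwords: the per-character brute-force figure most online calculators report, and a dictionary-based figure that treats a passphrase as a handful of common words plus a year. The blocklist, the 20,000-word dictionary size, the 100 plausible years and the 1e10 guesses-per-second rate are constructed assumptions, and the figures will not match the calculator the post quotes.

```python
"""Added example: a memorized-secret verifier in the spirit of NIST SP 800-63B,
plus two ways of estimating password strength. Not code from the original post;
the blocklist, dictionary size and guess rate below are constructed assumptions."""
import math
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least 64 characters

# Constructed stand-in for a breach/common-password blocklist. A real verifier
# would load a large corpus (e.g. a Have I Been Pwned download) here.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
    "football", "dragon", "summer2020", "covid19", "coronavirus",
}


def normalize(password: str) -> str:
    """NFKC normalization (SP 800-63B 5.1.1.2) so visually identical inputs such as
    the ligature 'ﬁ' and the letters 'fi' verify as the same secret."""
    return unicodedata.normalize("NFKC", password)


def is_sequential(s: str) -> bool:
    """True for runs such as '12345678' or 'abcdefgh', ascending or descending."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, username: str = "", service: str = "") -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately no composition rules (uppercase/digit/symbol) and no expiry:
    NIST now says verifiers SHOULD NOT impose either."""
    pw = normalize(password)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears in the blocklist of common or breached passwords")
    for word in (username, service):              # context-specific words
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if len(set(pw)) == 1:
        reasons.append("consists of a single repeated character")
    if is_sequential(lowered):
        reasons.append("consists of a sequential run of characters")
    return reasons


def brute_force_bits(password: str) -> float:
    """Per-character estimate: length * log2(alphabet), where the alphabet is the
    union of the character classes present (95 for all printable ASCII). This is
    the model behind most 'time to crack' calculators."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(not c.isalnum() for c in password): alphabet += 33   # symbols and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(passphrase: str, dictionary_size: int = 20_000, year_choices: int = 100) -> float:
    """Attacker-model estimate for 'a few words and a year': each word is one pick
    from a dictionary of `dictionary_size` common words and each all-digit token
    one pick from `year_choices` plausible years. Both sizes are assumptions."""
    bits = 0.0
    for token in passphrase.split():
        bits += math.log2(year_choices if token.isdigit() else dictionary_size)
    return bits


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst case for the defender: the full keyspace at an assumed guess rate
    (1e10/s is a rough figure for a GPU rig against an unsalted fast hash)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("G1nglv1ti$", "Monday Taco Buccaneers 2020", "covid19",
                      "12345678", "kking2020!"):
        verdict = check_password(candidate, username="kking")
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    for candidate in ("G1nglv1ti$", "Monday Taco Buccaneers 2020"):
        bf = brute_force_bits(candidate)
        print(f"{candidate!r}: brute-force model {bf:.1f} bits "
              f"({years_to_exhaust(bf):.3g} years)")
    pp = passphrase_bits("Monday Taco Buccaneers 2020")
    print(f"dictionary model for the passphrase: {pp:.1f} bits "
          f"({years_to_exhaust(pp):.3g} years)")
```

Run it and compare the two estimates for “Monday Taco Buccaneers 2020”: under the brute-force model it is astronomically strong, but under the dictionary model it drops to roughly 50 bits, far below the 122 bits quoted above. That gap is why NIST leans on length and blocklists rather than character-class rules, and why words chosen at random beat a sentence somebody could guess about you.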
While hiding out in your COVID bunker, it is a good time to change your password policy. This assumes that you already have a password policy to change. A good small business needs a well-designed, maintained, and periodically reviewed set of IT policies. If you cannot measure against a policy, you have no way to tell whether your organization’s security goals are being met.
- First, how do you create a password management policy? A good place to start is the Tech Republic website. You can download a Password Management Policy template and modify it according to your organization’s needs. The template costs $99 to download, but for about $300 you can access any of the templates in Tech Republic’s library. Here’s the link: https://www.techrepublic.com/resource-library/downloads/password-management-policy/.
- Second, the full NIST digital identity guidelines, which contain the password rules, can be found on the NIST site[iv]. But if reading a dizzying storm of government and IT acronyms is not your cup of tea, you can find an article by Alvaka Networks, entitled “New password guidelines from the US federal government via NIST[v].” It neatly summarizes the main points.
- Third, once your policy is solidified, post it to your internal HR site, or review it with employees in one of your periodic meetings so that they can begin implementing the changes. Discuss it with your IT support people and make sure they change the settings in your directory or identity system to match; a policy that the login screen still contradicts is just a document. Set calendar dates for quarterly or semi-annual policy reviews with your employees.
Now that you have a handle on passwords, the next post will cover the extreme importance of encryption.
Kevin King is a Certified Security Analyst, and holds many IT and Cybersecurity Certifications. He teaches ethical hacking and does security and infrastructure consulting.