Jonathan Cogley is founder and CEO of Thycotic Software, a leading Washington, D.C. security software firm. Follow the company @Thycotic.
In August, the Senate voted down the Cybersecurity Act of 2012 with a vote of 52-46, just shy of the 60 votes it needed to pass. The bill was an effort to ensure hackers couldn't gain access to the computer networks of private companies. It would have also made it easier for private businesses to share critical data and information with the government regarding cyber threats.
The types of businesses that would have been affected by the bill included any that contained "critical infrastructure," which means that access to the company's assets could lead to the halt of life-sustaining services (such as food, energy, or water), widespread economic damage, or the degradation of national security capabilities in general.
Even though the bill stalled in the Senate, and in spite of the growing and obvious cyber threat, not all businesses are taking even basic preventative steps. Without proper preparation, these companies risk losing critical data. Below are a few things any business can do to improve its security now.
1. Translate Security Answers to Another Language
Many times, security questions such as "What is your favorite book?" are much easier to break than passwords because they are susceptible to social engineering. Consider translating your answers to another language by using free online translation tools. Switching this up can serve to deter a hacker who may assume you're sticking to only one language.
2. Start Passwords with a Space
Many modern password cracking tools, like Cain & Abel, do not take spaces into account simply because they aren't common in passwords. Adding one to your password can throw off complex hacking software. Spaces carry other benefits, too. If you need to write your password down, only you will know a space is also needed at the front or end of it.
3. Don't Depend on Just AES 256 Encryption
With just a few clicks, AES 256 encryption allows anyone using a PC or Mac to encrypt their files and protect them with a password. That said, there are holes, because AES 256 encryption is only as strong as the master password being used for the encryption. For example, if no randomness is used on data encrypted with AES 256, it is susceptible to the TLS CBC IV attack.
4. Do not use NTLM if the Underlying Protocol is Insecure
If you are accessing a site via HTTP or FTP (both protocols for exchanging files over the internet), never enter your credentials in a Windows authentication popup. Unlike HTTP or FTP, HTTPS and SFTP ensure that data sent from the host computer to the receiver isn't available in plain text. HTTPS and SFTP encrypt the entire transmission, so no outside eyes can access usernames and passwords.
5. Use Drive Encryption Software
Use drive encryption software such as BitLocker on all machines. Even if you format your hard drive, sensitive data can easily be recovered from a machine if it is lost or stolen. Drive encryption software is a simple way to prevent this from happening, because it encrypts every bit of data on a storage volume.
6. Create the Right Strong Password
Know that modern computers can break long passwords if they aren't complex. Creating a strong password is more than just using a longer password or replacing letters with similar-looking numbers. The reason some passwords take longer to crack is that the "key space" (the number of possible permutations) grows with both the length of the password and the range of characters it draws from. For instance, a password like "123456789" can be cracked in 15 minutes on a desktop computer, or instantly on a "super" computer. A password like "r3Dcr0W5" takes six years to crack on a desktop and 31 minutes on a super computer. Something more complex, like "%ZBGbv]8g", takes three years to crack on a super computer.
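To make the key-space argument concrete, the added example below (not the author's code) computes the alphabet size, key space and equivalent bits for the three passwords quoted above, and shows what the leading space from tip 2 does to the count. The character classes and their sizes (26 lower, 26 upper, 10 digits, 33 symbols including space) are the example's own assumptions; it says nothing about crack times, which depend on the attacker's hardware.

```python
import math
import string

# Character classes an exhaustive search must cover once it assumes which
# kinds of characters the password uses. Space is grouped with the symbols,
# so a password that starts with a space pulls in the whole 33-character
# symbol class (this grouping is the example's own choice, not a standard).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),       # 26
    "upper": set(string.ascii_uppercase),       # 26
    "digit": set(string.digits),                # 10
    "symbol": set(string.punctuation + " "),    # 32 + space = 33
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet containing every character used."""
    size, covered = 0, set()
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    unknown = set(password) - covered
    if unknown:
        raise ValueError(f"characters outside the known classes: {sorted(unknown)}")
    return size


def key_space(password: str) -> int:
    """Number of candidates of this length drawn from this alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the key space: the bits a brute-force search must cover."""
    return len(password) * math.log2(alphabet_size(password))


def compare(passwords):
    """Rows of (password, alphabet, key space, bits) sorted weakest to strongest."""
    rows = [(p, alphabet_size(p), key_space(p), round(entropy_bits(p), 1)) for p in passwords]
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # The article's three examples plus tip 2 applied to the middle one.
    for pw, alpha, space, bits in compare(["123456789", "r3Dcr0W5", "%ZBGbv]8g", " r3Dcr0W5"]):
        print(f"{pw!r:14} alphabet={alpha:3} key space={space:>22,} bits={bits}")
```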
Image courtesy of iStockphoto, alexskopje