
In this edition of “Security Spot” New Year, New Password


By Daniel Cabarcos,
StillSecure SOC Analyst

I’ve gone through the typical New Year’s resolutions of eating healthier and losing some weight gained from the holidays (yes, I blame the last few decades on the holidays), so I decided that this year’s resolution will be to educate my friends and family on some good old information security. The beauty of this resolution is that something so simple can make such a huge difference all around, and it is something that I know people with an information security mindset take for granted at times. So many thoughts came to mind when I started to think of all the simple steps the average person can take to be more secure this year, which prompted me to realize that I have taken some of these things for granted at times. Now, these things may sound simple, yet they can make a monumental impact on a user’s Internet well-being. That’s why passwords and spam emails are at the top of my list.

I wouldn’t want to count how many times, while helping someone with a computer issue, they would tell me their password and it would be something that would take a dictionary attack seconds to break. I plan to explain to them why a password should not be a known word even with a number behind it, not a name with a date, not a password from last month with a 1 added at the end and then the next month a 2, then 3, etc., and definitely not “PASSWORD”. I will show them the image below on how long it takes to crack passwords, and while I am aware that new methods that use a GPU to increase the number of passwords attempted dramatically lower the amount of time needed to crack a password, it would still take about 1 year for a password 8 characters long. So, I plan to explain to them that they should have a password at least 8 characters long with lowercase, uppercase, numbers and symbols. At the same time, they should not be using the same password for multiple sites and should use a program or a phone app to store their passwords. Not a sticky note on your desk or monitor or somewhere in the line of sight.
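The rules in the paragraph above can be turned into a small checker. This is an added example, not part of the original post; the function names and the tiny word list are assumptions made up for illustration, and a real check would load a full dictionary.

```python
import re

# Constructed sample word list (assumption); a real check would use a large
# dictionary of words and names.
WORDLIST = {"password", "dragon", "summer", "daniel", "monkey", "welcome"}

def _strip_suffix(pw):
    """Lower-case the password and drop trailing digits/symbols
    ("Summer2012!" becomes "summer")."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def check_password(pw, previous=None, wordlist=WORDLIST):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "number": r"\d",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, pw):
            problems.append(f"no {name}")
    # A known word or name stays guessable even with a number or date behind it.
    base = _strip_suffix(pw)
    if base in wordlist:
        problems.append("known word or name with a number/date behind it")
    # Last month's password with a 1, then a 2, then a 3 added at the end.
    if previous is not None and base and base == _strip_suffix(previous):
        problems.append("last password with only the ending changed")
    return problems

if __name__ == "__main__":
    for candidate in ("PASSWORD", "Summer2012!", "gV7#qLw2!xRt"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that “Summer2012!” satisfies the length and character-class rules and is still rejected, which is why the word and reuse checks matter as much as the composition rule.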

 

Thank goodness for junk mail folders and spam folders, but not all spam emails get caught by the filters in place, and this is where so much damage can take place. A 15 letter password can be compromised with a simple email that has you looking into a fake site. Spam emails come in so many sneaky forms that anyone not paying attention can be caught by them. We have the Scams, the Adult, Financial, Stock, Pharmaceuticals, Phishing, Education (diplomas, degrees, certificates and any other type of training programs), Replicas (that purse she always wanted), Software, Gambling, Dating, Video Games and others that have been crafted to steal your information from you and give it to the attacker. The rule of thumb I would explain to my friends and family is that if you do not know who it is from, do not open it: not a link in the email, not a file, not a free something you just won and not from some guy across the world who died and just left you all his wealth, and when I said across the world I meant it. Most of the spam comes from other countries and comes from bot-nets as well. The image below displays statistics for spam sources by country for the week of December 25th.

 

These two policies, if followed, would make life much easier not only for my friends and family but also for myself, by not having to fix so many computers and leaving me with much more time for my hobbies. These are simple steps that could help the average person, yet they would even help myself and others who take simple security policies for granted. What good is a strong password if your phone has no password on it to access your email? The same goes for the ever-expanding world of tablets. The biggest vulnerabilities are usually something simple, and that’s why they are such a threat. We usually overlook them and/or don’t practice them at all. Following these policies would also make anyone’s place of work much more secure as well. The last thing I would recommend is that if they hear that ABC Company was compromised, they should go change their password for that site. So my 2012 New Year’s resolution is to educate my friends and family and make sure I myself follow these policies. Who knows, maybe this year my inbox will have fewer Fwd:Fwd:Fwd:Fwd emails and I will get fewer calls to fix someone’s computer, oh yeah, and lose some weight (another gym membership not used).
