Cyber Hygiene Basics
Last month, we published a blog post on the four main reasons to secure your website. This month, given it is European Cyber Security Month (ECSM) we’d like to focus on four simple tips that can help you improve your cyber hygiene. Cyber hygiene is a term that refers to improving your practices and technologies to stay safer online. With businesses growing their online presence, cyber hygiene is more important than ever. Here are some simple ways in which you can strengthen your cyber hygiene:
Create Strong Passwords
Passwords have been a key focus in cyber security education for almost as long as computers have been around, and for good reason: passwords are often the keys to the kingdom when it comes to your IT estate. Password strength is usually treated as a product of two factors: password length and password complexity. Creating long passwords that contain a variety of letters, numbers and symbols makes it more difficult for attackers to crack them and recover the plain-text password. Every extra character in your password multiplies the work needed to crack it, so the feasibility of cracking drops sharply with length.
| Password Length | Cracking Time |
|---|---|
| 8 characters | 5 hours |
| 9 characters | 5 days |
| 10 characters | 4 months |
| 11 characters | 1 decade |
| 12 characters | 2 centuries |
The content of the password also makes a difference in cracking time. A password of ‘Password’, as expected, takes a mere 90 microseconds. However, a password of ‘zxBfr%3A’ would take around 14 years.
Our password recommendations are as follows:
- Find the right balance between length and your ability to remember passwords. There is no point in creating a 32-character password that you will have difficulty remembering.
- Add symbols and numbers to your password to increase its complexity.
- Your password should not be a dictionary word. Dictionary attacks, in which attackers attempt to crack passwords based on words found in the dictionary, are prevalent.
- Look into a password manager. Password managers are pieces of software used to generate and store passwords for multiple accounts, locking them behind a single, strong master password.
- Enable Multi-Factor Authentication (MFA) on all accounts that allow it. Multi-Factor Authentication generates a random token which you will also need to supply to log in to your account. These tokens can be sent to your phone via SMS or generated through an app such as Google Authenticator.
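The following added example (not part of the original post) turns the recommendations above into a small Python check. The guess rate, the word list and the 12-character minimum are assumptions; the keyspace calculation shows why each extra character multiplies cracking effort, and the dictionary check shows why 'Password' falls in microseconds despite its 52^8 keyspace.

```python
# Constructed word list standing in for a real dictionary-attack wordlist (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey"}

# Assumed attacker speed: 10 billion guesses per second (offline cracking of a fast hash).
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(pw):
    """Size of the alphabet an attacker must cover to brute-force pw exhaustively."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case brute-force time: every password of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / rate


def policy_findings(pw, min_len=12):
    """Check pw against the post's recommendations; an empty list means it passes."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if not any(c.isdigit() for c in pw):
        findings.append("no digits")
    if not any(not c.isalnum() for c in pw):
        findings.append("no symbols")
    # Dictionary check on the letters only, so 'Password1!' is still caught:
    # a dictionary word falls in microseconds no matter how large its keyspace is.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in COMMON_WORDS:
        findings.append(f"based on the dictionary word '{core}'")
    return findings


if __name__ == "__main__":
    for pw in ("Password", "Password1!", "zxBfr%3A", "correct-Horse7-battery"):
        hours = seconds_to_exhaust(pw) / 3600
        print(pw, policy_findings(pw), f"{hours:.1f} h brute force")
```

Note that seconds_to_exhaust grows by the alphabet size (52 here) for every character added, which is the effect the table above illustrates.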
Know Your IT Infrastructure
As your business grows, it can be difficult to keep track of your IT estate. You can’t begin to secure your systems if you’re unaware of exactly what you have. We recommend that you begin by identifying what you consider to be your critical assets. What defines criticality in this context depends entirely on your organisation, but in short these are the IT systems, processes or data that you could not continue to do business without. Once you’ve identified these, compile a document listing these resources and their relevant details, including resource owners, administrators, operating systems and purposes.
This is a limited form of what is known as an asset register. As your organisation's security capability matures, you can consider expanding this asset register to include non-critical assets as well as detailed information on each asset.
Change Default Configurations
Many applications and devices come pre-configured with administrative accounts used for setup. These accounts often have simple and guessable usernames and passwords, such as admin/admin or admin/password. These username and password combinations can be easily discovered in the manuals and on manufacturer websites.
The danger arises when users fail to change these default passwords. Attackers and bots alike scan the internet for interfaces with known default passwords and attempt to log in. This could lead to information disclosure, or even an attacker gaining an initial foothold in your network. Thankfully, this is quite easy to remediate: change the passwords of the default user accounts when you have finished setting the device up, and review the devices and services you already have running to replace any default usernames and passwords still in place.
The Principle of Least Privilege
This tip is more abstract than the others, and presents a general policy change as opposed to a technology change. In IT security, there is an idea known as the principle of least privilege.
This is the idea that all users and programs should only have the rights necessary to carry out their duties, no more, no less. This is to ensure that, in the event of the compromise of a low-level account or system, your critical business assets aren’t easily compromised.
To enact this, conduct a review of the user access controls you have in place. Determine whether users actually need the rights and permissions they have in order to carry out their business-as-usual (BAU) tasks. If not, consider removing these rights to improve the security of your systems. We would advise the creation of a User Access Control matrix. An Access Control Matrix is a security document that categorises users into specific roles and describes the rights of those roles to access systems. An example of an access control matrix for file shares is detailed below:
| Role | Payroll File Share | IT Share File |
|---|---|---|
| Finance Dept. | Read, write | none |
| IT Dept. | none | Read, write |
This simple matrix describes the rights of two departments and the file shares they can access. Finance and IT have been allowed to read and write their respective file shares based on their business needs. The access control matrix for a fully fledged organisation will be much larger, but the principle remains the same - the matrix should allow stakeholders to quickly reference what rights a specific user role has, and should make the implementation of the principle of least privilege much easier.
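As an added example (not code from the original post), the matrix above encoded in Python with default deny, plus the review step described earlier: the permissions actually granted on the two shares (a constructed sample) are compared against the matrix and every right the matrix does not grant is reported for removal. The user names, the role mapping and the exported permission list are assumptions.

```python
# The access control matrix from the post: role -> share -> rights granted.
# Anything absent is denied (default deny), which is least privilege in data form.
MATRIX = {
    "Finance Dept.": {"Payroll File Share": {"read", "write"}},
    "IT Dept.": {"IT Share File": {"read", "write"}},
}


def is_allowed(role, resource, right):
    """Default-deny lookup: a right exists only if the matrix grants it explicitly."""
    return right in MATRIX.get(role, {}).get(resource, set())


def excess_rights(matrix, role_of, granted):
    """
    Compare what is actually granted with what the matrix allows.
    role_of: user -> role.  granted: (user, resource, right) tuples from the real ACLs.
    Returns the entries an access review should remove; users with no recorded
    role are treated as having no entitlement at all.
    """
    excess = []
    for user, resource, right in granted:
        allowed = matrix.get(role_of.get(user), {}).get(resource, set())
        if right not in allowed:
            excess.append((user, resource, right))
    return excess


# Constructed sample: effective permissions as exported from the two shares.
ROLE_OF = {"alice": "Finance Dept.", "bob": "IT Dept.", "carol": "Finance Dept."}
GRANTED = [
    ("alice", "Payroll File Share", "read"),
    ("alice", "Payroll File Share", "write"),
    ("bob", "IT Share File", "write"),
    ("bob", "Payroll File Share", "read"),    # IT left with payroll access
    ("carol", "Payroll File Share", "read"),
    ("carol", "IT Share File", "write"),      # leftover from a previous role
    ("dave", "IT Share File", "read"),        # no role recorded at all
]

if __name__ == "__main__":
    for entry in excess_rights(MATRIX, ROLE_OF, GRANTED):
        print("remove:", entry)
```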
How can we help?
We hope that these tips provide some quick and easy wins for your organisation. However, these simple recommendations can only go so far. Secora Consulting provides a range of services that can help you to assess the security of your organisation. Our baseline assessments focus on quickly bringing your systems in line with best practices by identifying missing patches and known issues in your systems. If you are interested in a more in-depth assessment of your infrastructure, ask us about our penetration testing services, where we will identify and exploit vulnerabilities in your network, showing just how far an attacker could get. Get in touch today and discuss your options.
All of Secora Consulting's assessments are tailored to our clients' needs. Using our experience, we can help you determine which services are right for you. We have arranged our services into four groups based on the objective of the tests.