In this article, we will examine three information security factors you, the end user, control and should take seriously.

Password Protection

I’m sure many of you have moaned and groaned when your organization has you reset your various passwords every 30, 60, or 90 days. Now you must come up with another unique word or phrase that you can remember until the next time you have to change it. You’re not being harassed for no reason; your organization is merely following best practices when it comes to protecting their systems and/or data. Bad actors are hoping you’ll get lazy and slip up so they can gain access to the information your passwords protect. With your username and password, they can potentially steal personal information and proprietary or financial data. This can be devastating to whoever is the victim.

So let’s look at some basics of password protection and why it’s necessary.

  • Choosing a password:
    • When choosing a password, try to make it as impersonal as possible. A bad actor sees on social media that your birthday or anniversary is September 18th and plugs variations of that date into a password cracking program. This dramatically decreases the time necessary for them to break the password. They can do the same with pet names, addresses, etc.
      • What not to use:
        • Important dates
        • Pet names
        • Addresses
        • Family names
        • Anything that is readily discoverable about you
      • What works best:
        • Use at least 10 characters, or more where the system permits it. More characters means a more secure password.
        • Make your password complex.
        • Include uppercase and lowercase alphabet characters.
        • Include numbers and symbols.
        • Don’t repeat more than 2 characters in a row.
        • Use meaningless words or phrases.
        • Use a random password generator.
  • Securing your passwords:
    • The security of your passwords is vital. Having a complex and difficult-to-break password is useless if you don’t also secure it.
      • What not to do:
        • Do not write passwords down and store them near the computer or anywhere that is non-secure.
        • Do not use the same password for multiple programs or systems.
        • Do not share passwords with colleagues.
        • Do not reuse old passwords.
      • What you should do:
        • Use a password manager like LastPass to manage your passwords securely.  This may not be allowed by your organization.
        • Even if it’s not required, change your passwords regularly on work and home devices.
        • Pay attention to those legitimate notices that say you should change your password.
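The rules above (length, mixed character classes, no character repeated more than twice in a row, nothing personal about you, and a random generator) can be checked mechanically. The following is an added example, not code from the article; the personal details it rejects are constructed, and the date helper expands one date into the variations a cracking program would try:

```python
import re
import secrets
import string
from datetime import date

def date_variants(d):
    """Forms a date commonly takes inside a password: 0918, 918, 09181988, 091888, Sep18, September18."""
    forms = ("%m%d", "%m%d%Y", "%m%d%y", "%b%d", "%B%d")
    return {d.strftime(f) for f in forms} | {f"{d.month}{d.day}"}

# Constructed personal details of the kind an attacker can harvest from social
# media (made-up values): a pet name, a street, a surname and an anniversary.
PERSONAL_DETAILS = ["Rover", "Maple Street", "Goodman"] + sorted(date_variants(date(1988, 9, 18)))

def _personal_tokens(details):
    """Lowercase fragments to reject: each whole value plus each word of 3+ characters."""
    tokens = set()
    for d in details:
        low = d.lower()
        tokens.add(low)
        tokens.update(w for w in low.split() if len(w) >= 3)
    return tokens

def check_password(pw, personal=PERSONAL_DETAILS, min_len=10):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if re.search(r"(.)\1\1", pw):          # three identical characters in a row
        problems.append("a character repeated more than twice in a row")
    low = pw.lower()
    for token in sorted(_personal_tokens(personal)):
        if token in low:
            problems.append(f"contains personal detail '{token}'")
    return problems

def generate_password(length=16):
    """Random password drawn with the secrets module, retried until it passes every rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```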

Two-Factor Authentication (2FA)

If you aren’t familiar with the term “two-factor authentication”, it is just as it sounds; it is a method of ensuring the user of a system or program is authorized by using two criteria. This can be a combination of things such as something you know, something you have, or something you are. Most of you are probably familiar with this from notices you may have received from your banking app asking you to set up two-factor authentication to better protect your financial data.

So let’s break down what constitutes the various forms of authentication that may be used.

  • Something you know:
    • This would typically be your password we talked about earlier but could be something else such as:
      • PIN – A personal identification number that only you know that is associated with the account.
      • A key word you chose at some point like your mother’s maiden name, your first pet’s name or your favorite color.
  • Something you have:
    • This would be something you have physically in your possession such as:
      • A token that has your information on it.  For government employees, that would be your Common Access Card (CAC).
      • A key generator – This is a small device or program that generates a one-time code (a number) that you then enter to validate your session.
      • Sometimes you’ll be asked to enter your phone number or email address from a trusted source that then sends you a code for verification.
  • Something you are:
    • This means something unique to only you such as:
      • Your fingerprint
      • Your retinal scan
      • Facial recognition
      • Voice recognition

System Updates

New vulnerabilities are discovered every day and companies work diligently to fix them as soon as possible. These fixes will typically be released as an update that you are prompted to install. There are different types of updates and some may require you to perform an action without being prompted. It is vitally important that you perform these updates as soon as you are able.  Whether you’re using a computer, a mobile phone, or a tablet, it is essential to keep that system up to date.

Things to consider regarding system updates:

  • Always perform the updates as soon as possible.
    • Most company computers will be managed by the administrators. Updates and installs happen automatically with very little user intervention.
    • Don’t continue to put off those updates when the reminders pop up.
    • Set your system to check for system updates automatically.
      • Checking for updates involves little to no interruption in your work.  Updates can be scheduled to be completed during non-work hours.
    • For non-Operating System updates, check often.
      • If not enterprise managed, programs such as Google Chrome can be manually updated by going into settings/about/check for updates (the exact path depends on the program).
  • For mobile phones or tablets:
    • Updates for mobile devices are typically pushed by your mobile service provider.
      • When you receive a notice that an update is available, be sure to perform the update as soon as possible.
      • For non-mobile devices, you may need to check for updates manually.
        • This is typically done via settings/software update.

While a good starting point, this is by no means a comprehensive list of ways to keep your information secure.  Bad actors are always evolving and coming up with new ways to bypass these security measures.  If you follow the guidelines above, you should feel comfortable that your data is protected but don’t let down your guard.  Remember to be suspicious of things that don’t seem right, especially phishing emails. Even if you’ve done everything else right, clicking on a bad link in an email can bypass all this security.

Here are a few resources I recommend for more detailed information:

https://www.tomsguide.com/reviews/lastpass

https://www.zdnet.com/article/best-security-keys/

https://www.pcmag.com/how-to/two-factor-authentication-who-has-it-and-how-to-set-it-up

https://krebsonsecurity.com/password-dos-and-donts/

About Tom Goodman

Tom Goodman is an Information Systems Security Analyst with Sentar, Inc. where he is involved in all aspects of the Cybersecurity Lifecycle. Tom has been an IT professional for over 30 years.  His career began in 1988 with the US Air Force, where he served for four years including Ankara AS, Turkey and Offutt AFB, NE.  He was honorably discharged in 1992. Tom has done a little bit of everything in the computer field, from hardware and networking to sales.  He had his own consulting business for many years and was involved in an Internet Service Provider (ISP) startup in 1996.

Like many people with his background, Tom ended up in the Cybersecurity realm. He has been a Cybersecurity Analyst for the past seven years working as a contractor for the US Government in Stuttgart, Germany and Charleston, SC, where he currently lives with his wife of 23 years and his 3 children, 2 dogs and a cat. Tom is an avid soccer fan and spends most weekends catching up with the Premier League and Bundesliga matches. He loves camping, fishing, golf and spending time with his family.
