CURRENT STATE OF CYBERSECURITY - AICPA
CURRENT STATE OF CYBERSECURITY Big Spending – Widespread Vacancies – Increasing Losses
Research Efforts Focusing on the Human–Security Paradigm
INFORMATION SECURITY TRAINING
Legislative Information Services
Presenter
Presentation Notes
This is an example of an actual phishing attack that targeted the Legislature just a few days before this past New Year's. This message, designed to look like it came from our own IT department, asks that you click on the link included (bad) and enter your email and password (worse) to prevent you from being locked out of your account. This message actually came from another internal account which was compromised by the same “phishing” campaign, which is why the From address is redacted.
Sadly, many users clicked on that link, which took them here: to a page which looks almost exactly like our own Outlook Web App login page.
The website address does not point to mahouse.gov, masenate.gov, or malegislature.gov. Actually, if you look closely, the domain name ends in .es, which means that the site is actually hosted in Spain. If you’re unfamiliar with domain names, we’ll discuss those in a few minutes. Luckily, very few users actually tried to log in to this, but for the few that did, their accounts were then taken over by the attackers.
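The check described in the note above, namely looking at which domain a link really points to, can be automated. The following is an added example written for this page, not code from the presentation: it parses a URL, extracts the hostname, and accepts it only if it is one of the three legitimate domains named above or a genuine subdomain of one. The trusted domain list comes from the notes; the sample URLs, including the `.example.es` look-alike, are constructed for illustration.

```python
from urllib.parse import urlsplit

# Legitimate domains named in the presentation; anything else is treated as suspicious.
TRUSTED_DOMAINS = ("mahouse.gov", "masenate.gov", "malegislature.gov")


def link_host(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if none can be parsed.

    A scheme is assumed when missing so that 'mahouse.gov/login' parses as a
    host rather than as a bare path. urlsplit() discards any 'user@' prefix,
    so 'https://owa.malegislature.gov@attacker/' yields 'attacker', not the
    trusted-looking text before the '@'.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host IS a trusted domain or ends with '.<trusted domain>'.

    Anchoring on the end of the hostname is what defeats look-alikes such as
    'malegislature.gov.owa-login.example.es' (trusted name used as a subdomain
    of someone else's domain) or 'malegislature-gov.example.es'.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url: str) -> str:
    """Label a URL as 'trusted', 'suspicious', or 'unparseable'."""
    host = link_host(url)
    if not host:
        return "unparseable"
    return "trusted" if host_is_trusted(host) else "suspicious"


if __name__ == "__main__":
    # Constructed sample links in the style of the phishing message described above.
    samples = [
        "https://mail.malegislature.gov/owa",
        "https://malegislature.gov.owa-login.example.es/owa",
        "https://owa.malegislature.gov@phish.example.es/",
        "MAHOUSE.GOV/login",
    ]
    for url in samples:
        print(f"{classify_link(url):11s} {url}")
```

The point of the example is the direction of the comparison: a trusted name appearing somewhere in the address proves nothing; only the final labels of the hostname decide who controls it.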
PHISHING
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Now that we’ve seen a few examples, let’s formally define phishing. Phishing is the digital form of social engineering: pretending to be someone or something that you’re not in order to trick someone into handing over valuable information.
PASSWORDS
“At least make them have to try harder”
If you had to walk away from this talk with one thing, then this section would easily be the most important. Passwords are the primary mechanism which we use to access our computers, email, Facebook, banking and credit card information, taxes, etc. Likewise, poor password standards are more often than not responsible for those accounts being compromised.
DO NOT REUSE PASSWORDS
Password reuse is by far one of the best things that a hacker can rely on to get into your accounts. Most people in some way or another use the same password, or a variation of that password, across multiple accounts. Is your Facebook password the same as your GMail, or your LinkedIn? If so, then if one account gets compromised, expect that all of your accounts will be compromised. Do NOT use the same password across multiple accounts; it’s just asking for bad things to happen.
DO NOT USE POST-ITS FOR PASSWORDS
Having worked in the building for a few years now, I can say for a certainty that almost every office is guilty of this in one way or another. Generally speaking, writing down passwords is discouraged. Writing them down and then adhering them to objects in public places is a particularly bad idea. Unless you have absolute control over your physical office space, which no one does, you can’t guarantee who will be able to see these notes. Particularly in a building which serves the public, for those of you who often meet with constituents, lobbyists, staff from other offices, etc., having a post-it note on your desk or next to your monitor with passwords written on it (including passwords for intern accounts) is asking for trouble. So you might be asking, “If you can’t write them down, how am I supposed to remember passwords for multiple accounts?” and that’s a valid question. We can shed some light on that by looking at how passwords are created.
PASSWORD CONSTRUCTION
Bad Passwords: RedSox2004, Patriots!, NewEngland2015, Boston617, Bruins2017
On the left we have a list of just generally terrible passwords. Password rules require a capital letter, so we capitalize the first character of a fairly common word or name; then, because password policy requires integers, we end in some sort of number, usually either a single integer, a year, an area code, etc. Hackers and security professionals are very much aware that this is how most people tend to construct their passwords. On the right we have a list of passwords that from a hacking perspective are certainly much more difficult to guess than those on the left, but they’re absolutely impossible to remember for normal human beings.
PASSPHRASES
From a technical standpoint, hacking into accounts with weak passwords can be fairly straightforward. You download a list of words, names, places, etc., then you use a free program to guess the password of an account until it finds the right one. What this means is that if you’re using any of the passwords in the previous slide, then it’s really only a matter of time before your account gets hacked. The numbers, capital letters, and exclamation points might slow things down a bit, but it’s really only a matter of time. Given this reality, if you want to really make things difficult for the attackers, and easier for yourself to remember, then you’re much better off using passphrases instead of passwords. Something like “correct horse battery staple” is significantly harder to guess (using a computer) than one of those crazy-looking passwords, and you have the added benefit of it being much easier to remember.
PASSPHRASES
“Dictionary words are okay so long as the words are unrelated and spaces are included.”
Good Passphrase: chair queue3 Avaya docket!
Bad Passphrase: Marry me Tom Brady07!
Passphrases are great so long as you don’t use related words, since related words make them significantly easier to crack.
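The argument of the last few slides, that a word-plus-number password falls to a word list while unrelated words multiply the work, can be put in numbers. The following is an added example written for this page, not material from the presentation: it counts the candidates a guesser would have to try for each construction and expresses that as bits (log2 of the count). The list sizes (10,000 common words, a 7,776-word random-word list, a 50-word "related" set such as one team's roster) and the guessing rate are stated modelling assumptions, not measurements.

```python
import math

# Modelling ASSUMPTIONS for illustration only; change them to match your own threat model.
COMMON_WORDS = 10_000      # names, teams, places a guessing list would plausibly contain
DICEWARE_WORDS = 7_776     # size of a standard random-word list (6**5)
RELATED_WORDS = 50         # e.g. one team's players, slogans and the word "marry"
GUESSES_PER_SECOND = 1e9   # assumed offline guessing rate against a leaked password hash


def keyspace_bits(*choice_counts: int) -> float:
    """Bits of guessing work for a secret built from independent choices.

    Each argument is the number of options at one position; the keyspace is their
    product and the strength is log2 of that product.
    """
    return math.log2(math.prod(choice_counts))


def pattern_password_bits(word_count: int = COMMON_WORDS) -> float:
    """'Capitalized word + number (+ optional !)', the RedSox2004 / Patriots! shape.

    Suffix options: one digit (10) + a year 1900-2099 (200) + a 3-digit area code
    (1,000) + any other 4-digit number (10,000); the optional '!' doubles that.
    Capitalizing the first letter adds nothing because the guesser does it too.
    """
    suffixes = 10 + 200 + 1_000 + 10_000
    return keyspace_bits(word_count, suffixes, 2)


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Passphrase of `words` words drawn independently from one list.

    Passing a small `dictionary_size` models the 'related words' case: once the
    guesser knows the theme, the list shrinks from thousands of words to dozens.
    """
    return keyspace_bits(*([dictionary_size] * words))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guessing rate."""
    return 2 ** bits / rate


if __name__ == "__main__":
    rows = [
        ("RedSox2004-style password", pattern_password_bits()),
        ("4 unrelated dictionary words", passphrase_bits(4)),
        ("4 related words (one theme)", passphrase_bits(4, RELATED_WORDS)),
    ]
    for label, bits in rows:
        days = seconds_to_exhaust(bits) / 86_400
        print(f"{label:30s} {bits:5.1f} bits  ~{days:10.3f} days to exhaust")
```

Under these assumptions the word-plus-number pattern is worth under 28 bits and four related words under 23 bits, while four unrelated words from a 7,776-word list are worth about 52 bits. Each extra unrelated word adds the same roughly 13 bits, which is why length in words, not punctuation, is what buys strength.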
PASSWORD RECOMMENDATIONS
- Passphrases are significantly stronger than passwords.
- Avoid password reuse across multiple accounts.
- If you must write them down, store them in a secure location.
- Periodically change your passwords.
- Enable two-factor authentication for accounts which offer that service.
Just to review, weak passwords make it easy for an attacker to get into your account. You already know that there are all kinds of people out there trying to get into your accounts for many different reasons. Don’t make it easier for them by using passwords with things like “RedSox” or “Patriots” or using your family members’ names.