Computer Security Basics Are Always Evolving
What’s considered common sense in computer security is always changing.
In fact, if I had to describe the world of computer security in one word, it would be ‘volatile’. Unfortunately, too many people think this just means the bad guys are constantly evolving their tactics. Too often they forget that, in this context, volatility also means the good guys need to regularly change up their tactics as well.
As a result, what’s considered to be good security advice is always changing and evolving. Even if you haven’t noticed this on your own, it’s easy to see once it’s been pointed out. For example, think about how the advice on passwords has changed over the years.
In the beginning (20+ years ago), many systems capped passwords at eight to ten characters (the classic Unix crypt() scheme silently truncated anything longer than eight), and the best-practice standard was to make passwords as complicated and randomized as possible within that limit. Something like *u4V=@jq would have been considered an excellent password back in those days. This was also before password managers, so it would have been easy to forget and a pain to type, but it would have been considered a safe password.
Today that same password would be considered unsafe because, regardless of the complexity, it’s just too short. Against a fast, unsalted hash such as NTLM, a GPU cracking rig can exhaust every eight-character password in a matter of hours; only a deliberately slow hash like bcrypt stretches that into years, and you rarely get to choose which one a breached service used. That’s why modern best practices recommend a minimum length of 14 characters for passwords to be considered secure. I’m not talking about the minimum regulated length for industries like health care or government offices either; everyday cyber security recommendations are for passwords that are almost twice the length they used to be.
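To make the length-versus-hash trade-off concrete, here is a small calculator (an added example, not code from the original newsletter or from TRINUS) that computes worst-case brute-force time for a given password length, character set and guessing rate. The rates in ASSUMED_RATES are assumed orders of magnitude for a multi-GPU rig, not benchmarks, and the charset sizes are constructed for the example; change them to match your own measurements.

```python
import math

# Character-set sizes used to compute keyspaces (constructed for this example).
CHARSETS = {
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}

# Assumed guessing rates in hashes/second for a multi-GPU cracking rig.
# These are illustrative orders of magnitude, not benchmarks: fast unsalted
# hashes (NTLM, MD5) reach trillions per second, SHA-256 around a hundred
# billion, and a deliberately slow hash like bcrypt at cost 10 around a million.
ASSUMED_RATES = {
    "ntlm": 2e12,
    "sha256": 1.5e11,
    "bcrypt_cost10": 1e6,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def crack_seconds(length, charset_size, rate):
    """Worst-case seconds to exhaust the keyspace at `rate` guesses/second.
    On average an attacker succeeds in about half this time."""
    return keyspace(length, charset_size) / rate


def min_length_for(charset_size, rate, years):
    """Smallest length whose full keyspace takes at least `years` to exhaust at `rate`."""
    target_guesses = years * SECONDS_PER_YEAR * rate
    return math.ceil(math.log(target_guesses) / math.log(charset_size))


def describe(seconds):
    """Human-readable duration for the table printed below."""
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def table(lengths=(8, 10, 12, 14), charset="printable_ascii"):
    """Worst-case crack time (seconds) for each length under each assumed hash rate."""
    size = CHARSETS[charset]
    return {
        length: {name: crack_seconds(length, size, rate)
                 for name, rate in ASSUMED_RATES.items()}
        for length in lengths
    }


if __name__ == "__main__":
    print(f"{'len':>4} " + " ".join(f"{name:>16}" for name in ASSUMED_RATES))
    for length, by_hash in table().items():
        print(f"{length:>4} " + " ".join(f"{describe(s):>16}" for s in by_hash.values()))
    for name, rate in ASSUMED_RATES.items():
        needed = min_length_for(CHARSETS["printable_ascii"], rate, 100)
        print(f"{name}: {needed} printable characters for a 100-year worst case")
```

Under these assumed rates an eight-character printable password falls to NTLM cracking in under an hour, while the same password hashed with bcrypt holds for a couple of centuries; at 14 characters even the NTLM case runs to tens of millions of years. Each added character multiplies the work by the charset size, which is why length wins over complexity.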
So, unsurprisingly, the industry as a whole keeps changing, and so too do basic computer security recommendations. Instead of just monitoring new attack types and vulnerabilities from the bad guys, it’s important to watch out for new practices and updated standards from the good guys. A great example of this in action is the US Cybersecurity and Infrastructure Security Agency’s (CISA) recent update to its list of ‘bad practices’ that should be avoided.
Item 1: Don’t use unsupported or EoL (End of Life) software
This has been part of general good security advice for a long time, so it’s not exactly an update, but sadly it still needs to be said. Windows 7 is a great example: Microsoft ended support in January 2020 (paid Extended Security Updates ran until January 2023), yet new vulnerabilities affecting it are still being discovered, and without patches every one of them stays exploitable. Despite this, Windows 7 is still in wide use, and I know because almost every security audit TRINUS conducts for new clients finds at least some of their machines still running it.
Item 2: Don’t use default passwords or accounts
Again, this has also been standard security advice for a long time. Default accounts and passwords are public information and can easily be found with a simple Google search or in the vendor’s own manual. You always need to change them, especially for any device that can reach the internet. Even if a device is only accessible inside your network, don’t assume your perimeter defenses are perfect and your default accounts are therefore safe.
Item 3: Stop using single-factor authentication for remote access or admin accounts.
Two-factor authentication (TFA, sometimes also written as 2FA) is a great example of updating standards. Although TFA has been a general recommendation for a while now, CISA’s updates are the first time I’ve personally seen a government agency come out and straight up declare that TFA is the new standard and that not using it is considered bad practice.
You wouldn’t think the first two items would need to be restated, since they’ve been common security advice for a long time now, but the truth is they absolutely do need to be repeated. When I perform security audits I regularly find unsupported software still using default logins, which means the recommendation to use TFA was either unknown or often ignored even before it got upgraded to an agency standard. It’s a great demonstration of how easy it can be to fail to keep up with changing basic standards. After all, technology changes rapidly, and the bad guys do too. It’s easy to see how what’s accepted as basic computer security advice needs to change with the times or become worthless.
I’ll grab a line from Hamlet to round out today’s newsletter; “We know what we are, but know not what we may be.”
If you have any questions about proper computer security, please reach out to your TRINUS Account Manager for some stress-free IT.
Courtesy of your friendly neighbourhood Cyber-Man.