“I’ve Seen Things You People Wouldn’t Believe” – Mistakes on Fire; the Same Ones, Again and Again, and Yet Again…
It’s official: Time has finally caught up with “Blade Runner.” To be honest, we’ve gone past it a little, since it was set in November of 2019. We also went past “Back to the Future” (set in May of this year), so don’t go looking for Marty McFly anytime soon. All this ‘Timey-Wimey’ stuff can get a bit confusing and ‘Wibbly-Wobbly’ at times, to paraphrase the good Doctor. That should be enough pop culture references to finish off a Long Weekend in style, I’d say!
So, in a lot of organizations, computers are not properly understood. The role that they serve is grasped, because it’s easy to describe what you use them for, but that doesn’t mean that they are comprehended. Don’t for a moment think that I’m looking down on people who don’t understand computers. As a person with plenty of knowledge of their inner workings and machinations, I can tell you without a moment’s hesitation that computers are very complicated indeed…
The truth is, it’s okay not to understand them. Many who work in IT don’t, or they only grasp the portions they need to. So, given that even within the IT world not everyone fully groks computers, it’s no big surprise that Computer Security is also not wholly understood.
The hardest part about this job is watching people make the same mistakes, over and over. The advice to avoid this is out there and in abundance. It gets hard to watch and sometimes even disheartening.
Take the recent “hack” of the CRA accounts. I put the word hack in quotations because it’s hardly fair to call it a hack. The attackers got a list of usernames and passwords from somewhere (not the CRA) and just pointed that list at the website. As if by magic (or the fact that some people have missed the whole “don’t reuse passwords” thing), some of them worked. That’s all there was to it.
I figured, for today, I would put together a list of the three biggest and most often repeated mistakes that people make, which have a massive impact on overall Security:
Mistake #1: Re-using passwords
The advice here is clear. Don’t do it; just don’t. Why? Because CRA, because Tim Horton’s. I could list off half a dozen major “hacks” that only succeeded because people used the same password over and over and over.
The problem isn’t the advice, which is sound and proven. The trouble is people feel that having to remember multiple unique passwords is hard. If it’s tough, that means you’re choosing your passwords poorly. Here is some advice on this, to help change your perspective:
a) Don’t say or even think “Password.” Use “Passphrase” instead. – Why? Keep reading. It’ll become clear…
b) Passwords can be long… VERY long. – Windows allows passwords of up to 126 characters, and that is on the short side as maximum lengths go.
c) You can use full words. – Since you can use full words and they can be long, why not use a sentence instead?
d) Longer is better. – Randomly guessing a password gets exponentially more difficult the longer it is.
Okay, so let’s say you have to go to work and they force you to change your passwords all the time. If we take all 4 pieces of information into account, then here’s a suggestion for a passphrase that could work:
This is the 3rd time they made me change my password in 2020!
– Upper case letters? Check!
– Lower case letters? Check!
– Numbers? Check!
– Extended symbols? Check!
– Length over the minimum amount? Well, at just over 60 characters, that’s a big Check!
– Easy to remember? Check!
The next time I need to change it, I can just adjust the number to how many times I have updated my passphrase (1st) and the year (2021), and it’s a whole new passphrase. This type of pattern would be perfect, and I could make good use of it for several consecutive password resets and still be secure. Sooner or later though, I’ll need to think of a new pattern. So, how about:
I’ve got a fresh pattern for this 1st password reset in 2021
Well, I shortened it slightly to 60 characters (since there’s no need for the !), so I’ve reduced the Security I suppose, but it’s still secure and I have a new pattern I could use for the next couple of password resets.
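Putting the checklist and the “longer is better” argument into code, as an added example that is not from the original post: `checklist` mirrors the five machine-checkable ticks above, and `guess_space_bits` is the random-guessing search space from point (d), computed from the character classes the phrase actually uses. The minimum length and the 33-character symbol alphabet are my assumptions; the two passphrases are the ones from the post, with a straight apostrophe for portability.

```python
import math
import string

# Assumed minimum length; the post leaves the actual policy minimum unstated.
MIN_LENGTH = 12
# Symbol class assumed to be printable ASCII punctuation plus space (33 chars).
SYMBOLS = set(string.punctuation + " ")

def checklist(phrase: str, min_length: int = MIN_LENGTH) -> dict:
    """Mirror the post's checklist: which ticks does the phrase earn?"""
    return {
        "upper": any(c.isupper() for c in phrase),
        "lower": any(c.islower() for c in phrase),
        "number": any(c.isdigit() for c in phrase),
        "symbol": any(not c.isalnum() for c in phrase),
        "length": len(phrase) >= min_length,
    }

def alphabet_size(phrase: str) -> int:
    """Size of the character set a blind guesser must cover, given the
    classes the phrase uses: 26 lower + 26 upper + 10 digits + 33 symbols."""
    size = 0
    size += 26 if any(c.islower() for c in phrase) else 0
    size += 26 if any(c.isupper() for c in phrase) else 0
    size += 10 if any(c.isdigit() for c in phrase) else 0
    size += len(SYMBOLS) if any(not c.isalnum() for c in phrase) else 0
    return size

def guess_space_bits(phrase: str) -> float:
    """log2 of the candidates a random guesser must try (alphabet ** length),
    so every extra character adds log2(alphabet) bits. This is the brute-force
    figure from point (d); it says nothing about someone who already knows
    the pattern behind the phrase."""
    return len(phrase) * math.log2(alphabet_size(phrase))

# The two phrases from the post next to a short "complex" password.
EXAMPLES = [
    "This is the 3rd time they made me change my password in 2020!",
    "I've got a fresh pattern for this 1st password reset in 2021",
    "P@ssw0rd",
]

if __name__ == "__main__":
    for p in EXAMPLES:
        ticks = checklist(p)
        print(f"{len(p):3d} chars, {guess_space_bits(p):6.1f} bits, "
              f"{sum(ticks.values())}/{len(ticks)} ticks: {p}")
```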
The same logic is true for passwords in your personal life. Ask yourself a simple question: “Is the information at the location I’m logging into important?” If the answer is “yes”, then figure out a unique phrase that you can use for the login; something easy to remember and associate with that location. My rule of thumb is anything to do with finance, like a bank or tax refund, or a bill, gets its own special passphrase. At the end of the day, not a lot of the places I go to fall into this category, and because I use them often, the phrases are easy to remember. If it’s something useless (like Facebook), then I have a standard junk password that I use for all those logins.
Mistake #2: Using Administrator Privileges for everyday logins
I see this on home computers all the time. Usually it’s because that’s how the computers are handed to people, and they don’t know enough about them to check. The only reason they are distributed like this is because nobody wants to deal with someone who doesn’t understand computers being upset because “the machine they just purchased won’t install Flash without asking for a password and it’s such a hassle and it should just work properly” and so on…
What they say they want is Security, but what they expect is convenience. These two ideologies are almost in direct opposition to each other. The amount of Security you can get without impacting convenience is very limited. So limited, that it is almost non-existent. The trick is balancing things properly and getting decent Security, with a minimum of inconvenience.
I also see Admin users used all the time in a business setting. Now, in that sort of environment there’s no excuse for Administrators wildly running around all over the place. You have an IT person / department. It’s the job of IT to administer and take care of the computers. If you’re not in IT, then there are precious few reasons why you should ever be an Administrator to begin with. That being said, anyone who needs to have an Administrator account should get one. However, this means that user now has two accounts.
The first one is their day-to-day account. It’s used when they sit at their desk and log in to perform normal activities, like checking email and stuff. If they need to do something that requires Admin level privileges, then they make use of that second account. This is true not just for Windows, but for network devices (like Firewalls, switches, etc.); they have multiple levels of user access as well. If someone just needs to log in and look around (for an audit, for example), they don’t need a user account capable of making changes.
The amount of damage that could be done, and the speed at which it could happen, simply because a user is an Administrator, is not to be underestimated. Caution should be exercised, and this level of access should be severely limited and closely monitored. The devices that these people are working on do not belong to them; they belong to the organization.
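An audit of the two-account rule, as an added example that is not from the original post: it parses a membership listing of the local Administrators group (the layout `net localgroup Administrators` prints on Windows, reproduced here as a constructed sample) and reports every member that looks like a day-to-day account rather than a designated admin account. The `-adm` naming convention for the second account is my assumption.

```python
# Constructed sample in the layout `net localgroup Administrators` prints.
SAMPLE_LISTING = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
bob-adm
CORP\\Domain Admins
carol
The command completed successfully.
"""

# Assumed convention: a person's admin account is "<name>-adm". The built-in
# account and the domain group are left alone by this audit.
ADMIN_SUFFIX = "-adm"
IGNORED = {"Administrator", "Domain Admins"}

def parse_members(listing: str) -> list:
    """Return the member names between the dashed rule and the closing line."""
    members, in_members = [], False
    for line in listing.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members

def everyday_accounts_with_admin(listing: str) -> list:
    """Members of Administrators that look like day-to-day accounts:
    not the built-in account, not a known group, not named with the suffix."""
    flagged = []
    for member in parse_members(listing):
        name = member.split("\\")[-1]   # drop a DOMAIN\ prefix if present
        if name in IGNORED or name.endswith(ADMIN_SUFFIX):
            continue
        flagged.append(member)
    return flagged

if __name__ == "__main__":
    for m in everyday_accounts_with_admin(SAMPLE_LISTING):
        print(f"day-to-day account sitting in Administrators: {m}")
```

On a real machine, feed it the actual command output instead of the sample and review the flagged names with whoever owns the desktop build.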
Mistake #3: Leaving Security devices and software unguarded
This is done all.the.time! All day, every day, just about everywhere. I know this. You know this. The bad guys know this (and count on it). It’s probably the most common and simplest mistake that an outfit can possibly make. They put in a Firewall, install Anti-Malware software, and say: “Good job everyone.” After they are set up, those things only get any attention if they cause a problem or the right person gets a notification about a subscription expiry.
Keep an eye on your Security. Why? To make sure it’s still secure, obviously! When an organization puts in an alarm system, they make sure to contract a service to monitor it as well. They do that to ensure that if a problem is detected, there’s someone to respond to it. The same logic is true when it comes to your Computer Security. If you don’t keep an eye on it, how do you know it’s still working properly, or that there’s not a problem? The answer is: You just don’t.
So, if you don’t know whether your Computer Security is still working, then what was the point in paying for it in the first place? Any form of Security requires some level of human monitoring, to make sure that someone hasn’t found a way in. Let me say that again for the people sitting in the back: ANY form of SECURITY REQUIRES some level of HUMAN MONITORING to make sure that someone hasn’t found a way in. As any good thief knows, the easiest time to get in is usually when the owner’s back is turned.
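The “keep an eye on it” point reduced to a minimal check, added here as an example rather than anything from the post: given a status feed from the firewall and the anti-malware agents (a constructed sample; real consoles export this in their own formats), it raises an alert for anything that has stopped checking in, is running stale signatures, or has a subscription about to lapse. The thresholds and the field names are my assumptions.

```python
from datetime import date, datetime, timedelta

# Assumed thresholds: a device silent for over a day, signatures older than
# three days, or a subscription lapsing within 30 days all warrant a look.
MAX_SILENCE = timedelta(hours=24)
MAX_SIGNATURE_AGE = timedelta(days=3)
EXPIRY_WARNING = timedelta(days=30)

# Constructed status records, as a console export might provide them.
STATUS = [
    {"name": "fw-edge-01", "kind": "firewall", "last_seen": "2020-09-07T08:55:00",
     "signatures": "2020-09-07", "expires": "2021-03-01"},
    {"name": "pc-reception", "kind": "anti-malware", "last_seen": "2020-09-01T17:10:00",
     "signatures": "2020-09-01", "expires": "2020-12-31"},
    {"name": "srv-files", "kind": "anti-malware", "last_seen": "2020-09-07T09:02:00",
     "signatures": "2020-08-30", "expires": "2020-09-20"},
]
# Fixed "now" so the run is reproducible; use datetime.now() in practice.
NOW = datetime(2020, 9, 7, 9, 30)

def check_device(rec: dict, now: datetime) -> list:
    """Return the alerts (possibly none) that one status record raises."""
    alerts = []
    last_seen = datetime.fromisoformat(rec["last_seen"])
    if now - last_seen > MAX_SILENCE:
        alerts.append(f"{rec['name']}: no check-in since {rec['last_seen']}")
    sig_age = now.date() - date.fromisoformat(rec["signatures"])
    if sig_age > MAX_SIGNATURE_AGE:
        alerts.append(f"{rec['name']}: signatures {sig_age.days} days old")
    remaining = date.fromisoformat(rec["expires"]) - now.date()
    if remaining <= EXPIRY_WARNING:
        alerts.append(f"{rec['name']}: subscription expires in {remaining.days} days")
    return alerts

def review(records: list, now: datetime) -> dict:
    """Map each device with problems to its alerts; an empty dict means all quiet."""
    findings = {}
    for rec in records:
        alerts = check_device(rec, now)
        if alerts:
            findings[rec["name"]] = alerts
    return findings

if __name__ == "__main__":
    for name, alerts in review(STATUS, NOW).items():
        for a in alerts:
            print("ALERT", a)
```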
If you are currently doing any of these three things, stop. Don’t do them anymore. The improvement to your overall Security posture and the reduction to your risk will be immeasurable. The amount of effort it takes is insignificant. Mostly, it’s down to just a change of habits. Monitoring could potentially take some effort, depending on the size of your organization, but that can be mitigated by purchasing the appropriate Anti-Malware software in the first place.
If you have any questions about Computer Security, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.