What is the best password strategy to pursue?

When it comes to passwords, there are a variety of opinions.

And that is the problem. Most people choose passwords based on requirements forced on them by the system.

Still, data analysis of password breaches shows that most passwords are very weak.

When asking users why they choose weak passwords, the common answer is that they can’t remember complex passwords, and that this presents too much of a challenge for them.

Yet even choosing a supposedly strong password based on requirements isn’t necessarily the best solution.

I could go into the mathematics of why system-required strong passwords are weaker than actually choosing a common phrase that you can easily remember.

And that brings us to the solution to having a strong password, which is not only easy to remember but is mathematically even more complex.

Take a phrase that you can easily remember: the sun is shining in my street at house number 17.

Running a brute-force attack on a passphrase like that is very complex. Yet, it is very easy for you to remember, because it’s going to be difficult to forget where you actually live.

This is obviously only an example. However, it shows that complex passwords don’t have to be complex in such a way that they are very difficult for a user to remember. Plus, typing such information is very easy.
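To put numbers on the "mathematically even more complex" claim, here is an added example (not part of the original post) that compares the search space of a requirement-style 8-character password with that of the sample phrase above. The attacker model is an assumption: a word list of 5000 words and an offline guessing rate of ten billion guesses per second; the vocabulary size and rate are illustrative, not measured.

```python
import math

# Sample phrase taken from the post; the vocabulary size and guess rate are
# assumptions for illustration, not measured values.
SAMPLE_PHRASE = "the sun is shining in my street at house number 17"
ASSUMED_VOCAB = 5000          # words an attacker would put in a word list
GUESSES_PER_SECOND = 1e10     # assumed offline cracking rate against a fast hash


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Search space of a password drawn from `charset_size` symbols, in bits:
    every position is independent, so it is length * log2(charset_size)."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, vocab_size: int, extra_bits: float = 0.0) -> float:
    """Search space when the attacker guesses word by word from a list of
    `vocab_size` words; `extra_bits` covers numbers or other add-ons."""
    return words * math.log2(vocab_size) + extra_bits


def passphrase_bits_from_text(phrase: str, vocab_size: int = ASSUMED_VOCAB) -> float:
    """Model a phrase as dictionary words plus digit groups: each alphabetic
    token is one pick from the word list, each digit is one pick from 0-9."""
    tokens = phrase.split()
    words = sum(1 for tok in tokens if tok.isalpha())
    digits = sum(len(tok) for tok in tokens if tok.isdigit())
    return passphrase_entropy_bits(words, vocab_size, extra_bits=digits * math.log2(10))


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space at the given rate (an upper bound; on
    average the password falls after half the space has been searched)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Requirement-style 8-character password over the 95 printable ASCII
    symbols versus the sample phrase guessed word by word."""
    policy_bits = charset_entropy_bits(8, 95)
    phrase_bits = passphrase_bits_from_text(SAMPLE_PHRASE)
    return {
        "policy_password_bits": policy_bits,
        "policy_password_years": years_to_exhaust(policy_bits),
        "passphrase_bits": phrase_bits,
        "passphrase_years": years_to_exhaust(phrase_bits),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>24}: {value:,.2f}")
```

The 8-character policy password comes out at roughly 52.6 bits, which at the assumed rate is exhausted in days; the phrase comes out at roughly 129.5 bits even when the attacker is allowed to guess whole words rather than characters. The caveat is that these figures depend on the attacker's model: a phrase that is a famous quote collapses to a single entry in a quote list, which is why a personal phrase, as in the post, is the better choice.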

Let me know what you think about this password strategy, which has been around for quite a while.

Removable media control, endpoint security and the problem of transportability of data

One of the major problems in the digital age is the transportability of data. Even large quantities of files and papers can be moved on a device smaller than a coin. Therefore, removable media control is one of the essential things to include in your cyber security risk assessment.

One of the countermeasures was the trend towards endpoint security, meaning that computers and servers were locked down in such a way that files cannot be copied to mobile devices and taken out of the office.

Approximately 10 years ago I served on a project in which the lack of endpoint security led to significant damage to the company. The client was a large law firm with a global footprint, and had repeatedly become the victim of extortion of employees who were pressured into retrieving sensitive data from the organization’s systems.

What we ended up doing was not only implementing an endpoint security scheme but going one step further and making the general moving of files much more difficult, without limiting business operations.

Our solution was to make files available on the company server without making them copyable by any means. Obviously, 100% security could never be guaranteed, but the point of the operation was that extracting a file with sensitive information from the corporate server was made much more difficult.

Specifically, this meant that files which were shared with employees or third parties were opened in a browser and could only be sent via link. The link would open the file for review, but classified files could not be downloaded, copied, or otherwise removed from the system.
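One way to implement the "send via link, view in the browser" part of that scheme is a signed, expiring link that names the file and the recipient, so the file itself never leaves the server and a forwarded or altered link is refused. The following is an added example, not the code from the law-firm project; the secret key, the viewer URL and the query parameter names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: a server-side secret (in practice from a key
# store, rotated) and the address of the in-browser viewer.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
VIEWER_BASE = "https://docs.example.internal/view"


def _signature(file_id: str, recipient: str, expires_at: int, key: bytes) -> str:
    """HMAC-SHA256 over every field the link carries, so none of them can be
    altered without the server noticing."""
    message = f"{file_id}|{recipient}|{expires_at}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_share_link(file_id: str, recipient: str, expires_at: int,
                    key: bytes = SECRET_KEY, base: str = VIEWER_BASE) -> str:
    """Build a link that opens one file, for one recipient, until `expires_at`
    (Unix time). Only identifiers travel in the link, never the content."""
    query = urlencode({
        "f": file_id,
        "u": recipient,
        "exp": expires_at,
        "sig": _signature(file_id, recipient, expires_at, key),
    })
    return f"{base}?{query}"


def verify_share_link(url: str, key: bytes = SECRET_KEY,
                      now: Optional[float] = None) -> bool:
    """Accept the link only if all fields are present, it has not expired and
    the signature matches (constant-time comparison)."""
    params = parse_qs(urlparse(url).query)
    try:
        file_id = params["f"][0]
        recipient = params["u"][0]
        expires_at = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    current = time.time() if now is None else now
    if current >= expires_at:
        return False
    expected = _signature(file_id, recipient, expires_at, key)
    return hmac.compare_digest(expected, sig)


def view_only_headers() -> dict:
    """Response headers for the viewer page: render inline rather than as an
    attachment, and keep the rendered copy out of browser and proxy caches."""
    return {
        "Content-Disposition": "inline",
        "Cache-Control": "no-store",
        "X-Content-Type-Options": "nosniff",
    }
```

The viewer endpoint would call `verify_share_link` on every request, look up whether the recipient is still entitled to the file, and stream a rendered view with `view_only_headers()`. As the post says, this is not 100%: a determined user can still photograph the screen or scrape the rendered view, so the link scheme raises the cost of extraction rather than eliminating it.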

While this didn’t entirely solve the problem, it took the edge off, and made it possible for the technical personnel to sleep a bit more comfortably.

Cyber insurance versus insurance companies

Getting cyber insurance cover is easy.

Getting cyber insurance coverage that is adequate and up to speed with current threats: totally different story.

Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products; mostly to customers who don’t need them.

So what’s up with that?

A while ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in signing cyber insurance contracts.

During the negotiations, however, it turned out that they generally ruled out e-commerce businesses.

The main argument was that an e-commerce business could fall victim to a denial of service attack.

My counter argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.

I went on to argue that denial of service attacks are easily mitigated through various means, the most important of which is a content distribution network.

Still, the insurance company wouldn’t budge.

Having close connections inside the insurance company I went ahead and looked at their exclusion list. And it was terrifying!

I ended up working with them to reduce the general exclusions, and softened up some of their strict policies towards certain types of businesses. And now they are doing tremendously well and signing up risks which are manageable.

Cyber Insurance: What is a DDoS attack and how to mitigate it?

I don’t know how often I have had to answer the question of what a DDoS attack is. Yet one of the most prominent occasions was when I was confronted by an insurance company offering cyber insurance products.

Together with a friend I run a cyber insurance brokerage. Obviously, the clients have to be signed by the insurance company. The products most of the companies have are crap.

And if they are not, their underwriting policies are… well, worth getting used to.

A client of mine operates a rather large e-business, particularly an e-commerce shop.

Like pretty much all of the e-commerce sites, this one was also concerned about the safety of their site, and wanted insurance if they got taken down.

We did my famous analysis of their operation and ruled out most of the obvious risks.

This would give me an easier stance trying to pitch it to the insurance company.

Nonetheless, the first thing the genius underwriter tells me, with a frown on his face, is that the risk is not coverable because it’s an e-commerce operation relying too heavily on the income from the website.

His main argument, however, was that the risk of a DDoS attack was too big, before resting his case, and trying to send me off.

I asked him if he was even aware of what a DDoS attack was, upon which a large discussion erupted which was mainly focussed on me having crushed his ego.

However, it was fruitful from the angle that I was able to find a “noob” explanation of the issue, which I outlined by explaining to him that it was like a million people trying to exit an aircraft after it had landed, and all of them had to fit through the door (very short version).

Against all odds, he understood what I was trying to convey to him; yet now came the bigger problem… explaining the solution for fighting off a DDoS attack.

You see, probably one of the easiest things to do is to put a content distribution network in front of your operation. A CDN will take malicious traffic and deal with it differently than with legitimate traffic coming to a site.

So: bye bye DDoS attacks.

I told him that we could make this a prerequisite for the client to receive insurance coverage… yet the discussion had already crashed and burned.
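As an added illustration (not from the original post) of what "dealing with malicious traffic differently" means at the edge, here is a per-client token-bucket limiter of the kind a CDN or reverse proxy applies before requests reach the shop. The traffic is constructed: one shopper browsing at one request per second and one source hammering the checkout page 50 times within a second and a half; the rate and burst values are assumptions.

```python
from typing import Dict, List, Tuple

# All arithmetic uses integers (milliseconds and milli-tokens) so the
# decisions are exact and reproducible.
MILLI = 1000


class TokenBucket:
    """Per-client budget: `burst` requests may arrive at once, after which the
    client is served at `rate` requests per second."""

    def __init__(self, rate: int, burst: int) -> None:
        self.rate = rate                       # tokens refilled per second
        self.capacity = burst * MILLI          # bucket size in milli-tokens
        self.tokens = self.capacity            # start full
        self.last_ms = -1                      # time of the previous request

    def allow(self, now_ms: int) -> bool:
        if self.last_ms >= 0:
            # rate tokens/s == rate milli-tokens/ms
            refill = (now_ms - self.last_ms) * self.rate
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= MILLI:
            self.tokens -= MILLI
            return True
        return False


def filter_requests(requests: List[Tuple[int, str, str]], rate: int = 5,
                    burst: int = 10) -> List[Tuple[int, str, str, bool]]:
    """Decide each (time_ms, client, path) request in time order; a client
    that exhausts its bucket is answered from the edge and never reaches
    the origin."""
    buckets: Dict[str, TokenBucket] = {}
    decisions = []
    for t_ms, client, path in sorted(requests):
        bucket = buckets.setdefault(client, TokenBucket(rate, burst))
        decisions.append((t_ms, client, path, bucket.allow(t_ms)))
    return decisions


def summarize(decisions) -> Dict[str, Tuple[int, int]]:
    """Per client: (requests passed to the origin, requests dropped)."""
    counts: Dict[str, Tuple[int, int]] = {}
    for _, client, _, allowed in decisions:
        passed, dropped = counts.get(client, (0, 0))
        counts[client] = (passed + 1, dropped) if allowed else (passed, dropped + 1)
    return counts


# Constructed traffic (documentation addresses, not real clients).
LEGIT = [(1000 * i, "203.0.113.10", "/product/42") for i in range(10)]
FLOOD = [(30 * i, "198.51.100.77", "/checkout") for i in range(50)]

if __name__ == "__main__":
    for client, (passed, dropped) in summarize(filter_requests(LEGIT + FLOOD)).items():
        print(f"{client:>15}: {passed} passed, {dropped} dropped at the edge")
```

With these parameters the shopper's ten requests all pass, while the flooding source gets 17 through and has 33 absorbed at the edge. A real CDN adds what a single limiter cannot: many edge locations so that no one link saturates, and caching so that most legitimate requests never reach the origin at all.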


Why is it important to have a BYOD policy

BYOD, or bring your own device, describes the scenario in which an employee is encouraged to bring their own computer hardware to the office and use it for productivity purposes.

Obviously, this has benefits for the company. The company does not need to invest in equipment for the employee to be productive. Also, the employee will be more familiar with their own hardware than they would be with a computer or telephone provided for them.

However, a bring your own device policy brings along certain risks.

The company will have less influence on the hygiene of the devices. Also, there are certain drawbacks in terms of control the company has over the device.

A majority of users will, if they bring their own device, feel as if the company has no influence on the device.

Why it’s a good idea to isolate EOL applications/software with insufficient patches, and how to do it

Software and applications are the Achilles’ heel of information technology: when they reach end of life, which is inevitable, or when they are not updated frequently enough, protocol suggests stopping their use altogether.

However, a lot of applications are mission critical for an organization.

In this case, and as I have seen and applied in the wild, one of the ways to continue using them is to isolate them from the rest of the network.

One way of isolating specific pieces of software or applications from the rest of your IT environment is to run them inside dedicated virtual machines, thereby cutting them off from most of the rest of the network.
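"Cutting them off from most of the rest of the network" in practice means an allowlist: the EOL application's VM may reach the handful of systems it still needs, and nothing else may reach it except an administrative jump host. The following added example (not from the post) keeps that allowlist as data, answers "is this connection permitted?" against it, and renders it as an nftables ruleset for the hypervisor host that bridges the VM's traffic. The addresses, ports and table name are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class Flow:
    """One permitted connection for the isolated VM."""
    direction: str   # "out": VM initiates; "in": a peer reaches the VM
    peer: str        # host address or CIDR on the other side
    proto: str       # "tcp" or "udp"
    port: int        # destination port


# Constructed addresses: the EOL application VM and the few things it still
# needs. Everything not listed here is dropped and logged.
EOL_VM = "10.10.50.5"
ALLOWED: List[Flow] = [
    Flow("out", "10.10.20.7", "tcp", 1433),    # legacy app -> its database
    Flow("out", "10.10.20.0/24", "udp", 53),   # resolvers on the server VLAN
    Flow("in", "10.10.1.10", "tcp", 3389),     # admin jump host -> VM console
]


def is_allowed(direction: str, peer: str, proto: str, port: int,
               rules: Iterable[Flow] = ALLOWED) -> bool:
    """Policy check: is there an allowlist entry matching this connection?"""
    addr = ip_address(peer)
    return any(
        r.direction == direction and r.proto == proto and r.port == port
        and addr in ip_network(r.peer, strict=False)
        for r in rules
    )


def nft_ruleset(vm: str = EOL_VM, rules: Iterable[Flow] = ALLOWED,
                table: str = "eol_isolation") -> str:
    """Render the allowlist as an nftables forward chain. Replies to accepted
    flows pass; the two trailing rules make default-deny apply to the VM only,
    so other forwarded traffic on the host is left alone."""
    lines = [
        f"table inet {table} {{",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        ct state established,related accept",
    ]
    for r in rules:
        if r.direction == "out":
            lines.append(f"        ip saddr {vm} ip daddr {r.peer} {r.proto} dport {r.port} accept")
        else:
            lines.append(f"        ip saddr {r.peer} ip daddr {vm} {r.proto} dport {r.port} accept")
    lines += [
        f'        ip saddr {vm} log prefix "eol-vm-out " drop',
        f'        ip daddr {vm} log prefix "eol-vm-in " drop',
        "    }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

The rendered text can be written to a file and loaded with `nft -f`; the logged drops are worth watching for a few weeks after isolation, because they reveal dependencies of the legacy application that nobody documented. The VM's own vulnerable services remain vulnerable; the isolation limits who can reach them, which is the point of the exercise.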

Why you don’t want your RJ-45 sockets available in the wild

A few weeks ago I had friends visiting from Thailand. Being the good host I try to be, I took them on a variety of sightseeing tours; one of them was inevitably to one of the castles around here.

While we were strolling through the facility I couldn’t help but see a wire running throughout the complex, which obviously didn’t exist back in the 1800s.

Lo and behold it was a network cable.

This network cable was not only connected to the sprinkler system and the fire alarms, the exit signs and the alarm system; it was also the same cable that ran to the cashier. Meaning that the entire network infrastructure was exposed to interception.

Technically, it would be possible to separate the cable and install a device which will give you permanent access to the network.

As if this wasn’t bad enough, I found at least half a dozen RJ-45 sockets throughout the complex which would have made my work even easier, had I been a criminal.

It’s important to understand that these sockets were at locations where I would have been undisturbed for hours.

After this startling experience I kept my eyes open for rogue RJ-45 sockets in the wild.

A few days after the visit I mentioned, I had to go to a public administration building, and what was the first thing that smiled at me? Right! Another rogue RJ-45 socket.

Now, unless you have very specific MAC address filtering in place, rogue sockets will allow criminals to get a very good scan of your organization. Even if access to systems is limited, it would still be possible to conduct a scan of the network, which would reveal devices that are vulnerable and allow for penetration of the network through such a device.

While this may seem obvious to a lot of us, there are obviously a lot of people out there in our profession who do not take such vulnerabilities as a given fact.

Therefore, I dedicated an entire part of my cyber security risk assessment checklist not only to rogue RJ-45 sockets in the wild, but also to their placement, the mapping of the placement in case someone tampers with the box, and a variety of other issues.
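The placement mapping the checklist asks for is only useful if something reads it. As an added example (not the post's checklist or any vendor's tooling), here is detection logic that runs over MAC-learning events from a switch and raises a finding when a device appears on a socket in a public area, on a port documented as unused, or on a port that is not in the placement map at all. The log format, switch name, port map and MAC addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed generic log format (not any vendor's real syntax):
#   <timestamp> <switch> MAC-LEARN port <port> mac <mac> vlan <vlan>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) MAC-LEARN port (?P<port>\S+) "
    r"mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) vlan (?P<vlan>\d+)$"
)

# Constructed placement map: (switch, port) -> (physical location, class).
# This is the "mapping of the placement" the checklist calls for.
PORT_MAP: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("sw-castle-01", "Gi1/0/3"): ("ticket desk, behind the cashier", "staff"),
    ("sw-castle-01", "Gi1/0/24"): ("east corridor wall box", "public-area"),
    ("sw-castle-01", "Gi1/0/25"): ("storeroom", "unused"),
}

# Constructed inventory of devices that are expected on the network.
KNOWN_MACS: Dict[str, str] = {
    "02:00:00:00:00:a1": "cashier-pc-01",
    "02:00:00:00:00:b2": "fire-panel-01",
}

# Constructed sample log: one normal event, then four that should be flagged,
# then a line of a different type that the parser must skip.
SAMPLE_LOG = """\
2024-03-02T10:15:01 sw-castle-01 MAC-LEARN port Gi1/0/3 mac 02:00:00:00:00:a1 vlan 10
2024-03-02T10:15:03 sw-castle-01 MAC-LEARN port Gi1/0/24 mac 02:00:00:00:00:c3 vlan 10
2024-03-02T10:15:09 sw-castle-01 MAC-LEARN port Gi1/0/25 mac 02:00:00:00:00:b2 vlan 20
2024-03-02T10:16:40 sw-castle-01 MAC-LEARN port Gi1/0/3 mac 02:00:00:00:00:d4 vlan 10
2024-03-02T10:17:02 sw-castle-01 MAC-LEARN port Gi1/0/40 mac 02:00:00:00:00:a1 vlan 10
2024-03-02T10:17:05 sw-castle-01 LINK-UP port Gi1/0/24
"""


@dataclass
class Finding:
    port: str
    location: str
    mac: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a MAC-LEARN line, or None for anything else."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def assess(event: dict, port_map=PORT_MAP, known=KNOWN_MACS) -> Optional[Finding]:
    """Apply the placement and inventory rules to one event."""
    key = (event["switch"], event["port"])
    mac = event["mac"]
    if key not in port_map:
        return Finding(event["port"], "UNMAPPED", mac,
                       "port not in placement map; socket location unknown")
    location, port_class = port_map[key]
    if port_class == "unused":
        return Finding(event["port"], location, mac,
                       "activity on a port documented as unused (should be shut down)")
    if mac not in known:
        if port_class == "public-area":
            return Finding(event["port"], location, mac,
                           "unknown device on a socket in a publicly accessible area")
        return Finding(event["port"], location, mac, "unknown MAC address on staff port")
    return None


def review(log_text: str) -> List[Finding]:
    """Run every parseable event through the rules and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        finding = assess(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.port:<9} {f.location:<34} {f.mac}  {f.reason}")
```

On the sample log this yields four findings: the unknown device on the corridor socket, traffic on the storeroom port that should have been shut down, an unknown MAC at the ticket desk, and a port nobody mapped. MAC-based checks are a detective control and can be fooled by a cloned address; the preventive counterparts are shutting down unused ports and putting 802.1X port authentication on the rest, with the placement map telling you which physical box each alert refers to.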

Contact me if you’d like to get a copy of my checklist for your work.