What is the best password strategy to pursue?

When it comes to passwords, there are a variety of opinions.

And that is the problem. Most people choose password is based on requirements brought forced to them by the system.

Still, on password breaches, data analysis shows that most passwords are very weak.

When asking user is why they choose week passwords the common answer is that they can’t remember complex passwords, and H presents too much of a challenge for them.

Yet even choosing a supposedly strong password based on requirements isn’t necessarily the best solution.

I could go into the mathematics of Y system required, strong passwords are weaker than actually choosing a common phrase that you can easily remember.

And that brings us to the solution to having a strong password, Which is not only easy to remember but is mathematically even more complex.

Take a phrase that you can easily remember: the sun is shining in my street at house number 17.

Running a brute force attack on the passphrase like that is very complex. Yet, it is very easy for you to remember because it’s going to be difficult to forget where you actually live.

This is obviously only and example. However, it shows that complex passwords don’t have to be complex and such a way that they are very difficult for a user to remember. Plus, the typing of such information is very easy.

Let me know what you think about this password strategy which is been around for quite a while.

Cyber insurance versus insurance companies

Getting cyber insurance cover is easy.

Getting cyber insurance coverage that is adequate and up to speed to current threats: totally different story.

Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products; mostly to customers who don’t need them.

So what’s up with that?

While ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in signing cyber insurance contracts.

During the negotiations however, it turns out that they generally ruled out e-commerce businesses.

The main argument was that an e-commerce business could fall victim to a denial of service attack.

My counter argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.

I went on to argue that denial of service attack’s are easily mitigated through various means; the most important one of which is a content distribution network.

Still, the insurance company wouldn’t budge.

Having close connections inside the insurance company I went ahead and looked at their exclusion list. And it was terrifying!

I ended up working with them to reduce the general exclusions, and softened up some of their strict policies towards certain types of businesses. And now, they are doing tremendously well and signing up risks, which are manageable.

Why is it important to have a BOYD policy

BOYD, or bring your own device describes the scenario in which an employee is encouraged to bring their own computer hardware to the office, and use it for productivity purposes.

Obviously, this has benefits for the company. The company does not need to invest into equipment for the employee to be productive. Also, the employee will be more familiar with their own hardware, then they would be with a computer or telephone provide it for them.

However, a bring your own device policy brings along certain risks.

The company will have less influence on the hygiene of the devices. Also, there are certain drawbacks in terms of control the company has over the device.

A majority of users will – if they bring their own device Dash feel as if the company has no influence on the device.

The most complex case of CEO Fraud… yet; and how to mitigate it.

CEO fraud was probably one of the most devious forms of cyber crime. Above that, it is the highest form of social engineering.

Do you know that feeling when you get to a project and you’re thinking: how in the hell could this have happened?

Recently happened to me in the form that I was called, and sitting in a helicopter being airlifted to a midsized organization in which The most complex case of the CEO Friday I’ve seen today it had happened.

In short: the perpetrators head injected malware into the email server of the organization, thereby being able to monitor both the CEOs and the CFO$ mailboxes permanently.

The CEO was about to contact to deal with an organization in London, and all of his itinerary was in his mailbox; even The telephone number of his hotel.

Long before this happened, the perpetrators had hired someone with a similar voice to that of the CEO, and above that spoke his native language. The CEO used Voice Memos frequently, which allowed the perpetrators to also copy a style of speaking.

The CEO arrived in London, and the deal did not come to fruition. However, the perpetrators called the CFO and the organization, and the impersonator they had hired claimed that the deal had in fact been signed.

The impersonator then gave the CFO the bank details upon which DCF I will execute the transfer of €25 million.

Upon the CEOs returned to the organization into the office A day later to see if I congratulated him to the deal closure.

The CEO then replied that the deal had not been closed, and the things started to unravel

The damage turned out mildly, and we put the necessary precautions and methodology is in place so that the kids like that can never repeat again; at least not with this organization.

Why it’s a good idea to isolate EOL applications/software with insufficient patches, and how to do it

Software and applications are the Achilles’ heel of the information technology; when they reach end of life which is inevitable, or when they are not updated in high enough frequency, protocol suggests to stop using them altogether.

However, a lot of applications are mission critical for an organization.

In this case, and as I have seen and applied in the wild, one of the ways to continue using them is to isolate them from the rest of the network.

Isolating specific pieces of software or applications from the rest of your IT environment is by running them inside dedicated virtual machines there by cutting them off from most of the rest of the network.