by Christian Boulet
If you follow computer news, you hear about security almost every day: major vulnerabilities, hacked sites, companies in danger, new methods to trap the unwary, and even antivirus software that some claim is completely useless. Your business is not the size of Target, Sony or Chase Morgan, but you can still ask yourself questions.
What should you do? How do you protect yourself?
And above all, why protect yourself? In fact, many people ask me: protect myself from "what"?
The first step, in my opinion, is to understand why passwords are so important. In the past, important files were "filed" in a locked binder. This binder was itself kept in a locked room, on company premises which were also locked. We protected ourselves from thieves but also from malicious employees. Sometimes security guards and camera surveillance were added to intimidate those with bad intentions. Then came a succession of electronic protection systems, each a little more complex than the last.
Finally, digital files appeared. Today, we want to ensure that only authorized persons have access to our files. To do this, we use a digital identity: the user code. But this information alone does not protect against unauthorized access: it must be verified that the person using this access code is really the right one, hence the famous password. Its distinguishing feature is that it is a secret only the user can know, at least in principle.
In a good system, even the server does not know the password: it stores only a fingerprint (a hash) of the password and compares it with the fingerprint of the password entered by whoever requests access. This is excellent protection, but it may be insufficient.
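As an added example (not from the original post), here is what that fingerprint comparison looks like in Python; the record layout and the iteration count are my own choices for the illustration:

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the original post: a server that never stores the
# password itself, only a salted, deliberately slow fingerprint (PBKDF2-SHA256).
# Record layout and iteration count are choices made for this illustration.

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what the server keeps: parameters, a random salt and the fingerprint."""
    salt = os.urandom(16) if salt is None else salt
    fingerprint = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"alg": "pbkdf2_sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt, "hash": fingerprint}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the fingerprint of the attempt and compare it in constant time."""
    fingerprint = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iter"]
    )
    # compare_digest avoids leaking where the two values first differ
    return hmac.compare_digest(fingerprint, record["hash"])


def same_password_different_records(password: str) -> bool:
    """Two users with the same password still get different stored fingerprints."""
    return make_record(password)["hash"] != make_record(password)["hash"]


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")
    print("stored:", stored["hash"].hex())      # the password itself is not here
    print("login ok:", verify(stored, "correct horse battery staple"))
    print("login ok:", verify(stored, "wrong password"))
```

If the stored records leak, an attacker gets only salts and slow hashes, which is why the post's advice to change a password everywhere it was reused still matters for sites that store passwords badly.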
In some cases, a second authentication factor is also requested: a one-time password (like the famous RSA SecurID token or the Google Authenticator code), or a secret question, for example. This second factor provides better protection in the event that the password is compromised. Today, all truly serious sites impose this type of security; take these methods seriously, they can save your identity.
In recent years, several companies and government agencies around the world have been hacked. Often, it is the complete list of user codes and passwords that has been stolen. Systematically, these companies urge their users to replace their passwords quickly. Your reflex should also be to replace that password everywhere it has been used. A good hacker will write a program able to test your code and password on all the well-known websites, such as Facebook, Gmail, Twitter, Netflix and even tou.tv ...
Their purpose is to gather all the information needed to steal your identity and then commit other petty crimes in your name or, worse, make transactions in your name.
Now that we know why, let's look at how to protect ourselves.
How to protect yourself
You must protect your identity and your financial information at all costs ...
There are of course the "traditional viruses", those that try to break your equipment, or do so by mistake ... But they have become marginal: install an antivirus, keep it up to date, and you are protected. That is not the case for identity theft. Against that you need to be vigilant, informed, cautious and, above all, understand the why and the how.
The first rule I propose is to "trust no one" a priori, that is, to observe TNO (Trust No One) as taught by Steve Gibson of Gibson Research (host of the Security Now podcast). This principle means that you must take steps to protect yourself at all times, because no one has earned your trust yet, and few ever will.
We usually start with passwords. Several techniques or rules can be used. I present two profiles that may inspire you.
The cautious user: they choose a limited number of passwords, for example 3, to be used according to the degree of protection each site deserves. The limited number of passwords simplifies the task, and the rules on their use limit the damage.
They will use the first password for all sites that hold no personal information (or very little), like Twitter or Pinterest. They will use another for moderate-risk sites like Facebook and Gmail. And the third will be reserved for their financial institution; I even recommend using a separate one for each bank or payment service like PayPal.
The more secure a site needs to be, the more complex the password will be and the more limited its use. This method has the advantage of reducing the risks: if one of the untrusted sites is hacked, the user need not worry that the criminal could use the same password to get into their banking site. By not trusting most sites, you protect your important information at the same time.
The paranoid user: they will never use the same password twice ... Two techniques can be used. The first is to build each password from a base plus the last 4 characters of the website name (e.g. "orce" for Multiforce.com, with "b0uBou" as the base).
The other technique is to use a password manager like Lastpass.com, which provides a secure vault for storing passwords and a small tool for generating strong passwords, and above all retrieves the right one when you visit a known site. That is the one I use.
What about sites that ask you to sign in through an external service, like Trello, which lets me authenticate with Google? I recommend doing so, provided the service in question (usually Google or Facebook) is protected by an excellent password and, if you are a little paranoid, by two-factor authentication. You will have peace of mind.
HOW TO PROTECT YOURSELF IN THE WORKPLACE
For this point, I will have to cover two situations: that of the employee and that of the employer ... Simply because they are sometimes in conflict ... The TNO principle applies even more here, because the information to be protected also belongs to the company. And all the personal rules apply here too.
The employee: they have the responsibility to protect the important information in their charge, but also to make sure not to inadvertently or recklessly pass on information that should remain private. I often take the example of health records. An employee who is responsible for transporting and storing patient health records should not leave a stack of files on the corner of a desk, especially where passers-by can reach it. This is important personal information to protect.
The same rules must apply in the digital world. It is clearly dangerous to share the password of a protected filing cabinet between several individuals, and even worse to leave a "post-it" on the screen with the password written on it in plain view ... You already know this, but many still do it.
Every employee has the responsibility to protect information; you do not want your salary information to end up on the "Internets" because of your actions (or inaction) ... We must remain vigilant, comply with the password replacement rules and adhere to company policies on file classification. Finally, when using the Internet at work, do not take risks, do not visit high-risk sites, and trust no one.
The employer: it must protect the personal information of its employees; this is an important responsibility. It must also protect certain business information, such as customer lists, technical drawings, contracts and important documents. We want to protect them against theft but also against destruction or modification.
Several books already cover the various protection methods to apply depending on the scenario. Senior management must be aware of the risks and must demand that the necessary methods be applied and documented. The first step is often to identify the classes of at-risk assets. By "asset", we mean property, which can be physical or digital.
The physical cabinet of client files is an at-risk asset; the accounting system in which employees' salary information is entered is also an at-risk asset. Once the risks have been identified, the protective measures often follow on their own. It is a matter of putting them in place and regularly validating that they are still respected and appropriate. We must also empower our employees, make them understand the risks and give them the means to put the appropriate protections in place.
I will always repeat it: be vigilant! Criminals have always used ever more complex means to gather the information that helps them commit their crimes.
Social engineering is a well-known method in which someone plays a role to obtain important information. I strongly suggest you read "The Art of Deception" by Kevin D. Mitnick, a very interesting book on this technique ...
And now, what will be your method for protecting your passwords?
Christian Boulet, Your IT Director