This information is important to you if you use a browser and an internet connection to gain access to a service that contains information related to you, your friends, colleagues and your connections. This applies to services such as Office 365, Google G-Suite, Dropbox, Facebook, LinkedIn, Netflix, Snapchat, Slack and others. Which is pretty much everyone these days!
If you:
- do not use a password generator to generate your passwords (and consequently a password manager to store them), or
- do not know what multi-factor authentication (MFA) is, or do not use it, or
- are not one of the lucky users using a single sign-on (SSO) service,
then you need to read this and act.
What Has Changed?
Or, in other words, why has the good old password suddenly become so ineffective? Without starting at the Big (Internet) Bang and working forward, it is a numbers game.
- The number of cloud-based services we use for work and play on a daily basis has more than doubled in the last three years. This means that on average our credentials (usually an email address and password) are stored in twice as many company databases, we have twice as many to remember, and there are twice as many places where stolen credentials can be used against us.
- The number of username and password records exposed through data breaches of these and other companies' databases has also grown massively. The numbers are hard to quantify; however, a Google search for "data breach records" leaves no doubt.
Check for yourself if your email address was exposed in one of the known data breaches so far using this site https://haveibeenpwned.com/.
This all means that the probability that your good old credentials (email address and password) have been exposed to cyber criminals has increased significantly, and the chance of those credentials being used for criminal activity against you or your associates has consequently increased to the point where continuing to ignore the risk is, at the very least, reckless behaviour.
"There is nothing there to steal!"
There is. Your identity and reputation. The people you communicate and share information with get to know you, trust you and recognise the way you communicate. Imagine if a criminal could initiate and carry on a conversation with a friend or colleague through one of your communication services without your knowledge. How much information of value could they extract by leveraging your hard-earned trust with the person at the other end?
Real world example
This happened recently to an associate.
- Small business with four users
- Office 365 email account
- Using a nine-character password with three character types
- Criminal using a hacked computer located in Sydney, Australia, thereby avoiding the geographic login alerts that are a basic protection used by many business-class cloud services.
- The first 45 minutes
  - Criminal successfully logs in and sends a test email
  - The criminal then gathers close to 500 email addresses from contacts and sent items in just under 40 minutes and sets up inbox rules in the web email client to hide conversations on this and related topics from the account owner.
  - The criminal then sends an email, using the victim's identity, to the stolen email addresses (in the space of 15 seconds) with a link to a malicious credential capture site (a hacked website in the USA)
  - The criminal then uses a second hacked connection (again a connection in Sydney) and the victim's identity (and reputation!) to carry on conversations with the original recipients who respond (just over 10%), attempting to have them unknowingly surrender their account credentials by logging into the hacked website (in a vain attempt to open the fictitious document).
- The next 45 minutes
  - Source of the hack is confirmed, the victim's access is disabled and all active logins are reset.
- After-event clean-up (over several days)
  - Investigations are then initiated, taking several hours before services are returned to normal
- Account owner and other employees
  - An estimated 16 to 20 man hours unable to access email and documents
  - Several days answering emails and calls from recipients of the emails
- IT support charges for remediation and investigation (>$1,000)
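The two tell-tale steps in this incident, an inbox rule that hides replies from the owner and a burst of outbound mail to hundreds of addresses, are exactly what a mailbox audit trail can surface. The following is an added example (not from the original post or from any vendor's tooling) of that detection logic run over constructed events; the event shape, field names, rule name and folder are assumptions, not real log output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (invented values, loosely modelled on a mailbox
# audit trail): (timestamp, user, operation, details). Not real Office 365 output.
SAMPLE_EVENTS = [
    ("2019-05-02T09:02:11", "owner@example.com", "UserLoggedIn", {"ip": "203.0.113.45"}),
    ("2019-05-02T09:03:40", "owner@example.com", "Send", {"recipients": 1}),
    ("2019-05-02T09:41:05", "owner@example.com", "New-InboxRule",
     {"name": ".", "actions": ["MoveToFolder:RSS Feeds", "MarkAsRead"]}),
    ("2019-05-02T09:42:00", "owner@example.com", "Send", {"recipients": 120}),
    ("2019-05-02T09:42:05", "owner@example.com", "Send", {"recipients": 130}),
    ("2019-05-02T09:42:10", "owner@example.com", "Send", {"recipients": 125}),
    ("2019-05-02T09:42:15", "owner@example.com", "Send", {"recipients": 120}),
    ("2019-05-02T09:50:00", "colleague@example.com", "Send", {"recipients": 3}),
]

# Rule actions that keep replies out of the owner's sight, as in the incident above.
HIDING_ACTIONS = ("MoveToFolder", "DeleteMessage", "MarkAsRead", "SoftDelete")


def suspicious_inbox_rules(events):
    """Return (user, timestamp, rule name) for new inbox rules that hide mail."""
    hits = []
    for ts, user, op, details in events:
        if op != "New-InboxRule":
            continue
        if any(a.startswith(HIDING_ACTIONS) for a in details.get("actions", [])):
            hits.append((user, ts, details.get("name", "")))
    return hits


def mail_bursts(events, max_recipients=200, window=timedelta(seconds=60)):
    """Return (user, window start, recipients) where one user addressed more than
    max_recipients within any sliding window, e.g. hundreds of addresses in seconds."""
    sends = defaultdict(list)
    for ts, user, op, details in events:
        if op == "Send":
            sends[user].append((datetime.fromisoformat(ts), details["recipients"]))
    alerts = []
    for user, items in sends.items():
        items.sort()
        start, total = 0, 0
        for ts, n in items:
            total += n
            while ts - items[start][0] > window:   # slide the window forward
                total -= items[start][1]
                start += 1
            if total > max_recipients:
                alerts.append((user, items[start][0].isoformat(), total))
                break
    return alerts
```

Either alert on its own is worth a phone call to the account owner; both within the same hour, as here, is a strong signal that the mailbox is no longer under its owner's control.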
What Can I Do?
About your password being stolen – nothing, the horse has bolted. You can, however, greatly reduce the effectiveness of these stolen password databases and of the criminals that use them, and greatly improve the overall strength of your online credentials, with some simple practical steps. The good news is that at the same time you will most likely improve your online productivity and really start to leverage the benefits of cloud-based services.
- Stop using the same password or similar passwords for multiple services. No... just stop it.
- Use a password manager and password generator for all but your master password (use a passphrase and MFA for that). Learn how to use your preferred password manager. If you do, I guarantee you will see significant productivity gains.
- Use MFA (or second factor authentication, as it is sometimes called) with services that support it. The latest MFA systems used by services such as Office 365 and Google are very easy to set up (with great online guides) and easy to use.
- Use federated or social sign-in options where available (e.g. use your Microsoft Live or Google account to sign in to another service).
Spend a few uninterrupted minutes setting the services up and ask for help (from a trusted person) if anything is unclear. Remember that what you are doing is securing your identity: you don't want to lock both the criminals and yourself out when, for example, you lose your phone or drop and break it. You also want to make sure you can trust the services you are trusting with your identity.
Where to start?
- Arrange some training on Cyber Security for you and your users. It will be much easier to convert changes to ingrained practices if the need for the change is clear. Pivotal Data Solutions can attend your staff meetings and run through the current threat landscape and the most effective ways to protect yourself.
- Turn on MFA on your cloud-based email and document service
  - Office 365 – Set up multi-factor authentication for Office 365 users
  - Google G-Suite – Set up 2-Step Verification
- Minimise the number of password prompts you encounter daily by taking advantage of trusted device options for devices you own and operate exclusively.
- Investigate password managers and choose one you are comfortable with. Below are some examples of good ones (there are many more):
- Use a passphrase as your master password and turn on multi-factor authentication, especially if using a cloud-based one such as LastPass or Dashlane.
- Turn off the password management function in the browsers you use. It just gets in the way, ties you to a single browser and, in some cases, is insecure.
- Eliminate passwords where possible using technologies such as Windows Hello.
Further Information or Support
Any questions contact:
(0437) 471 871 | Darren.Chapman@PivotalData.com.au | https://pivotaldata.com.au