Cybersecurity 101 – Part 2: Downloads, Passwords, and Multi-factor Authentication
This series of articles will explore cybersecurity concerns in the modern workplace. We’ll explore the myriad of potential risk factors facing today’s organization, and look at tools and solutions to help your company fend off the bad guys.
If you missed Part 1, you can find it here. In this entry, we’ll discuss the dangers of unauthorized software downloads, the importance of good password management policies, and multi-factor authentication.
Software Download And Installation
Companies should establish strict software download and installation practices, as malicious software can lead to a serious compromise. Unauthorized programs can introduce trojans and viruses that help attackers obtain a company’s proprietary and confidential data.
A risk assessment worksheet should be used to identify potential weak points in the company’s network. Its results feed directly into the company’s security policy, a primary purpose of which is to ensure that everyone in the organization understands and agrees to abide by specific guidelines, including those governing the installation of any software or program.
Password Management Policies
The first computer password was developed at the Massachusetts Institute of Technology (MIT) in the year 1961. At that time, password authentication was used for the Compatible Time-Sharing System (CTSS), which gave rise to the many computing functions we know and use today. The design of the CTSS represented the beginning of the idea that operating systems can work on multiple threads and processes.
Password compromise, typically as part of a larger data breach, is one of the biggest problems of modern cybersecurity. Reports of stolen password data seem to come regularly – this past year saw over 5,000 data breach incidents, representing a whopping 7.9 billion compromised records. Theft of credentials aside, about 80% of hacking attacks are the result of weak, easy-to-guess passwords. Because of this, cybersecurity goals must include strong password practices, such as enforcing long passwords (ten characters minimum, more is better) containing a mix of letters, numbers, and special characters in random sequence, and regular password changes.
Using a secure password manager makes it easier to generate and store strong passwords that are unique to each platform for which a user has credentials. Hackers use scripts and programs designed to scan thousands of IP addresses at once, attempting logins with dictionaries containing millions of common passwords and password fragments. With modern computing power they can try billions of password combinations, so strong password practices are vitally important. If there is any indication that a password has been compromised or stolen, a risk assessment spreadsheet can help with the critical steps that need to be taken to close the vulnerability and contain the damage.
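The password practices above (ten characters minimum, a mix of letters, digits and special characters, no common dictionary fragments, random generation as a password manager would do it) as an added example; this is illustrative code, not from the original article, and the fragment list is a small constructed sample standing in for a real breached-password wordlist.

```python
import secrets
import string

# Policy from the text: at least ten characters, with letters, digits and
# special characters in a random sequence.
MIN_LENGTH = 10
SPECIALS = "!#$%&*+-=?@^_~"

# Constructed sample of "common password fragments"; a real deployment would
# load a much larger breached-password wordlist here.
COMMON_FRAGMENTS = ("password", "qwerty", "123456", "letmein", "welcome")


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special characters")
    lowered = pw.lower()
    for frag in COMMON_FRAGMENTS:
        if frag in lowered:
            problems.append(f"contains common fragment '{frag}'")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a password that satisfies check_password, using the CSPRNG in `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every required class is present and no common fragment
        # appears; rejection sampling keeps the result uniform over the
        # accepted set instead of forcing fixed character positions.
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr0ub4dor&3", "short1!"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("generated:", generate_password())
```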
Multi-factor authentication (MFA) requires end-users to complete two or more methods of verification to gain access to their systems, applications, files, or networks. Access is not granted until the user successfully presents multiple factors of confirming evidence for authentication. An example of MFA that is becoming quite common: the user provides username and password credentials at a login screen, after which a personal identification number (PIN) is automatically texted to the phone number on file for the account. The user must then type the PIN into an on-screen field to complete their login. The more authentication factors are in place, the harder it is for criminals to gain access. MFA is rapidly becoming a vital tool in securing IT infrastructure.
Authentication is based on three factors: who you are, what you have, and what you know:
- Inherence: What you are, associated only with the end-user, typically involving biometric methods like voice, face, iris, or fingerprint recognition
- Knowledge: What you know, such as credentials that are remembered by the user, and security questions
- Possession: What you have, such as a security token, a phone, or a key
Keep in mind that the safest forms of MFA would also require significant sacrifices in terms of convenience and privacy since the information needed might be a bit more invasive. Security systems may require details such as your location, personal information, biometrics, or more exotic data, such as the patterns of your speech. As MFA continues to evolve, so will the need for more of your personal information.