Recommended practices – Part-3: Password security

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

October is National Cybersecurity Awareness Month, and to help you celebrate, we have compiled a list of best practices for password-strength optimization.

Passwords are the primary tool for online authentication; as such, they are targeted information for cybercriminals looking to gain access to your workstation, mobile device, and/or personal records.  Proactive measures are vital to prevent online identity theft, network infiltration, system crashes, and the spread of malware.  By following the practices described below you will fortify yourself against these malicious cyber threats.

1. Create a “strong” password

A strong password is one that cannot be easily identified by a cybercriminal.  When creating your next password, here are the do’s and do not’s of password strength:

  • Do not draw from the obvious: When selecting a password, do not draw from obvious sources – your name, your child’s name, not even something as seemingly obscure as your favorite flavor of ice cream or a random word.  With social media, today’s cybercriminal can easily aggregate personal information and crack obvious passwords.  Even if you feel that your password is obscure and/or unconnected to yourself, if the password is simply a word or phrase, dictionary attacks – programs that plug in every word from a database – can still compromise you.
  • Do use a mixture of letters, numbers, and special characters: Make your password complex and you help make it secure.  Random placements of letters, numbers, and symbols will make it very difficult for cybercriminals to hack into your accounts.
  • Do not use the same password: Using the same password for every login is a recipe for disaster:  A cybercriminal now only needs to crack one password for unlimited access to all of your online accounts.
  • Do use longer passwords: When it comes to password security, the longer the better.  According to online security experts, a password 15 characters in length could take up to two trillion years to crack.  However, password length isn’t everything:  You must be sure to utilize a mixture of letters, numbers and special characters.

By creating long, complex, and unique passwords for every one of your authentication accounts, you will guarantee password strength.
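The four do’s and don’ts above can be turned into an automated check, which is how a password policy is normally enforced at account creation or password change. The following is an added example, not code from the newsletter or from Bryley Systems: it tests a candidate password for length, for a mixture of letters, numbers and special characters, for dictionary or personal words, and for reuse across accounts. The dictionary word list is a constructed stand-in for a real one, and the reuse check compares one-way fingerprints of earlier passwords rather than the passwords themselves.

```python
import hashlib
import string

# Minimum length taken from the newsletter's guidance (15 characters).
MIN_LENGTH = 15

# Constructed stand-in for a real dictionary / "obvious sources" list.
# A real deployment would load a large word list plus breached-password data.
DICTIONARY_WORDS = {"password", "welcome", "chocolate", "vanilla", "summer", "autumn"}


def _char_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch.isalpha():
            classes.add("letter")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def _contains_dictionary_word(pw, personal_terms=()):
    """Return the first dictionary or personal word embedded in the password, or None."""
    lowered = pw.lower()
    candidates = DICTIONARY_WORDS | {t.lower() for t in personal_terms}
    for word in sorted(candidates):
        # Ignore very short fragments so that random letter runs do not trigger matches.
        if len(word) >= 4 and word in lowered:
            return word
    return None


def fingerprint(pw):
    """One-way fingerprint used only to detect reuse without keeping the password itself.
    Treat the stored fingerprints as sensitive: keep them alongside the password
    manager's data, not in a plain file."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, previously_used=frozenset(), personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    previously_used: set of fingerprint() values for passwords already in use.
    personal_terms:  names, pets, favourites etc. that must not appear in the password.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    missing = {"letter", "digit", "special"} - _char_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    word = _contains_dictionary_word(pw, personal_terms)
    if word:
        problems.append(f"contains dictionary/personal word '{word}'")
    if fingerprint(pw) in previously_used:
        problems.append("reused: already in use on another account")
    return problems


if __name__ == "__main__":
    used = {fingerprint("Tq7#mVx9!pL2wRs4")}          # constructed: a password already on another account
    for candidate in ["vanilla123!", "Tq7#mVx9!pL2wRs4", "Madison2009!xyzab"]:
        print(candidate, "->", check_password(candidate, used, personal_terms=["Madison"]) or "OK")
```

The checker reports every violation at once rather than stopping at the first, which is what a user needs when told to pick a new password. Note that a long passphrase built only from dictionary words would still be rejected by the word check, matching the newsletter’s warning that length alone is not enough.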

2. Change your password regularly

It is very important to create strong passwords, but even strong passwords can be discovered by expert cybercriminals – especially if they are given ample time for discovery.  That is why it is essential for you to get into the practice of routine and mandatory password changes.

A perfect time to schedule updates is with the change of seasons as they divide the business year into obvious and unforgettable quarters.  And, as it is now fall, it is the perfect time to begin this excellent practice.  You can start by announcing a mandatory password change in the next few weeks and update your business calendar for three more alterations for the winter, spring, and summer.

3. Keep written reminders secure or use a Password Manager

Long, complex, constantly changed passwords are hard to remember.  You may need to write them down as a practical safeguard.  Just be sure to avoid the bad habit of keeping these written reminders close to your computer – or even worse, taped to your screen for all to see.

If you need written reminders, keep them in a secure area away from your workspace, such as at home or in the glove compartment of your car.  Better yet, consider using a Password Manager to record and manage your passwords.  (See the July 2014 Bryley Tips and Information for a review on Password Managers.)

4. Keep reset information up-to-date

There will be moments when you simply cannot remember a password and will need to request a reset.  As a precaution you should always be certain that your online accounts have your relevant email address on file so that when reset information is sent, it is sent to you and not to an abandoned account that has the potential to be exploited.  It would be best to get into the practice of checking reset information on the scheduled dates for password changes.

5. Review your organization’s password policy

Take the time during your quarterly password changes and reset information checks to review and/or update your organization’s password policy, which has the rules and procedures employees are required to adhere to in order to ensure password and network security.  If your organization does not already have such a policy, be sure to create one and distribute it to all technology-enabled employees.

6. Expunge temporary usernames and passwords

If you recently employed any temporary staff or summer help, be sure that their usernames and passwords no longer access your system.


Bryley Basics: Surge protection

A surge in power can occur at any time, but is often caused by high-powered equipment or storms that disrupt the normal flow of electricity.  Surges can also occur after a power-outage, when the power comes back on.

Surge protectors are electro-mechanical devices that sit between power-sensitive (electronic) equipment and the wall outlet; their purpose is to protect the power-sensitive equipment from the effects of a sudden increase in power voltage.  (Tom Harris has a terrific primer: “How surge protectors work”, at howstuffworks.com.)

Suggestions on purchasing a surge protector:

  • Get one with an indicator light that signals proper operation
  • Verify it is a “transient voltage surge suppressor” and meets UL 1449
  • Expect to spend at least $15-25 to ensure proper quality and better ratings

Plan on replacing periodically; always replace when the indicator light fails (even if it is still providing power to the attached equipment).

We are pleased to announce the addition of two new employees:

Shelbea Moulin, Administrative Assistant

Shelbea resides in Worcester.  She has a BS in CPA Accounting and Finance from Syracuse University and is currently pursuing an MS in Accounting.

Shelbea brings experience in technical support, having worked as a Student Computer Consultant; she also has exposure to finance and auditing practices from two recent internships.  In recent years, Shelbea has held leadership roles at two non-profit organizations.

Eric Rainville, Technician

Eric resides in Worcester.  He holds an AS degree from the New England Institute of Technology.  He was a Certified Easy Technician at Staples, Inc. and has worked as a Computer Technician since 2010.

More ergonomics from Marty Reed

Marty Reed of Top Enterprise, an ergonomics specialist, visited Bryley early in September for a demonstration on proper ergonomics.  She then visited our cubicles and made individual recommendations.

Her overall suggestions included:

  • Monitor:
    • Set distance at one arm-length from body to monitor.
    • Set height so eyes focus at about 2” below top of monitor.
  • Keyboard:
    • Use wrist rests to get hands up and over keyboards.
    • Keyboard should lay flat on the desktop; do not tilt up back.
  • Chair:
    • Use chair arms periodically to rest arms.
    • Forearms and thighs should be parallel to the ground.
    • Adjust for lower-back support or add a lumbar-support device.
  • General:
    • Look away into the distance at least every hour to reduce eye strain.
    • Get up from your workstation periodically and walk around.

For details, Marty can be reached at reed167@verizon.net.

Recommended practices – Part 2: Web browsing/Internet usage

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users browse the web; it’s usually the fastest way to get an answer, search for an item, or make a purchase.  But browsing comes with some risks:

  • Potential liability from browsing ill-advised sites at work
  • Inadvertent or unintentional download of malicious software
  • Waste of company resources: Internet bandwidth, employee time, etc.

To reduce browsing risks, we have these recommendations:

  • Set an Internet usage policy
  • Monitor and enforce browsing behavior
  • Train staff members on safe-browsing habits

A fourth recommendation, configure and patch/update end-point components (operating system, anti-malware software, Internet browser, etc.), will be covered in future articles.

Set an Internet usage policy

Unless we know what is acceptable, how can it be enforced?  Some organizations, to limit unproductive time, might restrict access to social-media sites (Facebook, Twitter, etc.), while others (police investigators) may need access to pornographic sites; without a policy, what sites do we monitor and restrict and for whom?

An Internet usage policy should define the dos and don’ts of Internet access; it should be included in the Employee Handbook with a sign-off acknowledgement and should also note that the organization reserves the right to monitor and limit this usage, without restriction.  (See a simple Sample Internet usage policy from GFI.  Or, review an in-depth Internet usage policy from the SANS Institute.)

Monitor and enforce browsing behavior

Paul Wood of Symantec™ studied browsing habits of end-users with these findings¹:

  • About one-third of users followed the organization’s Internet-use policy,
  • The second one-third generated less than 10% of browsing violations, and
  • The final one-third had over 90% of browsing violations; about 20% of this group actually had more violations than legitimate usage.

Basically, about 66% of end-users follow an organization’s Internet usage policy most or all of the time, but there is a small group that abuses this policy, which suggests that enforcement efforts should focus on the abusers.

To protect an organization, basic monitoring and enforcement of Internet usage is recommended; a typical monitoring/enforcement software application for small to mid-sized organizations should provide, at a minimum, these capabilities:

  • Cluster related sites together (i.e., gaming, sports) to set policy by site-groups
  • Combine users by department or functional area to enable group restrictions
  • Whitelist specific sites (or site-groups) to permit unlimited access
  • Blacklist specific sites (or site-groups) to prohibit access

Once deployed, you must continually review the results to inspect what you expect.
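To make the four capabilities concrete, here is an added example, not code from the newsletter or from any Bryley Systems product: a small policy evaluator in the style of a web filter. It clusters domains into site-groups, places users in department groups, applies whitelists and blacklists per group (a whitelist entry wins where both apply), and then reviews a batch of proxy log lines to count blocked requests per user, so that enforcement effort can be directed at the heaviest offenders, as the Symantec findings above suggest. All domains, users, policy entries and log lines are constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed site-groups: category -> registered domains in that category.
SITE_GROUPS = {
    "gaming":   {"example-games.test", "arcade.test"},
    "sports":   {"scores.test"},
    "social":   {"social.test"},
    "business": {"supplier.test", "intranet.test"},
}

# Constructed user groups by department or functional area.
USER_GROUPS = {
    "sales":          {"alice", "bob"},
    "investigations": {"carol"},
}

# Policy per user group. "*" applies to everyone. A site-group on any applicable
# whitelist is always permitted; otherwise a site-group on any applicable
# blacklist is blocked; anything else is allowed.
POLICY = {
    "*":              {"blacklist": {"gaming"}, "whitelist": {"business"}},
    "sales":          {"blacklist": {"social", "sports"}},
    "investigations": {"whitelist": {"social"}},   # this department needs social-media access
}


def hostname_of(url):
    """Extract the actual host from a URL (the part the address bar should show)."""
    return (urlsplit(url).hostname or "").lower()


def site_group_of(host):
    """Match the host, or any parent domain of it, against the site-groups."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for group, domains in SITE_GROUPS.items():
            if candidate in domains:
                return group
    return None


def groups_of_user(user):
    """Every user is in '*' plus whichever department groups list them."""
    return {"*"} | {g for g, members in USER_GROUPS.items() if user in members}


def decide(user, url):
    """Return ('allow' | 'block', reason) for one request."""
    sg = site_group_of(hostname_of(url))
    if sg is None:
        return "allow", "uncategorized"
    rules = [POLICY.get(g, {}) for g in groups_of_user(user)]
    if any(sg in r.get("whitelist", ()) for r in rules):
        return "allow", f"whitelisted group '{sg}'"
    if any(sg in r.get("blacklist", ()) for r in rules):
        return "block", f"blacklisted group '{sg}'"
    return "allow", f"group '{sg}' not restricted"


# Constructed log lines in the form "<user> <url>", as a proxy or UTM export might provide.
SAMPLE_LOG = """\
alice https://www.scores.test/nba
alice https://intranet.test/home
bob http://example-games.test/play
bob https://supplier.test/orders
bob https://www.arcade.test/lobby
bob https://social.test/feed
carol https://social.test/profile/x
carol https://arcade.test/
"""


def review(log_text):
    """Count blocked requests per user: the periodic 'inspect what you expect' step."""
    blocked = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, url = line.split(None, 1)
        verdict, _reason = decide(user, url)
        if verdict == "block":
            blocked[user] += 1
    return blocked


if __name__ == "__main__":
    for user, count in review(SAMPLE_LOG).most_common():
        print(f"{user}: {count} blocked request(s)")
```

Parent-domain matching means `www.arcade.test` inherits the category of `arcade.test`, so a site-group does not need every subdomain listed. Uncategorized hosts are allowed here; a stricter deployment could default them to block or to a separate review queue.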

Example:  Bryley Systems offers our Secure Network™, an onsite, Unified Threat Management (UTM) tool with monitoring and enforcement of web browsing.  The results are periodically reviewed and reported by Bryley Systems to the client.

Train on safe-browsing habits

It is important that staff know and understand the importance of an organization’s Internet usage policy; they have a significant role to play in this effort.

The basic rule is to not click on any site that you do not trust.  However, even some trustworthy sites can be hijacked and route an unsuspecting user to an unintended site with unexpected consequences.

Some browsing tips²:

  • Do not click on pop-ups
  • Do not open links within spam email
  • Check a site’s actual address in the address bar; this address should always match the expected site-name (URL)
  • When in doubt, shout it out (call for help)

There are also many online security-training options; we offer a video-training package on a per-user basis through our business partner, Deadbolt Security.

REFERENCES:

  1. See Paul Wood’s article “Employee browsing habits, the good, the bad, and the ugly” at Symantec Intelligence.
  2. Dylan Herix offers “An idiot’s guide to good browsing habits” at AppStorm Guide.

Winner of our business-card raffle at the Central Mass Business Expo (CMBE)

Congratulations to Maureen Raillo, CEO at W Limousine in West Boylston, MA!


Maureen won a Beats Pill™, and a Beats Pill character stand.  (Beats Pill is a lightweight, portable, and wireless speaker that lets you bring music wherever you go; combined with the character stand, the value is over $250.)

Bryley Basics: Get ready for USB Type C

USB (Universal Serial Bus) has been part of the computer world since 1998; it typically connects peripherals (printers, scanners, cameras, etc.) to computers.

A new USB cable, USB Type C, should hit the shelves next year.  It will use the USB 3.1 standard, which is backward-compatible with USB 3.0 and USB 2.0 and permits data transfer at up to 10 Gbps.

USB Type C will have these features:

  • Smaller connector ports at 8.44mm by 2.6mm
  • Connectors are the same on both sides of the cable (allowing cable reversal)

For details, please visit Dong Ngo’s write-up “USB Type-C: One cable to connect them all” from August 22nd, 2014 on CNet or see Stephen Shankland’s article “Meet the next-gen USB cable that could sweep away all others” in the April 1st, 2014 write-up on CNet.