<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Mike Moran, Author at Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/author/mike/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/author/mike/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Wed, 26 Jun 2019 19:13:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Mike Moran, Author at Third Rock</title>
	<link>https://thirdrock.com/blog/author/mike/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>BYOD – Do You Know What’s on Your Network?</title>
		<link>https://thirdrock.com/blog/2018/05/20/byod-do-you-know-whats-on-your-network/</link>
		
		<dc:creator><![CDATA[Mike Moran]]></dc:creator>
		<pubDate>Sun, 20 May 2018 19:18:45 +0000</pubDate>
				<category><![CDATA[Focus on Security]]></category>
		<category><![CDATA[Bring Your Own Device]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[network discovery scan]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5623</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/05/20/byod-do-you-know-whats-on-your-network/">BYOD – Do You Know What’s on Your Network?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
<div class="et_pb_text_inner"><p><img data-recalc-dims="1" fetchpriority="high" decoding="async" class="wp-image-5632 size-medium alignleft" style="margin-top: 10px; margin-right: 10px; margin-bottom: 5px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_10348_01642.jpg?resize=300%2C200&#038;ssl=1" alt="BYOD | Bring Your Own Device | Cyber Risk Management" width="300" height="200" /></p>
<p>Is your company allowing employees to <em><strong>bring their own devices</strong></em> and use them to log onto the corporate network? If so, do you know what is happening on your network as well as how many devices are on your network?</p>
<p>Recently, I ran a network discovery at a company and found some interesting things. First, I ran the discovery during the &#8220;off hours,&#8221; meaning there should have been no one in the facility and only the automation and security systems operating. Instead, the scan showed 70 computers, instruments, and printers running on the network.</p>
<p>Next, I ran the same scan during business hours &#8211; full production and full staff &#8211; resulting in 120 devices being found on the network. What were the additional devices? Some of the devices were corporate workstations which get turned off overnight, and the remainder of the ‘new’ devices were <strong><em>personal cell phones.</em></strong></p>
<p>Now, depending on how your networks are configured, that might not be a problem. In a properly segmented network, company-owned devices would have their own segment, and employees&#8217; personal cell phones, laptops, and tablets would be on one or more additional segments. In this case, however, the staff members&#8217; devices were also on the production network, introducing significant risk for the organization. Phones are susceptible to all the same types of malware and viruses as computers. Yet, phones and tablets are much less likely to be running anti-anything (e.g., anti-virus, -malware, or -spyware).</p>
<p>Additionally, many cell phones support tethering, which would allow a user to exfiltrate data via the phone to another computer, server, or cloud repository without the company being able to detect it. This happens when the phone is connected to the internal network and at the same time tethered to an external network. Once both connections are up, data can flow in both directions: company confidential data going out, and viruses, malware, and spyware coming in. Worse yet, someone else could establish a presence on that bridge, which would allow them to attack other companies while disguised as your company, or stand up a server that transmits spam and porn from your network.</p>
<p>The lesson to learn is that things are never as easy or as secure as you think they are. Be diligent about policies, processes, and knowing <em><strong>what</strong></em> should be flowing <em><strong>where</strong></em> on your network.</p>
<p>If you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  <a href="mailto:info@thirdrock.com">info@thirdrock.com</a></p>
<h3 style="text-align: center;"><strong>Building a Cyber Confident</strong>℠<strong> World</strong></h3></div>
			</div>
			</div>
			</div>
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5623</post-id>	</item>
		<item>
		<title>NIST Makes Passwords a Little Easier</title>
		<link>https://thirdrock.com/blog/2018/04/12/nist-makes-passwords-a-little-easier/</link>
		
		<dc:creator><![CDATA[Mike Moran]]></dc:creator>
		<pubDate>Thu, 12 Apr 2018 14:00:35 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[become cyber confident]]></category>
		<category><![CDATA[cyber secure]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[NIST recommendations]]></category>
		<category><![CDATA[password vaults]]></category>
		<category><![CDATA[passwords]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=5413</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2018/04/12/nist-makes-passwords-a-little-easier/">NIST Makes Passwords a Little Easier</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" decoding="async" class="alignright wp-image-5415 size-medium" style="margin-top: 5px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Password-in-white-on-blue-key.jpg?resize=300%2C200&#038;ssl=1" alt="Password" width="300" height="200" /></p>
<p>After much research, the National Institute of Standards and Technology (NIST) has determined that we have been doing passwords all wrong!</p>
<p>Traditionally, best practice for password use has been a minimum of 6 characters composed of a combination of letters, numbers and symbols, which had to be rotated periodically. To make things more complex, companies typically added rules about how frequently a password could be reused &#8211; or prohibited reuse completely.</p>
<p>What NIST&#8217;s research showed is that all these rules simply pushed more people into predictable password patterns. Patterns like Jan18!, Feb18!, Mar18! satisfy the no-reuse rule, the minimum-length rule and the composition rule, yet they are completely deducible with only a small amount of social engineering or programming.</p>
<p>So, based on this behavior, what did NIST recommend?</p>
<ul>
<li>Minimum length of 8 characters</li>
<li>Maximum length of 64 characters</li>
<li>Mandatory change based on enforced minimum length</li>
<li>Check against dictionary of known bad passwords</li>
<li>No composition rules</li>
<li>No recovery hints</li>
</ul>
<p>Now that we know what is to be done on the server or application side, how does the end user make use of the new best practices?</p>
<p>The <strong>best solution</strong> is to use a password vault with generation capabilities, which gets you down to a single password for access to the vault.  Password vaults are programs that securely store large numbers of passwords protected by a password. For Windows, some of the popular ones are LastPass, Dashlane, KeePassX and Sticky Password. For MacOS, some of the popular ones are 1Password, KeePass, LastPass, and SplashID Safe.</p>
<p>If you are new to password vaults, then your next step is to visit all the websites you use and use the password vault to generate a new password for each one.</p>
<p><strong>Alternatively</strong>, picking phrases that strike a chord with you from songs, movies, plays or books makes for good passwords, but make sure they are as long as you can remember &#8211; 20, 30&#8230;64 characters, with a minimum of 16 characters.</p>
<p>Once you have password habits that are cyber secure, it is time to secure your whole environment so you can become cyber confident.</p>
<p>If you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  <a href="mailto:info@thirdrock.com">info@thirdrock.com</a></p>
<h3 style="text-align: center;"><strong>Building a Cyber Confident</strong>℠<strong> World</strong></h3></div>
			</div>
			</div>
			</div>
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">5413</post-id>	</item>
	</channel>
</rss>
