Security

Short and pithy IT security tips for users

Dominic Vogel came up with 10 short security tips for users that he thinks will do the most good without overwhelming them with too much information.

Ever since Moses received the Ten Commandments (in the original tablet form), mankind has resorted to using top ten lists to summarize (and prioritize) key principles and ideas. When it comes to expressing security awareness concepts, security professionals tend to overwhelm their business peers with information and best practices. In trying to tell them everything about security awareness, we end up telling them nothing.

Delivering security awareness tips in bite-size top-ten chunks increases the likelihood that your colleagues will absorb and understand foundational security awareness concepts. With apologies to David Letterman (and to Moses), the following top ten presents practical IT security tips for employees:

  • Never give out login credentials (over the phone, in person, or by email). Any competent IT department would never ask for your login credentials in any circumstance.
  • Hover the mouse pointer over a link to reveal its actual destination: the browser shows it in the bottom left corner (the status bar), and Microsoft Outlook shows it in a tooltip above the link. If the address shown does not match what the link text claims, don't click it.
  • When using public Wi-Fi, refrain from sending or receiving private information.
  • Report any loss or theft of your company-issued smartphone, tablet, or laptop to IT immediately.
  • Be leery of attachments and links from unknown sources, and even of suspicious links from trusted sources. When in doubt, chuck it out!
  • Stop. Think. Click. Think twice before clicking that link.
  • Report any security incident (e.g. replying to a scam email with your login credentials) to IT immediately. Do not fear reprisal or be ashamed; such incidents are expected given today's threat landscape.
  • Use a different password for every website. If you have only one password, a criminal simply has to break that single password to gain access to all your information and accounts.
  • If you have difficulty remembering complex passwords, try using a passphrase like "I love getting to work at 7:00!" Longer passwords are harder to crack than shorter complex passwords.
  • Never leave your smartphone, tablet, or laptop unattended in a public place.

What quick security tips have you shared with your co-workers and fellow employees? Which ones would you add/remove from the security top-ten list? I'd love to know your thoughts!

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

13 comments
rasilon

I don't agree with the blanket statement that "Any competent IT department would never ask for your login credentials in any circumstance". I routinely have to set up laptops for our nurses to use remotely. This involves logging onto the network (we do domain logons), logging onto our Citrix farm and synchronizing the medical database that they use in disconnected mode. The only alternative would be to reset all their passwords and that would be a major impact on their ability to do their jobs. I consider us to be relatively "competent". Hank Arnold (MVP)

Deadly Ernest

Moses was actually given twelve rules, but when he pointed out he could only tick off ten on his fingers God dropped two so it was easier for him to count them off.

Now, as to the article: emails were originally done as plain text documents, and there is NO VALID reason why they should be anything except plain text documents. I do NOT regard being able to include a fancy graphic to look nice as a valid reason. So set your email client to send and receive as plain text documents, and if you have webmail, set a local mail client up to download it and display it as plain text. This gives you the following advantages:

1. The URL for ALL links is clearly shown with the link, and any funny business is obvious.
2. Certain complex malware scripts do NOT make the translation from hidden HTML code to plain text and are rendered inoperable in the process; some don't even display.
3. It makes it very damned easy to ID and kill off those stupid little scare games and idiot e-cards a lot of people send around.
4. It's a damn sight easier to train the anti-spam software in a mail client like Thunderbird than it is to train the webmail ones to suit just you.

When anyone asks for my log-on ID and password over the phone or by email, I reply with a fake set. When they contact me back I blame them for stuffing it up. Great fun.

I noticed you missed out on the best one for using a browser: set it to NOT accept third-party cookies or run third-party scripts, as that's a very common way to distribute malware. If a valid website designer uses third-party scripts and cookies, then he's NOT a web designer, but a lazy graphics artist pretending to be a web designer. I make an exception for a situation where a known and trusted child site is calling stuff from their parent site the way TR makes some calls on ZDNET. I also like the idea of having the one repository for ALL my emails, and it being on MY computer.

ernied

That's very true, but that can easily be extrapolated into "use a different password for work and your bank's website than you would use for the sites you don't really care about." Also, people would figure that one out on their own pretty quick. They're good at determining the things that aren't *that* important from the things that are. But the overarching rule "a different password for every site" and the reason why is good enough. And if your users complain like you just did, you can explain that. You can also explain that a good strategy would be to use a slightly *different* password for every site, but have a strong base password. For example, I use passwords that start with the same 10 random letters and numbers, but end with something related to the site. This ensures that my passwords are long enough and complex enough to not be cracked by brute force in any reasonable amount of time, while having something I can easily memorize for everything, and compartmentalizing things enough so that some stupid website that gets compromised doesn't affect my Starcraft account.

communications

Use a different password for every website? Why do I need a unique password for websites like TechRepublic? I'm signed on to dozens of websites like this.

Kenton.R

Since you ask for their password, how can you prove any action taken with that account is really the nurse and not the administrator or someone else who knows the nurse credential? How can you share passwords and still meet HIPAA requirements? From the HIPAA admin simplification document, section 164.312: "Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity." Also, "(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed." Does your facility treat MA residents? If you have PII from residents of MA, you may also want to review http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf, specifically 17.04(2)(b) which states: "assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;" The key word in those regulations is "unique." If more than one person can log in using the account, it is not a unique login. If you need to convince management to support a policy change away from shared credentials, the threat of massive fines for HIPAA violations usually gets their attention.

Neon Samurai

I'd love to get my users sticking to plain text email with document attachments when something has to be formatted, but "our recipients don't want to click twice to open an email and then an attachment", and/or internal staff have their own habits and opinions. If you can do it though: plain text email. It's email, just stick to plain text and send a PDF if you need formatted, embedded, blinking content.

Deadly Ernest

and to do things like replace some letters with numbers, but not all such options, and to run the phrases together. An example I often cite is for the site for your favourite restaurant: use the phrase 'they also serve who stand and wait'. Options here are first letters, 'taswsaw', then numberise to 't42wsaw' or 'tasw24w', which makes that part a bit hard. If this comes out too short, you then add something relevant that is easy for you to remember; thus the one for the steakhouse becomes 'tasw24wbull' etc.

Kenton.R

A guy at a recent security conference told me he uses your technique of base + pattern. While that method stops an attacker who is blindly trying the credentials elsewhere, it still leaves me uneasy -- if two or more databases with your account get popped, the pattern used on all your other accounts can be exposed. I prefer two factor when possible such as Google Authenticator, sites that challenge logins from new IPs or w/o a stored browser cookie, etc. Barring that, "minor" sites like ZDnet get a very long randomly generated password stored in an offline open source password manager like Keepass. I never know the password to ZDnet - I just cut and paste. Of course, there are still weaknesses to using a local password manager (compromise of the local machine being the big one), but I still find it preferable to password reuse - even partial password reuse. If they've got your local machine, you can have keystrokes logged and lose the passwords either way. "...people would figure that one out on their own pretty quick. They're good at determining the things that aren't *that* important from the things that are." I would argue that people are often NOT capable of accurately assessing risk. Bruce Schneier gave a great 2011 TED talk on how people make security decisions, and how their logic often goes awry. http://www.ted.com/talks/bruce_schneier.html

LedLincoln

I do something similar for websites I don't care about. Be aware, however, that someone who obtains your password could create a lot of mischief by posting spam, inflammatory or lewd remarks, etc. in your name. [I disclaim any such posts here, as they must have come from someone else!] :-)

Neon Samurai

As was pointed out before, if your common password becomes known, it will be tried against every other place you may have an account. You don't just risk your TR account but every place that password is re-used. It gets worse; "clever" is dead. Whatever clever "swap letters for numbers" or "letters taken from phrases" trick you use to create a memorable password, all those tricks are known and the dictionary files for them are already well known and used. Complexity makes a difference but length is what really makes the difference. A truly random 20+ character mix of capitals, lowercase, numbers and symbols is going to keep you good now and for a good while into the future. "Oh, but no one can remember one of those, let alone a different one for every place." Get a password manager. KeePass, LastPass... get one, get comfortable using it. You're not remembering a 20-character password different for each website; you are remembering one strong long passphrase and the PW manager remembers and types the rest of your passwords for you. Now you can have a different truly strong password for everything and with less effort than it takes to remember a few different shared passwords.

Kenton.R

Let's pretend I'm a bad guy and ZDnet's unencrypted user database just got uploaded for all to see. Scenario 1: You use unique passwords on all accounts. It sucks that your ZDnet account is compromised and you'll need to create a new password, but the pain ends there. Scenario 2: You use the same password on ZDnet as you do elsewhere. I take the credentials from ZDnet and start trying to log into PayPal, Newegg, Facebook, iCloud, Yahoo/Gmail/Hotmail and various major banks. That might take a bit more effort to clean up. http://www.computerworld.com/s/article/9217646/LulzSec_s_Sony_hack_shows_rampant_password_re_use highlights the dangers in password reuse.

Neon Samurai

In terms of keeping compliant or showing that the staff account was not misused by the tech, change it. Change to a shared password while you do your work, then have the user reset the password to something unknown. In the logs, if it happened prior to the user password reset then blame the tech who was sitting beside the staffer for that setup time. This is one of my own complaints. Why can't Admin take over a user account on Windows? I'm the system admin, why can't I "su User" and be logged in as that user? On my *nix systems it's a non-issue: if I need to set up something inside a user's environment or work as another user, I can simply "su Username" and get my work done. With Windows, I have to accept poor security practices and interrupt the user to do what Admin should already be able to do. (And a related complaint: why is Admin not the top-level account? It is insane that the System account can block Administrator from working with files.)

Neon Samurai

It's just too cheap and easy to set up a cracking rig or use a spare machine. Change letters for numbers, swap letters, add numbers to the end.. it just doesn't matter unless it's a long enough string of truly random characters. "can try on average an astounding 8.2 billion password combinations each second" "The advances don't stop there. PCs equipped with two or more $500 GPUs can achieve speeds two, three, or more times faster, and free password cracking programs such as oclHashcat-plus will run on many of them with little or no tinkering." http://arstechnica.com/security/2012/08/passwords-under-assault/
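Tip 9 of the article says a long passphrase beats a short complex password, and the comment above quotes a 2012 rate of 8.2 billion guesses per second for a single GPU rig. As an added example (not from the article or any commenter), this Python snippet puts numbers on both claims. It estimates the brute-force keyspace from length and character classes, and separately a word-level estimate that assumes the attacker already knows the passphrase is built from common words, because a passphrase of dictionary words is weaker than its character count suggests. The 20,000-word dictionary size and the two sample passwords are assumptions made for illustration.

```python
import math
import string

# Guess rate quoted in the comment above (Ars Technica, 2012): one GPU rig
# against a fast unsalted hash. Slow hashes (bcrypt, scrypt) cut this rate by
# orders of magnitude; a leaked pattern cuts the keyspace instead.
GUESSES_PER_SECOND = 8.2e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password):
    """Size of the character set a brute-force attacker must cover, judged from
    which character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += len(string.punctuation) + 1  # 32 symbols plus the space
    return size


def brute_force_bits(password):
    """Bits of work for an attacker who knows only the length and character classes."""
    return len(password) * math.log2(alphabet_size(password))


def dictionary_bits(passphrase, dictionary_size=20000):
    """Bits of work for an attacker who knows the passphrase is whitespace-separated
    words drawn from a list of `dictionary_size` common words (assumed size)."""
    return len(passphrase.split()) * math.log2(dictionary_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a keyspace of 2**bits at `rate` guesses/s."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def compare(short_complex, long_phrase):
    """Return (years to exhaust the short password, worst-case years for the passphrase).
    The passphrase gets the weaker of the two models, as a real attacker would pick."""
    short_years = years_to_exhaust(brute_force_bits(short_complex))
    phrase_bits = min(brute_force_bits(long_phrase), dictionary_bits(long_phrase))
    return short_years, years_to_exhaust(phrase_bits)


if __name__ == "__main__":
    # Constructed examples: an 8-character "complex" password and the article's passphrase.
    short_years, phrase_years = compare("P@ssw0rd", "I love getting to work at 7:00!")
    print(f"P@ssw0rd: about {short_years * 365:.0f} days to exhaust at {GUESSES_PER_SECOND:.1e}/s")
    print(f"passphrase (word-level worst case): {phrase_years:.1e} years")
```

Even the word-level model, which hands the attacker the structure of the passphrase, leaves it out of reach, while the 8-character password falls in days. The character-class figure for "P@ssw0rd" is an upper bound: it appears in every cracking wordlist and would fall instantly, which is the point made above about "clever" substitutions.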
