Saturday, March 28, 2015

It’s Time for More to Implement Two-factor Authentication (Week 3)

That dreaded day has come when you are being forced to change your password.  The system you are attempting to log into will not authenticate you until you change it.  The new password must be complex, must not be one you have used in the past, must meet the minimum length requirement, and must contain a variety of different characters.  Oh, the pressure of developing an acceptable password, and one that you can remember without writing it down, no less.

After much thought, you finally accomplish the dreaded task, but then a few weeks later you are informed that your account may be one of many that have been compromised.  You did your part by developing a strong password, didn’t write it down, etc.  So why was your account among those that were compromised?  The bottom line is that a password is only as strong as the protection it receives from you and from the organization storing it.

Slack, a company that developed an application that simplifies and facilitates workplace communication, recently discovered that its database containing user profile information was accessed by hackers.  The hackers had access to an array of sensitive information that included user names, email addresses, and encrypted passwords.  It is undetermined whether the hackers were able to decrypt the passwords.  Regardless of whether they did, the passwords have still been compromised.  In response to the attack, Slack decided to implement two-factor authentication (Toth, 2015).

So what is two-factor authentication?  Two-factor authentication is an additional authentication step that requires something you have.  When users attempt to access a system, they are prompted to enter their user name and password, which is something they know.  After the correct user name and password are entered, users are prompted to enter a one-time token that is sent to something they have, such as the user’s phone (What is 2 Factor Authentication?, n.d.).  This extra step adds another layer of security, making it more difficult for hackers to compromise a user’s account if they somehow obtain the user name and password.
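The second step described above, as an added example that is not Slack’s code or the cited sources’ code: a server-side one-time token that is generated after the password check passes, sent to the phone, and accepted only once, only before it expires, and only within a bounded number of guesses. The in-memory store, the list standing in for the SMS gateway, the TTL and the attempt limit are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical second step for the "one-time token sent to the phone" flow
# described above (added example, not Slack's implementation). Storage is an
# in-memory dict and the SMS gateway is replaced by a list that records what
# would have been sent; the TTL and attempt limit are assumed values.
TOKEN_TTL = 300        # seconds a token stays valid
MAX_ATTEMPTS = 5       # wrong guesses tolerated before the token is revoked

@dataclass
class PendingToken:
    code: str
    expires_at: float
    attempts: int = 0

pending: Dict[str, PendingToken] = {}
sent_messages: List[Tuple[str, str]] = []    # (phone, code) stand-in for SMS

def issue_token(username: str, phone: str, now: Optional[float] = None) -> None:
    """Called only after the user name and password checked out: generate a
    6-digit code from a CSPRNG, remember its expiry and send it to the phone."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    pending[username] = PendingToken(code, now + TOKEN_TTL)
    sent_messages.append((phone, code))

def verify_token(username: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code at most once, only before it expires and only within a
    bounded number of tries; compare in constant time to avoid timing leaks."""
    now = time.time() if now is None else now
    entry = pending.get(username)
    if entry is None:
        return False                      # nothing issued, or already used
    if now > entry.expires_at:
        del pending[username]             # expired: the user must request a new one
        return False
    entry.attempts += 1
    if entry.attempts > MAX_ATTEMPTS:
        del pending[username]             # too many guesses: revoke the token
        return False
    if hmac.compare_digest(entry.code, submitted):
        del pending[username]             # single use: burn it on success
        return True
    return False
```

Passing `now` explicitly makes the expiry logic testable without waiting; in production leave it `None` so the wall clock is used.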

The additional security measure sounds great, right?  It does; however, that does not mean you will be able to implement two-factor authentication for every web service account you have.  Two-factor authentication is limited to web services that provide it.  I know that is some bad news, but there is some good news that comes with it.  The good news is that many of the web services you currently use may offer two-factor authentication and you just don’t know about it.  Some services that you probably use that offer two-factor authentication are Google, Facebook, LinkedIn, and Twitter.  Do you use other web services and want to implement two-factor authentication for them too?  Find out whether they support it by visiting the following website: https://twofactorauth.org/

References

Toth, A. (2015, March 27). March 2015 security incident and the launch of two factor authentication [Blog post]. Retrieved from Several People are Typing website: http://slackhq.com/post/114696167740/march-2015-security-incident-and-launch-of-2fa

What is 2 factor authentication? (n.d.). Retrieved March 28, 2015, from http://stopthinkconnect.org/2stepsahead/about-two-factor-authentication/

Sunday, March 22, 2015

Cybersecurity Internet Resources

Throughout my journey towards earning a Master’s Degree in Cybersecurity I have used a number of websites to aid me in my studies.  The websites I am about to share are not just resources for educational purposes; they are resources that security professionals can use to stay abreast of current vulnerabilities, scams, and other cybersecurity related news.

The National Vulnerability Database is maintained by the U.S. government.  Users can search the database to obtain security checklists, security related software flaws, misconfiguration information, product names, and impact metrics.

The CVE website is a database containing Common Vulnerabilities and Exposures (CVE).  It is a tool security professionals can use to assist them with vulnerability management.

CVE Details is another database that can be easily searched by users to locate security vulnerabilities and assist them with vulnerability management.

The ISC is a website maintained by an all-volunteer force of security professionals.  Their goal is to provide information on the latest Internet security threats.

The Honeynet Project is a non-profit security research organization that collects data about attackers and malicious software.  The data is then used to develop open source security tools and to educate users on the latest attacks.

The McAfee Threat Center is a great security resource to obtain information on IT security threats.  The site provides information on the latest Internet threats, security updates, security awareness, threat trends, and threat predictions.

The Symantec Security Response is a website similar to the McAfee Threat Center.  It is another resource security professionals can use to obtain information on IT security threats.

InformationWeek’s Dark Reading Webpage contains various articles ranging from attacks/breaches to vulnerabilities and threats.  It is a valuable resource for security professionals to peruse through to stay current on the latest cybersecurity news.

Bruce Schneier is a highly respected security technologist.  His website contains information that security professionals can use to assist them in their career field.

Last but not least is Bellevue University’s Center for Cybersecurity Education Webpage.  It contains links to other resources including a link to a blog maintained by Bellevue University’s Cybersecurity Program Director, Professor Ron Woerner.  Professor Woerner writes about various cybersecurity topics that keep readers informed on current issues and trends.

There are many Internet resources available for security professionals to use.  With so many available, conflicting information between one or more of the sites is possible.  One way to address the situation is to contact the maintainers of the website and ask them to verify and/or clarify the information that is in question.

Sunday, March 15, 2015

Life Long Learning

The creation of this blog marked the beginning of my efforts towards earning a master’s degree.  Over the course of the past two years I wrote about various information security and cybersecurity topics. Sharing the information I learned has been very fulfilling and I hope it has helped a few readers with improving their information security practices.

The class I am currently taking, Current Trends in Cybersecurity, is the last class I need to earn a Master of Science in Cybersecurity from Bellevue University.  This does not mean my drive to remain curious and continue learning is over.  I will continue to share what I learn as my journey to become a well-rounded security professional continues.

Thank you for reading my posts, and be sure to check back often.

Sunday, March 8, 2015

Are They Harmful? Virus Hoaxes

Security professionals and organizations spend a lot of time researching viruses and informing users about their characteristics and about the security practices that prevent infection.  All of the awareness and training is enough to make most people question the validity of content found on the Internet and of e-mails received from various parties.  So when information pertaining to a new virus is released and distributed, we have a tendency to devote a good portion of our time to learning about it.  Learning about new viruses is not such a bad thing, unless we are wasting our time learning about a virus that does not exist.

Messages containing information about viruses that do not exist, circulated intentionally or unintentionally by users, are known as virus hoaxes.  At first, they may seem harmless.  The fact of the matter is that virus hoaxes can be as costly as or more costly than a real virus.  It has been calculated that a single virus hoax can result in monetary damages totaling $41.7 million.  In other calculations, it has been estimated that a virus hoax can cost an organization $100,000 or more (Grocott, 2001).

So how does an organization accrue monetary losses when its employees receive a virus hoax?  It’s relatively simple.  The organization begins to lose money as soon as employees receive the message and spend their time reading and interpreting it.  Money is also lost as network resources are used to forward the message to others or to delete it.  An organization’s reputation can be affected as users forward the message to others, which can also result in lost money.  Last, users can become complacent as they are exposed to more and more virus hoaxes.  The increased complacency may cause users to disregard valid virus warnings and expose the organization’s network resources to malicious content (Grocott, 2001).

The best way to mitigate virus hoaxes is to educate users on identifying them.  Some of the telltale signs of a virus hoax are: the sender is not a trusted source; the message warns about a destructive virus; it contains many words in all caps; it instructs users to forward it to everyone they know; it states that a credible source issued the warning; it states that the virus is very severe; and/or the virus is described using simple technical terminology (Taylor, Fritsch, Liederbach, & Holt, 2011, pp. 131-132).

Another way to assist with mitigating virus hoaxes is to develop and implement a virus hoax handling policy, along with methods to increase user awareness.  At a minimum, a virus hoax handling policy should state that e-mails suspected of being a virus hoax are to be forwarded only to a designated person.  Awareness of virus hoaxes can be created through newsletters or regular correspondence from the IT department (Grocott, 2001).
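The telltale signs above turned into a small screening heuristic, as an added example that is not from the cited sources: each sign becomes a check over the message, and a message that trips enough of them is routed to the designated hoax handler instead of being forwarded on. The trusted-sender list, the patterns, the all-caps ratio, the threshold and the two sample messages are all constructed for this example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Heuristic hoax screener built from the telltale signs listed above (added
# example, not from the cited sources). The trusted-sender list, the sign
# patterns and the threshold are assumptions chosen for illustration.
TRUSTED_SENDERS = {"it-security@example.org"}   # assumed internal sender
HOAX_THRESHOLD = 3                              # signs needed to flag a message

def _has(text: str, pattern: str) -> bool:
    return re.search(pattern, text) is not None

# Each sign is (name, predicate over the lower-cased body).
SIGNS: List[Tuple[str, Callable[[str], bool]]] = [
    ("instructs users to forward it to everyone",
     lambda t: _has(t, r"\b(forward|send) (this|it) to (everyone|all|every)")),
    ("states a credible source issued the warning",
     lambda t: _has(t, r"\b(microsoft|ibm|cnn|fbi|mcafee|symantec)\b.{0,40}\b(confirm|announc|warn)")),
    ("states the virus is very severe",
     lambda t: _has(t, r"\b(most (destructive|dangerous)|worst .{0,20}ever|destroy(s)? (your )?(hard ?drive|computer))")),
    ("warns about a destructive virus",
     lambda t: "virus" in t and _has(t, r"\b(warning|alert|danger)")),
]

def caps_ratio(body: str) -> float:
    """Share of words (3+ letters) written entirely in capitals."""
    words = re.findall(r"[A-Za-z]{3,}", body)
    return sum(w.isupper() for w in words) / len(words) if words else 0.0

def screen_message(sender: str, body: str) -> Dict[str, object]:
    """Return the signs found and whether the message should go to the
    designated hoax handler rather than be forwarded on."""
    hits: List[str] = []
    if sender.lower() not in TRUSTED_SENDERS:
        hits.append("sender is not a trusted source")
    text = body.lower()
    hits += [name for name, check in SIGNS if check(text)]
    if caps_ratio(body) > 0.2:
        hits.append("many words in all caps")
    return {"signs": hits, "score": len(hits),
            "likely_hoax": len(hits) >= HOAX_THRESHOLD}

# Constructed sample messages: one hoax-style chain mail, one routine IT notice.
HOAX = ("jdoe@mail.example.net",
        "WARNING!!! Microsoft has confirmed a NEW VIRUS that will DESTROY your "
        "hard drive. It is the most destructive virus ever. "
        "FORWARD THIS TO EVERYONE you know!!!")
LEGIT = ("it-security@example.org",
         "Please install this week's patch bundle by Friday. Details are on the intranet.")
```

The point is not the exact patterns but the policy they enforce: a flagged message is reported to one designated person rather than forwarded, which is the handling rule the paragraph above recommends.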

References

Grocott, D. (2001). Virus hoaxes - are they just a nuisance? Retrieved March 8, 2015, from http://www.sans.org/reading-room/whitepapers/malicious/virus-hoaxes-nuisance-30

Taylor, R., Fritsch, E., Liederbach, J., & Holt, T. (2011). Digital crime and digital terrorism (2nd ed.). Upper Saddle River, NJ: Prentice Hall.