TCT is committed to helping you keep your organization secure and compliant. Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Password Best Practices to Pass Along
If you think you have a clever system for remembering your passwords, I have some bad news for you: the bad guys can spot it more easily than you think.
Most people think their passwords are more secure than they really are. A single password may be a good, strong one — but if you’re using a pattern for remembering passwords, you’re giving hackers the key to your locks.
Let’s say your login information gets exposed to a hacker. The good news is that it’s a benign account — say, an online coffee bean supplier. There’s no critical information that has been compromised there. The bad news is that your password has a pattern to it: your spouse’s name + your birthdate + the last two letters of the website. Hackers know you’re probably using a pattern, and they can take that password as a starting point to access your bank account or your work email.
Want to avoid that nightmare? Here are some password best practices that could keep you out of hot water.
- Store all of your passwords in a password management system, like Keeper or LastPass.
- Never use the same password for more than one account.
- Don’t use a pattern that gets tweaked from account to account.
- For password security questions, don’t answer the question that’s asked, because chances are you’ll answer the same question with the same response every time. That’s another vulnerability. Instead, enter a nonsensical answer and record it in your password manager, noting which question you selected along with the response you gave.
- If a website gives you the option of turning on two-factor authentication, DO IT. If an attacker gets ahold of your username and password, that secondary authentication will still keep them out of your account.
I once had a client fall victim to a phishing attack, and he gave them his login information. The only thing that saved him was the fact that he had two-factor authentication turned on. The bad guys couldn’t get into his account.
Password managers put you in a much stronger position, because they make it easy to set a unique password for every one of your accounts, across the board. You no longer need to remember any of your passwords.
As a benefit of using a password manager, you can choose a password with the maximum length the site will allow. In fact, I have some passwords of 200 characters! That’s what I call a strong password. But it’s no less convenient than having an eight-character password, because I can copy and paste it just as easily.
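To make the pattern risk above concrete, here is an added example (not from the newsletter) that audits a password-manager export for exact reuse and for the "shared stem plus letters taken from the site name" pattern the article describes. The vault entries are constructed sample data and the site names are placeholders.

```python
"""Audit a password-manager export for reuse and shared patterns.

Added example, not part of the original newsletter. The vault entries
below are constructed sample data, not real credentials.
"""
from itertools import combinations

# Constructed sample export: (site, password). The first three follow the
# pattern from the article: name + birthdate + last two letters of the site.
SAMPLE_VAULT = [
    ("shop.example", "Alex0412op"),
    ("bank.example", "Alex0412nk"),
    ("mail.example", "Alex0412il"),
    ("news.example", "correct-horse-battery-staple"),
    ("forum.example", "correct-horse-battery-staple"),
    ("vpn.example", "kX9!vQ2#mT7$wL4&"),
]


def common_prefix_len(a: str, b: str) -> int:
    """Length of the longest prefix shared by two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_reuse(vault):
    """Return lists of sites that share an identical password (2+ sites)."""
    by_pw = {}
    for site, pw in vault:
        by_pw.setdefault(pw, []).append(site)
    return [sites for sites in by_pw.values() if len(sites) > 1]


def find_patterns(vault, min_shared=6):
    """Flag pairs whose passwords share a long common stem and whose
    remaining tail is lifted from the site name (e.g. its last letters).
    Returns (site1, site2, shared_stem) tuples."""
    flagged = []
    for (s1, p1), (s2, p2) in combinations(vault, 2):
        if p1 == p2:
            continue  # exact reuse is reported by find_reuse
        k = common_prefix_len(p1, p2)
        if k < min_shared:
            continue
        host1, host2 = s1.split(".")[0], s2.split(".")[0]
        tail1, tail2 = p1[k:], p2[k:]
        if tail1 and tail2 and tail1 in host1 and tail2 in host2:
            flagged.append((s1, s2, p1[:k]))
    return flagged
```

Run `find_reuse` and `find_patterns` over a real export (after clearing it from disk) to see which entries need regenerating.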
Quick Tip: Skip the Guesswork for Passing Muster with Your Auditor
If you’ve been using TCT Portal and you’re in Year 2 (or later) of a particular certification, you can use the Explanations and Attachments feature to easily reference evidence from the prior certification track. This makes it easy to look back at the previous year and see what evidence passed muster last time. It’s a great way to quickly understand what to gather this year.
If you’re already using TCT Portal and want this capability enabled, send an email into TCT Portal Support. To learn more about the TCT Portal, request a personalized demo.
What’s Going on in Security Today
Via Secure World. Special CISA and US-CERT bulletins were issued on March 8th regarding Microsoft Exchange vulnerabilities. This vulnerability affected all Exchange servers, even Microsoft 365 servers. Patches were automatically rolled out and applied by Microsoft, but if you have on-premises Exchange servers, you should download and apply these patches as soon as possible.
Via Cyware. A threat actor has been using the “watering hole” technique to mount a zero-day exploit on Windows and Android users, using a total of 11 zero-day flaws. The first four flaws only targeted Windows and Android. It is still unknown who the threat actor is, or even how many devices in total have been affected by these flaws being exploited.
Via Threat Post. Purple Fox malware is at it again. The developers have added new functionality to the malware, specifically targeting Windows machines, with worm-like capabilities. The malware used to require some kind of user interaction or a tool to infect Windows machines and to spread, but the new functionality uses brute force without any interaction.
Via DarkReading. COMB is a massive compilation of breached usernames, passwords, emails, and other data that was released on February 2nd. Upwards of 3.2 billion pairs of credentials were compiled. An unknown attacker used these credentials to breach the Oldsmar water plant in Florida and then attempted to manipulate the pH levels in the public water system. COVID, the growth of remote working, and IoT devices in remote workers’ homes are putting organizations at even more risk.
Via The Hacker News. Some flaws have been discovered within General Electric’s Universal Relay. If these vulnerabilities are exploited, attackers could gain sensitive information, reboot the Universal Relay, or even cause Denial of Service conditions. If an attacker were to craft a request to the device in a special way, they could bypass security features. This means attackers could have the ability to potentially shut down utility stations, causing power outages and other damage.
Via Cyware. macOS threats and attacks are on the rise. In 2020, macOS malware production was up by as much as 1,092%. A security researcher has uncovered a security flaw in sudo, a utility used not only by macOS but by Linux and BSD based devices as well. Programming security flaws in the Big Sur operating system were recently discovered as well. macOS is still safer than Windows, but cybercrime targeting the tech giant’s equipment is quickly on the rise.