Blake’s presentation,was full of practical information and even scary! Here are some of his truth about information security:
- We are all targets if we are connected to a network.
- Things go wrong, and incidents will happen.
- Being the good guy is hard and requires constant vigilance. The bad guys need to succeed only once!
- Right now, the bad buys are winning.It’s easy for them to find the holes, and holes are getting harder to fix and defend.
- Attacks are getting smarter, faster, and more personal.
- The bad guys chase the path of least resistance. Therefore none of this is about being unhackable, it’s about making the difficulty of doing so not worth the effort.
Little things can make a big difference. Keep your system updated and quickly install patches when they become available. Most modern operating system providers have departments of people plugging holes and making them safer. Most hackers focus on Windows systems because there are lots more of them.
Passwords must be strong and long. We are trusting many of the most important things in our lives with nothing more than a short string of text–convenience has trumped security. Staying safe takes more than just a firewall and antivirus software. If you carry it, put a password on it, and don’t trust anything or anybody. See Krebs on Security for news about hacking and discussions of the latest threats, some of which are very well hidden.
Use second forms of authentication, such as the Google authenticator and similar systems. Most email systems can accept second forms of authentication. Email is especially vulnerable because if you own the email you own the person. Lots of passwords are buried in email messages. Don’t use passwords; use passphrases which are much harder to guess. Don’t use good English in your passphrases. The time it takes to crack a password is the only true value of its worth.
Passwords find their way on to the net because of big data breaches. Many websites offer lists of passwords. Even hashed passwords are not seccure; OCL Hashcat can translate hashes back into open language passwords. Bruteforce guessing has gotten easier. Lists of passwords continue to grow and reveal the thinking behind how we create passwords. Hardware has gotten faster; some computers can now do 350B guesses per second! The perfect password is either nearly impossible to deal with or too long to remember, and many password policies are easily compromised by users.
All passwords should be at least 20 characters long. Use a phrase not a word. Phrases are easier to remember. If you don’t use a phrase anywhere else, it will be a great password. The time to guess a password goes up exponentially with the number of characters in it. Assume your password will be stolen. Nobody is immune from getting hacked. Use a good password manager; LastPass is a good one. (I use Whisper 32 and like it. It’s free.)
Browser security. The bad guys are after plugins, add-ins, etc. behind the scenes. There are lots of holes in them. If you haven’t disabled Java in your browser, do it. Any good website can go bad at any time. 90% of undetected malware was delivered via web browsing.
Where does malware come from? Cisco’s annual security report lists the types of sites. We all go to these sites all the time.
If you are a system administrator, you need to watch web server security. Web servers are worth more because they are bigger, faster, and on all the time. WPScan is a great way to audit WordPress sites, plugins, themes, etc. Make sure everything possible is encrypted. Don’t limit the length of passwords. Lock down PHP as much as possible. Keep WordPress updated.
Adjusting file permissions will go a long way towards keeping things safer. Watch your logs…
Making your library defensible. We can’t make them secure. How many have notes like this in view?
Malware can be installed on printers!! Use a password manager. Somebody in the library should have security monitoring as one of their daily tasks. Level the playing field by hacking your library–all the bad guys’ systems are available. See what turns up. Quote from McAfee VP for threat research (photo).
Do something to make the bad guy’s job harder! Everything is worth something to someone.