HAPPY CYBERSECURITY AWARENESS MONTH!!

(This post was originally posted in Oct 2023)

GREETINGS PROGRAMS!!

October is upon us, and not only does that mean Halloween is right around the corner and Christmas decorations and displays are starting to appear in many stores, it also means we have officially entered Cybersecurity Awareness Month! Since 2004, the President of the United States and Congress have declared the month of October to be Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity. (https://www.cisa.gov/cybersecurity-awareness-month)

At my job we will be spending the entire month sharing cybersecurity news, information and tips to our user community to help keep them aware of what threats are happening, what happens when attackers are successful in their efforts against companies and give them some good baseline knowledge that they can apply to their daily lives to help keep them safe.

Many people get nervous when discussing cybersecurity because there are so many ways bad actors can trick you and get into your files, system and/or network. While true it doesn't have to be scary. In fact, there are 2 primary security topics that can help prevent major security incidents. That's right, only 2! They involve strong passwords and identifying phish emails.

The first topic I always talk to our users about is creating a strong password. Every security measure implemented means nothing if bad actors can simply guess a user's password and walk right through the front door.

Every year we conduct a penetration test against ourselves. We hire a 3rd party to act as the attackers and try and gain access to our network. They employ many of the same tricks and tactics that attackers use: social engineering to try and get information from users; password attempts to guess a user's password; scanning our network devices to see if there are vulnerabilities we haven't noticed or patched yet. As part of the test we also allow them to run a password cracking program against our password files to see if any user passwords can be easily cracked. For user accounts that get cracked we disable them and have the user re-set a stronger password. But we send them an email first with some tips to help them create a stronger password that attackers won't be able to easily guess and password programs won't be able to crack.

I came up with this flyer to walk users through my process of creating a strong password. This is not the only way that works but it is simple and easy to remember. I always tell users you don't have to follow this if you have a better method. Find whatever method works best for you that gets the desired result and use that!

Another recommendation I make is to use a password generator site that automatically creates strong passwords. Users can set the length of the generate passwords and any options they would like to include (using letters, numbers, special characters) and the site creates random passwords.

Some of the more popular password generator sites include:

• LastPass
• 1Password
• Norton

Speaking of passwords, another strong recommendation I make is for users to use a password manager. A cybersecurity best practice is for users to use unique passwords for each account they have that requires them to log on. Unfortunately it is not an uncommon issue that users get hacked because someone gets one of their passwords and the attacker figures out that password is used to access multiple accounts. So a single compromised password means multiple compromised accounts.

A password manager is a program that stores a user's account usernames and passwords so the user doesn't have to memorize them all or create a possible security risk by writing them all down. Users only have to remember the one password to get into the password manager program. When the manager is configured the first time and users begin logging in to their site accounts, the password manager asks if they want to save the login info in the manager. Next time the user logs in to that site, it's a simply click to load the saved credentials from the manager into the login page.

I personally use 1Password but there are many different managers available. Users should do a little research to find the program that works best for them. Some are free, others are paid for versions. Some allow multiple user accounts be saved so each member of a large family can have their own password area for just their accounts. Some of the more popular password manager programs include:

• Dashlane
• 1Password
• NordPass
• LastPass

The second area I give a lot of advice about is phishing. Over 90% of all cyberattacks, security incidents, data breaches that occur all begin from a simple phishing email. 90%!!! Many companies now devote entire offices to IT Security to help educate their users about phishing attacks and protect company assets. To help users learn to identify the signs of a possible phishing email I send them flyers like this one:

Identifying a phishing email can help prevent all kinds of disaster but it requires users to take a few extra moments and review any unusual emails they receive. Most users get an email that "appears" to be from a co-worker and automatically act on any requests made. If they had taken a few extra seconds to look at the sending address and notice that it did not come from the co-workers proper email, it would most likely have raised red flags the user could have acted on instead.

The biggest advice I give users is take those few extra seconds and ask yourself a few simple questions about the email:

• Do I know the sender?
• Is this from an account the sender would normally use?
• Does the email contain a sense of urgency?
• Is this email requesting something this sender would normally request?
• When in doubt, report it as phishing!

In my opinion, passwords and phishing are the 2 strongest areas that users should focus on to help prevent security incidents from happening. Taking a few moments to create a strong password, using a password manager to help ensure each account has a unique password and being able to identify phishing emails can save companies hundreds or thousands of man hours and possibly millions of dollars that would be needed to recover from even a relatively minor incident.

Stay safe out there! If you have any questions or concerns please don't hesitate to contact me at CyberShamrock.Blog@gmail.com or your organization's IT Help Desk or IT Security offices.

Until next time.......Code Geek out!