Passwords: Improve Your Cybersecurity With These 8 Vital Tips

by Madhu Reddiboina | Nov 2, 2022 | IAM

Managing Your Passwords: Improve Your Cybersecurity With These 8 Vital Password Tips

Passwords… the more modern take on the traditional lock and key. As the first line of defense for the cybersecurity of any individual or organization, they’ve been at the center of our online security for years.

Yet, password best practices are still not followed – and it shows. With 80% of data breaches being linked to weak passwords, it’s time to brush up on your password-setting routines.

Let’s go through 8 password setting tips and best practices to keep you and your employees safe from cyber attackers.

1. Use a Long Password

As a rule of thumb, the longer the password, the more secure. And the numbers don’t lie:

A 12-character password with uppercase characters, lowercase characters, symbols (!, @, # etc.), and numbers take 62 trillion more attempts to crack compared to a simple 6-character password with only lowercase letters.

2. Never Use Personal Information
Using personal information such as your name, children’s names, or birthdays is bad practice. Yes, it makes them so much easier for you to remember but this generic information can often be found online and used by cybercriminals to gain unauthorized access to your system and accounts.

When you are next creating a password, think of something specific yet random:

A news headline that caught your attention that day
The menu item that you ate at a restaurant earlier
The song title and artist currently playing on the radio

3. Swap Letters With Punctuation and Numbers
Swapping letters with numbers and punctuation increases your security in two ways.

Firstly, it makes the number of attempts it would take to crack your password significantly larger, as swapping out letters for numbers makes the pool of options hackers have to go through significantly larger.

Secondly, if a potential intruder knew your password verbally, they still wouldn’t be able to gain access due to the change in the spelling.

Some examples of swaps could be:

a can be swapped with @
i can be swapped with !
s can be swapped with 5
t can be swapped with +
o can be swapped with 0
e can be swapped with 3

4. Make Deliberate Spelling Mistakes
Bad grammar is usually frowned upon but is an excellent way to deter cyber criminals that use brute force attacks.

This is a process that cybercriminals would use whereby they run through combinations of words in the dictionary using correct grammar and spelling until they crack the code.

If your passwords have incorrect spellings, this puts you at less risk of falling victim to these brute-force attacks.

5. Keep Your Passwords Secure
Now you would think this is straight to the point, goes without saying tip… Think again.

A staggering 79% of Americans share their passwords.

Never give up your passwords voluntarily, no matter how innocent it feels at the time. Also, avoid writing them down and leaving them in an unsecured place.

Often people give up their password involuntarily without even realizing it. One example of this is phishing scams in which a cyberattacker pretends to be from a reputable company and coerces the victim into handing over sensitive information.

For a full guide on recognizing and preventing phishing scams, check out our article on phishing.

6. Use a Unique Password for Every Account
Using the same password across multiple accounts sounds appealing, with fewer passwords to remember.

But, if a hacker gains access to one account, they gain access to all of them, which could be catastrophic in both a personal and work environment.

Never repeat passwords.

7. Use a Password Manager
The average user has 38.4 unique passwords to remember.

If they’re strong, long passwords with random characters, numbers, and misspellings, then those passwords are even harder to remember.

A password manager takes away that stress by keeping all of your passwords and login details in one secure place, often requiring multiple forms of authentication for access.

Which leads to our final and most pressing tip…

8. Enable Multi-Factor Authentication
Using multi-factor authentication (MFA) requires you to provide more than one form of authentication metric when gaining access to a system or account.

Microsoft claims that using MFA blocks 99.9% of attacks, which is a staggering statistic.

MFA usually comprises a password coupled with another verification such as SMS, email, or phone token, push notification to a verified device, biometric authentication, or a third-party mobile application code authenticator.

From a personal and organizational perspective, enabling MFA – or even better, passwordless authentication – is one of the most important things you can do to improve your cybersecurity.

For an organization, there are ample fantastic identity and access management solutions to choose from including Transmit Security or Okta. The only downside for an organization looking to implement MFA or passwordless authentication into their security strategy is the availability of expertise to implement that solution.

That’s exactly what we provide at Rediminds as your certified security implementation partner. Our team combines expertise in all of the core security solutions to support you from ideation to implementation.

Let’s create a safer online environment for your users, together. Get in touch to speak with one of our security specialists today.

Strengthen My Security

Phishing – 7 Tactics Hackers Use & How to Prevent Them

by Madhu Reddiboina | Oct 26, 2022 | IAM

Phishing – 7 Tactics Hackers Use & How to Prevent Them

A survey by Proofpoint reported that in 2021, ‘bulk’ phishing attacks were up by 12%, while more targeted attacks were up by approximately 20%.

Not only that, the success of those attacks were up year-on-year by over 45%.

The result is a staggering increase in the volume and effectiveness of phishing attacks on both an individual and a company basis. Which is why it’s imperative that combating such attacks should be top of mind in any cybersecurity strategy.

Before discussing how security professionals can combat these attacks, let’s look at exactly what phishing is and various types of phishing to be aware of.

What is Phishing?

Phishing is the act of someone pretending to be a reputable business or individual to either directly coerce a user into revealing valuable information like their credit card details and passwords or plant malicious software on the user’s infrastructure.

Attackers usually attempt this by:

Outright asking the user for sensitive information. For example, they may pretend to be a bank and asking for bank details and passwords for verification or send the user to a hoax website that resembles their bank or PayPal account where they are requested to input the information and their keystrokes are recorded

Or the user receives a link that when opened plants malicious malware such as trojans or ransomware on the user’s device

In this article, we’ll dive into 7 specific types of phishing to be aware of:

Email Phishing
Smishing
Search Engine Phishing
Vishing
Angler Phishing
Spear Phishing
Whaling

Types of Phishing

1. Email Phishing

The most common form of phishing attempt that attackers use, email phishing involves the attacker curating an email to appear as though it is from a reputable source.

They do this by registering a fake domain that resembles a legitimate business. This fools recipients as, at a glance, a small difference from the reputable company’s domain may go unnoticed. For example, instead of using an ‘m’ they may use ‘rn’ to look similar or they may register a domain that is “<credible company name>support”.

By designing the email in the typical format of the credible company and including identical branding, users can be tricked into trusting the phishing email unless they more closely inspect the email address it came from.

2. Smishing

Similar to email phishing, smishing attackers use mobile phones as a platform to attack individuals. The attackers send out masses of messages to potential victims that appear as though they are from a reputable company in an attempt to extract personal information such as credit card details from the user.

Text messages such as the one below claiming to be from Royal Mail (the British postal service) can fool consumers in this way. This particular SMS circulated in the UK following the surge in online shopping during the covid-19 pandemic.

While more recently in September 2022, the IRS has issued a warning to US taxpayers of a surge in smishing scams claiming to be the IRS.

3. Search Engine Phishing

In search engine phishing attacks, users are presented with offers or messages to lure them into clicking bad links. The attackers create fake websites and get indexed on legitimate search engines like Google to then lure consumers to enter their personal information and/or payment information to purchase deals.

Google reported that they detected 25 billion spammy pages every single day in 2020.

4. Vishing

Vishing scams use phone calls to defraud victims. The attacker calls their target, claiming to be a representative from a bank or other reputable institution in an attempt to extract personal information or even have them directly wire money right then over the phone.

Attackers take advantage of events to appear more persuasive and legitimate to their victims. For example, during tax season fraudulent callers whereby the caller impersonates an IRS representative are much higher because they’re more likely to be believed at this time of year.

5. Angler Phishing

In this relatively new method of phishing, attackers target social media users by posing as a customer service agent in an attempt to extract personal information from unhappy customers of a product or service.

Attackers create a fake account on platforms such as Twitter, Facebook or Instagram, ensuring that the fake account resembles a legitimate business page. The attacker then targets users who have publicly shared their unhappy feelings about a product or service the brand offers.

The fake account directs the victim to a link to connect with an agent and resolve their issue. In actual fact, that link will plant malware on the victim’s device or send them to a website that will attempt to extract information or money from them.

6. Spear Phishing

Rather than generic email phishing sent out at scale in the hopes that some recipients will fall for the scam, spear phishing is more targeted attempts to defraud specific individuals within an organization.

These emails are often more personalized and include believable context to lure the victim into trusting the sender. For example, the attackers may compromise the email of someone else in the organization, observe the conversations, and use this information to target someone else in the organization.

7. Whaling

Whaling, although very similar to spear fishing, only targets “big fish” in the organization such as c-suite executives rather than lower level employees – individuals who have access to more highly valuable and confidential information about the organization. If targeted as a specific executive level individual, email phishing, vishing, and smishing can all incorporate whaling tactics.

Tessian reported that in November 2020, the co-founder of Levitas Capital, an Australian hedge fund, followed a fake Zoom link that installed malware on the company network. The attackers attempted to steal $8.7 million using fraudulent invoices. They only got away with $800,000 but the reputational damage was done. Levitas lost its biggest client and ultimately closed.

Phishing Prevention – Keep Your Company and Employees Safe

Training and Awareness

Initiatives training employees to detect phishing messages, spot fraudulent links, assess whether the website they are using is secured, and make judgements on when to share personal or company data is absolutely critical.

This awareness could be the difference between reputational damage and financial losses versus safeguarding the cybersecurity of your employees and customers.

In fact, Microsoft reported seeing a 50% year-over-year reduction in employee susceptibility to phishing after simulation training.

However, more than 80% of companies surveyed by Proofpoint in 2022 said that at least half of their employees are working remotely due to the COVID-19 pandemic but less than half said they educate workers about best practices for remote working. The result is a workforce highly susceptible to cyber attacks, including phishing.

Keep Software Updated

The latest software updates for your operating system and applications across all devices will help protect your organization from any attacks. For example, malware sent in a phishing email and downloaded by an employee could be blocked by the latest update of your software, versus an older version not equipped with the right patches to combat the attack.

Check out our full article on Software Updates: Why They Matter to Your Cybersecurity.

Implement Multi-Factor Authentication

Multi-factor authentication requires multiple pieces of information for your customers or employees to login, and is an essential part of your identity and access management solution.

This helps protect against phishing attacks that convince the recipient to disclose their login credentials. The victim may disclose their username and passwords, but biometric data is much harder for the attacker to steal or replicate, rendering their phishing attack useless.

If you’re struggling to implement the most secure identity and access management solution for your business, RediMinds are the certified security implementation partner you can trust.

With a dedicated team, sharing years of experience implementing solutions like Transmit Security and Okta, we will help you define and execute the right solution that provides the highest level of protection for your employees and customers.

Get in touch today to find out how.

Tell Me More

Software Updates: Why They Matter to Your Cybersecurity

by Madhu Reddiboina | Oct 19, 2022 | IAM

Software Updates: Why They Matter to Your Cybersecurity

A 2020 survey found that missing patches and misconfigurations were one of the leading causes of company data breaches.

That means one of the most crucial ways to protect both yourself and your organization from malicious cyber attacks is regular software updates, including the operating system and every application that runs on your devices.

Why Outdated Software Leaves You Vulnerable

Cyber threats are constantly evolving and attackers are constantly searching for flaws in the system that they can exploit. Often, software updates include the fixes required to combat new forms of attack, but the success of these fixes relies solely on whether the software is actually updated by the user – whether that be at an organizational or individual level.

Failing to act on new updates leaves devices and systems extremely vulnerable to data breaches.

In fact, Microsoft reported in 2015 that most of its customers are breached via vulnerabilities that had patches released years ago, meaning they were completely avoidable had their customers simply updated their software. While in 2021, they reported yet again that there was a spike in attacks, with actors taking a “compromise first, monetize later” approach to take advantage of customer delays in updating their software.

How to Ensure Your Software Stays Up-To-Date

Never Delay

If you receive a software update notification, act on it as soon as possible. Whether it be the operating system on your mobile phones, tablets, and laptop, or application updates – especially your web browser and social media apps.

Or better yet, go one step further and…

Turn on Automatic Updates

Any legitimate software should include the option for automatic updates, so you receive the latest fixes to protect you from a data breach immediately upon their release.

This includes your operating system like Apple IOS and any applications like Microsoft Office or social media.

Only Download Software Updates From a Legitimate Source

Never download pirated or unlicensed versions of any software. They could contain malware that does far more harm than good.

This includes spotting and ignoring requests from fake pop-ups to download the latest update for a particular software. Pop-ups like this should never be followed.

Always check the legitimate company’s website for information on their latest updates.

Managing Software Updates as an Organization

37% of organizations admitted that they don’t even scan for vulnerabilities.

This number is staggering and leaves employees, customers, and the organization itself vulnerable to malicious attacks.

So how can companies tackle the threats posed by outdated software?

User Awareness

Creating understanding and awareness for cyber threats is a powerful way of tackling them by ensuring your staff are alert to potential threats.

Train staff on the importance of keeping their software up to date both at work and at home so they understand their role in maintaining the cyber security of themselves and the organization.

Maintaining Your IT Asset Inventory

As the essential foundation for effective cybersecurity in any organization, maintaining your IT asset inventory ensures your IT department understands the level of risk exposure and the devices that need to be included in automated updates.

Establish an Effective Security Testing Plan

Security testing uncovers vulnerabilities and weaknesses within your software and identifies the level of threat they present. This way, developers can prioritize the most pressing threats.

Without an effective testing plan, this process may not be undertaken properly, missing vulnerabilities in your systems. This goes hand in hand with ensuring everyone in your organization, and your customers, maintain the latest software versions, as once a threat is detected, the fix (patch) needs to be rolled out ASAP through a new software update.

Choosing the Right Security System

As an organization, the necessity to detect threats, roll out patches to combat them, and ensure the updates are carried out, are all part of your wider cybersecurity strategy.

If your current strategy isn’t providing your employees and customers with the highest level of security, RediMinds experts can assist you with implementing the right overall security strategy that suits your needs.

Get in touch today to find out more.

Secure My Organization

Multi-Factor Authentication: How Safe Is Your Login Process?

by Madhu Reddiboina | Oct 12, 2022 | IAM

Multi-Factor Authentication: How Safe Is Your Login Process?

How many passwords does the average consumer have to remember? 10? 20? No.

The average consumer has 38.4 unique passwords to remember. So it’s unsurprising that 80% of data breaches are linked to weak passwords.

That’s why multi-factor authentication (MFA) is more important than ever in every company’s access management system to cut the risks posed by weak and repeated passwords.

Gartner anticipates that 60% of global enterprises will implement some kind of passwordless authentication method by the end of 2022 – boosting cyber safety, improving the user experience, and driving consumer confidence.

What is MFA?

MFA is a login procedure, often backed by artificial intelligence, that adds an extra layer of security in an attempt to prevent fraudulent logins. This is achieved by requiring a user to use more than one authentication method to gain access to a system.

Right now, this is often a combination of a standard password and another authentication method. But, some companies have taken their digital transformation one step further and are progressing to complete passwordless authentication. This cuts out the use of standard passwords almost entirely, except as a fallback in case one of the passwordless authenticators fails.

Why is MFA So Important?

Technological advances don’t just benefit businesses in a positive way, they also benefit hackers as well – which can have disastrous consequences if businesses don’t remain a step ahead.

The standard ‘username and password’ login method is vulnerable to any number of attacks including:

Credential stuffing: Testing lists from database breaches against multiple accounts to see if there are any matches
Phishing: Hackers pretending to be from a reputable company coercing consumers to pass over their details
Password spraying: testing a list of common passwords in an attempt to gain access to someone’s account e.g. 123456, password123, qwerty, 111111
Keylogging: Recording keystrokes as a user types their login on a keyboard
Brute force: Using an algorithm to obtain the password in plain text
Local discovery: When a user writes down their password and it can be seen in plain sight
Extortion

And the list goes on.

But, MFA is so effective that Microsoft claims despite 300 million fraudulent sign-in attempts every single day, it can prevent 99.9% of those attacks.

Methods of MFA

MFA can be broken down into four authentication methods:

Knowledge: Something the user knows such as passwords, pins, and safety questions
Ownership: Something the user has such as a safety token
Biometrics: Something the user is such as fingerprints, retina, or voice recognition
Location: Where the user is using their IP address and possibly geolocation

Multiple authentication methods lie within these 4 categories. Let’s examine seven of the most common MFA methods.

1. Push Notification Authentication

When a user attempts to log into a system or process a transaction, a notification is sent to an authorized device (usually their mobile phone) so the owner of the phone can confirm the login is legitimate.

Due to the number of logins and transactions made through mobile devices, this is often the easiest and most convenient method for users.

However, it does mean that if the user’s mobile device is compromised, so are their accounts. And from a company perspective, only those who have their own app can enable this type of authentication.

2. Mobile Application Code Authentication

Similar to push notifications, app authentication works by sending an OTP (One Time Password) to a 3rd party app such as Google Authenticator. The user must retrieve the OTP from the app on their authorized device to continue their login or transaction, usually in addition to their own password.

The key difficulty for businesses is in the implementation of this process, requiring experienced DevOps to integrate it into their systems.

3. SMS, Email, or Phone Token Authentication

Often, users receive the option to choose which method of token authentication they would prefer to use. They designate either:

A cell phone number (usually their own) to which an OTP is sent via SMS upon every login attempt
A cell phone number on which they’ll receive a phone call with a spoke OTP
An email address to which they’ll receive the OTP

The limited lifetime of these passwords – usually only a few minutes- adds yet another layer of protection against fraud.

4. Physical Token Authentication

Physical token authentication is a “hard authentication” method, whereby the user must carry a physical item such as a swipe card or fob that generates an OTP for their login or transaction. For example, online transactions with some banks still require…
1) Online login details

2) Your debit card, and

3) A physical card reader to generate a transaction code

The downside? With so much of our online activity now on mobile devices, carrying a physical token can be inconvenient for users and easily lost. The cost to businesses of supplying these physical tokens can also be substantial.

5. Biometric Authentication

Arguably the safest method of authentication.

This is the process of using unique physical features to validate a user’s identity such as face recognition, fingerprints, and voice recognition.

Unlike standard passwords, biometric data is extremely hard to replicate and can’t be lost or stolen in the same way as standard passwords, which makes it unsurprising that it is quickly becoming the most popular form of authentication. Companies such as Apple and many banks have been leading the way on this and have already adopted it as a core part of their identity and access management strategy.

How to Implement MFA

Clearly, multi-factor authentication should be central to the security strategies of any company, for both their customers and employees. This can either support the traditional username and password login method as an additional layer of security or replace it entirely with passwordless authentication.

However, the implementation of artificial intelligence in cybersecurity is not straightforward. It requires specialist knowledge to successfully incorporate new authentication methods into existing systems without compromising the system, as well as ongoing maintenance and optimization to remain ahead of any threats.

If you need support to define and implement the right identity and access management solution for your organization, get in touch to speak with a RediMinds security specialist today.

Our team combines expertise in all of the core security solutions such as Transmit Security and Okta to support you from ideation to implementation.

Let’s create a safer online environment for your users, together.

Strengthen My Security

AI in Healthcare: 6 Applications of AI in Medicine

by Madhu Reddiboina | May 23, 2022 | Health Care

Passwords: Improve Your Cybersecurity With These 8 Vital Tips

Phishing – 7 Tactics Hackers Use & How to Prevent Them

What is Phishing?