Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: It’s not as simple as “Windows 7 = bad. Windows 10 = good” or “Password = bad. Passwordless = good”. But it certainly is as simple as “2FA = Good”.
This week’s action: Test your backups
>>>>> THREE ARTICLES <<<<<
1: HSE still has 30,000 Windows 7 devices. And?
Months after a cyber attack crippled the Irish health service, the Irish Independent reports that “there are still 30,000 out-of-date PCs being used across the health service”, and repeats the assertion by one senator that this shows Ireland’s cybersecurity is a joke.
30,000 machines running out-of-date software is certainly not ideal.
But until we know what these machines are used for, if / how they are connected to other devices and the internet, and if / how they are protected by other security measures, there’s very little we can say about the risk they pose. A Windows 7 device that is sitting in the corner of a secure room and not connected to a computer network is less of a cybersecurity risk than a poorly-configured Windows 10 device that allows the user to access, download and install whatever they like while also connected to the company network.
Threats, vulnerabilities, and mitigants: We can’t understand the risk until we know all three.
2: SEC fines 3 brokerages for not protecting their email systems.
“The US Securities and Exchange Commission has fined three brokerage firms on Monday for neglecting to secure employee accounts, incidents that led to the exposure of their customers’ data. [..] the three companies’ [cloud-based email systems] were hacked multiple times between 2017 and 2020, hid the intrusions, and failed to properly notify customers.”
I can only guess how the hacks happened, but based on this guess, my headline could have been: implementing two-factor authentication would have saved three brokerages an average of $250k in SEC fines (plus the unknown cost and disruption of the breach investigation).
The SEC fined these firms because they broke ‘the Safeguards Rule’, “which requires companies to protect confidential customer information from hacks or accidental data leaks.”
GDPR talks about “appropriate security measures”.
Different language. Same objective.
3: You no longer need a password for your Microsoft Account.
“Microsoft now lets you remove passwords from Microsoft accounts to embrace a passwordless future. Starting today, the software giant will let consumers sign into Microsoft accounts with its Microsoft Authenticator app, Windows Hello, a security key, or an SMS / email verification code instead of a password.”
Why do some people think this is a good thing? As the article describes, “most people create their own passwords, and it’s often a challenge to create something that’s secure and memorable. [..] People often reuse their passwords, too, allowing attackers to quickly log into a variety of compromised accounts after a particular organization is targeted and passwords are dumped.”
Why am I less sure? Because removing the password removes one of the two factors that you should have to protect your account. Without a password, if you can log in with just a tap on an Authenticator application, the security of your account is fully dependent on the security of the authenticator app. With two factors, a weakness in one factor is not enough to compromise your account.
Who is right? It depends on your reference point: This new approach is more secure than just a password. However, it is less secure than two-factor authentication.
>>>>> TWO STATISTICS <<<<<
65% of people use the same or similar passwords on more than one site, even though 92% know that this is a risk, according to a survey by LastPass (a password manager).
Yes, we know using the same password is very bold. And using a password manager is very good.
But, we also need to deal in realities.
There are plenty of sites that require us to set passwords even though we can’t do much on the site while logged in. Do we really care if someone guesses our password for these sites?
If you can’t protect everything, focus on protecting your most valuable accounts.
And use a password manager. And use two-factor authentication.
The amount of data (the equivalent of 600 million pages) lost by the Dallas Police Department after a staff member accidentally deleted (a lot of) data during “a routine data migration”.
The issue only came to light four months later when the District Attorney’s office asked why “pending cases were missing files”. At least one man accused of murder has been released while they work out if evidence in the case has been lost because a “city IT employee failed to follow proper, established procedures”.
Yep, blame the IT employee, not the clearly-faultless backup strategy.
>>>>> ONE ACTION <<<<<
1: Test your backups
Whether you are a city IT employee, or just the IT department of your household, now is a good time to check that you can restore your important files from your backups. (You do have backups, don’t you?)
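A restore drill you can script for exactly that check, added here as an example and not part of the newsletter. It constructs a few sample files, backs them up to a tar archive, then restores the archive into a scratch directory and compares SHA-256 hashes, so a backup that can't bring every current file back is reported immediately rather than discovered months later.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip tar of `source`, storing paths relative to it."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(source, arcname=".")

def verify_restore(source: Path, archive: Path) -> dict:
    """Restore `archive` into a scratch dir and diff it against `source`.
    All three returned lists empty means the drill passed."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the safe 'data' extraction filter where this Python has it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        expected, restored = hash_tree(source), hash_tree(Path(scratch))
    return {
        "missing": sorted(set(expected) - set(restored)),
        "mismatched": sorted(k for k in expected if k in restored and expected[k] != restored[k]),
        "extra": sorted(set(restored) - set(expected)),
    }

def run_drill() -> tuple:
    """Constructed demo: a fresh backup passes; after the source changes, the
    same archive is stale and the drill names exactly what it cannot restore."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "case-files"  # constructed sample data, not real records
        (src / "cases").mkdir(parents=True)
        (src / "cases" / "case-001.txt").write_text("witness statement\n")
        (src / "cases" / "case-002.txt").write_text("lab report\n")
        (src / "index.csv").write_text("id,status\n001,pending\n")
        archive = Path(work) / "backup.tar.gz"
        make_backup(src, archive)
        fresh = verify_restore(src, archive)
        (src / "cases" / "case-003.txt").write_text("new filing\n")  # added after backup
        (src / "index.csv").write_text("id,status\n001,closed\n")    # edited after backup
        stale = verify_restore(src, archive)
    return fresh, stale

if __name__ == "__main__":
    print(run_drill())
```

Run it on a copy of a real backup by pointing `verify_restore` at your own source directory and archive; anything in `missing` or `mismatched` is a file you could not get back today.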