Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: Free supply chain risk training from the UK’s NCSC, Wi-Fi networks are under threat from drones, and why 7 letters can make all the difference when it comes to your password.
3 – Free Supply Chain Risk Training
“Cyber attacks resulting from vulnerabilities within the supply chain can result in devastating, expensive and long-term ramifications for affected organisations, their supply chains and their customers. But despite these risks, many companies lose sight of their supply chains. In fact, according to the [UK Department for Science, Innovation & Technology] 2023 Security Breaches Survey, [only 13% of] businesses review the risks posed by their immediate suppliers.”
This is according to the UK’s National Cyber Security Centre (NCSC), which has recently launched free e-learning packages that will help “procurement specialists, risk owners and cyber security professionals to effectively manage risks across their supply chains”. (And my thanks to Cyber Rescue Alliance for sharing this on LinkedIn.)
Key takeaway: Regulated financial services firms are ahead of the curve when it comes to supply chain management, as I am seeing an increasing number of security questionnaires being sent from these firms to their service providers. More importantly, I am also seeing these same firms refuse to accept weak or incomplete answers from service providers. The firms’ vendor managers are more knowledgeable, and the days of pulling the wool over their eyes are gone. Training packages like these from the NCSC will only add to their knowledge.
2 – Wi-Fi is under attack
“A cyber attacker could sit in the corner of an office parking lot to track an employee. Using a [$700 drone], the hacker could select the employee’s car and press a single on-screen button to lock on. As the employee drives away, the drone automatically follows and tracks the employee’s car while shooting 4k video as far away as seven miles. Once the employee arrives home, the drone could land on the roof and begin hacking the home [Wi-Fi] network used by the employee’s home office. From there, the attack possibilities are obvious.”
This is a scenario described in a recent Security Intelligence article, and shared by my friend Andrew Fenton (whose pursuit of Lifelong Learning opportunities hopefully does not include drone operator!). The article also describes a real case, where a financial services firm based on the US East Coast suffered a breach after attackers landed drones on the roof of its office building. The drones had been equipped with Wi-Fi equipment that mimicked the corporate Wi-Fi network, enabling them to gather the login credentials of employees.
Key takeaway: There is a concept in cyber security called “zero trust”. It looks like we should now have zero trust in the physical security of our buildings, even if our office is on the upper levels of a secure office building.
1 – Length matters.
If your password is 8 characters long, and includes upper and lowercase letters, numbers, and symbols, a cyber attacker’s automated script will guess it in about 5 minutes. If your password is 15 characters long, and only consists of upper and lowercase letters (e.g. a short English sentence that you will easily remember), it would take 27 years.
Key takeaway: What we have been told about passwords is wrong – Length matters. And if the account is also protected by something else as well, the password is not the only thing an attacker needs to get their hands on. Have I ever mentioned Multi-Factor Authentication before?
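To show why the extra characters matter so much, here is a small added example (my own illustration, not from the article above) that estimates the search space an attacker has to cover: the alphabet size implied by the character classes in the password, raised to the power of its length. The guess rate is an assumption; real figures depend on the hash algorithm and the attacker’s hardware, and a password drawn from a dictionary or a famous quote falls far sooner than brute force would suggest, so these are upper bounds. The two sample passwords are constructed for the demonstration.

```python
import math
import string

# Character classes an attacker would have to include in the alphabet
# once they know (or assume) which kinds of characters the password uses.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    covered = set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    # Any character outside the four classes (space, accented letters, ...)
    # widens the alphabet by one distinct symbol each.
    extra = {c for c in password if c not in covered}
    return size + len(extra)


def search_space(password: str) -> int:
    """Number of candidates a brute-force attacker must try in the worst case."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits, the usual way to compare passwords."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given (assumed) guess rate."""
    seconds = search_space(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(short_complex: str, long_simple: str, guesses_per_second: float) -> dict:
    """Summarise both passwords side by side; the ratio is how much harder the second is."""
    return {
        "short_bits": round(entropy_bits(short_complex), 1),
        "long_bits": round(entropy_bits(long_simple), 1),
        "short_years": years_to_exhaust(short_complex, guesses_per_second),
        "long_years": years_to_exhaust(long_simple, guesses_per_second),
        "ratio": search_space(long_simple) / search_space(short_complex),
    }


if __name__ == "__main__":
    # Constructed sample passwords: 8 characters using all four classes,
    # versus 15 characters using letters only.
    SHORT_COMPLEX = "Xk7#qL2!"
    LONG_SIMPLE = "MyDogLikesToRun"
    # Assumed attacker throughput (a fast offline cracking rig); change to taste.
    ASSUMED_RATE = 1e11
    for key, value in compare(SHORT_COMPLEX, LONG_SIMPLE, ASSUMED_RATE).items():
        print(f"{key:>12}: {value:,.2f}" if isinstance(value, float) else f"{key:>12}: {value}")
```

Run it and the 15-letter password comes out with roughly 85 bits of search space against about 52 for the 8-character one, a gap of several billion times regardless of which guess rate you plug in. That is the whole point: each added character multiplies the attacker’s work, while adding symbol classes only adds to the base.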