Rules to Better Security - End Users - 22 Rules
Watch the best security videos on SSW TV for free.
The 10 tips CEOs must know for both end-users and SysAdmins:
For more information see: https://adamcogan.com/2022/04/10/better-security-10-tips-for-ceos-and-sysadmins/
If you need to remember the password then a passphrase is best. Preferably these should be made up of 4 random words with a length of at least 16 characters. These eliminate the requirement for special characters and are incredibly difficult for a computer to guess.
A strong password would look something like this:
OK example - A strong memorable password
However, the best passwords in the world are the ones you can never possibly remember. Computer-generated passwords, with a length of at least 16 characters, offer the most protection. A super strong password looks something like this:
Good example - A strong computer-generated password
This is obviously not something you can realistically type in every time you need to use it. Fortunately, the same tools that generate these for us also manage them, storing them securely and automatically entering them into websites and apps for us.
With a password manager, you don't have to remember that strong, unique password for every website. The password manager stores them for you and even helps you generate new, random ones.
It does not matter which one. There are many great tools out there:
Figure: Why you should use a password manager
In an Enterprise you should use an Enterprise password manager
- Keeper - Enterprise level password manager. Different groups of users can be given access to different passwords according to Business priorities.
- 1Password - syncs passwords and personal data across all your devices. It's not quite as slick or capable as many competitors, but it's still an easy-to-use utility
The best enterprise password managers provide a security score for all your enterprise passwords - fix them if your score is low.
They monitor your accounts, regularly checking if they have been released in a breach and notifying you of any problems.
They also allow administrative control of your accounts. In an enterprise you should be able to transfer any non-shared passwords if a staff member leaves (in case they forgot to share them). Lock their account and expire their master passwords. This is great when a staff member leaves but also super important if they lose a device.
You should use them for your personal security as well:
- Keeper - Password vault on unlimited devices and provides secure sharing if you need to give your password to someone else
- 1Password - Syncs passwords and personal data across all your devices. It's not quite as slick or capable as many competitors, but it's still an easy-to-use utility
- Lastpass - Matches the capabilities of other top paid password managers and is easy to use. Platform syncing limitations for the free version make it significantly less useful than it was
- BitWarden - Take control of your online password security and manage private data safely from any location or device
- Dashlane - Put passwords in their place, we'll take care of them for you.
The best way to protect your passwords is to never share them. However, in some cases, sharing passwords may be necessary. In these situations, it is essential to follow a strict password sharing procedure to ensure the security of sensitive information. The key to this procedure is having a powerful password manager to be able to share passwords securely and efficiently.
Learn more about the best password managers.
Do the following, in this order, to securely share passwords:
- Search for the password in a password manager - If you read the rule above, then you have set up a company-wide password manager. Users should be able to search for the passwords they need in the manager, directly. This method is considered ultra secure.
- Share the password via a password manager - Good password managers have one-time password sharing capabilities, e.g. generating a link to the record in the password manager, which can be shared with people who do not have access to the password manager. This method is considered super secure and efficient.
- Share the password via a secure message service such as onetimesecret.com - If you don't have a password manager, you can use free websites that generate links with a message that self-destructs, but this method is considered much less secure. We advise using different mediums to share the password, e.g. username via a Teams message, password via onetimesecret.com
- Share the password via SMS/text - If all previous options fail, we try sharing the password via text. However, this method is much less secure and should only be used as a last resort, if used at all, due to the password being saved forever in an SMS. We advise using different mediums to share the password, e.g. username via a Teams message, password via SMS. The password should be changed after it's all done.
By having a powerful password manager as the foundation of our password sharing procedure, we ensure that our sensitive information is secure and protected against potential data breaches or security threats. While it is always best to avoid sharing passwords, in situations where it is necessary, this password sharing procedure ensures that the sharing is done securely and efficiently.
Often an organization needs to share a password with a 3rd party. Perhaps a client or a vendor requires a password. There are a few ways that this could be achieved, but some are less secure than others.
Email - sending an email containing the username and password for anything is the worst thing you can do. If that email falls into the wrong hands it is immediately compromised.
Email + SMS - Sending a username via email and the password in SMS is slightly better but is still a little bit risky as both services could be compromised and often people sync their messages to their PC, so this is still too risky.
OneTime Sharing via a 3rd party - You could use a service such as OneTimeSecret to share the secret details. This is better but there is still a small risk that the 3rd party website could be compromised and your details are still leaked.
Share via your Enterprise Password Manager - This is the most secure way to share a secret with an external 3rd party. With products such as Keeper Enterprise, all of your passwords remain safe inside your own vault, and you can generate a link or a QR code to send to your client.
Storing sensitive information such as credit card details and passport information in an unsecured location poses significant risks, not only for the individuals whose information is stored but also for the organization responsible for that data.
Ideally don't keep these kinds of details at all. However that isn't always practical; busy managers and CEOs often need to be able to share them with admin staff easily so that they can (e.g.) book flights and arrange travel for them. They don't want to be always getting out their cards.
- Credit card information and passport details are highly sought-after by cybercriminals. When this data is stored in an unsecure manner, the likelihood of it being accessed and misused by unauthorized parties increases significantly.
- Should a data breach occur, the organization could face severe reputational damage, legal consequences, and financial penalties. https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/guide-to-privacy-regulatory-action/chapter-7-privacy-assessments
- Global and regional data protection regulations, such as GDPR in Europe, CCPA in California, and the Australian Privacy Principles (APPs) under the Privacy Act 1988 in Australia, mandate strict guidelines on how personal and sensitive data should be stored and protected.
- Storing such sensitive information in an insecure manner is a direct violation of these regulations, leading to hefty fines and legal action.
- Over time, unstructured and unsecured data can become outdated, redundant, or even be altered unintentionally.
Bad example - Using Dynamics 365's notes field for such data means there's no systematic way to track its accuracy, validity, or history.
Store details in an Enterprise Password Manager like Keeper
- End-to-end Encryption: Keeper ensures that sensitive information is encrypted both in transit and at rest, using advanced encryption algorithms.
- Role-Based Access Control: Only authorized personnel can access and manage sensitive data. This ensures that sensitive information is not accidentally or intentionally accessed by unauthorized parties.
Good example - Even better, from an enterprise password manager like Keeper, sensitive details can be one-time shared for a short time period on an ad-hoc basis.
- Auditing and Reporting: Keeper provides detailed logs and reports, allowing for complete oversight and management of all data stored within.
- Regulatory Compliance: With tools and features designed to aid organizations in complying with data protection regulations, enterprise password managers like Keeper ensure that sensitive information is handled according to global standards, including Australian Privacy Principles (APPs).
- Data Integrity: With structured data management, sensitive data stored in Keeper remains consistent, accurate, and up-to-date.
Storing credit card details, passport information, or any sensitive data in Dynamics 365's notes or similar unsecured fields exposes the organization to unnecessary risks. Leveraging enterprise password managers like Keeper ensures that this data is stored securely, is compliant with data protection regulations, including the Australian Privacy Principles (APPs), and is easily manageable.
Microsoft is constantly releasing updates for Windows, and one of the most important things they do is patch the security vulnerabilities that viruses and other malware exploit. Without these updates, users would be vulnerable to attacks from hackers. This is the same for macOS.
So it is critical to always keep your operating system up to date.
Often users don't know how to properly secure their computer and open themselves to vulnerabilities. Windows Security solves this by ensuring that a PC is running all the best practices to keep it safe from harm.
The most important aspect of Windows Security is to check that you have the 5 green ticks. These ticks mean your computer is following the best practices for security.
Users are often exposed to viruses on their machines. Virus scans help identify and remove potential threats on your machine. Windows comes with built-in protection called virus and threat protection that is suitable for most situations.
Make sure to regularly run a quick scan on your computer to check for threats. These quick scans don't take long and make sure the most common threats are addressed.
If it is suspected that a machine has a virus, then it pays to be extra certain about possible infections. In that case, do the following:
- Run a quick scan - This scan will quickly identify and isolate threats
- Run a full scan - This scan takes a few hours and will do a deep check on your PC to remove problems
- When you no longer need to use your PC, run an offline scan - This scan will take your PC offline to do a scan and ensures viruses can't reinfect you during the quarantine process
Complexity requirements are valuable in that they offer a little protection, but not as much as you think. Attackers generally use 2 methods to get people's passwords: brute force, and social engineering.
Brute force means they try different combinations until they find one that works. But before trying random combinations, they start with well-known lists of words called dictionaries and rainbow tables, and the whole process is automated. Using cheap scalable cloud hosting, attackers can try billions of combinations in seconds.
When people see complexity requirements in password rules, they usually do 1 or both of 2 things:
- Transforms - when you ‘transform’ a dictionary word in some way, like changing the word
- Substitutions - when you substitute one character for another, like changing the word
The problem with these rules is that the majority of people use similar transforms and substitutions, so the dictionaries and rainbow tables that attackers use are filled with what are called well-known transforms and substitutions. This means that password123, and many other variations, are in their dictionaries, and therefore offer no more protection than the actual word itself.
It's not worth the effort trying to get clever with these... if you can think of a transform or substitution, it's almost certainly already on the books.
If you are using complexity, a better approach is to come up with a reusable, easily remembered scheme of your own. For example, inserting !#@ after every 3rd letter, which would yield pas!#@wor!#@d, is significantly better than the plain word:
Better example (however never use this password - the fact that this has been published here has made it untrusted!)
Passwords are a legacy technology that is not fit for the purpose that we use them today. We're working our way towards a post-password world, in particular the FIDO alliance, and many biometric technologies, including fingerprint and face recognition that you may have in your phone. But for now, passwords are something we all need to live with.
We're used to seeing lists of password requirements, such as:
- Minimum length
- Complexity (e.g. must include upper and lower-case letters, numbers, and special characters)
- Minimum age (e.g. you can’t change it more than once in 24 hours)
- Maximum age (e.g. you must change it every 30 days)
The most important of these is length.
Look at this graphic:
This table clearly shows that adding complexity (mixing upper and lower case, adding numbers, adding symbols) does increase the time it takes an attacker to brute force your password, but not by much, and only in conjunction with a password of sufficient length.
In 2022, 10 characters should be the absolute minimum for a password. 12 characters is a better baseline, and 16 is what you should aim for.
Minimum password age and maximum password age rules are not useful and do more harm than good. Passwords are already difficult to manage, and forcing people to change them at specific times encourages poor password practices, such as using well-known transforms and substitutions, or writing them down.
Research shows that these negative effects don’t yield any benefit. To illustrate why, imagine a password policy that forces a change every 30 days (or worse, 90 days). The logic behind this is to mitigate the effect of a compromised password, meaning that if someone does gain your password, they can only use it for a maximum of 30 days before it is no longer valid.
There are 2 key problems with this logic. The first is that a lot of damage can be done in 30 days. The second is that attackers generally become aware immediately that they have a working password, and the research tells us that to have the desired effect, a user would have to change their password every 8 milliseconds. Anything longer than that is ineffective.
The available list of 10, 12, or 16 (or better yet in terms of length, 20) character words is limited. So if you pick one of these words you don’t afford yourself much protection.
Possible combinations of words, or phrases as we call them, are almost infinite. While we still use the term ‘password’, you should use a short phrase rather than a word.
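As an added example (not code from the original page or from SSW), the script below reproduces the kind of table the graphic shows and then compares the strategies discussed above: a long dictionary word, a word with well-known transforms applied, fully random characters, and random words. The guess rate, dictionary size and number of mangling rules are labelled assumptions chosen for illustration; the Diceware list size is the real one.

```python
import math

# Added example, not from the original page. The values below are assumptions
# chosen to illustrate the argument, not measurements of any real attacker.
GUESSES_PER_SECOND = 1e10   # assumed rate for a cheap cloud GPU rig against a fast hash
DICTIONARY_WORDS = 170_000  # assumed size of an English word list
MANGLING_RULES = 1_000      # assumed count of well-known transforms/substitutions per word
DICEWARE_WORDS = 7_776      # size of the standard Diceware word list (6**5)

CHARSETS = {
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "upper + lower + digits + symbols": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Strength in bits of `word_count` words picked uniformly from one list."""
    return word_count * math.log2(dictionary_size)


def seconds_to_crack(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace; on average an attacker needs half."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < 1:
        return "under a second"
    for name, size in (("years", 31_536_000), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            value = seconds / size
            return f"{value:.3g} {name}" if value >= 1e6 else f"{value:,.0f} {name}"
    return f"{seconds:,.0f} seconds"


def crack_table(lengths=(8, 10, 12, 16, 20)) -> list:
    """(charset name, length, bits, seconds) for every charset/length pair."""
    return [(name, n, entropy_bits(size, n), seconds_to_crack(size, n))
            for name, size in CHARSETS.items() for n in lengths]


def strategy_bits() -> dict:
    """Why a long dictionary word, even with transforms, loses to random words.

    A single word costs the attacker one dictionary lookup however long it is;
    well-known transforms only multiply the dictionary by the number of rules.
    """
    return {
        "single dictionary word (any length)": math.log2(DICTIONARY_WORDS),
        "dictionary word + well-known transforms": math.log2(DICTIONARY_WORDS * MANGLING_RULES),
        "8 random chars, full charset": entropy_bits(95, 8),
        "4 random Diceware words": passphrase_entropy_bits(4, DICEWARE_WORDS),
        "16 random chars, full charset": entropy_bits(95, 16),
    }


if __name__ == "__main__":
    print(f"Assuming {GUESSES_PER_SECOND:.0e} guesses per second\n")
    for name, n, bits, secs in crack_table():
        print(f"{name:<34} len={n:<3} {bits:6.1f} bits  {human_duration(secs)}")
    print()
    for label, bits in strategy_bits().items():
        guesses = 2 ** bits
        print(f"{label:<42} {bits:6.1f} bits  {human_duration(guesses / GUESSES_PER_SECOND)}")
```

Under these assumptions four random Diceware words land close to eight fully random characters, and far above any single dictionary word with transforms, which is the point of preferring a phrase over a word.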
Note: Ideally you should not need to remember any password, instead use a password manager.
There’s a now famous web comic from XKCD that explains this:
The specific advice in the comic about how to pick a good passphrase may not be relevant to you, but the resulting impact on security is.
To choose a good passphrase, use a combination of words that are unique and memorable. For example, you may have a distinct memory of a cat licking your ice cream when you were 4 years old. So 4yearicecreamcat might be a memorable phrase for you.
You might think a favorite sentence from a book might be better, given that it's longer. While this is true in the context of time taken to brute force a password with procedural character combinations, as attackers adapt their techniques to longer passwords it's important to remember that a combination of words known to anyone in the world other than you is bad to use as a password.
Bad Example – It's a word that other people know
Bad Example – It’s the opening to one of Shakespeare’s sonnets so is known to other people (and painful to type in)
OK Example – It's 16 characters, composed of 5 words, is not a phrase that is known by anyone else, and is easy (for you) to remember
Before Haveibeenpwned, there was LeakedIn. LeakedIn was a website set up in 2011 following a high-profile breach at LinkedIn where passwords were leaked. The website operated like Haveibeenpwned, letting you check whether your account was in the breach, but only for LinkedIn.
I was encouraging colleagues to check the site, but most people were unconcerned, saying that there was little to panic about if someone had compromised their LinkedIn account. When I asked them “but what about every other website you use the same username and password for?” they would often go pale and run to their computer to check.
Using the same password everywhere may seem like a convenience, but the impact of a compromised password can be orders of magnitude greater if you reuse it.
If there is a breach at a website you use, and you only use the password there, then you have to change one password, and the scope of the issue is limited to that one website. If you reuse the same password everywhere, and any one of those services is breached, the attacker now has access to everything – your bank, your work, your social media, everything.
Use a unique password for everything.
Employees with a compromised account should immediately contact their SysAdmins for help. This is whether it is a personal or a work account.
A personal account (e.g. Gmail) breach should be resolved by a System Administrator with the same priority as a work account. Employees should expect the same level of service on a personal breach as they would on a corporate breach.
Why? If your Gmail has been hacked this can have implications for the company.
Once you have informed your Systems Administrator of a potential breach send an "As Per My Conversation" email.
The best protection you can provide for your password is to not solely rely on it. Multi-factor authentication (MFA) lets you use a mix of techniques when logging into an account. Typically this is made up of something you know (your password) and something you have (your phone - older people will remember RSA tokens).
Your phone can provide a second factor either through an installed authenticator app, or by receiving an SMS with a one-time password. Authenticator apps are recommended, as they are more secure than SMS.
We are now seeing biometric security using facial recognition, fingerprints, or in more advanced scenarios palm-vein scanning (and plenty of others too). While biometrics offer convenience and reduce our reliance on passwords, they usually replace username and password altogether (although they rely on accounts that use them behind the scenes), rather than providing an additional factor (e.g., username + password + fingerprint).
Nearly any service you use now will support MFA, either through an authenticator app, SMS, call or even email if you have no other option. Ensure that it is enabled for everything you use.
If you use the Microsoft Authenticator app, you can go one step further and get rid of the need to type a password. To enable passwordless sign-in:
- Open the Authenticator app, and tap on the account you want to enable it for
- Tap Enable phone sign-in and tap Continue
Now that it is enabled, you will need to change your default - next time you need to sign in:
- Instead of typing your password, select Use an app instead or Other ways to sign in
- Select Approve a request on my Microsoft Authenticator app
Note: The above option "Use an app instead" takes some time to reflect on your login prompt after you have made changes in your Authenticator App.
Keeper is a password manager which has an awesome feature inbuilt to store our MFA codes. Keeper has developed a fully-integrated security layer that adds two-factor codes directly to vault records.
Keeper works as a password entry authenticator with support for Google Authenticator, Microsoft Authenticator, and other Authenticator apps. To set up this integration, go to your password entry and click the Add Two-Factor Code button under the Custom Fields and File or Photo options. You can then upload a QR code or manually set up a connection to your account to authenticate via a time-based one-time password app.
Read the article Best Ways to Keep your Recovery Phrase Secure.
Sometimes passwords can be compromised through no fault of our own. There have been several high-profile breaches of password databases.
The project haveibeenpwned is a free database that aggregates data from breaches, and you can use it to check whether your account has been included in a known breach.
You can enter your username (usually an email address) and it will tell you if your email address has shown up in a known data breach. If it has, that password is compromised and should be changed immediately.
You can also subscribe to haveibeenpwned, so that if in the future your email address shows up in a breach, you can be notified straight away.
When an organisation has a security breach, passwords are compromised and there is no visibility of the problem. This problem means that hackers can gain access to people's accounts without anyone realising what has happened! The project haveibeenpwned is a website that addresses this problem...
haveibeenpwned keeps a record of all known hacks and accounts that have been affected.
It is a good idea to regularly check haveibeenpwned to see if any of your passwords have been exposed. If one of your accounts has been affected, then make sure to change the passwords you use for that account and anywhere else you use that password.
Even better, if you are a superstar 🤩 then the gold standard for password management is to use a password manager.
The most common attack vector for hackers to either compromise our computers or deliver malware is email. Some of these attacks are sophisticated, perpetrated by well-funded criminal organizations. But these are rare, and usually targeted at a specific individual for a specific purpose.
Most email scams are actually quite easy to spot, and this is deliberate. People who fall prey to simple scamming techniques are easier targets, whereas people who require more sophisticated techniques to fool, are more likely to recognize a scam later in the process.
These simple techniques will help you identify scams and avoid falling prey to attackers.
An unsolicited email is an email that you weren’t expecting. For example, a popular scam a few years ago was to send an email purportedly from the postal service, claiming you have an undelivered package. The recipient was directed to click on a button or link in the email to arrange redelivery.
Another popular scam was an email claiming to be a parking or speeding fine. While these can be scary, and often people want to resolve them as soon as possible, it’s important to take a breather and remember that neither these nor missed delivery notifications get sent by email.
When you send or receive an email, the sender and recipient fields each show an email address and a friendly name. The friendly name can be changed to whatever you like, without impacting where the email actually comes from, so check the address itself, not just the name.
It’s important to note that this is just one tool in your arsenal. Attackers can spoof email addresses too, so if you have any doubts, you should ask your SysAdmins to help you check the message headers, or do a message trace for you. But an incorrect email address is a dead giveaway.
If you receive an unsolicited email asking you to open an attachment you should delete and ignore it (or report it to your SysAdmins or security team if you have additional concerns).
There may be some cases where you have a suspicion that the email may be legitimate. In these cases, DO NOT reply to the email asking them to confirm (see the section below on checking mailbox rules). Instead, contact the sender via another means (e.g. call them on the phone or on Teams). Only open the attachment or click on the link if you are 100% certain, having verified with the sender, that the email is legitimate.
Malicious emails these days often include a link that the recipient is directed to click on. This can sometimes be to a phishing site, and sometimes it’s a link to some malware (e.g., ransomware which will encrypt all the recipients’ files, plus those on any shares they have access to, demanding a ransom to unencrypt them). Linking to malware avoids them having to worry about the malware being stripped out by malware filters in the email system.
Before clicking on a link in an email, hover over it to see where it goes.
You will never receive a legitimate email asking you to disclose your password (or any other sensitive information for that matter). An email that asks for your password, or asks you to click on a link to ‘confirm’ your password, is a scam and should be deleted immediately (and reported if advised to in your corporate security policy).
A particularly nefarious scam is for an attacker to take control of your mailbox, but hide rather than changing the password and locking you out. By not alerting you to their presence, they can squat there for longer and do more damage. A common scenario is to email your contacts and ask them to change their payment details for any invoices to an account controlled by the attacker.
When they do this, they will often create a sub-folder in your mailbox that you don’t know about, then set up a rule redirecting any incoming mail to that folder. That way, if someone replies asking them to verify the legitimacy of the email, the attacker can intercept it and reply without you even knowing.
If you have any reason to suspect any strange activity in your account, check your mailbox rules for anything suspicious. If you discover any rules, delete them, check the sub-folder they were directing messages to, and check your sent items for anything they may have sent out without you knowing. And, of course, change your password immediately.
The Australian Cyber Security Centre (ACSC) leads the Australian Government's efforts to improve cyber security. They monitor cyber threats across the globe 24 hours a day, seven days a week so they can alert Australians of cyber threats.
Visit and register on the ACSC website to receive alerts for the latest cyber threats.
Visit https://phishingquiz.withgoogle.com/ and test how good you are at recognizing a phishing email.
Phishing is a form of social engineering where an attacker tries to convince a victim that a resource they are in control of is a legitimate resource. This is usually achieved through the use of deceptive email messages or websites.
Attackers will often craft a website that looks like a legitimate one for the sole purpose of stealing your username and password (or some other sensitive information). They might, for example, build a website that looks exactly like LinkedIn, so that you think you are logging into LinkedIn, but are in fact giving an attacker your username and password.
A URL is made up of a fully-qualified domain name (FQDN) and a path. The FQDN is the part between the https:// and the next /. Anything after the / is part of the path and not the FQDN.
The FQDN is made up of a top-level domain (TLD), a domain, and then a subdomain or subdomains. These move from right to left, so for the address https://www.ssw.com.au/, .com.au is the TLD, ssw is the domain, and www is a subdomain.
For the address https://www.ssw.com.au/people/, people is the path. The path can include all kinds of other characters and parameters.
You should always check that the domain matches the service or website you are expecting.
Bad Example – The address has LinkedIn in it, but it is a sub-domain, not the domain
Bad Example – The address has LinkedIn in it, but it is in the path, not the FQDN. The FQDN is also suspicious
Bad Example – the address has LinkedIn in it, but is not a legitimate LinkedIn site
Good Example – LinkedIn is a secure domain
If you are curious about a URL, and think it might be legitimate, you can check the Whois record to see who owns the domain.
When entering your password (or any other sensitive information, including credit card numbers) into a website, you must make sure that your connection to that website is encrypted. The route your password takes from your web browser to the website is quite a journey – it starts by being broadcast across your wireless network (your wireless network should be encrypted, but it's best not to rely on that). It then goes to a router, then to your internet service provider (ISP), then anywhere across the world before getting to its destination. It can be intercepted at any step along this journey.
Check that the connection is encrypted. Look for the padlock symbol in your browser (usually in the address bar)
Also ensure the address starts with https:// and NOT http:// (without the s).
Finally, you may sometimes see the address bar turn green. This indicates that the owner of the website has gone through extended verification (EV). EV is not necessary for security, however EV is part of an encryption certificate, so if you see it, then it’s an indication that the connection is encrypted.
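As an added example (not code from the original page or from SSW), the script below applies the URL checks above mechanically: it splits a hostname right to left into suffix, domain and sub-domains, compares the registrable domain with the one you expected, names the trick behind each of the bad examples (sub-domain, path, merely-contains, look-alike), and also rejects a plain http:// address. The multi-label suffix set, the look-alike heuristic and the sample URLs are constructed assumptions; a real tool would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Added example, not from the original page. Tiny constructed stand-in for the
# Public Suffix List, so that ssw.com.au splits as domain "ssw" + suffix "com.au".
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

# Constructed homoglyph folding used by the look-alike heuristic.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})


def split_hostname(hostname: str) -> dict:
    """Break an FQDN into suffix, domain and sub-domains, reading right to left."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"not a fully-qualified domain name: {hostname!r}")
    suffix_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    suffix = ".".join(labels[-suffix_len:])
    domain = labels[-suffix_len - 1]
    return {"subdomains": labels[:-suffix_len - 1], "domain": domain,
            "suffix": suffix, "registrable": f"{domain}.{suffix}"}


def looks_alike(candidate: str, genuine: str) -> bool:
    """Crude look-alike test: fold homoglyphs, then allow at most one edit."""
    a = candidate.translate(HOMOGLYPHS).replace("rn", "m")
    b = genuine.translate(HOMOGLYPHS).replace("rn", "m")
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def check_url(url: str, expected_domain: str) -> dict:
    """Verdict plus the reasons a careful reader would give for distrusting a link."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    try:
        host = split_hostname(parts.hostname or "")
    except ValueError as exc:
        return {"ok": False, "reasons": reasons + [str(exc)]}
    expected = split_hostname(expected_domain)
    name = expected["domain"]
    if host["registrable"] != expected["registrable"]:
        reasons.append(f"domain is {host['registrable']!r}, expected {expected['registrable']!r}")
        if name in host["subdomains"]:
            reasons.append(f"{name!r} appears only as a sub-domain")
        if name in parts.path.lower():
            reasons.append(f"{name!r} appears only in the path")
        if host["domain"] != name and name in host["domain"]:
            reasons.append(f"domain {host['domain']!r} merely contains {name!r}")
        elif host["domain"] != name and looks_alike(host["domain"], name):
            reasons.append(f"domain {host['domain']!r} is a look-alike of {name!r}")
    return {"ok": not reasons, "path": parts.path, **host, "reasons": reasons}


# Constructed sample links; the bad ones use the reserved .example suffix.
SAMPLES = {
    "https://www.linkedin.com/login": True,
    "https://linkedin.com.evil.example/login": False,   # name is a sub-domain
    "https://evil.example/linkedin.com/login": False,   # name is in the path
    "https://linkedin-login.example/": False,           # name merely contained
    "https://www.linkedln.example/": False,             # look-alike, l for i
    "http://www.linkedin.com/": False,                  # right domain, no TLS
}


def audit(samples: dict = SAMPLES, expected_domain: str = "linkedin.com") -> dict:
    """Map each sample URL to whether it passes the checks."""
    return {url: check_url(url, expected_domain)["ok"] for url in samples}


if __name__ == "__main__":
    for url in SAMPLES:
        result = check_url(url, "linkedin.com")
        print("OK  " if result["ok"] else "BAD ", url)
        for reason in result["reasons"]:
            print("      -", reason)
```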
Leaving your desk for a coffee, catching up with friends for lunch, or attending a meeting in the boardroom, are just some of the reasons why we leave our workstations throughout the day.
But did you know that you might be exposing your company to a potential security risk?
Good news! It's a simple solution: Lock your computer when you leave!
In this rule, we will be looking at why we should lock our computers when we leave our workstations, and some quick and easy ways to make this a part of your daily routine.
Here are some reasons why it's important to lock your computer when you leave your workstation, even for a second!
- Access - Someone can acquire important or private information, and even delete or change files
- Peering eyes - Passersby might see sensitive data, e.g. Payroll
- Control - With your computer unlocked, this gives access to install potential harmful software
- Communication - Someone could send harmful or sensitive communication using your email or IM "from" your account
There are a few ways to do this:
- Windows: Start menu | Power | Sleep
- Mac: Apple menu (Top left corner) | Lock Screen.
- Windows: Windows button (Hold) + L
- Mac: Control + Command + Q
Windows can use devices that are paired with your PC to help detect when you’re away, then it can lock your PC shortly after your paired device is out of Bluetooth range.
This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.
For more information, check out Windows PC Dynamic lock feature.
Using these quick and easy methods to lock your computer when you leave your workstation will ensure you're doing your part to minimize security risk in your company.