As a cybersecurity professional I get frequent questions from people who want to know how to keep their personal or business data secure. While it is true that the tools and techniques used by hackers are getting more sophisticated, the reality is that most breaches, even the very large and highly publicized breaches, could be prevented by implementing common security measures. The bottom line is that in most scenarios, hackers are gaining access to systems the same way they have been for years, by users making poor choices on the Internet, or clicking malicious links in email or other online messages.
Nearly all cyberattacks involve a hacker stealing the valid credentials from a user. Often hackers accomplish this by social engineering, a fancy way of saying they trick a user into giving up secret information like usernames and passwords. Since most users reuse the same password or a slight variation of the same password among different computers and applications, hackers can begin to move rapidly and access a user’s data. For instance, if a hacker tricks a user into clicking a link within an email and ultimately harvests the user’s email password, the hacker will logon to the user’s email. Once in the user’s email account, the hacker will begin reconnaissance to see what other information is in the email box such as emails from banks, employers, cloud storage providers, healthcare websites, social media sites, and more. The hacker will then begin using the password obtained for the user’s email on all of the other sites and generally with a high degree of success.
As someone who investigates cybersecurity incidents for a living, I believe there are two quick wins to defeat this attack and keep information safe. The first, and most important, is multifactor authentication (MFA), also sometimes referred to as two-factor authentication (2FA). MFA requires that a user provide at least two forms of information in order to be authenticated, drawn from three categories: something you ARE, something you HAVE, and something you KNOW.
Every person uses MFA when they use a debit card. When a customer presents a debit card at a business and then enters a PIN to complete a purchase, they have just provided something they have (the card) and something they know (the PIN). Usually, the MFA categories include items such as:
Something you Are: Retina scan, Iris scan, fingerprint, voice analysis, etc.
Something you Have: PIV card, one-time password token, smartphone, physical key, etc.
Something you Know: PIN, password, passphrase, security questions, etc.
Implementing MFA immediately protects a user against brute force attacks and social engineering. Even if a hacker obtains a user’s password through some means, unless the hacker also has the second component of MFA, they still cannot access the user’s data. For individuals, MFA is usually accomplished either by the user receiving a text message with a one-time password, or through the use of a third-party authenticator application. When a user attempts to logon to a website or application, the user is prompted for their username, password, and the one-time password.
The above screenshot shows a logon attempt to the website Dropbox. I have enabled two-factor authentication for my Dropbox account, which requires me to supply my username, password, and the six-digit one-time password from my smartphone app.
The Google Authenticator app, available for iOS, Blackberry, and Android devices, is an excellent app to use and should be enabled on every site that supports it. A quick Google search will provide details on how to set up Google Authenticator and the different websites it is compatible with. Google Authenticator works with several websites including Gmail, Microsoft, Dropbox, WordPress, Evernote, Hootsuite, and many more.
The above screenshot shows an example of the Google Authenticator app. When the app is opened, the user simply enters the digits displayed for authentication. This is known as a one-time password because the password changes at a regular interval.
Many websites and services offer MFA whether it is via text messaging (also known as short message service or SMS), or an app like the Google Authenticator. For a great resource on what websites are offering MFA, check out Two Factor Auth. Several websites have their own MFA such as Apple iCloud, Twitter, and Facebook. Had Apple implemented MFA and celebrities taken advantage of it, the nude photos that were leaked in 2014 when hackers used a flaw that allowed them to brute force iCloud accounts would have been prevented.
The above shows an example SMS providing a one-time password as two-factor authentication to access a website.
The second quick win with password protection is the use of a password management solution. By creating different passwords for different sites, users dramatically reduce the access a hacker might obtain by stealing a single password. My recommendation is to use a password management tool that stores passwords in an encrypted database and also has a built-in random password generator. This way, users can generate a unique and complex password (at least 10 characters with upper, lower, numbers, and special) for each website. Users only have to remember one password (the one for their password management tool) and can then copy/paste passwords from the management tool to the site or application.
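A generator that enforces the policy just described (at least 10 characters, with upper, lower, digits and specials) must draw from a cryptographically secure source, which is what distinguishes a password manager's generator from an ad-hoc script using `random`. The block below is an added example, not the original post's code nor any particular manager's implementation; the set of special characters is a constructed choice.

```python
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"   # constructed set; real managers let the user pick allowed symbols
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)
MIN_LENGTH = 10


def meets_policy(password: str) -> bool:
    """The article's policy: at least 10 characters and at least one character from every class."""
    return len(password) >= MIN_LENGTH and all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Draw one character from every class first so the policy always holds, fill the rest from the
    union of all classes, then shuffle with the OS CSPRNG so class positions are not predictable."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for _ in range(3):
        pw = generate_password()
        print(pw, "meets policy:", meets_policy(pw))
```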
There are many password management tools available; some are cloud-based and others are local applications installed on a computer. Both have their pros and cons, with LastPass being very popular for cloud-based and KeePass for local installations. My personal preference is to install the database locally so my passwords aren’t stored entirely in the cloud and exposed to hackers, as in the 2015 LastPass attack. A local application such as KeePass is a little less convenient, but there are ways to make it more useful, such as installing the iOS or Android app and having the passwords available on a (hopefully encrypted) smartphone.
The above screenshot is of the Mac version of KeePass, known as KeePassX, and the password generator tool built into the application.
As with any security-related tool there is a trade-off between convenience and security. MFA does take an extra minute and requires the possession of a cell phone, but the peace of mind it provides is well worth the extra step.