What can happen to my password if it is stolen?

Once an attack has happened and the criminal has your data, he or she will likely run through the following steps, which we like to call “A Hacker’s Post-Breach Checklist.” The hacker will:

Inventory the stolen data: Hackers will look through the stolen data files for authentication credentials, personal information like names, addresses and phone numbers, and financial information like credit card details.

“Hackers will often start by selling data on military or government accounts. People are also bad at choosing passwords for individual services and often reuse passwords, which lets hackers try those passwords on the other websites their victims use.”

– Marc Laliberte, WatchGuard’s Information Security Threat Analyst

Sell personal information: Next, the hacker packages up personal information such as names, addresses, phone numbers and email addresses and sells it, typically in bulk. The fresher the data, the more it is worth. According to Quartz, a full set of someone’s personal information, including identification number, address, birthdate and possibly credit card details, sells for between $1 and $450, with a median price of $21.35.

Look for the good stuff: Hackers then go through the authentication credentials more carefully, looking for potentially lucrative accounts. Government and military addresses are very valuable, as are company email addresses and passwords for large corporations. Since people often reuse their passwords, hackers can use credentials for military or corporate accounts to target other companies. For example, Dropbox was breached in 2012 using credentials stolen in the LinkedIn data breach earlier that year. A hacker may carry out such an attack personally or sell the credentials to others on the dark web for a much higher price.

Offload the cards: Financial information such as credit card numbers is packaged and sold in bundles; someone with the right contacts can buy card data in lots of ten or a hundred. Usually a “broker” buys the card data and resells it to a “carder,” who runs a shell game of purchases to avoid detection: first the carder uses the stolen cards to buy gift cards for stores or Amazon.com, then uses those gift cards to buy physical goods. The carder may then sell the goods through legitimate channels such as eBay, or on an underground dark web market.

Sell in bulk: After several months, the hacker bundles up the authentication credentials and sells them in bulk at a discount. By now most of the credentials are worthless, since the company has most likely discovered the breach and taken steps to remediate it, but dumps keep circulating for years: a database containing the entire LinkedIn credentials dump is still available.

How to Create Strong Passwords

Why are strong passwords needed?

Good computer security includes the use of strong passwords for all of your accounts. Passwords are often the weakest link in a security scheme. Strong passwords matter because password cracking tools keep improving and the hardware used to run them (today, mostly GPUs) keeps getting faster; password hashes that once took weeks to break can now be broken in hours.

Password cracking software uses one of three approaches: intelligent guessing (rules that mutate likely words, for example by appending digits or swapping letters for look-alike symbols), dictionary attacks, and brute force, which tries every possible combination of characters. Given enough time, brute force can crack any password, but the work grows exponentially with length: each extra character multiplies it by the size of the character set, so a long password can take years rather than hours.

For a password to be strong and hard to break, it should:

  • Contain at least 6 characters (treat this as an absolute floor; the policy further down asks for at least 15, and longer is always better)
  • Contain characters from each of the following three groups:
      • Letters (uppercase and lowercase): A, B, C, …; a, b, c, …
      • Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
      • Symbols (all characters not defined as letters or numerals): ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
  • Have at least one symbol character in the second through sixth positions.
  • Be significantly different from prior passwords.
  • Be changed every 6 months (see the notes on changing passwords below).

When typing in your password, make sure no one is watching you type. Ask anyone around you to kindly look away.               

Password reuse, like what Marc describes above, creates opportunities for further breaches. For example, Dropbox was breached in 2012 because a Dropbox employee’s LinkedIn password was stolen in that site’s data breach and had been reused for their work account.

A strong password policy shouldn’t be the only line of defense for your systems and network. Adding multi-factor authentication creates another layer, so that a stolen password alone is not enough to log in.

What can you do to protect yourself?

Good passwords are critical to information security, and a carelessly written password policy increases the chances of unauthorized access or compromised data. The SANS Institute recommends that a strong password policy require passwords to:

  • Contain a mix of uppercase and lowercase letters, punctuation, numbers, and symbols.
  • Contain at least 15 characters.
  • Be unique from other accounts owned by the user.
  • Never include dictionary words.
  • Never include patterns of characters.

Go further by encouraging passphrases: a phrase you can remember, combined with the guidelines above, gives you length as well as variety, and length is what makes a password expensive to crack.

For example: the phrase “iced tea is great for summer” becomes “!cedTisgr84$umm3R”. (Keep in mind that the look-alike substitutions add little on their own, since cracking rules already try them; the length of the phrase is what does the work.)

The easiest solution: use a password safe

Password safes (password managers) store your passwords in an encrypted vault, so you can keep them on your own computer without inadvertently exposing them, and most can generate a random password for every account. Everything lives behind a single master password, which is the only one you have to remember, so every other password can be long and truly random, making them much harder for malicious users or bots to crack. Two examples of such tools are LastPass and Password Gorilla.

Change your Passwords Regularly!

The RIT Password Standard requires passwords to be changed annually. (Current NIST guidance, SP 800-63B, no longer recommends forced periodic rotation; what matters most is changing a password promptly when it may have been compromised.) In addition, passwords should be changed:

  • Whenever a malicious program such as a virus is detected or a machine is compromised in some way.
  • When there is a job change (the job is completed or terminated, or a transfer changes the need for access).
  • Away from any default (vendor-supplied) password.
  • If they have been shared with anyone other than the authorized user(s).

These are the don’ts! Don’t use your username or any part of it, and don’t use:

  • Name(s) of yourself, family, friends, pets, or co-workers
  • Computer terms and names: commands, sites, companies, hardware, or software
  • Birthdays or other personal information such as addresses or phone numbers
  • A set of characters in alphabetic or numeric order (e.g. abcdef), in a row on a keyboard (e.g. qwerty), or a simple pattern (e.g. 123123)
  • Words that can be found in a dictionary
  • Your UCLA ID number, a bank account PIN, credit card number, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (e.g. qwerty1, 1qwerty)

DON’T Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all. (Some systems will not let you reuse passwords.)           

DON’T Use a dictionary word as your password. If you must, string several unrelated words together into a passphrase.

DON’T Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools have those substitutions built in.

DON’T Use a short password, no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest password you can manage.
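The rules above (length, character classes, no dictionary words or sequences, nothing derived from your username, no standard substitutions) and the crack-time reasoning earlier on the page can be checked mechanically. The following checker is an added example written for this page, not code from the original article or from SANS, RIT or UCLA; the tiny dictionary, the keyboard rows and the assumed guess rate of ten billion per second are constructed assumptions, and in practice you would load a full wordlist.

```python
"""Password policy checker and brute-force work estimate.
Added example for this page, not the article's own code. DICTIONARY,
KEYBOARD_ROWS and GUESSES_PER_SECOND are constructed assumptions."""
import re
import string

# Constructed stand-in for a real wordlist (load a full dictionary in practice).
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Standard look-alike substitutions that cracking rules already undo.
LEET = str.maketrans("4301$5!@7", "aeolssiat")
GUESSES_PER_SECOND = 10_000_000_000  # assumed rate of an offline GPU cracking rig

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def normalize(pw: str) -> str:
    """Lowercase and undo leet substitutions so 'P455w0rd' reads as 'password'."""
    return pw.lower().translate(LEET)


def has_sequence(pw: str, n: int = 4) -> bool:
    """True if any n-character window is an ascending/descending run or a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw: str, username: str = "", min_length: int = 15) -> list[str]:
    """Return the list of policy violations (an empty list means the password passes)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, chars in CLASSES.items() if not (chars & set(pw))]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    norm = normalize(pw)
    if len(username) >= 3 and username.lower() in norm:
        problems.append("contains the username")
    for word in sorted(DICTIONARY):
        if word in norm or word in norm[::-1]:
            problems.append(f"contains dictionary word '{word}' (after undoing substitutions)")
    if has_sequence(pw):
        problems.append("contains an alphabetic, numeric or keyboard sequence")
    if re.search(r"(.{2,})\1", pw):
        problems.append("contains a repeated pattern")
    return problems


def keyspace(pw: str) -> int:
    """Size of the smallest standard alphabet that covers this password."""
    return sum(len(chars) for chars in CLASSES.values() if chars & set(pw))


def crack_seconds(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for exhaustive search over keyspace**length at the assumed rate."""
    return keyspace(pw) ** len(pw) / rate


if __name__ == "__main__":
    for candidate in ["P455w0rd", "qwerty1", "h6!r$q", "Rainy.Tuesday!Coffee.Lamp-7"]:
        print(f"{candidate!r}: {check_password(candidate, username='alice') or 'OK'}; "
              f"brute force ~{crack_seconds(candidate):.3g} s")
```

The checker undoes look-alike substitutions before the dictionary test, so “P455w0rd” is rejected as the word “password”, and the keyspace figure is a worst-case exhaustive search: every extra character multiplies the work by the alphabet size, which is why a 27-character passphrase is out of reach at the assumed rate while a six-character password like “h6!r$q” falls in seconds.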

Cyberattacks continue to grow in scale, ferocity, and audacity. No one is safe. Large corporations are a target because hackers see the potential payoff as huge. Small companies are vulnerable too because they don’t have the financial muscle needed to invest in sophisticated security systems. Now more than ever, businesses must do whatever it takes to keep their data and tech infrastructure safe. If non-techie employees understand key cybersecurity terms, they’ll have a much better chance of making the right security decisions. There are thousands of cybersecurity terms but no one (techie or otherwise) is under obligation to know all of them. Some terms are, however, more important than others and these are the ones all staff must be aware of.

Note that knowing these cybersecurity terms is more than just mastering the definitions. Rather, it’s being able to understand the patterns and behavior that define them.


1. Adware

Adware is a set of programs installed without explicit user authorization that seek to inundate the user with ads. The primary aim of adware is to redirect search requests and URL clicks to advertising websites and data collection portals.

While adware mainly aims to advertise products and monitor browsing activity, it also slows browsing and page loads, degrades device performance, eats into metered data, and may even download further malicious applications in the background.

2. Botnet


A botnet is a collection of Internet-connected devices (computers, smartphones, servers, routers and IoT devices; the largest number in the millions) that have been infected with malware and placed under a central command-and-control (C2) server.

The malware that recruits devices spreads from one to the next on its own. Botnet is a portmanteau of “robot” and “network.” Some of the largest and most dramatic cyberattacks in recent years have involved botnets, including the Mirai malware that infected IoT devices and was used for record-setting distributed denial-of-service (DDoS) attacks in 2016.

3. Cyber-espionage

When you hear the term espionage, what first comes to mind is the world of a bygone era. But espionage is as alive today as it was a century ago. The difference is that thanks to the proliferation of information technology and the ubiquity of the Internet, espionage can now be carried out electronically and remotely.

Cyber-espionage is the gathering of confidential information online via illegal and unauthorized means. As you’d expect, the primary target of cyber-espionage is governments as well as large corporations. China has been in the news in this regard though other world powers such as the United States and Russia have been accused of doing the same at some point.


4. Defense-in-depth

Defense-in-depth is a cybersecurity strategy that involves creating multiple layers of protection in order to protect the organization and its assets from attack. It’s born out of a realization that even with the best and most sophisticated technical controls, no security is ever 100 percent impenetrable.

With defense-in-depth, if one security control fails to prevent unauthorized access, the intruder runs into the next barrier. Each layer raises the attacker’s cost and buys defenders time to notice and respond, so a single misconfiguration or unpatched flaw does not hand over the whole environment.

5. End-to-end encryption

End-to-end encryption protects data so that only the two endpoints, the sender and the intended recipient, can read it; the servers and networks relaying it in between see only ciphertext. It is worth distinguishing from encryption in transit alone: when you shop online and pay with your credit card, HTTPS (TLS) encrypts the card number between your browser and the merchant’s server, which then decrypts it for authentication and payment processing.

If your card details fall into the wrong hands, someone could use them to make purchases without your permission. Encrypting the data in transit stops anyone sitting on the network path from reading it; end-to-end encryption goes further, so that not even the service in the middle can.

6. Firewalls

A firewall is a defense mechanism meant to keep the bad guys from penetrating your network. It sits at a boundary, between the Internet and your network or in front of a single host, and filters traffic according to rules based on source and destination addresses, ports and protocols (and, in a stateful firewall, the state of each connection), allowing some traffic through and dropping the rest. Firewalls also log what they block, which is useful evidence for detection.

7. Hashing

Hashing is a one-way function that turns an input of any length into a fixed-length digest; unlike encryption there is no key and no way to reverse it. Systems store a hash of each password rather than the password itself, so an intruder who reaches the password table gets digests rather than passwords. A hash is only as good as the algorithm and how it is used, though: a fast general-purpose hash such as MD5 or SHA-1 with no salt can be cracked by hashing a wordlist and comparing, which is exactly what happened to the unsalted SHA-1 LinkedIn dump mentioned above. Passwords should be hashed with a unique salt per user and a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2.
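To make the distinction concrete, here is an added example for this page (not code from the article): a password stored with a per-user salt and a deliberately slow PBKDF2 derivation, next to the fast unsalted SHA-256 digest a careless site might use, and the dictionary attack that recovers passwords from the latter. The breach dump and the wordlist are constructed, and the iteration count is a demo value.

```python
"""Password hashing done right versus a fast unsalted digest.
Added example for this page, not the article's code. The leaked 'dump'
and the wordlist are constructed; the PBKDF2 work factor is an assumption."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value; OWASP (2023) suggests 600,000 for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow, one-way: store this string instead of the password."""
    salt = os.urandom(16)  # unique per user, so two users with the same password differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def fast_unsalted(password: str) -> str:
    """What a breached site did wrong: one fast SHA-256 digest, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack: hash each word once, then look it up against every user."""
    table = {fast_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# Constructed breach dump of fast unsalted hashes (only 'carol' chose well).
LEAKED_DUMP = {
    "alice": fast_unsalted("password"),
    "bob": fast_unsalted("letmein"),
    "carol": fast_unsalted("Rainy.Tuesday!Coffee.Lamp-7"),
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2024"]

if __name__ == "__main__":
    print("cracked from unsalted dump:", crack_unsalted(LEAKED_DUMP, WORDLIST))
    stored = hash_password("letmein")
    print("stored record:", stored)
    print("verify right/wrong:", verify_password("letmein", stored), verify_password("letmeout", stored))
```

With the unsalted dump, one digest per wordlist entry exposes every user who chose that word; with the salted slow scheme the attacker must repeat the full iteration count per user per guess, and two records for the same password do not even look alike.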

8. Identity theft

Identity theft is sometimes referred to as identity fraud. It’s one of the main reasons hackers seek to access confidential information and customer data, especially from an organization. An identity thief aims to impersonate an individual by presenting the individual’s confidential records or authentication information as their own.

For example, an identity thief could steal credit card numbers, addresses, and email addresses, then use them to transact online fraudulently, file for Social Security benefits, or submit an insurance claim.

9. Intrusion detection system (IDS)

It’s relatively uncommon for a cyberattack to be completely unprecedented in its form, pattern, and logic. From viruses to brute-force attacks, there are indicators that point to unusual activity, and once a network is up and running, its traffic and server activity follow a reasonably predictable pattern.

An IDS monitors network traffic or host activity and raises an alert when it sees malicious, suspicious, or anomalous activity, whether by matching known signatures or by flagging deviations from the baseline, so that the administrator can act before much damage is done. An IDS detects and alerts; a system that also blocks the traffic inline is an intrusion prevention system (IPS).
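As an added example (not from the article), here is the kind of rule a host-based IDS applies to authentication logs: count failed logins per source address in a sliding window, alert when a burst exceeds a threshold, and escalate if the same source then logs in successfully. The sshd lines use the standard OpenSSH message format but are constructed, with addresses from the documentation ranges; the threshold and window are assumptions.

```python
"""Brute-force login detection over syslog-style sshd lines, in the spirit of a
host-based IDS rule. Added example for this page, not the article's code; the log
lines are constructed (TEST-NET addresses) and the threshold/window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

PATTERN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: a password-guessing burst from 203.0.113.7 that ends in a
# successful login, plus an ordinary user at 198.51.100.23 who mistyped once.
SAMPLE_LOG = """\
Mar 13 10:00:30 web1 sshd[2190]: Failed password for deploy from 198.51.100.23 port 40110 ssh2
Mar 13 10:01:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 13 10:01:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 13 10:01:09 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar 13 10:01:12 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Mar 13 10:01:15 web1 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Mar 13 10:01:18 web1 sshd[2211]: Failed password for deploy from 203.0.113.7 port 51032 ssh2
Mar 13 10:01:40 web1 sshd[2215]: Accepted password for deploy from 203.0.113.7 port 51034 ssh2
Mar 13 10:03:10 web1 sshd[2230]: Failed password for deploy from 198.51.100.23 port 40112 ssh2
Mar 13 10:03:20 web1 sshd[2232]: Accepted password for deploy from 198.51.100.23 port 40114 ssh2
"""


def detect_brute_force(log: str, threshold: int = 5, window_seconds: int = 60) -> list[tuple[str, str]]:
    """Return (source_ip, message) alerts: a burst of failures, then any success from that source."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the sliding window
    flagged = set()
    alerts = []
    for line in log.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue  # not a login event, or not a format this rule parses
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year; deltas still work
        ip = m["ip"]
        if m["event"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that have fallen out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, f"brute force: {len(q)} failed logins within {window_seconds}s"))
        elif ip in flagged:
            alerts.append((ip, f"successful login for '{m['user']}' after brute force: possible compromise"))
    return alerts


if __name__ == "__main__":
    for ip, msg in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {ip}: {msg}")
```

The second alert is the one worth paging on: a burst of failures followed by a success from the same source is the signature of a guessed or stuffed password, and it is precisely the case the password-reuse discussion earlier on this page warns about.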

10. IP spoofing

IP address forgery, or spoofing, is the forging of the source address in IP packet headers so that traffic appears to come from a trusted or different machine. Because replies go to the forged address rather than to the attacker, spoofing is mostly used where no reply is needed: reflection and amplification DDoS attacks, blind packet injection, or slipping past access controls that trust a source address alone. It should not be confused with anonymity tools such as Tor, which hide the origin by relaying traffic through other hosts rather than by forging headers.

Organizations should therefore never rely on a source IP address alone as proof of identity, and network operators should apply ingress and egress filtering (BCP 38) so that packets whose source addresses cannot legitimately appear on an interface are dropped.

11. Keylogger

Keylogger is short for keystroke logger: a program that records the keys pressed on a keyboard. A malicious keylogger saves the log to a file and periodically sends it to the attacker, often encrypted to evade inspection. Keystroke recording has legitimate uses (accessibility tools and some parental-control or monitoring software record input with the user’s knowledge), but keyloggers are usually a form of malware or a module of one.

In the wrong hands a keylogger is one of the most effective infiltration tools available. It captures usernames, passwords, PINs and financial details as they are typed, after which the attacker can simply log in as the victim without breaking a sweat, which is one more reason multi-factor authentication matters.

12. Malware

Malware is one of the cybersecurity terms you will hear most often. It’s a catch-all word for all malicious programs, including viruses, Trojans, spyware, adware, ransomware, and keyloggers: any software designed to damage, disrupt, or gain unauthorized access to a system. Some malware is little more than a nuisance, but in many cases it is part of a wider intrusion and data-theft scheme.

13. Password sniffing


Password sniffing is the interception and reading of network packets that carry one or more passwords. Given the volume of traffic relayed per second, it is done with a tool called a packet sniffer that captures traffic and extracts the password strings for malicious use. It works against protocols that send credentials in the clear (plain HTTP, FTP, Telnet, POP3) on a network where the attacker can read other hosts’ traffic; encrypting the connection (TLS, SSH) is the defense, because the sniffer then captures only ciphertext.
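What a sniffer actually recovers depends on the protocol. The following added example (not the article’s code) parses constructed captures of an HTTP request with Basic authentication and an FTP login, the two classic cleartext cases, and shows that the same parser finds nothing in a TLS record, because only ciphertext crosses the wire. The payloads, names and passwords are all constructed for the demo.

```python
"""Credential extraction from cleartext protocol captures, as a sniffer (or an
IDS rule looking for credentials in the clear) would do it. Added example for
this page, not the article's code; every 'captured' payload is constructed."""
import base64
import re

HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)
USER_CMD = re.compile(rb"^USER (\S+)\r?$", re.M)   # FTP and POP3 share this dialogue
PASS_CMD = re.compile(rb"^PASS (\S+)\r?$", re.M)


def extract_credentials(payload: bytes) -> list[tuple[str, str, str]]:
    """Return (protocol, username, password) triples found in one captured stream."""
    found = []
    for token in HTTP_BASIC.findall(payload):
        try:
            user, _, password = base64.b64decode(token, validate=True).partition(b":")
        except ValueError:
            continue  # not valid base64: ignore rather than crash on odd input
        found.append(("http-basic", user.decode("latin-1"), password.decode("latin-1")))
    users = USER_CMD.findall(payload)
    passwords = PASS_CMD.findall(payload)
    for user, password in zip(users, passwords):  # USER always precedes PASS
        found.append(("user-pass", user.decode("latin-1"), password.decode("latin-1")))
    return found


# Constructed captures (what the bytes on the wire look like in each case).
HTTP_CAPTURE = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cret!") + b"\r\n"
    b"User-Agent: curl/8.0\r\n\r\n"
)
FTP_CAPTURE = (
    b"220 ftp.example FTP server ready\r\n"
    b"USER bob\r\n"
    b"331 Password required for bob\r\n"
    b"PASS hunter2\r\n"
    b"230 User bob logged in\r\n"
)
# A TLS application-data record: header plus opaque ciphertext, nothing to parse.
TLS_CAPTURE = b"\x17\x03\x03\x00\x20" + bytes(range(32))

if __name__ == "__main__":
    for name, capture in [("HTTP", HTTP_CAPTURE), ("FTP", FTP_CAPTURE), ("TLS", TLS_CAPTURE)]:
        print(name, "->", extract_credentials(capture) or "nothing recoverable")
```

Basic authentication is only base64-encoded, not encrypted, so over plain HTTP it is as exposed as the FTP USER/PASS pair; the same request inside HTTPS looks like the TLS case.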

14. Pharming

Pharming is the malicious redirection of a user to a fraudulent site whose colors, design, and features closely mimic the legitimate one. Unlike phishing it needs no lure: the attacker poisons DNS responses or edits the victim’s hosts file, so typing the correct address still lands on the fake site. The user unsuspectingly enters their data into the fake site’s forms, only to discover days, weeks, or months later that the site was harvesting it to commit fraud.

15. Phishing

Phishing is a form of social engineering and the most common type of cyberattack; billions of phishing emails are sent every day. Phishing emails purport to come from a credible, recognizable sender such as eBay, Amazon, or a financial institution and trick the recipient into entering their username and password on what they believe is a legitimate website but is in reality one run by the attackers.

Knowing these cybersecurity terms is a first step in preventing cyberattacks

While technical controls are crucial, employees are the weakest link in your security architecture. Nothing makes employees better prepared for a cyberattack than security training and awareness. For most organizations, the IT department represents only a fraction of the entire workforce.

Tech staff can therefore not be everywhere to explain cybersecurity terms and help each employee make security-conscious decisions. Therefore, making sure your non-techie staff is familiar with these cybersecurity terms is fundamental.
