5 steps for good cyber hygiene


Being cybersecure today can seem increasingly unattainable and out of reach. 

The industry is overwhelmed with loaded catchphrases and jargon like, ‘zero-day’, ‘zero-trust’, ‘2FA’, ‘MFA’, ‘phishing’ and more. What hope is there for those outside of technical disciplines to become cybersecure?  

The answer: Like the saying goes, how do you eat an elephant? One bite at a time.  

While there is no magic potion for becoming cybersecure, there are bite-sized steps that can be taken toward a more secure posture. 

These steps are considered ‘cyber hygiene’, and they revolve around the greatest attack vector – social engineering. Social engineering covers a range of techniques, the greatest of which is ‘phishing’. Phishing is just another loaded phrase: it means an attacker crafts an email designed to trick the recipient into sharing sensitive details.  

Many security vendors and researchers say that social engineering accounts for 90% of all attacks, with phishing being one of the top delivery methods for this form of attack. 

With the following five bite-sized steps, you can face this attack vector and become more secure than most of the population... 

1) One to rule them all – Implement a password manager 

A password manager safely stores all your passwords, removing the need to remember them and allowing you to employ very complex ‘high entropy’ passwords that are hard to guess, enumerate, brute force or otherwise ‘hack’. All you need to do is enter your master password or use a trusted authentication method (SSO, biometric, hardware token), and your password manager will do the rest. 

There are several password manager programs available such as 1Password, with whom C5IT partners. Such programs will help keep your accounts and, by association, your people and your business systems secure. 

This really is the single best heavy hitter in your journey to a more cybersecure future.  

However, this solution alone won’t necessarily keep you safe. Read on to learn more about leveraging your password manager for better security.  

2) Unhuman, random and complex is the value – Ensure high entropy passwords 

When creating a password for your accounts, the term ‘hard to guess’ has long been misunderstood. This can be confusing for those of us who aren’t technically minded. For example, ‘hard to guess’ to a person could mean: 

  • IL0V3C0mpUt3r5!     (I Love Computers!) 

But a computer does not think like a person: it works deterministically and mathematically, with probabilities. It can reduce human input to patterns and numbers – switches that are on or off. 

This is one of the greatest assets to an attacker. They can exploit this knowledge and have a computer try the many common variations of the phrase ‘I Love Computers!’ to recover this password – which is low complexity to a computer.  

We must therefore climb into the mind of a computer to better understand what sort of password is ‘hard to guess’… 

Consider the National Institute of Standards and Technology (NIST) guidelines for password security, which currently require passwords to be a minimum of 8 characters, with a recommended minimum length of 15 characters. The guidelines also recommend that passwords of up to 64 characters be allowed. 

The goal is to achieve a ‘high entropy’ password – one that is highly random and hard for a computer to guess or iterate.  

So, instead of ‘IL0V3C0mpUt3r5!’ you could use ‘IFhjrI&#(UJ-Uni!k398Gcvnq=*(*&$$’. 

TIP: Another great way to set and form a longer, high entropy password is to create a sentence with spaces you will remember, such as: 

“I walked into the field and saw a cow.” 

Then alter the sentence, replacing some letters with other characters or numbers.  

“I w4lk3D int0 Th3 Fi3ld aNd S4w a C0w.” 

*Note: Do not use the above password examples as your password, as they are now publicly known and no longer random, as of this blog post.  
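To make the ‘mind of a computer’ point concrete, here is an added example (not code from the original post) that estimates entropy two ways for the post’s own sample passwords: as a naive complexity checker sees it (length × character pool) and as an attacker sees a known phrase with leetspeak and case tweaks. The leetspeak table and the 1,000,000-phrase dictionary size are assumptions for illustration.

```python
import math
import string

# Illustrative leetspeak substitutions an attacker's rule set would try
# (assumption: a small table for this example, not a full cracking rule set).
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}


def charset_size(pw: str) -> int:
    """Smallest standard character pool that covers every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 ASCII punctuation characters plus space
    return size


def naive_entropy_bits(pw: str) -> float:
    """What a simple 'complexity' check assumes: every position is an
    independent random draw from the character pool."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def phrase_entropy_bits(phrase: str, dictionary_size: int) -> float:
    """Rough effective entropy when the password is a known phrase with
    optional leet and case tweaks: log2(dictionary) plus one bit per
    substitutable letter plus one bit per letter for upper/lower case."""
    letters = [c for c in phrase if c.isalpha()]
    substitutable = sum(1 for c in letters if c.lower() in LEET)
    return math.log2(dictionary_size) + substitutable + len(letters)


def compare(leet_pw: str, phrase: str, random_pw: str,
            dictionary_size: int = 1_000_000) -> dict:
    """Entropy in bits as a naive checker sees it versus as an attacker sees it."""
    return {
        "leet_as_checker_sees_it": round(naive_entropy_bits(leet_pw), 1),
        "leet_as_attacker_sees_it": round(phrase_entropy_bits(phrase, dictionary_size), 1),
        "random_as_checker_sees_it": round(naive_entropy_bits(random_pw), 1),
    }


if __name__ == "__main__":
    # The post's own examples: the leet phrase scores ~98 bits to a checker but ~42 to an attacker
    print(compare("IL0V3C0mpUt3r5!", "I Love Computers!", "IFhjrI&#(UJ-Uni!k398Gcvnq=*(*&$$"))
```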

3) You ought to audit – Audit your accounts for breaches  

We hear about breaches left, right and centre: Medibank, Optus, LinkedIn and more. The news is littered with headlines about how the next big company has been breached, along with its customer records.  

Did you know you can find out if your accounts have been involved in a breach?  

Enter Have I Been Pwned. This site checks whether your email address appears in a data breach and, if it does, tells you exactly where that breach occurred – on which websites. With this information, you should log in to those listed websites and change those passwords immediately, and make sure not to reuse the passwords associated with the accounts that have been breached. 
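Have I Been Pwned also lets you check a password (rather than an email address) against known breaches without sending the password anywhere, via its Pwned Passwords range API: only the first five characters of the password’s SHA-1 hash go to the service, and the match is made on your own machine. The example below is added here and is not the post’s or the service’s code; it parses a constructed sample of the range response offline rather than contacting the real endpoint (https://api.pwnedpasswords.com/range/PREFIX), and the counts in the sample are made up.

```python
import hashlib

# Constructed sample of what the range endpoint returns for prefix 5BAA6:
# one "SUFFIX:COUNT" line per known hash sharing that prefix. Counts are
# invented for the example; the suffix that matches "password" is its real SHA-1.
SAMPLE_RANGE_5BAA6 = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2E6A6FBF2F4F1C4F3E6E3D6C1B8A9F7E5:17
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 hex digest split into the 5-character prefix that is
    sent to the service and the 35-character suffix that never leaves your
    machine (k-anonymity: the service learns only the prefix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Search the range response locally for our suffix; 0 means not seen."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        found, count = line.split(":", 1)
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_offline(password: str, range_body: str) -> int:
    """Full check against a stored range response (no network in this example)."""
    _prefix, suffix = split_sha1(password)
    return breach_count(suffix, range_body)


if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print(prefix, "is all the service would see; we look locally for", suffix)
    print("seen in breaches:", check_password_offline("password", SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password has appeared in a breach corpus and should be changed wherever it is used, exactly as the post advises for breached accounts.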

4) Keys are overrated - Be prepared for a ‘passwordless’ future 

Be aware that what is secure today may not be tomorrow. Keep learning and maturing, adapting your security practices as you implement them.  

Relevant to this is the transition we currently face with moving away from passwords and into the world of ‘passwordless’ authentication solutions. 

One key reason for this is the arrival of quantum computing – a field that uses quantum computers to solve complex problems faster than classical computers. These computers work beyond the traditional binary 0 or 1, operating on a range of states between 0 and 1 at the same time.  

In simple terms, they are next level smart, and, despite their promising potential for critical industries such as finance, healthcare, manufacturing and the sciences, they will also allow passwords and encryption to be cracked in an unprecedentedly short time, enabling even your most difficult password to be cracked in no time.  

The fundamental principle of passwordless authentication is a very large, ‘unhuman’ key that may be tied to a physical hardware key, a biometric or a trusted party, and which may also rotate (change the key) to authenticate. For those not technically minded, a lesser example of this is using your Google, Apple or Microsoft account to sign in to another account instead of entering a password. In this case, your Google, Apple or Microsoft account is the trusted party and shares a ‘token’ to authenticate the other account.  

Good password managers such as 1Password, with whom C5IT partners, will offer options to use Passkeys to sign into many of your accounts. See more here: Passkeys in 1Password: The Future of Passwordless Authentication | 1Password.

5) White glove - Use a Managed Security Service Provider (MSSP) 

MSSPs exist because there is a need for a managed cybersecurity solution. MSSPs like C5IT are a solid option if you do not want the responsibility of managing your security, and would instead prefer a trusted, experienced partner to plug into your business and help reduce your level of risk and exposure.  

A good MSSP can offer comprehensive, end-to-end cybersecurity solutions designed to protect your business’s IT security holistically. This includes everything from password management to sourcing and implementing tailored cybersecurity solutions that meet your specific needs. It can even mean ensuring that, in the rare event of a breach, your insurance policies will respond as expected. 

Find out how C5IT can help manage all the above and more for you.
