Tips for IT managers and individuals for World Password Day.
Welcome to Cyber Security Today. It’s Wednesday, May 4, 2022. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com.
Tomorrow is World Password Day. It’s a day when everyone should be thinking about the passwords they have and how to securely keep track of them. I know, passwords are a drag. It’s hard to create a good one, and you need a different one for every site you log into. That’s right: creating one strong password and using it for your business login, your business email login, your personal email login, your bank login, your Twitter, Facebook and everything else is a formula for disaster, because once criminals figure out one of your passwords, they’ll try it on every other service they think you’re subscribed to. Passwordless solutions like fingerprint readers and facial recognition exist on laptops, smartphones and tablets. It is important that you sign up for and use them. Even then, you’ll probably need a password or PIN as a backup in case biometrics fail; they can be picky. So what should you do? First, get a software password manager. It may already be part of your antivirus package. Password managers keep your passwords safe, and they can generate complex passwords that you never have to remember. The good ones work on all your devices: PCs, smartphones and tablets. Some listeners already know about password managers because their companies make employees use one. Password manager reviews can be found on reputable websites like PC Magazine. Second, make sure each password you create is long: at least 12 characters. And third, when offered, use multi-factor authentication to add an extra level of login protection. Ideally, the MFA code should be delivered by an app like Google Authenticator or Microsoft Authenticator.
As for IT leaders, World Password Day poses a problem: employees may create strong passwords for work, and you can enforce that through login rules that make sure passwords are long enough and not easy to crack. You know, no ‘Monday12345678’. But there’s no guarantee that employees aren’t reusing the same passwords on sites they go to outside of work. So you need to do four things: if your business isn’t passwordless yet, switch to passwordless solutions as soon as possible. If you can’t remove passwords, get a corporate password manager that employees have to use. Add multi-factor authentication for extra protection, especially for staff with access to everything, like IT. And educate your employees about creating strong passwords at work and at home, and why they need to create a different one for each site they use.
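The two pieces of advice above (passwords of at least 12 characters that are not easy to crack, and never the same password on two sites) can be turned into checks. The following Python is an added example written for this page, not code from the podcast or from any product it mentions: a small policy checker that shows why ‘Monday12345678’ fails despite being 14 characters long, plus an audit over a site-to-password mapping of the kind a password manager holds, to find cross-site reuse. The denylist, the list of predictable base words, the thresholds and the sample vault are constructed assumptions.

```python
import re
from typing import Dict, List

MIN_LENGTH = 12  # the episode's minimum: at least 12 characters

# Constructed, illustrative denylist. A real policy engine would check against a
# large corpus of breached passwords instead of a handful of strings.
DENYLIST = {"password", "password1", "qwerty123456", "letmein12345"}

# Predictable base words that people pad with digits or symbols to satisfy a length rule.
PREDICTABLE_WORDS = {
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
    "spring", "summer", "autumn", "winter", "password", "welcome", "company",
}


def longest_sequential_run(s: str) -> int:
    """Length of the longest run whose characters step by +1, -1 or 0 in code point,
    which catches '12345678', 'abcdef', '9876' and 'aaaaaa'."""
    best = 1 if s else 0
    for step in (1, -1, 0):
        run = 1
        for prev, cur in zip(s, s[1:]):
            if ord(cur) - ord(prev) == step:
                run += 1
                best = max(best, run)
            else:
                run = 1
    return best


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DENYLIST:
        problems.append("appears in the breached/common password list")
    if longest_sequential_run(pw) >= 5:
        problems.append("contains a number, keyboard or repeated-character sequence")
    # Strip leading/trailing digits and symbols to expose the word being padded.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    if core in PREDICTABLE_WORDS:
        problems.append("predictable word padded with digits or symbols")
    return problems


def reused_passwords(vault: Dict[str, str]) -> List[List[str]]:
    """Given a site -> password mapping (what a password manager holds), return the
    groups of sites that share one password. Only site names are returned."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    for candidate in ("Monday12345678", "Tr0ub4dor", "correct horse battery staple 2022!"):
        print(candidate, "->", check_password(candidate) or "OK")
    # Constructed vault: the same password on work email and the bank is exactly
    # the cross-site reuse the episode warns about.
    vault = {"work-email": "Monday12345678", "bank": "Monday12345678", "twitter": "x7!pQ2#kLm9$vB"}
    print("reused on:", reused_passwords(vault))
```

The length rule alone would accept ‘Monday12345678’; it is the sequence and padded-word checks that reject it, which is the point of the episode’s ‘long enough and not easy to crack’ wording. The reuse audit deliberately returns site names only, so its output can be handed to a help desk without exposing the passwords themselves.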
Security experts urge IT administrators to install the latest security updates as soon as possible to prevent hackers from exploiting vulnerabilities. The latest reason comes from a report by Trend Micro security researchers on the workings of a new strain of AvosLocker ransomware. This strain attempts to disable Windows Update and corporate antivirus solutions, and looks for the Log4j2 vulnerability. Microsoft released a patch for Windows last month that stops this particular attack. Fully updated anti-virus or anti-malware solutions can also stop it.
A new corporate espionage threat actor has been discovered. Mandiant researchers have given it the name UNC3524. It appears to be targeting senior employees who are involved in corporate development, mergers and acquisitions, and large corporate transactions. The attackers are skilled enough to work their way back into an IT network after being caught and kicked out. Once inside, they go after Microsoft Exchange or Microsoft 365 email systems to compromise them and read the email of executives and employees. One defense is to strengthen the security of email systems. There is a link to the full report in the text version of this podcast on ITWorldCanada.com.
Separately, email administrators are warned in another report not to take shortcuts with email security. This comes after Avanan researchers discovered that threat actors are taking advantage of a flaw in Google’s SMTP relay service to bypass security. Businesses use relay services to send mass emails. But they can be misused to spoof legitimate brands and send emails with malicious links or attachments. Recipients are fooled because the sender address in the “From” field looks legitimate. Avanan saw a spike in abuse of Google’s relay service last month. One defense against this attack is for IT departments to properly configure the DMARC email authentication protocol.
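To show what ‘properly configure DMARC’ means in practice, here is an added Python example, written for this page and not taken from the podcast or from Avanan’s report. It models how a receiving mail server applies a domain’s published DMARC record: a message relayed through a third party may pass SPF for the relay’s own domain, but that domain does not align with the brand in the “From” header, so the message fails DMARC, and what happens next depends entirely on the policy tag. A record with p=none only monitors and the spoofed mail is still delivered; p=reject blocks it. The domains brand.example and relay.example, both records, and the simplified organizational-domain rule (real receivers use the Public Suffix List) are constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed DNS TXT records for the assumed domain brand.example. The weak one is
# what many domains publish first; the strong one actually blocks spoofed mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@brand.example"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@brand.example")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (tag names lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. Real receivers consult
    the Public Suffix List (so that 'example.co.uk' works); assumption for this example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: Optional[str] = None, spf_pass: bool = False,
                      dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> str:
    """Return 'pass' if SPF or DKIM passed AND aligns with the header From domain,
    otherwise the action the published policy requests: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = (spf_pass and spf_domain is not None
              and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def assess_record(record: str) -> List[str]:
    """Flag settings that leave the domain spoofable or unobserved."""
    tags = parse_dmarc(record)
    problems: List[str] = []
    if tags.get("v") != "DMARC1":
        problems.append("missing or invalid v=DMARC1 tag")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        problems.append("pct<100 applies the policy to only a sample of failing mail")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports to spot abuse")
    return problems


if __name__ == "__main__":
    # Spoofed message: the header From claims brand.example, but SPF authenticated the
    # relay's own envelope-sender domain (relay.example, constructed). No DKIM signature.
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, "record, spoofed via relay ->",
              dmarc_disposition(rec, "brand.example", spf_domain="relay.example", spf_pass=True))
    # Legitimate message signed with the brand's own DKIM key passes under either record.
    print("strong record, legitimate DKIM-signed ->",
          dmarc_disposition(STRONG_RECORD, "brand.example",
                            dkim_domain="brand.example", dkim_pass=True))
    print("weak record issues:", assess_record(WEAK_RECORD))
```

The usual rollout is to publish p=none with an rua= address first, read the aggregate reports until every legitimate sending service is signing with aligned DKIM or sending from aligned SPF, and only then move to p=quarantine and p=reject; assess_record is the kind of check that tells you a domain has never left the monitoring stage.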
Finally, operators of decentralized finance platforms, which transfer digital currencies and financial instruments via smart contracts, still don’t have cyber security figured out. The latest evidence comes from news reports that someone took the equivalent of $80 million through a weakness in a platform’s lending protocol.
That’s all for now. Remember that the links to the details about the podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts, or add us to your Flash Briefing on your smart speaker.