Dr Craig Valli and Dr Ian Martinus 15th Feb 2022
This is part one of a series about low-cost, simple steps that small to medium enterprises (SMEs) can take to better secure their systems (phones, tablets, laptops, computers, routers, TVs, fridges, any Internet-connected device) against cyber-attacks and the incidents and impacts that follow from them. By enacting the steps outlined, an SME will improve the resilience and safety of its information systems against cyber security risks and attacks.
Cyber is the 5th domain of human engagement; the other 4, traditional domains are land, sea, air and space. Up until the introduction of the Internet into Western Australia, and Australia more broadly, we enjoyed relative isolation from a security perspective: if there was a crime or an incident it was traditionally the work of the localised, Australian-based “usual suspects”, with the odd incursion by organised crime syndicates. With this came the ability to track down and prosecute the wrongdoers with some success.
However, the introduction of the Internet into our lives has made the threat to our assets global in nature. Crimes and attacks over the Internet run in timelines of seconds or milliseconds from initial engagement to conclusion of the crime, e.g. a fraudulent wire transfer, shutting down a facility, erasing a database, or accessing private, confidential or commercially sensitive information.
The nature and capability of the attackers has changed. Attacking a financial system is no longer a matter of a small gang of dilettantes with firearms taking thousands of dollars from a local branch safe; cyber-crime is well organised and professionally run. Cyber criminal gangs recruit the best talent from across the globe and will attack entire systems at once for millions of dollars at a time. They also exploit the asymmetry of the Internet to steal small amounts through a distributed attack, say $2 at a time but from 10 million victims.
A local WA SME can run budgets in the hundreds of millions of dollars and be critical to the functioning of society and the security of the nation. As a result, they also hold a wide range of financial and other data on their customers (plans, designs, intellectual property etc.) and their service providers that will be of interest to cyber criminals, sovereign state intelligence agencies, activists and others. Remember, to access this information they do not have to drive to your location, enter your premises and physically steal it; they can access it through insecure systems you have, in a matter of seconds, from anywhere on the Internet and with relative anonymity.
Passwords: the Cyber Security pariah
Passwords are often our only defence against compromise of a system and are one of the largest sources of cyber security failure. Some behaviours are plainly negligent: not changing default passwords, reusing passwords, and having simple, short, repeated or dictionary-based passwords. This applies across all device and platform types, that is laptop, computer, phone, tablet, WiFi router, gaming console, TV, fridge … anything that is Internet connected.
This problem lies primarily with the lack of education of end users. It can be rectified through good governance and sensible policy that shapes business procedure. Once the policy is set, it is about using systems to ensure that attributes such as password length and complexity are actually enforced, rather than relying on each user to comply voluntarily.
We recommend a minimum of 15 characters, using a combination of upper case, lower case, numbers and special characters. Yes, complexity is important! Simple passwords should not rate a mention, yet people continue to use dictionary words, which in any language is a bad idea. Appending a number to the end of a dictionary word is not smart or secure either; Password1 has been all too prevalent when we have audited organisations’ accounts. Do not use your pet’s name, your mother’s maiden name, your children’s names, your football team or your date of birth; these are all bad choices because they are all publicly available. Keyboard patterns such as qwerty1234 are also a bad choice.
Always change default, factory or even service-provider-installed passwords on all systems. Why? Because a default/factory password is in a manual that is typically publicly available. Length matters, particularly for critical systems, where it is recommended that you use the maximum number of characters the system allows. We have demonstrated the ability to break any 8-character password in under 2 minutes, whereas a 12-character password may take several days to a week, and 64 characters can take several years to decades to break on the same hardware. These times depend on how the target system stores (hashes) the password and on the attacker’s hardware, but the underlying arithmetic does not change: every extra character multiplies the search space by the size of the character set.
Using a password vault/safe such as LastPass can help you create secure passwords and also provides a secure repository for them. The good ones work across all your devices; the only caveat is to ensure that you use a very strong master password to access the vault itself, since it protects everything else. If the vault is on your mobile or tablet, also use a biometric such as a fingerprint to protect the application where possible.
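As an added illustration (not code from the original article), the following Python sketches how the rules in the preceding paragraphs can be enforced by a system rather than left to the user: a policy check that rejects short passwords, missing character classes, keyboard patterns, a dictionary word with a suffix such as Password1, and publicly known personal details; a worst-case brute-force estimate showing how each extra character multiplies the search space; and a random generator of the kind a password vault uses. The word list, the keyboard rows, the sample passwords and the guess rate of 1e11 per second are constructed assumptions for the example, not measurements.

```python
import re
import secrets
import string

# Constructed mini dictionary for this example; a real checker would load a
# full wordlist (the system dictionary or a list of breached passwords).
COMMON_WORDS = {"password", "welcome", "summer", "football", "dragon", "letmein", "monkey"}

# Keyboard rows used to catch patterns such as qwerty1234 or asdfgh.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 15          # the minimum recommended in the article
PRINTABLE_CHARSET = 94   # 26 upper + 26 lower + 10 digits + 32 specials


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def is_word_plus_suffix(pw: str) -> bool:
    """True for a dictionary word with a short numeric/symbol suffix, e.g. Password1."""
    m = re.fullmatch(r"([A-Za-z]+)[\d!@#$%^&*]{0,6}", pw)
    return bool(m) and m.group(1).lower() in COMMON_WORDS


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    `personal` holds details an attacker can look up (pet, team, birth year...);
    the password must not contain any of them.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("missing one of: lower, upper, digit, special")
    if re.search(r"(.)\1\1", pw):
        problems.append("three or more repeated characters")
    if has_keyboard_run(pw):
        problems.append("keyboard pattern")
    if is_word_plus_suffix(pw):
        problems.append("dictionary word with a suffix")
    low = pw.lower()
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal detail: {item}")
    return problems


def brute_force_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of `length` over `charset_size` symbols.

    The guess rate is the big unknown: it depends on the hashing algorithm the
    target uses and on the attacker's hardware, so read the results relative to
    each other rather than as absolute predictions.
    """
    return charset_size ** length / guesses_per_second


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG that passes check_password (what a vault does)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample passwords; the personal details are made up too.
    for candidate in ("Password1", "qwerty1234", "Fluffy2010!Perth", "Correct-Horse9-Battery$Staple"):
        print(f"{candidate!r}: {check_password(candidate, personal=('Fluffy', '2010')) or 'OK'}")
    rate = 1e11  # assumed illustrative guess rate, not a measurement
    for n in (8, 12, 64):
        print(f"{n} chars: {brute_force_seconds(n, PRINTABLE_CHARSET, rate):.3g} s worst case")
    print("generated:", generate_password())
```

Going from 8 to 12 characters over the same 94-symbol set multiplies the worst-case search by 94^4, roughly 78 million, which is why the article's recommendation concentrates on length; the checker's other rules exist because attackers do not search the full space but start with dictionary words, keyboard runs and the victim's public details.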
Serious consideration should be given to multi-factor authentication (MFA), which requires two or more different kinds of proof, for example something you know (a PIN or password) and something you are (a fingerprint or face). Some of us already use these on our phones. MFA belongs on your desktop/laptop computers in your workspaces too, because it prevents malicious insiders, or inquiring children, from getting access to a worker’s device. A decent USB fingerprint reader costs around $70-100 and, used together with the password rather than instead of it, is the perfect foil for the access “drive-by”.
Taking the simple preventative steps about passwords outlined in this article will significantly reduce the risk to most information systems in SMEs.