TO repel a decent attack you have to have a robust defence. Any coach worth his salt knows that – assuming of course you are talking about sport. Then there is the physical attack, a whole different ball game you might say.
What about an attack that comes in below the belt, when you are least expecting it? Via your computer. An assault on your personal information or business profile in an attempt to unlock your password?
Steve Gibbs has been good enough to send us an extract from his forthcoming book, Keeping Your Data Secure II: The Human Factor.
Steve believes ‘password strength’ is vital to stopping would-be attackers, whether the password secures important data or controls physical access to buildings and systems.
He maintains the Holy Grail of password security would be a method that can’t be beaten by a determined and resourceful infiltrator. So far, he says, the best that can be done is to slow the attacker down a lot and make their life as inconvenient as possible.
Steve maintains that a stronger password is simply one that takes longer to crack, and he doesn’t believe any practical password exists that can’t be cracked. He urges people to use harder-to-guess passwords so the assailant has to start digging in their toolkit for other methods to get at your password, rather than just typing in your name, dog’s name, date of birth, car registration number and so on.
‘People really do use things like this as their password,’ he confirms. ‘To give you a feel for what you’re up against, let’s suppose I am attacking your computer system remotely and I need to get past a password that you have set.’
The chapter of the book is made up of three phases. In this extract Steve shares, in his own words, phase one: ‘The Attack’.
‘The first thing I’m going to do is trawl the internet for anything I can find out about you, starting with Facebook, LinkedIn and other social networking sites, and moving on to credit reference agencies, government sites, registers of voters and anything else that will help me build as complete a picture as possible of YOU,’ he says.
‘If you’re a blogger, so much the better – a goldmine of personal information can often be found in people’s blogs. I will also, of course, be Googling you.
‘I’ll be looking for anything that will tell me what your password might be, as a laser-targeted precision attack with one or two password attempts is much less likely to set system alarms off than an attack where I have to try one or two hundred passwords. Or one or two million.
‘If I discover that you are a supporter of a football team, then I’ll perhaps try the team’s name, or maybe their nickname or the name of their ground.
‘However, if you’re a really wealthy individual, I might be attacking you specifically, probably to get at your money. So I will add searches of news sites to my list, and also consider looking at company registration documents, officer and stockholder details and published accounts of any business I discover you’re involved with.
‘If you’re rich, I would probably be more inclined to invest more time and energy in the attack in other ways too, and maybe indulge in a spot of “Dumpster Diving”. Basically this means I’ll be going through your trash, looking for anything with information on it that might help me attack you.
‘Most people these days are alert to the fact that having their old bank statements blowing around a landfill site is not a great idea.
‘Even your average supermarket carries cheap cross-cut shredders, so the chances of finding useful documents like that still in one piece in your rubbish are dropping – but they’re not zero, so I may strike it lucky. And besides, there may be other things in your trash that you haven’t considered you needed to shred, which could still give me useful information.
‘Such as the tickets to the opera that you attended last week. They probably won’t have your name on them, but I wonder if this week’s password is “Madame Butterfly” or something similar?
‘I might also try some social engineering on your secretary or perhaps other staff further down the food chain in your organisation – I’d probably avoid top executives’ secretaries if possible, as they’re likely to be clued up on Social Engineering techniques.’
Steve devotes a whole chapter to Social Engineering, a big topic in its own right. And there are two more phases in the chapter, dealing with the attacker as he or she digs deeper into their search to break your code.
To sum up, Steve suggests the following.
1, Make sure your password is at least eight characters long, and preferably 12 or more.
2, Use a combination of all the different character types in your password: lower-case letters, upper-case letters, numerals and special characters.
3, Don’t use words from a dictionary, or other information that could be personal to you but easily discovered from, for example, social networking sites.
4, Don’t use the same password for every system or website that you log into. It only takes one of these systems to be compromised and your password is then “out there”.
5, Change passwords reasonably regularly, and don’t re-use passwords for at least a year or two.
6, Don’t write them down, ever. But if you must, for goodness sake write them down somewhere secure – not on a post-it note stuck to your monitor!
7, Don’t share your password(s) with anyone.
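As an added example (not from Steve’s book or the article), here is a small Python checker for points 1 to 3 above. It enforces the length and character-class rules and rejects passwords built from dictionary words or from facts an attacker could glean about you, allowing for spacing, case and the common digit-for-letter substitutions that cracking wordlists undo. The dictionary and the list of personal facts are constructed sample data.

```python
import re
import string

MIN_LEN, RECOMMENDED_LEN = 8, 12
MIN_TOKEN = 4  # ignore very short fragments to limit false positives

# Substitutions an attacker's wordlist rules would undo ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})

# Constructed sample data (not from the article): a toy dictionary and the kind
# of facts the extract says can be gleaned from social media or the bin.
DICTIONARY = {"password", "liverpool", "anfield", "butterfly", "madame", "summer"}
PERSONAL_FACTS = ["Biscuit", "14/03/1975", "Liverpool", "Anfield",
                  "AB12 CDE", "Madame Butterfly"]

def normalise(text):
    """Lower-case and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def derived_tokens(facts):
    """Fragments worth checking: each fact, its digit run, and any four-digit year."""
    tokens = set()
    for fact in facts:
        tokens.add(normalise(fact))
        tokens.add(re.sub(r"\D", "", fact))        # "14031975" from a date
        tokens.update(re.findall(r"\d{4}", fact))  # "1975"
    return {t for t in tokens if len(t) >= MIN_TOKEN}

def check_password(password, facts=PERSONAL_FACTS, dictionary=DICTIONARY):
    """Return (problems, warnings); an empty problems list means rules 1-3 pass."""
    problems, warnings = [], []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    elif len(password) < RECOMMENDED_LEN:
        warnings.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    classes = {"lower": str.islower, "upper": str.isupper, "digit": str.isdigit,
               "special": lambda c: c in string.punctuation}
    for name, test in classes.items():
        if not any(test(c) for c in password):
            problems.append(f"no {name} characters")
    # Compare the password as typed and with leet substitutions undone.
    forms = {normalise(password), normalise(password.translate(LEET))}
    bad = {t: "dictionary word" for t in dictionary if len(t) >= MIN_TOKEN}
    bad.update({t: "personal fact" for t in derived_tokens(facts)})
    for token, kind in bad.items():
        if any(token in form for form in forms):
            problems.append(f"contains {kind} '{token}'")
    return problems, warnings
```

With the sample facts, “M@dameButterfly75!” is long enough and mixes all four character classes, yet still fails because it is the opera ticket from the bin with a few substitutions.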
Good advice don’t you think? Yes, we thought so too.
Steve Gibbs is the CEO of NSM Training Ltd (www.nsmtraining.com). You can download a pdf of the whole chapter from the company’s website.