Contrast is once again proud to be a Champion for Cybersecurity Awareness Month throughout October, to help in promoting global awareness of online safety and privacy. This annual campaign is a global effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations, tribal communities, and individuals committed to educating others about online safety.
“We are proud to again be a champion of this far-reaching online safety awareness and education initiative, which is co-managed by the Cybersecurity and Infrastructure Security Agency [CISA] and the National Cybersecurity Alliance,” said David Lindner, Contrast’s Chief Information Security Officer (CISO). “I applaud all the individuals and organizations that come together to raise cybersecurity awareness globally. This initiative personally hits home, as each and all of us have the responsibility of being security-diligent in our online lives.”
Cybersecurity best practices
Starting this year, the new theme of Cybersecurity Awareness Month is Secure Our World, with the main messaging revolving around four key cybersecurity best practices:
- Understanding the benefits of using a password manager and dispelling existing myths around password manager security and ease of use.
- Turning on MFA on personal devices and business networks.
- Recognizing and reporting phishing — still one of the primary threats used by cybercriminals today.
- Installing updates on a regular basis and turning on automated updates.
Does the average person care?
While Contrast is proud to be a champion, we’re also clear-eyed when it comes to whether the public gives a rat’s blast about this month-long educational outreach.
Given how entwined we all are in technology — from the mobile phones through which we carry out our financial transactions and handle our cryptocurrency balances to the connected homes that help us keep an eye on our infants, our refrigerator contents and our thermostats — you’d imagine that staying safe online would be of deep interest to us all.
It’s not.
“The general gist of what I'm starting to realize in my many years of being in cybersecurity is that the general population doesn't give a [darn],” Dave sighs. “They don't care. We keep saying things like, ‘Set good passwords’ and ‘use [multifactor authentication, or MFA].’ The reality is, if someone doesn't care, they don't care. They're not going to do it.”
He’s said this before, and he’s saying it again: “The only way that people are going to [take precautions] is if the people who require those precautions — the passwords, the MFA — force it on people. That is the only way we're going to fix this problem.”
Finally, somebody steps up to the plate
This year, we’re gratified to see that at least one big player in the world of password management — LastPass — is finally doing exactly that. LastPass announced recently that it’s requiring tougher passwords — a minimum of 12 characters. The password manager company has required longer passwords since 2018, but legacy users had been exempt.
For years, NIST has said in its Digital Identity Guidelines (SP 800-63B) that password length matters more than composition rules such as required symbols and digits. Now LastPass is enforcing that length, pushing users into choosing a longer password. As Dave commented in his Sept. 29 CISO Insights column, “This is a brilliant move. More companies should force long passwords (12 characters or more) by default.
“We need to force all those user bases — be it a user base of 75 retirees or 20-somethings who’ve grown up in the technology age — to use basic security principles that keep coming up every year,” says Contrast’s CISO. Those basic principles, outlined below, haven’t changed since last year’s Cybersecurity Awareness Month. That’s for a good reason, Dave says: “Because they're basic. And they prevent so much trouble if you practice them all.”
When it comes to businesses forcing cybersecurity best practices onto their users, nobody would claim that it’s an easy fix. Still, “it’s the only way to win,” Dave stresses. “The only way to fix security practices is for the organizations that are requiring you to authenticate to make them compulsory. That's it.
“We know of companies that are doing dealings online who are afraid to turn on strong passwords. I think that there are companies who are afraid to force things upon their users that may be seen as ‘friction.’”
That’s why compulsory cybersecurity practices must be easy to swallow, he says: “It has to be easy to consume and it has to be psychologically acceptable.”
Kudos to LastPass for braving this friction by requiring longer passwords, the CISO says. Better that than the common practice of passing the buck to users and shaming them for not complying with security practices when they’ve proven, time after time, worst-password list after worst-password list, that they simply don’t care.
What to do if you care
Here are best practices for those of us who do care about online safety and yet still might not be familiar with how best to stay safe:
1. Use a password manager
This may seem obvious, but all too often strong passphrases and password managers are overlooked. When it comes to staying safe, that’s a serious omission: research shows that compromised credentials are second only to unpatched vulnerabilities as the most common way attackers gain initial access to targeted systems.
Using a long, unique password for every account is a good way to keep one breached site from unlocking the others, since attackers routinely replay leaked credentials against other services, and a password manager is the easy way to generate, store and remember them. The National Institute of Standards and Technology (NIST) provides great guidance on setting password standards in its Digital Identity Guidelines (SP 800-63B).
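As an added example (not Contrast's or LastPass's code), here is a password-acceptance check in the spirit of NIST SP 800-63B: it enforces the 12-character floor discussed above, rejects known-breached passwords after undoing cheap disguises, rejects context-specific words, and imposes no uppercase/digit/symbol composition rules. The breached list is a tiny constructed sample, and the leetspeak map and trailing-digit stripping are this example's own normalization choices; a real deployment would check a large breach corpus.

```python
"""Added example, not Contrast's or LastPass's code: an SP 800-63B-style
password check. Minimum length, blocklist of breached passwords, no
composition rules. Sample blocklist and normalization rules are constructed
for illustration."""
import math
import re

MIN_LENGTH = 12    # the floor LastPass now enforces (SP 800-63B requires at least 8)
MAX_LENGTH = 128   # allow long passphrases; cap only to bound hashing cost

# Constructed sample blocklist (a real one has hundreds of millions of entries).
BREACHED_SAMPLE = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "password1", "welcome1", "admin123", "p@ssw0rd", "sunshine",
]

# Leetspeak substitutions that attackers' wordlists already account for (assumed map).
LEET = str.maketrans("@$0134578!", "asoieastbi")


def normalize(pw: str) -> str:
    """Canonical form for blocklist comparison: lower-case, drop a trailing run
    of digits/punctuation that follows letters ('Welcome1!' -> 'welcome'),
    then undo leetspeak ('P@ssw0rd' -> 'password')."""
    core = pw.lower()
    core = re.sub(r"(?<=[a-z])[^a-z]+$", "", core)
    return core.translate(LEET)


BLOCKLIST = {normalize(p) for p in BREACHED_SAMPLE}


def check_password(pw: str, context: tuple = ()) -> tuple:
    """Return (accepted, reason). `context` holds site- or user-specific words
    (service name, username, e-mail local part) that must not appear."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if normalize(pw) in BLOCKLIST:
        return False, "matches a known-breached password"
    low = pw.lower()
    for word in context:
        if word and word.lower() in low:
            return False, f"contains context-specific word {word!r}"
    if len(set(pw)) <= 2:          # 'aaaaaaaaaaaa', 'abababababab'
        return False, "repetitive"
    return True, "ok"


def brute_force_bits(pw: str) -> float:
    """Upper bound on blind brute-force work: length times log2 of the character
    classes actually used. Dictionary-based passwords fall far below this in
    practice, which is why the blocklist check above comes first."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2023!", "Password1234",
                      "correct horse battery staple", "ContrastSecurity2024"]:
        print(f"{candidate!r:32} -> {check_password(candidate, context=('contrast',))}")
    # Twelve lower-case letters out-search eight characters drawn from every class.
    print(brute_force_bits("abcdefghijkl"), brute_force_bits("Tr0ub4d&"))
```

Note what the length rule alone does not catch: "P@ssw0rd2023!" is 13 characters and uses every character class, yet normalizes to "password" and is rejected, while the 28-character all-lowercase passphrase passes. The last line shows the arithmetic behind "length trumps complexity": twelve lowercase letters give a larger brute-force keyspace than eight characters mixing all four classes.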
2. Enable MFA
MFA adds a necessary second check to verify your identity when you log into one of your accounts. Because a second, independent factor is required, a malicious actor who has stolen, guessed or cracked your password still cannot get in with the password alone. If MFA is available, enable it! Having it is always better than not, despite breaches involving Uber, Okta, Twilio and others in which attackers got past MFA by social-engineering users, for example by bombarding them with push notifications until they approved one, or by capturing one-time codes on a phishing page and relaying them within their validity window.
Attacks that bypass MFA remain the exception, not the rule. MFA is still a critical extra layer of authentication and identity protection for your accounts. Where a service offers phishing-resistant options such as FIDO2/WebAuthn security keys or passkeys, prefer them over SMS codes, which can be intercepted or relayed.
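To make the second factor concrete, here is an added example (not code from the post or from Contrast) of RFC 6238 TOTP, the time-based one-time codes that authenticator apps generate, implemented with the standard library only, plus a toy login that requires both the password and a current code. The user record, password and clock values are constructed for the demo; the TOTP secret is the RFC 6238 test-vector secret. The example also shows the limit of OTP-style MFA described above: a code captured and relayed within its validity window is accepted.

```python
"""Added example, not the post's or Contrast's code: RFC 4226 HOTP / RFC 6238
TOTP and a two-factor login built on them. User store and clock are constructed."""
import hashlib
import hmac
import os
import struct

STEP = 30              # seconds per TOTP time step
WINDOW = 1             # accept +-1 step of clock drift
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = STEP,
                digits: int = 6, window: int = WINDOW) -> bool:
    """Constant-time comparison against the current step and its neighbours.
    A production verifier would also remember the last accepted counter so the
    same code cannot be replayed inside the window."""
    base = at // step
    ok = False
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter, digits), code):
            ok = True
    return ok


# Constructed demo user store: salted PBKDF2 password hash plus the TOTP seed
# that the user's authenticator app also holds (here the RFC 6238 test secret).
TOTP_SECRET = b"12345678901234567890"


def _make_user(password: str, totp_secret: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret}


USERS = {"alice": _make_user("correct horse battery staple", TOTP_SECRET)}


def login(username: str, password: str, code, at: int) -> bool:
    """Both factors are always evaluated and both must pass; the caller is not
    told which one failed."""
    rec = USERS.get(username)
    if rec is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(derived, rec["pw_hash"])
    code_ok = (isinstance(code, str) and code.isascii()
               and verify_totp(rec["totp_secret"], code, at))
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 1111111111                      # fixed clock so the run is reproducible
    pw = "correct horse battery staple"
    code = totp(TOTP_SECRET, now)
    print("password only          :", login("alice", pw, None, now))
    print("password + current code:", login("alice", pw, code, now))
    print("code relayed 20 s later:", login("alice", pw, code, now + 20))
    print("same code 5 min later  :", login("alice", pw, code, now + 300))
```

The last two lines are the practical caveat: a code phished and relayed twenty seconds later is still inside the 30-second step and is accepted, while the same code five minutes later is not. That window is what push-fatigue and relay attacks exploit, and it is why FIDO2/WebAuthn, which binds the response to the site's origin, is preferred where available.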
3. Recognize and report phishing
Phishing, in which a cybercriminal poses as a legitimate party in hopes of getting individuals to engage with malicious content or links, is one of the most common forms of social engineering and remains one of the most popular tactics among cybercriminals today.
While phishing has gotten more sophisticated, you should still keep an eye out for typos, poor graphics, out-of-character messages, unexpected messages and other suspicious characteristics, as these can be telltale signs that a message is a phish. In addition, if you think you have spotted a phishing attempt, be sure to report the incident so that internal IT teams and service providers can remediate the situation and prevent others from becoming victims.
One of the more common avenues of phishing these days is SMS, also called smishing. Typical smishing messages purport to come from businesses such as shipping companies, phone providers or Amazon, and they contain links that aim to steal credentials or install malware on the mobile device. Don't tap the link. Instead, forward the offending message to 7726 (SPAM) so your carrier can take it from there, and block any further communication from the number if your mobile device provides that functionality.
4. Update your software
When a device prompts that it is time to update the software, it may be tempting to simply click postpone and ignore the message. However, having the latest security software, web browser and operating system on devices is one of the best defenses against online threats. So don’t wait — update. Malicious actors take advantage of disclosed vulnerabilities due to the lag time between initial reporting and patching across all affected systems. The faster we can keep our software up to date, the more protected we will be in the long run.
And for software vendors in particular, shortening Mean Time to Respond/Remediate (MTTR) for application vulnerabilities can help customers to reduce their windows of exposure. Application vulnerabilities simply need to be found and fixed faster.
For more information about Cybersecurity Awareness Month 2023 and how to participate in a wide variety of activities, visit cisa.gov/cybersecurity-awareness-month and staysafeonline.org/cybersecurity-awareness-month/.