Document forgery, bank and credit card fraud, spam, online privacy, identity theft, pharming, phishing, RFID. As we’ve progressed from telegraph to telephone to the Internet, and as we move into global communication, these terms are more and more part of our everyday lexicon.
Techniques for obtaining personal information (without which it is difficult to impersonate someone) include:
- Dumpster diving to steal mail and personal information
- Pickpocketing
- Remotely reading smart chips (RFID) on credit cards and passports
- Eavesdropping on conversations at your neighborhood hangout or on public transportation, and watching over your shoulder as you type a password or PIN (shoulder surfing)
- Redirecting mail
- Infiltration of large data stores, or a data breach at a company trusted with personal information (Social Security or credit card numbers)
- Searching public records and registers that are stored online
- Retrieving information from recycled equipment that has not been sanitized
- Browsing social networks for personal data
- Posing as a representative of a trusted company (phishing, which works especially well for email and telephone scams)
- Using false pretenses to trick business gatekeepers, such as receptionists and help desks, into divulging customer and business information, especially passwords (pretexting).
Since 2002, information risk management studies around the world have shown that passwords are the least protected part of our technology, and that people will divulge them for a free pen or some chocolate! Would you give your house or car keys or your bankbook to someone who offered you a free pen? Do you keep your password on a sticky note on your monitor or under your keyboard? Do you give your password to contractors or your computer technician?
If you do, you are the weakest link in the human firewall.
The idea of a firewall is to ensure that only those you invite into your network have access and unwanted guests are turned away. All the technology in the world is useless if a human unthinkingly opens the security door in the wall. Those who are intent on mischief and harm are using social engineering against you. A human firewall is built by re-engineering how humans react to divulging secure data so as to minimize errors when information needs to be shared.
Social engineering is defined as the act of manipulating people to get them to divulge confidential information. It is a bit more sophisticated than a con game or simple fraud. It is information gathering by deception or trickery: information that is then used to compromise computers, steal your identity, and worse. The Federal Trade Commission (FTC) has a wealth of information on its web site www.ftc.gov/bcp/edu/microsites/idtheft/ explaining identity theft, how to protect yourself from it, and what to do if your identity is stolen. But it is the human firewall and password protection I am writing about today.
BUILDING A HUMAN FIREWALL BY CHANGING THE CULTURE
As listed above, there are dozens of ways to break through the firewall, human or otherwise. Implementing basic changes in thinking and research habits will minimize your exposure. Changing behavior is difficult, and there is a whole industry devoted to it. Some simple culture shifts include:
- Encrypt emails that include sensitive data
- Put a printed reminder near the copier to remove originals
- Keep your public conversations public: don't discuss company or personal business where you can easily be overheard
- Keep your software patched and up to date
- Leave simple, not detailed, voicemail messages
- Never share your passwords or other sensitive information with anyone on the phone, by email, or even at your front desk; that nice man selling a service might be another Kevin Mitnick trying to get his digital foot in your door
Kevin Mitnick, one of the most famous convicted computer hackers, notes that technology is useless (and often gives a false sense of invulnerability) if you or an employee hands a password to anyone posing as a colleague or repairman, or who simply seems trustworthy. Kevin tells one story in which a man waiting in an outer office for an appointment asked the receptionist whether there was a spare computer he could use while he waited. The receptionist took him to a guest office, where the man installed a small program that he later activated from his home computer: a virtual breaking and entering.
DESIGNING PASSWORDS TO WARD OFF ATTACKS
Begin to change your security culture by designing strong passwords that are easy to remember yet hard to guess. The strongest have a minimum of 8 alphanumeric characters, mixed upper and lower case, and perhaps special characters; beyond that minimum, length matters most, because every added character multiplies the work an attacker has to do to guess it. Having a policy that requires a strong password, and changes it when there is reason to believe it has been compromised rather than on a fixed schedule, is probably the best way to proceed.
Password policies should include:
- Not using “easy to guess” passwords such as a family name or other personal information: your favorite song, your birthdate, or your license plate;
- Not using easy to crack passwords. Password-cracking software (the digital equivalent of a safecracker) is freely available and runs through number sequences, dictionary words in every language, and the common letter substitutions and appended digits people use to dress those words up, all in a matter of minutes;
- Not storing passwords in writing or sharing with others;
- Logging out of a computer before leaving it unattended;
- Using different passwords for administrator accounts, operating systems and applications;
- Changing passwords if they appear to be compromised; and
- Setting a chain of responsibility which, through repetition, will become part of your regular security routine.
THE POLICY OF PRACTICALITY
Designing complex passwords, creating and memorizing a different one for each application, system or family member, and typing special characters can all create chinks in the wall. You might find yourself writing your password on a paper taped under your keyboard. Special characters can also cause problems if your keyboard is set up for two or more languages, since the same key may produce a different symbol under each layout.
Password reset systems that rely on a security question (“your mother’s maiden name,” “your favorite pet,” “your school”) are easily breached by reading your social media profiles (Facebook, LinkedIn, MySpace, YouTube) and then answering the question to reset or guess your password.
The simplest attack is to trick you into thinking an administrator is requesting your password: you receive and open an email asking for a password or credit card number to “reactivate settings” or perform some other benign-sounding operation.
This is phishing. Scary? Maybe.
With your new corporate culture in place, you (and your employees) will no longer divulge sensitive information, passwords or anything else, to people claiming to be administrators; real administrators rarely, if ever, need a user’s password to perform their tasks. You’ll never again leave the password blank (as in no password), nor will you use as your password:
- The word “password” or “admin” (or their derivatives)
- Your name, your login name, or other personal information
- Your favorite anything (book, food, celebrity)
- Ordinary words with numbers added or letters reversed
YOU’VE ALWAYS WANTED TO WRITE IN CODE…
…and here is your chance. The best practice for creating a strong 8- to 15-character alphanumeric password is to take an easily remembered phrase and code it.
“Romeo, O Romeo, where art thou Romeo?” could become R0R?atR!
“Twinkle, twinkle, little star” could be 2TWs!t!*
Use numbers and punctuation to replace obvious letters: an “E” becomes a “3,” and the letter “I” becomes “!” (exclamation mark). Keep in mind that cracking tools try these same substitutions automatically, so the real strength comes from the phrase being long and known only to you, not from the swaps.
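The rules in the previous section and the phrase-coding trick above are easy to turn into a checker. What follows is an added example, not code from the original post: a Python policy check that applies the post’s own rules (minimum length, mixed case, a digit, no “password”/“admin” derivatives, no personal details, no dictionary word with digits appended or letters reversed). The word list and sample user are constructed stand-ins, and the leet table deliberately contains the post’s own E -> 3 and I -> ! swaps, because cracking tools undo exactly those substitutions before comparing against their dictionaries. The two coded passwords from the post pass only because the phrases behind them are not in the list.

```python
"""Code-level version of the post's password rules (added example, not from the
post). The word lists here are tiny constructed stand-ins for the
multi-language dictionaries that real cracking tools carry."""
import re
import string

# Symbol-for-letter swaps that cracker rule sets undo. The post's own
# suggestions (E -> 3, I -> !) are in this table on purpose: a cracker tries
# them too, so the phrase behind the password has to be the unpredictable part.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

BANNED = ("password", "passwd", "admin")          # and their derivatives

# Constructed stand-in for a real wordlist.
DICTIONARY = {"summer", "winter", "welcome", "dragon", "monkey", "letmein",
              "football", "qwerty", "romeo", "elephant"}

# Constructed sample user; a real deployment reads this from the directory.
USER = {"name": "Gayley Knight", "login": "gknight", "pet": "Fido",
        "birth_year": "1975"}

MIN_LENGTH = 8


def candidate_cores(password: str) -> set:
    """Every form a cracker would try first: lowercased, with and without the
    leet swaps undone, punctuation dropped, leading/trailing digits stripped.
    "Summer2019!" yields {"summer2019", "summer", "summer2oi9", "summer2oi"}."""
    lower = password.lower()
    cores = set()
    for form in (lower, lower.translate(LEET)):
        alnum = re.sub(r"[^a-z0-9]", "", form)
        cores.add(alnum)
        cores.add(alnum.strip(string.digits))
    cores.discard("")
    return cores


def personal_tokens(user: dict) -> set:
    """Lowercased fragments of the user's details long enough to be meaningful."""
    tokens = set()
    for value in user.values():
        tokens.update(p for p in re.split(r"\W+", value.lower()) if len(p) >= 3)
    return tokens


def check_password(password: str, user: dict = USER) -> list:
    """Return the names of the rules the password violates; an empty list passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")

    cores = candidate_cores(password)
    reversed_cores = {c[::-1] for c in cores}
    tokens = personal_tokens(user)

    if any(b in c for c in cores for b in BANNED):
        problems.append("banned_word")              # P@ssw0rd1, Admin2020
    if any(t in c for c in cores for t in tokens):
        problems.append("personal_info")            # F1do2024, xK9q1975zT
    if cores & DICTIONARY:
        problems.append("dictionary_word")          # Summer2019!
    if reversed_cores & DICTIONARY or any(b in c for c in reversed_cores for b in BANNED):
        problems.append("reversed_word")            # drowssaP1
    return problems


if __name__ == "__main__":
    for pw in ("R0R?atR!", "2TWs!t!*", "P@ssw0rd1", "drowssaP1",
               "Summer2019!", "F1do2024", "letmein"):
        print(f"{pw:14} {check_password(pw) or 'OK'}")
```

The checker generates every cheap variant of the candidate (un-leeted, digit-stripped, reversed) and tests those, rather than the typed string alone; that is the same order of operations a cracker's rule set follows, which is why a dressed-up dictionary word fails here even though it satisfies the length and character-class rules.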
THAT PIECE OF CHOCOLATE
For the past few years, Infosecurity Europe has run surveys that use giveaways as a password cracker. In 2004, of those offered chocolate bars, 71% gave up their password for the sweet, a bit of an improvement from the year before, when 90% of office workers approached gave their password in exchange for a pen. In 2008, things were getting better, with about 52% providing their passwords. While we don’t know whether the passwords were made up on the spot to claim the prize, remember your mom’s words, “don’t take candy from strangers,” and you won’t be the weakest link.
Gayley Knight is a guest blogger for Terametric. She is Founder/Principal of Business Her Way (a social media management company). Delighting in opening the technology world for your company, Gayley draws on her extensive network and personal business experience to simplify your online world. Showing you best social business practices and simple tech tools designed to increase your business visibility brings social media into perspective, saving you time and money. You can contact her directly at http://www.businessherway.net or via email at gayley@mothergeek.com.