For 'Cybersecurity Awareness Month' America's Cybersecurity Agency Shares Four Online Safety Tips (cisa.gov)
Since 2004, October has been designated "Cybersecurity Awareness Month" in America, "a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk and generate discussion on cyber threats on a national and global scale."
That's according to America's Cybersecurity and Infrastructure Security Agency (or CISA), the operational lead for federal cybersecurity and national coordinator for critical infrastructure security and resilience (specifically designed for collaboration and partnership). It's why the NSA is publicizing the ten most common cybersecurity misconfigurations in large organizations.
But in addition, for consumers CISA is introducing a new program this year that "promotes behavioral change across the Nation, with a particular focus on how individuals, families and small to medium-sized businesses can Secure Our World by focusing on the four critical actions..." In a video the director of America's cyberdefense agency calls them steps "that everyone can take to stay safe online."
- Use Strong Passwords, "meaning long, random, and unique to each account. And use a password manager to generate and to save them."
- Turn on Multi-Factor Authentication on All Accounts That Offer It. "You need more than a password on your most important accounts, like email, social media, and financial accounts."
- Recognize and Report Phishing. "Be cautious of unsolicited emails, texts, or calls asking you for personal information, and don't click on links or open attachments from unknown sources."
- Update Your Software. "In fact, enable automatic updates on your software, so the latest security patches just keep your devices continuously up-to-date."
The video ends by noting CISA is asking tech companies and software developers to create products that are "secure by design."
"And let's secure our families by ensuring that our loved ones know what to look for and how to stay safe online."
Great advice, timely too (Score:2)
Will this now be published every year, or every couple of weeks by different organizations?
They forgot one:
Buckle your seatbelts.
Ooh, another one:
Always use your turn signals.
Re: (Score:2)
Drink more Ovaltine!
Cursed "Secure Mail" systems (Score:3)
The only fscking links in unknown senders I ever have to click on are from my bank and their asinine "secure mail" system. (I do know when they are coming, but how stupid can one of the largest US banks be?!)
Must be the same industry that thinks SMS is a good second factor.
Re: (Score:2)
They're not allowed (by federal regulation) to send detailed information on plain text, in case somebody intercepts the email and gets enough info to steal your identity. The same is true for health care providers, via a different set of regulations. And E2EE email is too hard to do on a large scale with typical users, so these senders don't bother trying.
Re: (Score:2)
I get that, and it is ok that they don't use regular email... but the system is stupid. You can have other systems that work relatively well though for the same purpose... for starters build it into the banking app. Blind uploads encrypted to the sendee are an option as well, although bi-directional information exchange is harder.
The best passwords to use (Score:3, Funny)
contain Chinese ideograms or Cyrillic characters.
The bad guys would never think of that!
What happened to "change your password often"? (Score:4, Insightful)
The last large security catalog (BSI) dropped this requirement in 2020. Seems your knowledge is a bit obsolete there.
Re: (Score:2)
There are obsolete people in the world. Some have "security" practices that _decrease_ security, because they are stuck in the past.
and oh puh-leeze! (Score:3)
Upgrade to Windows 11.
Re: (Score:2)
Upgrade to Windows 11.
I will wait for Windows 95. Lots of release years between '11' and '95' so I got time to plan my migrations, right?
Password managers are great, but... (Score:4, Informative)
I hate the "use a password manager" advice. Don't get me wrong, I use one. I encourage others to use one. But I don't encourage everyone to use one. Advice like this is predicated on the assumption that it is universally applicable, and it just ain't so.
Why? Because it requires a certain level of tech literacy to use one properly. The easiest ones to use are 1password and LastPass and the like. One problem is that they're not all compatible with all devices. Will it work on my Chromebook, my Android, and my iPad? (probably, yes - I don't use online managers) What happens when I travel, and LastPass flags a suspicious login, and wants a second factor? Well, they'll typically either send an email or an SMS. Can't log in to my email, because I need to log in to LastPass first. Okay - then send an SMS. Oh crap, my international SMS isn't working, or my phone is dead, or the rates are exorbitant so I got a local number, or, or, or...
This happened to my father just this week, he's visiting me from overseas. His cell provider charges astronomically stupid rates for international service, so he bought a cheap cell phone plan and a new sim card at the airport. Upon trying to log in to his email provider, they demanded a second factor by SMS - which he could not receive. If that was a LastPass account, he would have been locked out of everything. Keep in mind, the man is approaching 80, and does not adapt to new technology as quickly as he once did.
Password managers all have individual quirks when integrating with various devices. It can be a nightmare for the technologically challenged - exactly the type of people these scams go after.
Then of course, using password managers on shared devices is troublesome (think library computers, or a borrowed tablet). And there is the very real risk that you can lose the password to your password manager - in which case, generally, everything is lost. Forever. Password managers are a great idea, but they fail to address the needs of a deceptively large (and largely ignored) group of users. Advice like this is typically ignored by those users.
When my father asked my advice on how to securely travel with all his account credentials, I gave him the following advice: Write your account names on one sheet of paper. Write the account passwords on another sheet of paper. Index them so you can correlate them. Then place one of those papers in your carry-on, and the other in your checked baggage. Basically, that equates to "write it down" - which I hate doing, but the risk of losing access to his bank account while overseas is very much more real than the slim chance of an account compromise. It worked quite well - and with a lot less frustration than a password manager. The SMS 2FA I helped with by putting his original SIM card back in, something he has neither the tools nor knowledge to do. The five texts he received when it connected cost him $5.
And as for random, unique, long passwords... that is impossible for humans without a password manager.
Re: (Score:2)
That's why I recommend authenticator software. Carrying 2 devices and charging cables is far more accessible than a phone network and SMS.
At the worst, installing a password manager and a password-enabled authenticator (such as andOTP [google.com]) on one device forces an identity thief to require my phone PIN, my password-manager password and my authenticator-app PIN.
That is one thing you can write down. Ideally, without a label or explanation: It should be something that you will immediately recognize as a password. Second-best, includes the name of a person who will tell you where the password goes. The phone PIN and authenticator-app PIN will have to be remembered but can be numbers you already know. E.g. the odd digits of your phone number, your ATM/EFTPoS-card PIN backwards.
Re: (Score:2)
That's why I recommend authenticator software. Carrying 2 devices and charging cables is far more accessible than a phone network and SMS.
My bank does not provide me that option. It's SMS or a voice call or get bent.
That is one thing you can write down. Ideally, without a label or explanation: It should be something that you will immediately recognize as a password. Second-best, includes the name of a person who will tell you where the password goes. The phone PIN and authenticator-app PIN will have to be remembered but can be numbers you already know. E.g. the odd digits of your phone number, your ATM/EFTPoS-card PIN backwards.
I do like this, thank you.
Re: (Score:3)
You're assuming that 2FA means insecure SMS.
And that password managers have to be online
No I'm not. I myself use Keepass and TOTP. I'm assuming that all other options (at least currently) are too difficult to manage for a large number of people.
Re: (Score:2)
Is this [xkcd.com] no longer good advice?
So their first bullet point is great and all... (Score:4, Informative)
Frankly, banks are some of the worst offenders when it comes to shitty password policy. Stupid things like "minimum of 8, maximum of 15 characters, only letters, numbers, and this limited list of special characters, and no spaces." Embarrassing really.
Re: (Score:3)
Stop using canned "security questions" because they all ask for info that can be easily gleaned from the Internet.
The solution for that is to treat answers for security questions as additional passwords and store them in your password safe, too. Your mom's maiden name should be something like XNW,mKoU\M^v'"'`uEB!.
What? It's a very cromulent name on Alpha Perseus 4. What are you, xenophobic?
Let people choose their security questions (Score:2)
That's one thing the Australian myGov web site actually gets right. You can choose your own security questions/answers and they can be arbitrarily complex. It's effectively just a set of user-specified prompts and correct responses. Only the prompts need to be stored in plaintext on the remote side. After entering a valid username/password, you're prompted with a randomly se
Erh.. mind if a security researcher butts in here? (Score:3)
Use Strong Passwords, "meaning long, random, and unique to each account. And use a password manager to generate and to save them."
That's a great idea... provided that password manager is hosted locally and that it's under your control 24/7, instead of putting your eggs into some basket that doubles as a high-profile target for password-stealing attacks. Yes, LastPass, I'm talking about you specifically. But don't feel special, any cloud-based password storing service is just as vulnerable.
Turn on Multi-Factor Authentication on All Accounts That Offer It. "You need more than a password on your most important accounts, like email, social media, and financial accounts."
Again, a great idea. Provided that you don't use the same device to access your account that you use as your second factor, like, say, accessing your online banking with the same phone you use as a second factor for the MFA. Because that defeats the purpose.
Recognize and Report Phishing. "Be cautious of unsolicited emails, texts, or calls asking you for personal information, and don't click on links or open attachments from unknown sources."
You might want to tell people HOW to identify phishing, because people have been notoriously great at falling for phishing, then accusing companies trying to prevent them from handing out their credentials for phishing. People are stupid. Deal with it.
Update Your Software. "In fact, enable automatic updates on your software, so the latest security patches just keep your devices continuously up-to-date."
That would be great advice if companies didn't care more about keeping you from using your devices the way you want to use them than about keeping you secure. Especially with IoT devices, and TVs are the most problematic culprits there, updating your device may not be in the interest of your security, because all it does is keep you from taking control of your device and hand control to its maker... or whoever.
Re: (Score:2)
At the minimum, something like how 1Password stores things, with the user password combined with a secret key. This is awkward in some ways, as one has to keep the secret key in some safe place (perhaps print it and stick it in a file cabinet), but this ensures that anything stored in 1Password's cloud cannot be brute-force decrypted without access to an endpoint. One can get similar functionality with KeePass by using a keyfile and copying the keyfile to all endpoints, and only storing the .kdbx file on
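As an added illustration of the point in the comment above (example code written for this page, not 1Password's or KeePass's actual algorithm), this toy Python derives a vault key from the master password alone versus from the password plus a device-held secret, then runs the same small offline guess against a stolen check value in both designs. The password, guess list, salt, iteration count and hypothetical derivation scheme are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: a weak master password and a tiny guess list that contains it.
WEAK_PASSWORD = "sunshine2023"
GUESS_LIST = ["password", "123456", "letmein", "sunshine2023", "qwerty", "dragon"]
SALT = b"constructed-account-salt"  # per-account salt; fixed so the demo is deterministic
ITERATIONS = 10_000                 # kept low for the demo; real vaults use far more

def key_from_password(password: str, salt: bytes) -> bytes:
    """Vault key derived from the master password alone (a single-secret design)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def key_from_password_and_secret(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Illustrative two-secret derivation: stretch the password, then mix in a
    high-entropy secret that lives only on enrolled devices (hypothetical scheme,
    not 1Password's exact algorithm)."""
    stretched = key_from_password(password, salt)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()

def vault_check(key: bytes) -> bytes:
    """Stand-in for 'does this key open the vault?': a keyed check value stored beside it."""
    return hmac.new(key, b"vault-check-value", hashlib.sha256).digest()

def offline_guess(stolen_check: bytes, salt: bytes, secret_key: Optional[bytes]) -> Optional[str]:
    """Try every password in GUESS_LIST against a stolen check value.
    secret_key=None models someone holding only the cloud copy, not an enrolled endpoint."""
    for guess in GUESS_LIST:
        key = (key_from_password(guess, salt) if secret_key is None
               else key_from_password_and_secret(guess, secret_key, salt))
        if hmac.compare_digest(vault_check(key), stolen_check):
            return guess
    return None

def demo() -> dict:
    secret_key = secrets.token_bytes(16)  # 128 random bits, generated once at enrolment
    single = vault_check(key_from_password(WEAK_PASSWORD, SALT))
    double = vault_check(key_from_password_and_secret(WEAK_PASSWORD, secret_key, SALT))
    return {
        # weak password + single-secret design: the stolen cloud copy gives up the password
        "single_secret_cracked": offline_guess(single, SALT, None),
        # two-secret design without the device secret: every guess fails, right or wrong key
        "two_secret_no_key": offline_guess(double, SALT, None),
        "two_secret_wrong_key": offline_guess(double, SALT, secrets.token_bytes(16)),
        # the enrolled device (or whoever also compromised it) still opens the vault
        "two_secret_with_key": offline_guess(double, SALT, secret_key),
    }
```

The last entry is the trade-off the comment describes: the secret key must be kept somewhere safe and copied to each endpoint, because losing it locks out the legitimate user exactly as it locks out an attacker.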
Re: (Score:2)
"the user password combined with a secret key"
That's just two passwords.
Re: (Score:2)
That depends on what that secret key is: it could be of the "what you know" or the "what you have" kind; it depends entirely on which one it is.
The first one is bogus (Score:2)
Ordinary users will _never_ use strong passwords. They are not capable of it. Demented, invalid and obsolete policies enforcing regular password changes make this one worse though.
Re: (Score:2)
I can memorize ONE password that has twelve or more random characters. Anything more than that I can only manage 8 characters of randomness and some pieces that are generated from a pattern.
The problem with 2FA (Score:2)
For most people their threat model is "I don't have that 2FA any more" rather than "the security services of a foreign nation are trying to intercept my communications".
"report phishing" (Score:2)
Report phishing? Really? They want me to spend my whole day sending dozens of emails into a black hole for "analysis"? Time does not grow on trees.