For 'Cybersecurity Awareness Month' America's Cybersecurity Agency Shares Four Online Safety Tips (cisa.gov)

Since 2004 October has been designated "Cybersecurity Awareness Month" in America, "a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk and generate discussion on cyber threats on a national and global scale."

That's according to America's Cybersecurity and Infrastructure Security Agency (or CISA), the operational lead for federal cybersecurity and national coordinator for critical infrastructure security and resilience (specifically designed for collaboration and partnership). It's why the NSA is publicizing the ten most common cybersecurity misconfigurations in large organizations.

But in addition, for consumers CISA is introducing a new program this year that "promotes behavioral change across the Nation, with a particular focus on how individuals, families and small to medium-sized businesses can Secure Our World by focusing on the four critical actions..." In a video the director of America's cyberdefense agency calls them steps "that everyone can take to stay safe online."
  • Use Strong Passwords, "meaning long, random, and unique to each account. And use a password manager to generate and to save them."
  • Turn on Multi-Factor Authentication on All Accounts That Offer It. "You need more than a password on your most important accounts, like email, social media, and financial accounts."
  • Recognize and Report Phishing. "Be cautious of unsolicited emails, texts, or calls asking you for personal information, and don't click on links or open attachments from unknown sources."
  • Update Your Software. "In fact, enable automatic updates on your software, so the latest security patches just keep your devices continuously up-to-date."

The video ends by noting CISA is asking tech companies and software developers to create products that are "secure by design."

"And let's secure our families by ensuring that our loved ones know what to look for and how to stay safe online."


  • Will this now be published every year, or every couple of weeks by different organizations?

    They forgot one:
    Buckle your seatbelts.

    Ooh, another one:
    Always use your turn signals.

  • by aaarrrgggh ( 9205 ) on Saturday October 07, 2023 @01:46PM (#63908605)

    The only fscking links in unknown senders I ever have to click on are from my bank and their asinine "secure mail" system. (I do know when they are coming, but how stupid can one of the largest US banks be?!)

    Must be the same industry that thinks an SMS is a good second factor.

    • by Entrope ( 68843 )

      They're not allowed (by federal regulation) to send detailed information on plain text, in case somebody intercepts the email and gets enough info to steal your identity. The same is true for health care providers, via a different set of regulations. And E2EE email is too hard to do on a large scale with typical users, so these senders don't bother trying.

      • I get that, and it is ok that they don't use regular email... but the system is stupid. You can have other systems that work relatively well though for the same purpose... for starters build it into the banking app. Blind uploads encrypted to the sendee are an option as well, although bi-directional information exchange is harder.

        • Maybe they should adopt the system that the VA uses on its main patient website, My Healthe Vet, (That's the way they spell it.) Secure Messaging. You can only send a Secure Message from that website and only if you have a Premium Account. You can only send messages to somebody at the VA who's listed as able to receive those messages, and if the person you need to communicate with has been removed from the list, there's nothing direct you can do about it. If you receive a Secure Message, you're told by
  • by Ferocitus ( 4353621 ) on Saturday October 07, 2023 @01:51PM (#63908611)

    contain Chinese ideograms or Cyrillic characters.
    The bad guys would never think of that!

  • by Art Challenor ( 2621733 ) on Saturday October 07, 2023 @01:54PM (#63908613)
    Have we finally realized that changing passwords more often than you wash your coffee cup likely adds nothing to your security?
    • by gweihir ( 88907 )

      The last large security catalog (BSI) dropped this requirement in 2020. Seems your knowledge is a bit obsolete there.

      • And yet I still have a customer that requires 30 day password changes...
        • by gweihir ( 88907 )

          There are obsolete people in the world. Some have "security" practices that _decrease_ security, because they are stuck in the past.

  • by PPH ( 736903 ) on Saturday October 07, 2023 @01:56PM (#63908615)

    Upgrade to Windows 11.

    • Upgrade to Windows 11.

      I will wait for Windows 95. Lots of release years between '11' and '95' so I got time to plan my migrations, right?

  • by Striek ( 1811980 ) on Saturday October 07, 2023 @02:16PM (#63908659)

    I hate the "use a password manager" advice. Don't get me wrong, I use one. I encourage others to use one. But I don't encourage everyone to use one. Advice like this is predicated on the assumption that it is universally applicable, and it just ain't so.

    Why? Because it requires a certain level of tech literacy to use one properly. The easiest ones to use are 1password and LastPass and the like. One problem is that they're not all compatible with all devices. Will it work on my Chromebook, my Android, and my iPad? (probably, yes - I don't use online managers) What happens when I travel, and LastPass flags a suspicious login, and wants a second factor? Well, they'll typically either send an email or an SMS. Can't log in to my email, because I need to log in to LastPass first. Okay - then send an SMS. Oh crap, my international SMS isn't working, or my phone is dead, or the rates are exorbitant so I got a local number, or, or, or...

    This happened to my father just this week; he's visiting me from overseas. His cell provider charges astronomically stupid rates for international service, so he bought a cheap cell phone plan and a new SIM card at the airport. Upon trying to log in to his email provider, they demanded a second factor by SMS - which he could not receive. If that was a LastPass account, he would have been locked out of everything. Keep in mind, the man is approaching 80, and does not adapt to new technology as quickly as he once did.

    Password managers all have individual quirks when integrating with various devices. It can be a nightmare for the technologically challenged - exactly the type of people these scams go after.

    Then of course, using password managers on shared devices is troublesome (think library computers, or a borrowed tablet). And there is the very real risk that you can lose the password to your password manager - in which case, generally, everything is lost. Forever. Password managers are a great idea, but they fail to address the needs of a deceptively large (and largely ignored) group of users. Advice like this is typically ignored by those users.

    When my father asked my advice on how to securely travel with all his account credentials, I gave him the following advice: Write your account names on one sheet of paper. Write the account passwords on another sheet of paper. Index them so you can correlate them. Then place one of those papers in your carry-on, and the other in your checked baggage. Basically, that equates to "write it down" - which I hate doing, but the risk of losing access to his bank account while overseas is very much more real than the slim chance of an account compromise. It worked quite well - and with a lot less frustration than a password manager. The SMS 2FA I helped with by putting his original SIM card back in, something he has neither the tools nor knowledge to do. The five texts he received when it connected cost him $5.

    And as for random, unique, long passwords... that is impossible for humans without a password manager.

    • ... send an SMS.

      That's why I recommend authenticator software. Carrying 2 devices and charging cables is far more accessible than a phone network and SMS.

      At the worst, installing a password manager and a password-enabled authenticator (such as andOTP [google.com]) on one device forces an identity thief to require my phone PIN, my password-manager password and my authenticator-app PIN.

      ... real risk that you can lose the password ...

      That is one thing you can write down. Ideally, without a label or explanation: It should be something that you will immediately recognize as a password. Second-best, includes the name of a person who will tell you where the password goes. The phone PIN and authenticator-app PIN will have to be remembered but can be numbers you already know. E.g. the odd digits of your phone number, your ATM/EFTPoS-card PIN backwards.

      • by Striek ( 1811980 )

        That's why I recommend authenticator software. Carrying 2 devices and charging cables is far more accessible than a phone network and SMS.

        My bank does not provide me that option. It's SMS or a voice call or get bent.

        That is one thing you can write down. Ideally, without a label or explanation: It should be something that you will immediately recognize as a password. Second-best, includes the name of a person who will tell you where the password goes. The phone PIN and authenticator-app PIN will have to be remembered but can be numbers you already know. E.g. the odd digits of your phone number, your ATM/EFTPoS-card PIN backwards.

        I do like this, thank you.

    • And as for random, unique, long passwords... that is impossible for humans without a password manager.

      Is this [xkcd.com] no longer good advice?

  • ...for the executives of Fortune 500 companies to take. Do you think they'll have the humility to listen?
  • by Red_Chaos1 ( 95148 ) on Saturday October 07, 2023 @02:34PM (#63908697)
    But it will require a number of things to change on all websites:
    • Stop using user antagonistic login pages. Splitting up the username/password fields between pages or only revealing the password field after entering a username and clicking a button is stupid, and fucks with password managers. It doesn't help with security at all, it just makes it more of a PITA for real users.
    • Sanitize inputs and allow all UTF-8 characters.
    • Remove upper limits on password length
    • Stop it with the stupid "security pictures/images/etc."
    • Stop using canned "security questions" because they all ask for info that can be easily gleaned from the Internet

    Frankly, banks are some of the worst offenders when it comes to shitty password policy. Stupid things like "minimum of 8, maximum of 15 characters, only letters, numbers, and this limited list of special characters, and no spaces." Embarrassing really.

    • Stop using canned "security questions" because they all ask for info that can be easily gleaned from the Internet

      The solution for that is to treat answers for security questions as additional passwords and store them in your password safe, too. Your mom's maiden name should be something like XNW,mKoU\M^v'"'`uEB!.

      What? It's a very cromulent name on Alpha Perseus 4. What are you, xenophobic?

      • The solution for that is to treat answers for security questions as additional passwords and store them in your password safe, too.

        That's one thing the Australian myGov web site actually gets right. You can choose your own security questions/answers and they can be arbitrarily complex. It's effectively just a set of user-specified prompts and correct responses. Only the prompts need to be stored in plaintext on the remote side. After entering a valid username/password, you're prompted with a randomly se

  • by Opportunist ( 166417 ) on Saturday October 07, 2023 @02:42PM (#63908709)

    Use Strong Passwords, "meaning long, random, and unique to each account. And use a password manager to generate and to save them."

    That's a great idea... provided that password manager is hosted locally and that it's under your control 24/7 instead of putting your eggs into some basket that doubles as a high profile target for password stealing attacks. Yes, LastPass, I talk about you specifically. But don't feel special, any cloud-based password storing service is just as vulnerable.

    Turn on Multi-Factor Authentication on All Accounts That Offer It. "You need more than a password on your most important accounts, like email, social media, and financial accounts."

    Again, a great idea. Provided that you don't use the same device to access your account that you use as your second factor, like, say, accessing your online banking with the same phone you use as a second factor for the MFA. Because that defeats the purpose.

    Recognize and Report Phishing. "Be cautious of unsolicited emails, texts, or calls asking you for personal information, and don't click on links or open attachments from unknown sources."

    You might want to tell people HOW to identify phishing, because people have been notoriously great at falling for phishing, then accusing companies trying to prevent them from handing out their credentials for phishing. People are stupid. Deal with it.

    Update Your Software. "In fact, enable automatic updates on your software, so the latest security patches just keep your devices continuously up-to-date."

    That would be great advice if companies didn't care more about keeping you from using your devices the way you want to use them than about keeping you secure. Especially with IoT devices, and TVs are the most problematic culprits there, updating your device may not be in the interest of your security because all it does is to keep you from taking control of your device and handing control to its maker... or whoever.

    • At the minimum, something like how 1Password stores things, with the user password combined with a secret key. This is awkward in some ways, as one has to keep the secret key in some safe place (perhaps print it and stick it in a file cabinet), but this ensures that anything stored in 1Password's cloud cannot be brute-force decrypted without access to an endpoint. One can get similar functionality with KeePass by using a keyfile and copying the keyfile to all endpoints, and only storing the .kdbx file on

      • "the user password combined with a secret key"

        That's just two passwords.

        • That depends on what that secret key is, it could be of the "what you know" and "what you have" kind, it depends entirely which one it is.
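An added illustration of the "user password combined with a secret key" scheme discussed in the thread above. This is example code written for this page, not 1Password's or KeePass's implementation; the PBKDF2 iteration count, the HMAC-based combining step and the keyed verifier are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Assumed parameter for this demo, not a vendor setting.
PBKDF2_ITERATIONS = 100_000


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine a (possibly weak) memorised password with a device-held secret key.

    The secret key never leaves the user's devices, so a copy of the encrypted
    vault taken from the cloud gives an attacker only half of the input.
    """
    # Slow hash of the password: the part the user can remember.
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    # Bind the high-entropy secret key to the same salt (HKDF-extract style).
    sk_key = hmac.new(salt, secret_key, hashlib.sha256).digest()
    # XOR the two halves: lacking either input leaves the result unpredictable.
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def make_verifier(vault_key: bytes) -> bytes:
    """A keyed check value the sync server may hold instead of the key itself."""
    return hmac.new(vault_key, b"vault-unlock-check", hashlib.sha256).digest()


def unlock(password: str, secret_key: bytes, salt: bytes, verifier: bytes) -> bool:
    """Constant-time check that password AND secret key reproduce the verifier."""
    candidate = make_verifier(derive_vault_key(password, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


def demo() -> tuple:
    """Constructed scenario: correct inputs unlock; missing either one does not."""
    secret_key = os.urandom(16)  # generated once on the user's device
    salt = os.urandom(16)        # stored alongside the vault
    verifier = make_verifier(derive_vault_key("hunter2", secret_key, salt))
    ok = unlock("hunter2", secret_key, salt, verifier)
    wrong_secret = unlock("hunter2", os.urandom(16), salt, verifier)
    wrong_password = unlock("hunter3", secret_key, salt, verifier)
    return ok, wrong_secret, wrong_password


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a stolen cloud copy (salt plus verifier) cannot be checked against password guesses without the 128-bit secret key, which is why the comment notes the key must be backed up separately and copied to every endpoint.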

  • Ordinary users will _never_ use strong passwords. They are not capable of it. Demented invalid and obsolete policies enforcing regular password changes make this one worse though.

    • I can memorize ONE password that has twelve or more random characters. Anything more than that I can only manage 8 characters of randomness and some pieces that are generated from a pattern.

  • For most people their threat model is "I don't have that 2FA any more" rather than "security services of a foreign nation is trying to intercept my communications".

  • Report phishing? Really? They want me to spend my whole day sending dozens of emails into a black hole for "analysis"? Time does not grow on trees.
