Just how did my small business email system get hacked? How did my network get exposed? Maybe you or your employees were careless in your password selection and use. This presentation covers why owners and employees need to be careful about their company's data, and what the current best practices are for choosing and implementing passwords.
3. Why should Employees Care?
• Company Damage:
– Reputation
– Fines
• Lost Business
• Lost Revenue
• YOUR Income
• YOUR Job
10/27/2016
Revenue Loss: -46%
Adivi Corporation
4. Why should Employees Care?
• Personal Impact
– Identity theft
• Name
• Address
• Social Security
– Banking
– Health Information
5. What Did I Do?
• You Fell For The Wrong Phish … beware the sweet-talking email spear-phisher!
• Careless Wi-Fi Connection … don’t just connect to any old Wi-Fi you meet!
• Improper Protection … using passwords poorly is like not using a password at all!
6. When You Hide In Obvious Ways, You Become A Tasty Treat!
Password
Fido (pets)
123456
2468101214
987654321
Ford2014
qwerty
dragon
Baseball (sports)
letmein
monkey (sexual or anatomical references)
1111111
abc123
mustang
master
shadow
7 dirty words reference
welcome
1qazwsx
login
starwars
princess
passw0rd
Football (sports)
7. Public Information is a Recipe for Disaster!
Joshua (child name)
michael/jennifer
anniversary
birthdates
license plate number
home address
How to check if your email/password has been compromised:
https://haveibeenpwned.com
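Checking a password against a breach corpus, as the link above suggests, can be done without sending the password itself anywhere. The block below is an added example and not part of the Adivi presentation: it implements the k-anonymity lookup offered by the Have I Been Pwned "Pwned Passwords" service (the `api.pwnedpasswords.com/range/<prefix>` endpoint is my assumption about that service; the slide only links the site). Only the first five hex characters of the password's SHA-1 are sent; the service answers with every suffix it knows in that range and the match happens locally. The sample response body is constructed so the demo runs offline.

```python
# Added example (not from the Adivi slides): k-anonymity breach lookup for a password.
# Assumption: the HIBP Pwned Passwords range API at https://api.pwnedpasswords.com/range/<prefix>
# answers with lines of the form "SUFFIX:COUNT". Only the 5-character SHA-1 prefix leaves the host.
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body, suffix):
    """Parse a range response and return the breach count for `suffix`, or 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10.0):
    """Network lookup of one prefix range (not used by the offline demo below)."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password, fetch=fetch_range):
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed sample response. A real range holds hundreds of lines and the counts change
# over time; the second line is the genuine SHA-1 suffix of the string "password".
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def offline_check(password):
    """Same logic as is_pwned(), but against the constructed sample body."""
    return is_pwned(password, fetch=lambda prefix: SAMPLE_RANGE_BODY)


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2016"):
        n = offline_check(pw)
        print(f"{pw!r}: {('seen %d times' % n) if n else 'not in sample range'}")
```

Swap `offline_check` for `is_pwned` to query the live service; any password that comes back with a non-zero count should be treated as already known to attackers and replaced, regardless of how strong it looks.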
9. Passwords: You Don’t Need to Be A Genius!
PASSWORD Best Practice
• LONG passwords (12-15 ++ characters)
• Avoid whole words/phrases
• Spread Symbols and Numbers Throughout
• Unique password for each important site (never use twice!): e-commerce, bank.
• Change Infrequently
• Should be different from username
• Never use email password on another site.
– Email is frequently used as user name for logins.
• 2-factor authentication for important data.
• DON’T SHARE PASSWORDS!
• IF you write them down, secure that list! OR use hints only YOU would know.
• Passwords stored in browsers are visible (Chrome, Firefox, Internet Explorer)
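The rules above can be enforced mechanically before a password is accepted. The following checker is an added example, not code from the Adivi presentation: it applies the length, whole-word, spread-of-symbols, username and personal-information rules from this slide and the two before it. The common-password set is taken from the "Tasty Treat" slide; the username and personal terms used in the demo are constructed.

```python
# Added example (not from the Adivi slides): a checker for the slide's password rules.
import re
import string

MIN_LENGTH = 12  # slide: "LONG passwords (12-15 ++ characters)"

# Entries from the "When You Hide In Obvious Ways" slide, lower-cased for comparison.
COMMON_PASSWORDS = {
    "fido", "123456", "2468101214", "987654321", "ford2014", "qwerty", "dragon",
    "baseball", "letmein", "monkey", "1111111", "abc123", "mustang", "master",
    "shadow", "welcome", "1qazwsx", "login", "starwars", "princess", "passw0rd",
    "football",
}


def check_password(candidate, username="", personal_terms=()):
    """Return a list of rule violations; an empty list means the candidate passes."""
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    # "Avoid whole words/phrases": letters only, optionally with a short trailing number
    if re.fullmatch(r"[A-Za-z]+\d{0,4}", candidate):
        problems.append("looks like a single word (optionally followed by digits)")

    # "Spread symbols and numbers throughout": require a digit or symbol that is
    # neither the first nor the last character
    interior = candidate[1:-1]
    if not any(ch.isdigit() or ch in string.punctuation for ch in interior):
        problems.append("digits/symbols only at the ends (or missing)")

    # "Should be different from username"
    if username and lowered == username.lower():
        problems.append("same as the username")

    # "Public Information is a Recipe for Disaster": names, dates, plates, addresses
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal information: {term!r}")

    return problems


if __name__ == "__main__":
    user = "jsmith@example.com"                 # constructed username
    personal = ("Joshua", "1982", "IL-ABC123")  # constructed: child name, birth year, plate
    for pw in ("Ford2014", "Tcbspig81ilMH", "Joshua1982!!", "Tcb@mft81"):
        result = check_password(pw, username=user, personal_terms=personal)
        print(f"{pw:16} -> {'OK' if not result else '; '.join(result)}")
```

The personal-terms list is the part most sites skip: a length rule alone would pass `Joshua1982!!`, while the checker flags both the child's name and the birth year.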
10. Two Can Play this Game!
• Think of an unusual sentence: “The Chicago Blackhawks Should Play In Green 81 I Love Marian Hossa” (Tcbspig81ilMH)
• Three Word Model:
– Ex: Object, Place, Color
– Symbol to separate
– Capitalize ONE word
– Add a number
• Vowels into numbers: Tcb@mft81, Tcb@mft8!, Cthr11cbaugn03
• Remove Vowels: Tcbspg81lmh!
• Build around a base:
– Tcbsp1g81ilMHFaceBook
– Tcbsp1g81ilMHMyBank
– Tcbsp1g81ilMHTarget
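The construction methods on this slide are simple enough to write down as functions, which makes it easy to see what each one does to a password. The block below is an added example, not the presentation's own material: `sentence_initials` reproduces the slide's Tcbspig81ilMH from its sentence, `remove_vowels` reproduces the vowel-stripped form, the three-word model and build-around-a-base are implemented as described, and `shared_prefix` measures how much the per-site variants have in common. The vowel-to-digit mapping is my assumption, since the slide gives results but not the rule.

```python
# Added example (not from the Adivi slides): the slide's password-construction methods as code.

VOWELS = "aeiouAEIOU"
# Vowel-to-number substitution. The slide does not state its mapping; this one is an assumption.
VOWEL_DIGITS = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0",
                              "A": "4", "E": "3", "I": "1", "O": "0"})


def sentence_initials(sentence, upper_positions=()):
    """First character of each word (numbers kept whole), lower-cased except for
    the word positions listed in upper_positions."""
    out = []
    for i, word in enumerate(sentence.split()):
        piece = word if word.isdigit() else word[0]
        out.append(piece.upper() if i in upper_positions else piece.lower())
    return "".join(out)


def vowels_to_numbers(text):
    """'Vowels into numbers' using the assumed mapping above."""
    return text.translate(VOWEL_DIGITS)


def remove_vowels(text):
    """'Remove Vowels': drop every vowel, keep everything else in place."""
    return "".join(ch for ch in text if ch not in VOWELS)


def three_word(words, separator, capitalize_index, number):
    """Three Word Model: join with a symbol, capitalise ONE whole word, add a number
    (the notes say it should not be tied to a personal number)."""
    parts = [w.lower() for w in words]
    parts[capitalize_index] = parts[capitalize_index].upper()
    return separator.join(parts) + str(number)


def build_around_base(base, site_tags):
    """'Build around a base': one fixed base with a per-site tag appended."""
    return {tag: base + tag for tag in site_tags}


def shared_prefix(passwords):
    """Length of the prefix common to every password in the list."""
    shortest = min(passwords, key=len)
    n = 0
    while n < len(shortest) and all(p[n] == shortest[n] for p in passwords):
        n += 1
    return n


if __name__ == "__main__":
    sentence = "The Chicago Blackhawks Should Play In Green 81 I Love Marian Hossa"
    base = sentence_initials(sentence, upper_positions=(0, 10, 11))
    print("initials      :", base)                    # Tcbspig81ilMH, as on the slide
    print("no vowels     :", remove_vowels(base))      # Tcbspg81lMH
    print("vowel digits  :", vowels_to_numbers(base))
    print("three words   :", three_word(("lamp", "chicago", "green"), "@", 1, 42))
    variants = build_around_base("Tcbsp1g81ilMH", ("FaceBook", "MyBank", "Target"))
    print("shared prefix :", shared_prefix(list(variants.values())), "characters")
```

The `shared_prefix` result is the caveat a practitioner would add to the last bullet: the three per-site variants share their first 13 characters, so if one of them is exposed in a breach, the pattern for every other site is exposed with it. A password manager (slide 12) that generates unrelated passwords per site avoids that coupling, and the slide's own "unique password for each important site" rule is only fully met that way.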
12. What do you need?
• Considerations:
– 2-Factor Authentication
– Automatic Password Capture
– Web Form Auto Fill
– Password Strength Assistance
– Application Password Capability
– Browser Plugin
13. Password Security is no joke… It is always a serious story.
15. Thank You
Adivi Corporation
1332 W Lake Street
Chicago, IL 60607
(312) 676-2400
This was not a test of the Adivi Managed Services monitoring system. In the event of an actual emergency, Adivi engineers would have executed preventative measures to ensure continuity in your normal business operations.
Again, this was not a test of the Adivi Managed Services monitoring system.
Editor's notes
We all know technology is upending every aspect of how businesses operate. I just had someone today tell me that if he had had today's technology when he started his own business 10 years ago, his company would be in a completely different place.
Because technology has become such a large part of our normal business activity, it is important that every one of your employees understands how important it is to approach their use of technology with good, healthy, proactive IT practices.
The purpose of this presentation is to highlight why small business owners and employees should care about IT security, with a special focus on password dos and don’ts, some creative methods for creating passwords, and a quick review of password applications.
Symantec 2016 Internet Security Threat Report
Cybersecurity Firm
According to the Symantec 2016 Internet Security Threat Report, small businesses account for more attacks than ever before. 43% of all attacks in 2015 were against small businesses (defined as fewer than 250 people), up from only 18% of attacks as recently as 2011.
WSJ reports 34,529 known computer incidents EVERY DAY (source: Microsoft Cybersecurity WhitePaper)… 62% of data breaches against SMBs.
Some hackers are trophy hunters who pick on the easiest prey. Small businesses do not have as many resources to deal with threats; they are outsized and under-equipped.
Other hackers are looking to be a wolf in sheep’s clothing, hoping to disguise themselves in their quest for bigger prey … such as…
Reputation:
CSO 1/7/16, prsa.org 7/22/16
Target sales fell by 46% YOY in Q4 2013 after its data breach. Can your small business survive that?
UK research (OnePoll): 86.55% of respondents were “Not at All Likely” or “Not Very Likely” to continue doing business with an organization that had a data breach involving credit/debit cards. The figure was lower for loss of home address/email address.
Government Fines
Lawsuits
Target’s downfall was a sub-contractor. So you may not be the target, and you may not even be aware of the danger your hacked system can pose to your customers/clients. It is vitally important that everyone, especially those who are owners, hold financial titles, or handle payments, is very careful about what they do; they are the biggest targets.
Don’t wreck your reputation!
US Department of Justice – 17.6M individuals experience some form of ID theft
Think about what personal information your company has about you….
Direct Financial Loss: Bank Accounts/Money
Indirect Financial Loss: ID Theft = legal fees/overdraft fees
Average Loss: $1,343.
Credit Score – Negative Impact
Credit Cards
Auto Loans
Home Loans
Insurance Rates
Jobs
Personal Health – Stress/Sleep
There are many activities that can lead to your company’s account being hacked.
Click on a bad email
Connect to the spoof wi-fi
Poor passwords…
Today we will talk about passwords.
Splashdash.com
The Telegraph UK – Do You have one of the most common passwords? Mar 23, 2016
Computerworld, Jan 20, 2016 Worst, most common passwords for last 5 years.
Using personally identifiable information is risky … provides another nugget of information about you that is associated with the username/password.
Makes it easier to tie more elements about your personal life together.
You don’t have to be a hero!
The average joe can make a big impact!
And you don’t have to be a genius…. Just be deliberate in choosing.
Here are the key elements of good password selection.
1. Email/iCloud/Google Passwords – journalist iCloud password on website, bot verified, lost password – wipe my device.
2. Data Storage: Dropbox, Lockbox
Two Factor – reroute SMS outside the US ….duplicate SMS to
If you ever get 2-factor request and you didn’t request, means that your account is hacked.
CERN: if you type your password in your user name field by accident, CHANGE it; it shows up in system logs.
Jim Fenton, security researcher with NIST, quoted in NakedSecurity.com/2016/8/18
Make security user friendly, verifier more
Moving toward – no real length restriction, phrases will be OK, all symbols/emojis, no more hints, stupid questions, no expiration
Think like you are defending vital information – because you are!
Outwit those cybercriminals…. They can move on down the line and eliminate someone else!
Three Words with a couple characters
Object in front of you, where you were, favorite color –
Separate with a character
Capitalize one of the words – capitalize the WHOLE word
add a number – not tied to personal number.
No space – because it’s the obvious break…
Maybe a test?
The trick is complexity: a complex password is stronger than a simple one that is changed all the time.
Pcmag review: Sept 23, 2016
Computerworld, Jan 20, 2016 list of password keepers
Bitium, Okta, OneLogin are corporate password keepers.
Password Keeper is encrypted. No one can, not the company, not federal authorities can see what the data is. Your Masterpassword – MUST BE SECURE!
Same rules
Password Manager can also manage two factor code… text messages or code generator – code on the screen (mobile = QR code) SAFER because there is no SMS, or security breach.
What are you looking for in a password keeper?
Can it handle two-factor authentication
Most will automatically capture passwords
Do you fill out a lot of forms? Auto Fill will help
Are you unsure about how strong a password is? Some will help
Applications – things like Facebook, LinkedIn, CBS Sports, Company Apps – will the password keeper save those?
Is there a browser plug-in for the PK?
Seriously – be careful about selecting passwords.
Resources about passwords, 2-factor authentications.