December 10, 2012 By Wayne Hanson
The first element of strong security is a strong password — as boring as that may sound. You have a key to the front door of your house; computers and computer systems use passwords. Weak passwords are like simple door locks that can be sprung with a paper clip. Short, simple words — for example, your dog’s name “Scotty” — make weak passwords. Cybercrooks can break these in a few seconds. For starters, a good password is at least eight characters long. Using upper- and lowercase letters also increases the time required to crack it. Adding a number or two strengthens your defenses even more, and adding a punctuation mark or other symbol gets you into “strong password” territory that could take years for a hacker to crack. Use tools like Microsoft’s password strength checker to make sure you’re on the right track.
RESOURCES FOR CITIES AND COUNTIES: Tools, Templates and Guides
Multi-State Information Sharing and Analysis Center cybersecurity guides for nontechnical managers.
SANS advice on protecting mobile devices: PINs, passwords, pattern locks, encryption, backups, remote wiping, and what to do if your device is lost or stolen.
White House Guide to bring your own device (how to safely integrate personal mobile devices into your network).
McGraw-Hill basic security training, concepts, definitions, two-minute drill and a self-test.
A four-page nontechnical acceptable use template developed by MS-ISAC and LeRoy, N.Y.
This webpage contains many different types of security policy templates from the SANS Institute.
NIST Computer Security Incident Handling Guide
The Open Web Application Security Project live CD: testing tools for website security
Metasploit penetration testing tools
Trustwave perimeter scanning for vulnerability and PCI compliance
Strong passwords are complex — but how do you remember them? Writing them on a sticky note attached to the screen or under the keyboard means anybody with physical access to your computer can get into your data. But experts have come up with a few tricks to jog your memory. Start with a phrase, for example, that commemorates a family activity: “We camped at Humbug Mountain in 2010.” Your password could be the first letters of that phrase: “WcaHMi2010.” Microsoft’s checker rates this password as “medium” strength.
To strengthen it, trade some letters or numbers for symbols. For example, trade the “a” for an ampersand (&), the “i” for a colon (:) and swap the two zeros for letter Os. That gives you: “Wc&HM:2O1O”. Microsoft’s checker says that’s a “strong” password, and it’s much easier to remember than a randomly generated strong password. So you’ve beefed up your front door and installed a deadbolt.
Pelgrin said using the same password for your home computer and work systems is like using the same key for your house, car, office and storage facility. If someone makes a copy of that one key, they have access to everything. Typically, if hackers crack one password, they will try that password on any other systems (e.g., social networks and mobile devices) that you use. “Keep your city or county login password strong and don’t use it anywhere else,” Pelgrin said. And, even though it’s inconvenient, passwords should be changed regularly.
If you have too many passwords to remember, try using a password manager, which stores multiple passwords in an “online safe” where users only need one password for access. “They let you randomly generate strong passwords for all your accounts and store them securely,” said Joanne McNabb, chief of California’s Privacy Protection Office, in a newspaper article. McNabb said there are a number of free password managers including: KeePass (for Windows, OS X, Linux, Android and iOS), Password Safe (Windows) and Keychain (Mac).
In some cases, biometric devices that require a fingerprint, retina scan or facial recognition can provide secure access without a password. For instance, staff members at the Sacramento, Calif., City Clerk’s Office are piloting fingerprint readers for their mobile devices.
Americans lose $7 million in mobile devices every day. Yet Pelgrin said he’s astounded at how many people don’t use a sign-on password for their smartphones. Simply setting a four-digit passcode will keep a thief out of smartphone users’ personal information, bank accounts, contact lists, etc., and after a certain number of wrong attempts at cracking the password, the phone will freeze everything or erase all data.
Using strong passwords isn’t the only security measure to take, but it’s a good start. The next layer of the “onion defense” is a firewall. If someone knocks on your front door, you would certainly find out who they are and what they want before inviting them in. A firewall does that for a computer. It analyzes traffic coming from the Internet, for example, that’s going into the computer system and allows some traffic to enter and stops other traffic based on operating rules designed to protect the system from attacks. Most firewalls offer a choice of “on” or “off.” To have this layer of protection, make sure your firewall is on. If the firewall stops a connection you want, then add an exception in the firewall settings.