Take steps to protect your sensitive data with a quick security tune-up
David Thompson
Founder & CEO of 3 LEAPS | Business Strategy, Decision-Making, Optimization
Reading about the recent Twitter attack (quick summary in this TechCrunch article) reminded me of the importance of everyday security on email and social accounts. Remember years ago when people told us the key to security was having a hard-to-remember password? How many sites today make you choose a password with a combination of uppercase, lowercase, numbers and maybe special characters? I’d actually argue that passphrases (multiple words that don’t make sense together; think “wheat argue falling mountain”) would be better than "4h474&^#Go" in most cases, since such combinations are easier to remember yet still hard to crack. My view on this aside, the primary issue today in my opinion is the ease of resetting passwords, rather than password complexity.
Think about how many sites you use today where the “forgot password” link simply prompts you to enter your email address. You check your email, click on a link or get a temporary password, and then you are on your way. Easy, right? That is the problem! Now think about what happens if someone gets control of your email account. All of a sudden, an attacker can do the same thing and soon be logged into all of your accounts. I use the term "anchor account" for any email account you have whose address is used as a login for another site. Stop for a moment and think about how many you have. Most people I know have at least two: one personal and one business. If someone can get into your email account, chances are he or she can run a quick "forgot password" and get into your other personal accounts just as quickly.
Now is a great time to enable “multi-factor authentication” (MFA). The oldest and best definition I know for this is simple: authentication requires something you know AND something you have. In practice, MFA works for most people today through a text message to your phone or through an “authenticator” app such as Google Authenticator or Microsoft Authenticator. You might worry about locking yourself out. What if I lose my phone? What if someone steals my phone? These are reasonable questions. If you enable a PIN, fingerprint, or pattern lock on your phone, that provides substantial protection, as it is very hard (but not impossible) for someone to break into a phone configured that way. You can also print or download what are called "recovery codes" that can be used if you lose your device. If you use them, obviously put them somewhere safe (and not on your phone!).
My recommendation for most people is to use an "authenticator" app whenever possible, and especially for "anchor" email accounts and financial accounts. This protects against what is called a “SIM swap” attack, where a malicious person or group convinces a carrier to activate your phone number on a new SIM card in a phone they control (see below for some background links). This kind of threat is probably more of an issue for high-profile users like politicians, journalists, large-company executives, or those with a significant social media following. Even so, using an authenticator app is no harder than getting a text message, since either way you read a code (a one-time password, or OTP, in the jargon) and enter it. For those with a very high profile or high security concerns, both Microsoft and Google offer very high security authentication systems that require possession of a physical key (usually in the form of a pluggable USB device) or other specialized verification measures.
Whether you decide to use an authenticator app or use a "code by SMS" option, the most important action to take is to enable some kind of multi-factor authentication. So, if you aren't comfortable with one of these apps, see if you can use the SMS option instead.
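To make the "something you have" concrete, here is an added example (not code from the original post) showing what an authenticator app such as Google Authenticator or Microsoft Authenticator actually does: it computes a time-based one-time password (TOTP, RFC 6238) from a shared secret and the current clock. Nothing is sent over the phone network, which is why a SIM swap does not help an attacker against this kind of code. The secret used below is the published RFC 6238 test seed, not a real account secret; the `TotpVerifier` class is an assumed name for the server side and also shows two checks a practitioner wants: a small clock-skew window and rejection of a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 Appendix B test seed, base32-encoded
# the way an enrollment QR code would carry it. Not a real account secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
TIME_STEP = 30   # seconds per code, the default used by authenticator apps
DIGITS = 6       # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).

    This is the "read a code and enter it" side: the app holds secret_b32
    and the phone's clock; no network round trip is involved.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server side (hypothetical class): accept a code for the current step or one
    step either side to tolerate clock drift, and never accept the same step twice."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP, skew: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.skew = skew
        self.last_accepted_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, now: int) -> bool:
        counter_now = now // self.step
        for counter in range(counter_now - self.skew, counter_now + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay of a used code, or older than one already accepted
            expected = hotp(self.secret, counter)
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    v = TotpVerifier(DEMO_SECRET_B32)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:", v.verify(code, now))
```

The values in the RFC's test table (for example, the 8-digit code at Unix time 59 is 94287082, so the 6-digit form is 287082) can be used to confirm the implementation matches what real apps produce. The replay check matters because a code intercepted by phishing stays valid for the rest of its 30-second window; a verifier that remembers the last accepted step closes that small gap.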
If you are an IT leader, I’d suggest taking some time over the next few days and making sure you have a plan and recommendations on what needs to be done in your enterprise. Implement MFA if you haven't, look into the advanced security that your cloud identity providers offer for your high-profile users, make sure you have a program to encrypt the storage on devices your users carry, and have systems in place to monitor your security and user access logs. Talk with your business colleagues about what can be done and what different investments in security could do for the enterprise.
If you are a business leader, I’d suggest seeking out one of your IT colleagues and having a conversation about the current state of the enterprise for user account security. Ask about what special provisions are in place for the high-profile accounts (senior executives, finance, HR, legal, procurement, etc). See what projects are going now to improve security and ask your IT colleagues what they think is most important. Together you may find some quick wins or identify some issues that need immediate attention.
Coming back to the everyday account security, here are the tips I would offer in a quick “security checkup”. If you don’t have time to do everything at the same time, just spread the work out over a few days. Dealing with extra security is a hassle, but it is far better than having someone compromise your account, your data, and possibly the data of your family, friends, and business associates.
1) Make sure your phones and tablets are configured with a PIN, pattern, or fingerprint lock that activates after a short period of inactivity (security experts I know suggest 10-30 seconds at most; use your judgment).
2) Enable MFA (multi-factor authentication) on your "anchor" email accounts, which in turn are used to access systems containing personal or sensitive information, like banks or social networks. Use Google Authenticator or Microsoft Authenticator if you can, but otherwise use SMS. Having either is so much better than relying on just a password!
3) Repeat step 2 for any financial accounts that haven’t already required you to add MFA or two-step authentication.
4) Call your carrier or check your account to verify you have a "PIN" set up that is required to make any changes to your account. This minimizes the chance of SIM swap attacks. If you are a high-profile user, call your carrier to learn about special steps they can take to provide additional protection.
5) Ask your company’s security staff what you can do to use similar mechanisms on your company systems, if you are not already. Not sure whether you have such systems? Now is a good time to strike up that conversation!
6) Reach out to a qualified security consultant if you feel you have specialized issues or are a high-profile user. If you aren’t sure how to find such a firm, message me and I will try to offer some recommendations based on your location and situation.
Remember, it is no longer just about the strength and security of your password (though that is still important). Now it is also about how easy it is to change that password and to gain access to other accounts after doing so. In many cases, all an attacker needs is access to your "anchor" email accounts to impersonate you on social media, log into your financial accounts, or access your company systems. Taking steps to protect these "anchor" accounts, your mobile carrier account, and your portable devices can give you much better security!
Some links that may be useful:
1) Google's "2 Step" info page: https://www.google.com/landing/2step/
2) Microsoft help article on two-step verification: https://support.microsoft.com/en-us/help/12408/microsoft-account-how-to-use-two-step-verification
3) Information on Google's "Advanced Protection Program", aimed at protecting the accounts of very high-profile or security-conscious users: https://support.google.com/a/answer/9378686?hl=en&ref_topic=9376233&visit_id=637287177754349866-3284065034&rd=1#
4) A few good articles on SIM swapping
a) from Robert McMillan at WSJ: https://www.wsj.com/articles/he-thought-his-phone-was-secure-then-he-lost-24-million-to-hackers-11573221600
b) from Terry Sweeney, posted on Dark Reading: https://www.darkreading.com/theedge/sim-swapping-attacks-what-they-are-and-how-to-stop-them/b/d-id/1336662
Comment (4 years ago): Hacking accounts is getting worse by the day -- do these things!!!!