Unlocking Secrets: How to Create Passwords that Hackers Hate (PART 1)
Welcome to the first post in our three-part series "Unlocking Secrets: How to Create Passwords Hackers Hate," where we delve into physical security and risk.
Instinctual Security
Whichever psychological framework you may attribute it to, most people agree that humans have a basic, built-in instinct to survive; to protect themselves, their loved ones, and their belongings. We've been doing this for a long time, and it comes very naturally to us. What are the threats that might seek to do us harm, and what are they capable of? From the sabretooth tiger to breaking quantum encryption, understanding the threat's intentions and capabilities gives us a healthy concept of risk and the knowledge of "what" and "how much" defense we need in order to feel reasonably safe.
Cybersecurity is loosely defined as protecting the confidentiality, integrity, and availability of digital information. Cyber threats and cyber defenses present a unique challenge because we can't "see" them. They're all around us in a myriad of technological devices, but not being able to put your hands on the data and the defenses makes it extremely difficult to understand them and make good security decisions. That's why it can be helpful to draw comparisons from the physical world to the digital one.
A Medieval Metaphor
In cybersecurity we recommend a defense-in-depth approach, acknowledging that no single layer of defense is sufficient to protect our data. This isn't a new concept by any means. In medieval times, castle fortresses embodied defense-in-depth principles.
How does this translate into cybersecurity, you may ask? A castle would have watchtowers and cleared land to enable a view of oncoming enemy forces. This equates to our auditing, antivirus/antimalware, network and system monitoring, and the security information and event management (SIEM) and cybersecurity operations center (CSOC) personnel alerting us to enemy activity. A castle would usually have an open field within bowshot of the walls. This might equate to a network demilitarized zone (DMZ), where digital services such as webservers can reside, providing access to the public but denying access to the internal network. The outer wall, moat, drawbridge, and gatehouse are analogous to the firewall, blocking access except through specifically approved ports and services. The bailey greenspace between the outer and inner walls could be the virtual local area networks (VLANs) separating distinct parts of the local network. The inner wall of a castle may be likened to host-based defenses and firewalls, where you authenticate yourself as friend, not foe, with the door guards (username and password, multifactor authentication). Finally, the castle keep equates to file permissions and the discretionary and mandatory access controls protecting your data.
Security Today
That's all well and good for medieval siege warfare, but what about today? We protect our money and our banks (has anyone seen Ocean's Eleven?) with defense in depth: cameras, guards, vaults, and alarms. We protect our homes with defense in depth: curtains for privacy, video cameras, alarm systems, barking dogs, locked windows and doors, and granny with her shotgun mounted over the fireplace.
The question remains, though: "what" and "how much" security is the right amount? The answer is that it depends. What are you protecting: your flat screen TV, the Colonel's eleven herbs and spices recipe, or the nuclear arsenal launch codes? There is a continuous spectrum between ultimate security and ultimate convenience.
Calculating Risk
There are many factors that impact risk, and yet human beings are naturally good at calculating risk in real-world scenarios. Do you walk down the dark alleyway at night in the big city? What are you trying to protect? Your wallet, your watch, your car keys, your life? Is the threat present? Does it have intent? What is it capable of? The alley is dark, the threat has intent to rob you blind, and may have a knife or a gun. What are your mitigations? Are you wearing plate mail armor? A bullet-proof vest? Are you Chuck Norris, Jackie Chan, or James Bond? No? Then perhaps you should find another route. We can do those calculations in the blink of an eye, so why is it so difficult in other situations, especially cybersecurity?
Attempting to calculate risk would seem simple. Take the Likelihood of something bad happening, multiply it by the Severity of the consequences, then subtract the effectiveness of your mitigations and defensive protections, and you have your Risk, as in the equation below.
RISK = (Likelihood * Severity) - Mitigation Effectiveness
Simple, right? Not really. The Likelihood of something bad happening can be further broken down into the Threat's Capability and the Threat's Intent, weighted by the existence of a Vulnerability and the Difficulty of exploiting that vulnerability. The Severity of impact can be broken down into the Value of the target multiplied by the consequential Cost of it being damaged.
Likelihood = Threat Capability * Threat Intent
Severity = Target Value * Impact Cost
Unless you're one of the #ProfessionalParanoid (like we are at ExistX), you probably don't have an in-depth knowledge of the risks of technology; most people don't. Knowing what is possible and what the threat is capable of is a key variable in knowing and properly mitigating your risk.
Onward to Part 2... Do you feel safe at home? Is your company data secure?
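To make the three formulas above concrete, here is a small Python model written for this post as an added example (it is not ExistX's own tooling). It scores every factor on a 0 to 1 scale, which is an assumption of the example since the post gives only the formulas, and it uses constructed values for the dark-alley, flat-screen-TV and launch-codes scenarios. The `blind_spot` function illustrates the last paragraph's point: if you score the threat's capability lower than it really is, the risk you calculate drops below the risk you actually carry.

```python
from dataclasses import dataclass, replace

# Every factor is scored on a 0..1 scale. That scale is an assumption made for
# this example; the post itself gives only the formulas, not the units.


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_capability: float  # what the threat is able to do
    threat_intent: float      # how much it wants to do it
    target_value: float       # what the asset is worth to you
    impact_cost: float        # what it costs you if the asset is damaged or lost
    mitigation: float         # effectiveness of your defenses


def likelihood(s: Scenario) -> float:
    # Likelihood = Threat Capability * Threat Intent
    return s.threat_capability * s.threat_intent


def severity(s: Scenario) -> float:
    # Severity = Target Value * Impact Cost
    return s.target_value * s.impact_cost


def risk(s: Scenario) -> float:
    # RISK = (Likelihood * Severity) - Mitigation Effectiveness
    # Rounded so floating-point noise does not disturb comparisons.
    return round(likelihood(s) * severity(s) - s.mitigation, 4)


def rank(scenarios):
    """Order scenarios by residual risk, highest first."""
    return sorted(scenarios, key=risk, reverse=True)


def blind_spot(s: Scenario, assumed_capability: float) -> float:
    """Risk you under-count by scoring the threat's capability lower than it really is."""
    assumed = replace(s, threat_capability=assumed_capability)
    return round(risk(s) - risk(assumed), 4)


# Constructed scenarios; the numbers are illustrative and are not from the post.
DARK_ALLEY = Scenario("dark alley at night", 0.8, 0.9, 0.6, 0.7, 0.1)
FLAT_SCREEN = Scenario("flat screen TV at home", 0.5, 0.3, 0.3, 0.2, 0.2)
LAUNCH_CODES = Scenario("nuclear launch codes", 0.9, 0.9, 1.0, 1.0, 0.95)

if __name__ == "__main__":
    for s in rank([DARK_ALLEY, FLAT_SCREEN, LAUNCH_CODES]):
        print(f"{s.name:24} likelihood={likelihood(s):.2f} "
              f"severity={severity(s):.2f} risk={risk(s):+.4f}")
    # Assume the mugger is far less capable than he is (0.2 instead of 0.8).
    print("alley risk hidden by under-scoring capability:", blind_spot(DARK_ALLEY, 0.2))
```

Two things worth noticing when you run it. First, because the post's formula subtracts mitigation effectiveness rather than scaling by it, risk goes negative once your defenses exceed your exposure, which is why the heavily defended launch codes rank below the poorly defended alley despite being a far more valuable target. Second, the blind-spot figure is the whole argument of this section in one number: under-scoring what the threat can do makes a dangerous scenario look safe.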
Stay tuned as we delve deeper into the nuances of cybersecurity, expose the vulnerabilities you may not even know you have, and share how to bolster your defenses. Next up in our series, we'll unravel the weaknesses in home security and the simple mistakes that could compromise your digital fortress. Can your passwords withstand a siege? Join us in our next post to find out.