True Security Doesn’t Mean Passing a Compliance Audit

Keeping company IT resources secure is a critical goal. Meeting compliance standards supports that effort, but achieving compliance isn’t the same as achieving security.

Compliance vs. Security

Compliance is about taking the steps necessary to satisfy regulatory scrutiny. Typically, a business will need to meet a compliance standard based on its industry or the nature of the data it collects. The standards provide a checklist of measures that need to be implemented in order to be in compliance.

Security, on the other hand, is about taking steps to reduce the risks faced by business IT resources. This usually requires going beyond the baseline measures needed for compliance. There are a few reasons for this:

  • Compliance is not nuanced. Compliance means you’ve done or not done a particular security task. Whether the way the task was completed actually increases security isn’t important. For example, compliance often requires annually training employees with respect to secure computing. There are many ways to meet that requirement, and not all of them effectively educate employees and result in increased security.
  • Compliance is not current. Compliance requirements don’t keep pace with the threats. By nature, they require a lengthy review process. In the meantime, technology is changing and bad actors are discovering new ways of doing damage. Meeting last year’s compliance policy doesn’t protect you against today’s threats.
  • Compliance emphasizes the wrong risks. The requirements listed in a compliance document don’t always match up to the most important risks the business faces. Ensuring the company’s systems are safe requires addressing the actual threats, not just the items emphasized in a compliance standard.

Security Counts

You may need to check off the boxes on a compliance questionnaire, but achieving security means going beyond that minimum. Businesses need to identify the real risks they face and focus their efforts on addressing those, not deciding “job well done” because they’ve passed an audit. You need to develop policies and processes that provide real security, and implement controls that match the level of risk on an application-by-application basis.

This requires keeping up with current trends in threats, making sure necessary patches are deployed, giving users meaningful testing, and integrating technology that effectively detects and blocks intruders, even when it’s not required by any compliance standard. Complete security requires addressing risks in your network, on devices, in your applications, in your data, and in your users.

Security is harder than compliance, because it relies on your own understanding to evaluate risks and your own assessment of what steps you need to take to protect yourself. CCS Technology can help you develop and implement a security solution that offers true protection. Contact us to learn how to move beyond compliance and effectively protect your critical IT resources.


Searching the Dark Web Should be Part of Your Information Security Strategy

Peering into dark corners can be scary, especially when it’s the dark corners of the web. If you’re concerned about whether company data has been exposed on the dark web, you have to go looking for it, but you need to do it carefully. There won’t be blinking signs lighting the way to your stolen info, and if you aren’t careful, you can even draw unwanted attention. Nevertheless, there’s more risk in ignoring the shadows than in checking to see what they’re hiding. Here are some things to keep in mind:

Checking the dark web lets you know if you’ve been victimized

Every business is vulnerable to attack, but it isn’t always obvious that an attack was successful. Because hackers often post stolen data on the dark web, finding it there confirms that you’ve been attacked and lets you know what sensitive data was taken. You can then focus your security efforts to change those stolen passwords and increase security where you were vulnerable. While some of that new security is reactive, knowing what’s on the dark web can identify new threats and let you be proactive in adding security measures, too.

It isn’t easy to find your data

There are all kinds of stolen data available on the dark web, but it isn’t easy to access or to identify where it came from. In addition, there may be data about your business on the dark web that wasn’t stolen but can still make you more vulnerable to attack. Some data on the dark web may even be completely innocuous. You can easily waste a lot of time trying to find data and then figure out whether what you found is significant.

You can make yourself more vulnerable when you explore the dark web

The queries you do when you search the dark web can leave a trail the bad guys can analyze to learn more about your IT resources. It’s important to be smart about exploring the dark web to make sure you learn more than you reveal.

What are the kinds of things you should look for on the dark web? You’ll want to search for data that reveals the inner workings of your business, plus sensitive information about customers. This includes data about your executives, including their personal information and information about their activity outside of work. Customer data, including personal data and account information, is also online. In addition to data about people, there may be data about systems, including helpful hints on how to set up fraudulent accounts or bypass security measures.

You may want to look for more than lists including name, address, account number; there’s code on the dark web, so it’s worth looking for proprietary source code along with other intellectual property.

Protect Your Business With CCS Technology Group

Protecting your business requires knowing what data has made its way onto the dark web. CCS Technology Group’s dark web scan provides a safe way to peer into dangerous places on the web and gather the insights you need to protect yourself from further damage. Contact us to learn more about why exploring the dark web should be part of your cybersecurity strategy.


Two Numbers to Keep in Mind When You Think About Information Security

Any business that still thinks it doesn’t need to invest in information security needs to take a moment and consider two numbers:

  • When a test placed a new server online, it took only 52 seconds before hackers attacked it.
  • The average cost of a data breach in the United States is $8.19 million.

Can you afford to lose more than eight million dollars in under a minute? No matter what your business is, it’s at risk, and protecting networks, data, servers, and other corporate IT resources needs to be a priority.

Developing an effective information security strategy is complicated. To get started, focus on critical categories:

1. Credentials

Credentials are the keys to the kingdom, so keeping them safe is priority one. This is both a technological and a human factors problem. You can use technology to require strong passwords, to implement two-factor authentication, to limit privileged access, and to leverage role-based access controls, among other methods, to ensure that credentials are assigned, protected, and verified. Users need ongoing training in safe computing, to ensure they know how to create and protect passwords, use mobile devices safely, and avoid falling for phishing emails.

2. Data

While some hackers are intent on destruction, most are after data. Make sure data is protected both at rest and in transit through strong encryption. In addition, protect your data from ransomware by implementing a reliable backup and recovery process. You can also consider using tools such as data loss prevention software and cloud access security brokers to stop data from sneaking outside your corporate network.

3. Servers

Servers are most often vulnerable because they’re using out-of-date software that hasn’t been patched. For security reasons, it’s important to use supported software and to apply all vendor patches as soon as possible after they’re released.

4. Network

The network is where intruders find the front door to your systems. Firewalls and other tools help keep hackers out. Other tools, like data loss prevention software, help keep important data in. Your internal network design is also an important security measure; proper segmentation and use of internal firewalls can keep intruders who make it inside your perimeter from accessing the most sensitive data.

5. Cloud

More and more company IT resources reside outside the corporate walls and in the cloud. Keeping data in the cloud secure requires action by the cloud provider and also by the data owner. Improper cloud configurations can accidentally make data publicly accessible. Consider using a cloud access security broker as an additional control over access to data in the cloud.

Don’t Get Caught Playing Catch-Up With Your IT Security

CCS Technology Group offers information security services to help businesses reduce the potential risks and costs of a data breach. Contact us to learn how we can help you protect your data.

8 Practices for Safe Computing When Employees Work at Home

Employees working from home can be casual about their dress, but they shouldn’t be casual about their computing practices. Whether they’re working on their phones, tablets, laptops, or desktop PCs, employees need to take steps to make sure the business they do at home doesn’t endanger their business.

Employers can help employees work safely when they’re working remotely by teaching them to follow these 8 practices:

1. Safe networks

Only secure WiFi connections should be used. When working from home, a home firewall should be turned on to block unapproved connections. When working away from home, employees should avoid free public WiFi and always double-check the name of the correct network. A virtual private network (VPN) is always a good idea.

2. Safe devices

Employees shouldn’t use obsolete hardware and should be sure they’re up to date with operating system security patches. They shouldn’t root or jailbreak mobile devices, as that can disable built-in protections. Antivirus software should be kept up to date, and devices should be paired only with known Bluetooth devices. Every device should be protected by a strong password. In addition to data security, physical security matters too. Employees should use a surge protector to prevent damage to their computer and loss of data.

3. Safe accounts

Employees’ devices at home might be shared with other users. Everyone should have a separate account. Keep passwords private and don’t write them down where snooping children might find them.

4. Safe applications

Because home devices are also used for personal matters and entertainment, you may not be able to limit them to business applications obtained via your company; however, employees shouldn’t download applications from unofficial sites on any machines used for business.

5. Safe data

Any business-related data stored locally should be encrypted. There should be regular backups to an official company data server or cloud location.

6. Safe computing

All the usual safe computing practices apply when working at home. Employees shouldn’t email sensitive information or use unapproved cloud services. Only business email should be used for business matters, and unexpected documents and suspicious links should be left alone.

7. Safe communicating

SMS messages can include phishing links, and employees should be cautious when clicking links, especially in unexpected messages. If employees use a videoconferencing service to keep in touch with friends and family, they should ensure that no company documents are visible.

8. Safe browsing

Employees shouldn’t go to unknown websites, and should avoid clicking on ads or popups unless they know they’re from a trusted source.

Working from home is becoming a key practice to keep businesses functioning during challenging times. By following these safe practices, risks to company data can be minimized. Contact CCS Technology Group for help training employees and ensuring your cybersecurity practices keep your business safe wherever your employees are working.

On-Demand Webinar: Learn More About Managing Remote Employees

For more information, check out our on-demand webinar: 5 Biggest Challenges Working Through COVID-19. We discuss:

  • Safety and Security Working Remote: Hackers are having a heyday right now taking advantage of an already difficult situation. Here’s how you can cope.
  • Bandwidth Challenges: How many things can you expect your network to do?
  • Productivity While Working Remote: We gathered tips and tricks from experienced remote workers that help you settle in to work mode without the commute.
  • Connecting with your team: You can’t gather around the water cooler anymore, but personal connection is still critical.
  • Woes of Video Conferencing: Everyone is trying to adapt to video calls. They can be immensely frustrating or your greatest gift to project management. It’s all in how you use them.

Also, please consider joining us for our upcoming webinar (May 13) where we will discuss a tool to help you manage your remote workforce.

Know What’s Happening on Your Network with Network Monitoring

Information security requires knowing what’s coming into your network so you can protect the valuable data inside.

Network Monitoring Basics

Basic network monitoring tools work with what’s called flow data. This is very basic information such as IP addresses, ports, and protocols, along with when the communication occurred and how much data was transmitted.

While IP addresses can be mapped to domain names to provide a better understanding of traffic, a single IP address can support multiple domains. This means that the IP address and domain name by themselves provide an incomplete or incorrect understanding of the data source. Adding additional detail to the flow data is needed to provide a fuller picture.

In order to get that fuller picture, the flow data can be enhanced with application metadata. This metadata pulls additional information out of the traffic; for instance, it can identify an http request and the http hostname. This provides better support for blocking traffic to unapproved websites.
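As an added illustration (not part of the original article), the Python below joins constructed flow records with constructed application metadata to show why the HTTP hostname, not the IP address, is what a block rule needs. The field names, addresses and blocked-site list are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records: only what basic flow export carries.
FLOWS = [
    {"ts": "2024-05-01T09:00:01Z", "src": "10.0.0.15", "sport": 50100,
     "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "bytes": 4200},
    {"ts": "2024-05-01T09:00:07Z", "src": "10.0.0.22", "sport": 50233,
     "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "bytes": 981000},
    {"ts": "2024-05-01T09:01:30Z", "src": "10.0.0.15", "sport": 50102,
     "dst": "198.51.100.7", "dport": 443, "proto": "tcp", "bytes": 15000},
]

# Constructed application metadata for the same connections. The third flow
# has none: the monitor could not read a hostname out of it.
APP_META = [
    {"src": "10.0.0.15", "sport": 50100, "dst": "203.0.113.10", "dport": 80,
     "proto": "tcp", "http_host": "Docs.Partner.example"},
    {"src": "10.0.0.22", "sport": 50233, "dst": "203.0.113.10", "dport": 80,
     "proto": "tcp", "http_host": "files.fileshare.example:80"},
]

BLOCKED_SITES = {"fileshare.example"}  # hypothetical policy list


def flow_key(rec):
    """Five-tuple that identifies one connection in both data sets."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def normalize_host(host):
    """Lower-case a Host header and drop any port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("[") and "]" in host:      # bracketed IPv6 literal
        return host[1:host.index("]")]
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def enrich(flows, app_meta):
    """Attach the HTTP hostname (or None) to each flow record."""
    meta_by_key = {flow_key(m): m for m in app_meta}
    enriched = []
    for f in flows:
        m = meta_by_key.get(flow_key(f))
        host = normalize_host(m["http_host"]) if m and m.get("http_host") else None
        enriched.append({**f, "http_host": host})
    return enriched


def hosts_per_ip(enriched):
    """Show which destination IPs serve more than one site."""
    seen = defaultdict(set)
    for f in enriched:
        if f["http_host"]:
            seen[f["dst"]].add(f["http_host"])
    return dict(seen)


def is_blocked(host, blocked_sites):
    """Match the site itself or any subdomain, but not look-alike suffixes."""
    return any(host == s or host.endswith("." + s) for s in blocked_sites)


def decide(enriched, blocked_sites=BLOCKED_SITES):
    """Per-flow verdict: block, allow, or uninspected when no hostname exists."""
    decisions = []
    for f in enriched:
        if f["http_host"] is None:
            verdict = "uninspected"
        elif is_blocked(f["http_host"], blocked_sites):
            verdict = "block"
        else:
            verdict = "allow"
        decisions.append((f["src"], f["dst"], f["http_host"], verdict))
    return decisions


if __name__ == "__main__":
    rows = enrich(FLOWS, APP_META)
    print(hosts_per_ip(rows))
    for row in decide(rows):
        print(row)
```

Both HTTP flows go to the same IP address, so an address-based rule would have to allow or block them together; the hostname separates them.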

Network Monitoring Challenges

Although enriched flow data improves monitoring capabilities, there are still numerous challenges that need to be overcome in order to establish an effective monitoring strategy.

  1. Encrypted data. Today, almost all http connections are actually https connections. These encrypted connections protect transmissions from being spied on as they travel between endpoints. However, that same encryption blocks necessary security inspections once the data arrives at its destination. A message that’s encrypted isn’t necessarily “safe”; it can contain a virus or other malware.
  2. Selecting the data sources. Flow data, from routers and other devices, is necessarily high-level. You can get more detailed data through looking at packets at test access points and port mirrors. In addition, monitoring often requires installing agents on each device. The more devices installed, the higher the costs and the more maintenance required. Some software doesn’t require installing agents, but monitoring too many devices makes the effort more complex and error-prone. Finally, while network monitoring for security often focuses on external data flows, internal data flows should be monitored for suspicious usage as well.
  3. Accessing historical data. Real-time analysis isn’t always sufficient for detecting threats. More accurate threat analytics require historic data as well.
  4. Determining users. Although all data is associated with an IP address, this doesn’t necessarily identify the user associated with the data. User identity may make a difference when deciding whether data is legitimate or should be blocked.

Overcoming Network Monitoring Challenges

All of these challenges can be overcome with a more refined network monitoring strategy. Even encrypted traffic can be subjected to monitoring through designs that allow the data to be decrypted for inspection before passing it on to its destination.

Network monitoring is a vital element of both infrastructure management and information security. Managed services from CCS Technology Group ensure your network provides both capacity and security. Contact us to learn more about how our services can improve your business’s IT experience.


The High Cost of Falling for Phishing

Any employee can fall for a phishing scam. When the employee who falls for the scam is authorized to access and transfer large sums of money, an honest mistake can have significant costs.

$400,000 Sent to a Phisher

That’s what happened to Barbara Corcoran, of “Shark Tank” fame. A phisher changed one character in an email address and reached out to Corcoran’s bookkeeper. The email requested nearly $400,000 to be sent to a German company.

Of course, the bookkeeper didn’t just hand over the money. She replied back to who she thought was Corcoran’s executive assistant, and there was a legitimate-sounding reason for sending money to what appeared to be a legitimate business. The money got sent out, and it was only a later email to the executive assistant—not sent by hitting “reply” to the phishing message—that discovered the scam.

Business Email Compromise

The FBI calls these targeted phishing schemes business email compromise (BEC), and they’re a major risk to businesses. Once the money is wired, it is extremely difficult to get it back.

The scam Corcoran’s assistant fell for required some knowledge of how her business operated, in order to have a reasonable response when the bookkeeper questioned the request for the funds, but hackers don’t need to be sophisticated to implement the scam. Criminals can simply purchase templates that allow them to send these messages or break into an email account using passwords stolen in an earlier breach; if they’re not sure what they need to do, they can buy a phishing tutorial to learn. The overall costs of BEC in 2019 were close to 1.8 billion dollars, according to the FBI.

Defending the Business Against BEC

There are multiple types of phishing attacks, so there are multiple defenses needed, too.

Not all the attacks are as targeted as the one that hit Corcoran. Some attacks send generic messages to thousands of targets. Email filters can help block the messages from reaching employees, and training can help employees learn to report them rather than responding to them.

The more targeted attacks need to be handled through business procedures as well as technological fixes. When there are unexpected requests for large sums of money, businesses can require confirmation through a phone call in addition to an email paper trail.
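Because the Corcoran scam relied on a sender address that differed from the real one by a single character, a mail filter can compare each sender against known contacts and hold near-misses for the phone confirmation described above. The following Python is an added example, not code from any product mentioned here; the contact list, addresses and two-edit threshold are assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: addresses the business really corresponds with (constructed).
KNOWN_CONTACTS = {
    "assistant@corp.example",
    "owner@corp.example",
    "billing@supplier.example",
}


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Two neighbouring characters swapped counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def normalize_address(from_header):
    """Pull the address out of a From header and fold case and width forms."""
    _, addr = parseaddr(from_header)
    return unicodedata.normalize("NFKC", addr).strip().casefold()


def classify_sender(from_header, known=KNOWN_CONTACTS, max_distance=2):
    """Return (verdict, closest_known_address_or_None).

    known     - exact match with a known contact
    lookalike - not known, but within max_distance edits of a known contact;
                this also catches near-miss names at a real domain, which
                still deserve a second look before money moves
    unknown   - not close to anything on the list
    invalid   - no usable address in the header
    """
    addr = normalize_address(from_header)
    if "@" not in addr:
        return ("invalid", None)
    if addr in known:
        return ("known", addr)
    closest = min(known, key=lambda k: (osa_distance(addr, k), k))
    if osa_distance(addr, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


# Constructed sample messages.
INBOX = [
    {"from": "Executive Assistant <assistant@corp.example>",
     "subject": "Lunch order"},
    {"from": "Executive Assistant <assistant@c0rp.example>",
     "subject": "Wire transfer approval"},
    {"from": "Billing <billing@suppleir.example>",
     "subject": "Updated bank details"},
    {"from": "news@unrelated.example", "subject": "Weekly digest"},
]


def review_queue(messages, known=KNOWN_CONTACTS):
    """Messages to hold for out-of-band confirmation before anyone replies."""
    held = []
    for m in messages:
        verdict, closest = classify_sender(m["from"], known)
        if verdict == "lookalike":
            held.append((m["subject"], normalize_address(m["from"]), closest))
    return held


if __name__ == "__main__":
    for subject, sender, imitates in review_queue(INBOX):
        print(f"HOLD {subject!r}: {sender} resembles {imitates}")
```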


To make sure you have effective phishing protections in place, contact CCS Technology Group. Our IT security services include employee training as well as the latest in technology to keep your business secure from phishing and other IT security threats.

Don’t Let Ransomware Destroy the Backups You Need to Recover from Ransomware

Backups are the primary means a business can use to recover from a ransomware attack. It’s no wonder, then, that many forms of ransomware now attempt to destroy any backup files they encounter. Protecting your backups against ransomware is an important part of your defensive strategy.

The Ransomware Threat Against Backups

Ransomware is a form of malware that encrypts system and data files with an unknown encryption key. This encryption makes the files unreadable by their owner. The only way to recover the data is to pay a ransom and receive the encryption key or restore the files from an unencrypted backup.

Some malware implementations attempt to recognize backups by file extensions and will delete those files. On Windows systems, ransomware can detect and delete shadow copies that support file recovery. Ransomware will also attempt to spread through the network, accessing mounted file systems containing backups and encrypting those files as well. Ransomware may even be able to reach and corrupt backup files stored in the cloud.

Ways to Protect Backups Against Ransomware

The methods to protect backups against ransomware rely on making multiple copies of backups and taking steps to make them inaccessible to any ransomware.

Make Multiple Backups

It’s a good idea to use specialized third-party backup software rather than (or in addition to) built-in backup solutions. Ransomware can’t know how to target every vendor’s backup files.

Keep multiple versions of your backups. There are good reasons for this that have nothing to do with ransomware, but if your latest backup is encrypted, you can restore an older version of your files from before the ransomware attack.

Keep Backups Inaccessible to Ransomware

There are several ways to make backups inaccessible to ransomware:

  • Store at least one copy of your backups in an offsite location.
  • Dismount backup devices after the backup process is complete.
  • Make backup files read-only, or store on write-once media.
  • Use access controls such as Windows Controlled Folder Access to prevent unauthorized processes from accessing backup files.

Note that backing up to the cloud does not make those backups inaccessible to ransomware, unless the only access to the backup is via an API rather than mounting the cloud as a drive.

Test Your Backups

It’s important to test your backup files periodically to verify that the data is complete and that you know how to access it and use it to restore your data. You should conduct a full disaster recovery test at least annually and continuously monitor your backup process and address any alerts or failures.
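One way to automate part of that testing, shown as an added example rather than anything from a specific backup product: record a SHA-256 manifest when each backup version is written, then verify versions newest-first and restore from the first one that is intact. Directory names and file contents are constructed, and the manifests are assumed to be stored where the backed-up machines cannot write.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

INTEGRITY_KEYS = ("missing", "altered", "unexpected")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_file(path):
    """Hash a file in chunks so large backup files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(version_dir):
    """Map each file's relative path to its hash, taken at backup time."""
    root = Path(version_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_version(version_dir, manifest):
    """Compare one backup version with its manifest and permission policy."""
    root = Path(version_dir)
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"missing": [], "altered": [], "unexpected": [], "writable": []}
    for rel, expected in sorted(manifest.items()):
        path = on_disk.get(rel)
        if path is None:
            report["missing"].append(rel)
            continue
        if sha256_file(path) != expected:
            report["altered"].append(rel)
        if path.stat().st_mode & WRITE_BITS:   # backups should be read-only
            report["writable"].append(rel)
    report["unexpected"] = sorted(set(on_disk) - set(manifest))
    return report


def is_clean(report):
    """Writable files are a hardening warning; the rest mean do not restore."""
    return not any(report[key] for key in INTEGRITY_KEYS)


def newest_clean_version(backup_root, manifests):
    """Walk versions newest-first and return the first that verifies."""
    for name in sorted(manifests, reverse=True):
        version_dir = Path(backup_root) / name
        if version_dir.is_dir() and is_clean(verify_version(version_dir, manifests[name])):
            return name
    return None


def demo():
    """Build three constructed versions, damage the newest, pick a restore point."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifests = {}
        for day in ("2024-05-01", "2024-05-02", "2024-05-03"):
            version_dir = root / day
            (version_dir / "docs").mkdir(parents=True)
            (version_dir / "db.dump").write_bytes(b"ledger rows as of " + day.encode())
            (version_dir / "docs" / "report.txt").write_text("quarterly report " + day)
            manifests[day] = build_manifest(version_dir)
            for path in version_dir.rglob("*"):
                if path.is_file():
                    path.chmod(0o444)          # read-only once written
        # Simulated damage to the newest version only.
        newest = root / "2024-05-03"
        (newest / "db.dump").chmod(0o644)
        (newest / "db.dump").write_bytes(os.urandom(32))
        (newest / "docs" / "report.txt").unlink()
        (newest / "docs" / "README_RESTORE.txt").write_text("constructed stray file")
        report = verify_version(newest, manifests["2024-05-03"])
        return newest_clean_version(root, manifests), report


if __name__ == "__main__":
    restore_from, newest_report = demo()
    print("newest version report:", newest_report)
    print("restore from:", restore_from)
```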

CCS Technology Group helps businesses implement comprehensive business continuity solutions to protect against ransomware and other causes of IT outages. Contact us to learn more about implementing a backup solution that protects your backups as well as your data.


Two-Factor Authentication Has Vulnerabilities as Well as Benefits

Achieving information security is a never-ending challenge as bad actors find ways to get around every new protective layer. Like all other information security technologies, two-factor authentication can be bested by a determined intruder.

Two-Factor Authentication Means Users Need More Than a Password

The idea behind two-factor authentication (2FA) is that passwords by themselves are relatively weak security. Instead of users needing just a password, they need to prove their identity in two different ways. These ways include:

  • Something you know, like a password.
  • Something you have, like a cellphone that can receive a single-use token.
  • Something you are, like your fingerprints or retinal scan.

It’s important to note that a password plus security questions is not an implementation of 2FA; the security questions and the password are both “something you know.” In effect, the security questions are simply secondary passwords.

Two-Factor Authentication Is Vulnerable to Attacks

Although 2FA adds an extra layer to security, that doesn’t make it invulnerable. There are several approaches a hacker can use to get past it:

  • SIM hacking. In this approach, the bad actor effectively takes over the phone number of the mobile device used as part of the 2FA. This enables them to receive the single-use tokens and log in.
  • Phishing. Phishing can direct users to malicious sites where single-use passwords are captured. A hacker watching the site in real-time can use the token to access the targeted site before the token expires.

Making Two-Factor Authentication Effective

These vulnerabilities don’t mean that you shouldn’t use 2FA to increase the security of your systems, but they do mean you need to be smart about how you implement it.

In particular, there’s an implementation of 2FA that is not vulnerable to SIM hacking or phishing. Instead of a user providing a token that was sent to them, this implementation requires a hardware key to be plugged into the user’s device. Because of the extra cost and potential inconvenience, this may be most appropriate when you have highly sensitive data to protect. It’s also important to note that at least one version of a hardware key was itself found to be improperly implemented and vulnerable to attacks.

Two-factor authentication should also be integrated into an effective overall information security strategy. Employees need to be trained to detect and avoid phishing emails. Your infrastructure should include firewalls, blacklists, filters, and other controls that help protect employees and their credentials from dangerous sites.

CCS Technology Group provides comprehensive information security services that protect your valuable data. Contact us to learn how to use 2FA as part of an effective information security solution.


Is the Dark Web All Bad?

Dark Web: (noun) – Part of the world wide web that is only accessible by utilizing special software, allowing users and websites to remain anonymous or untraceable. It exists on an encrypted network that uses masked IP addresses to maintain anonymity for users and site owners. This way, people who use the Dark Web for illegal purposes can’t be traced.

As you can see from the above definition, the Dark Web can be a shady place where illegal transactions take place. Things like drugs, guns, counterfeit money, and credit card numbers can all be found, bought, and sold.

Chances are that if your business has been hacked, some or all of the stolen information is for sale on the Dark Web. This is why small to medium business owners need to make sure their security software is regularly updated against new and stronger threats.

But is the Dark Web only used for bad things? Surprisingly—no. It is estimated that only about a third of the people who visit the Dark Web do so for illegal activities.

Before we go any further, I’d like to bring up a little more info on the Dark Web and some of its misconceptions. Did you know that the internet you use every day is actually just the Surface Web? Also called the Common Web, Visible Web, or the Indexed Web, it is just the portion of the web that the general public has access to. We assume that it is the majority of the internet because we’ve labeled it the world wide web, right? Well, the Surface Web is only about one-third of the entire internet. Everything we have access to is, in reality, just the tip of the iceberg.

Underneath the Surface Web is the Deep Web, also called the Invisible Web or Hidden Web. It is a portion of the world wide web whose contents are not indexed by standard search engines. 99% of the information on the Deep Web cannot be found through search engines like Google or Bing.

But are there positive aspects to the Deep Web and Dark Web?

The U.S. government uses both the Deep and Dark Webs to keep open channels to countries that are ruled by oppressive dictators, in case citizens of those countries want to send out news stories or ask for help. Media outlets, like the New York Times, host portals that allow people and whistle-blowers to send in news tips, anonymously.

That anonymity helps give people who are in bad situations or have no one in their lives to talk to, a means of expression and channels of help. There are groups for survivors of abuse that allow victims to name their abusers and also to get support from other survivors. There are groups for people with every type of addiction, anything from food, drugs, to gambling. Some countries punish their citizens arbitrarily, for such reasons as sexuality or religion. The Dark Web offers opportunities for people to create communities where they can share stories and tips or plan to meet in person.

You can even join a chess club and play with people from all over the world. There are chat rooms, dating sites, and gaming forums where you can talk about anything, anytime, without the fear of being monitored. People can freely share their feelings, express their challenges and even find help from these groups.

Freedom of expression is alive and well in the crevices of the Dark Web. If you’re an artist, you can share your passion with people who truly enjoy creativity and self-expression. The same goes for writers, poets, and musicians. There’s even a site where origami lovers post their beautifully folded ornate creations, and some of them are so intricate it’s hard to believe they started as a flat piece of paper.

You’re probably thinking, “With all the negative and scary stuff on the Dark Web, I’ll never even try to access it.” You want to stay safe and keep away from it, right? Well, sorry to tell you, but some of your daily excursions on the internet already access part of the Deep Web, and even the Dark Web, because of the anonymity they provide.

For example, your company’s intranet is on the Deep Web so search engines cannot see it. There are sites you may have joined that exist behind pay-walls or require special registration. Many databases and webmail pages are also tucked away below the Surface Net, so your personal information is not exposed.

If you belong to a Facebook group—guess what? Yes, that group is on the Deep Web. Otherwise, anyone can search for that page, read the posts, and request to join. If you use online banking, that information is also on the Deep Web. Sites that host medical information and legal documents are hidden there as well. As you can see, there is a need for the Deep and Dark Webs because of the security they offer.

If you choose to go to the dark side of the web, be careful. You just might find something beautiful, or you could accidentally stumble upon the worst aspects of human nature. Like everything else the world has to offer, when you’re exploring, be safe.

Get a Dark Web Scan to Identify Your Vulnerabilities

What you don’t know will hurt you. A Dark Web Scan can uncover if your data is for sale, and tell you if your personal or business data may be at risk.


Passwords – Outdated and Dangerous, But Necessary?


Here’s a quick test – what do these seemingly random alphanumerical groupings have in common?

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou

That is a list of the top ten passwords used in 2018. Recognize any of these? If you don’t, you’re not necessarily in the clear, but your chance of becoming compromised or hacked is far less than someone who uses one of these passwords. If you do recognize these, you’re certainly testing your luck.

These days, creating and remembering passwords has become increasingly challenging. If we had only one device that required a password, we could probably manage it quite easily. But with every device we use, most programs we need to do our jobs, and sites that require you to change your password every few months, it is estimated that the average person must memorize up to 191 different passwords. No wonder we often choose to take shortcuts!

The problem is that over 80% of hacks are due to compromised credentials, that is, stolen username and password information that is often traded on the Dark Web. In fact, in one month alone in 2018, Microsoft blocked 1.3 million attempts to steal password data, which would have led to dangerous phishing attacks and other hacking attempts.

These harrowing statistics are why you hear the recommendations:

  • Never use the same password twice (IT Managers report 73% of all passwords used are duplicated in multiple applications, opening up multiple avenues for attack)
  • Never write down your passwords
  • Never share your passwords with anyone else
  • Never use real words or known information about yourself in your passwords
  • Avoid commonly used passwords (50% of all attacks involved the top 25 most used passwords)

Pay attention to that last stat: 50% of all attacks involved the top 25 most used passwords. See what we meant when we said if you recognized anything on that list you’re testing your luck?
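The recommendations above (no reuse, no personal details, no commonly used passwords) can be checked mechanically against an export of your own credentials. The following Python is an added example, not code from the original article; the function names, the look-alike substitution table, and the sample vault are assumptions constructed for illustration.

```python
import string
from collections import defaultdict

# The 2018 top-ten list quoted on this page.
COMMON = {"123456", "password", "123456789", "12345678", "12345",
          "111111", "1234567", "sunshine", "qwerty", "iloveyou"}

# Look-alike substitutions undone before comparing (constructed, not exhaustive).
LEET = str.maketrans("@431!0$57", "aaeiiosst")

def variants(pw):
    """Lower-cased forms of pw with trailing digits/symbols and look-alikes undone."""
    low = pw.lower()
    core = low.rstrip(string.digits + string.punctuation)
    return {low, low.rstrip(string.punctuation),
            low.translate(LEET), core.translate(LEET)}

def audit(vault, personal=()):
    """Return {account: [findings]} for a {account: password} mapping."""
    owners = defaultdict(list)
    for account, pw in vault.items():
        owners[pw].append(account)
    report = {}
    for account, pw in vault.items():
        forms, findings = variants(pw), []
        if forms & COMMON:
            findings.append("common password")
        others = sorted(a for a in owners[pw] if a != account)
        if others:
            findings.append("reused on " + ", ".join(others))
        if any(p.lower() in f for p in personal if p for f in forms):
            findings.append("contains personal information")
        if findings:
            report[account] = findings
    return report

# Constructed sample vault and personal details (not real credentials).
SAMPLE_VAULT = {
    "mail": "P@ssw0rd1!",
    "bank": "Sunshine",
    "shop": "r7#Lq2vX9w$eT4mB",
    "forum": "r7#Lq2vX9w$eT4mB",
    "payroll": "J0rdan-1987-kite",
}
SAMPLE_PERSONAL = ["jordan", "1987"]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_VAULT, SAMPLE_PERSONAL).items():
        print(f"{account}: {'; '.join(findings)}")
```

Run it locally against an export you control; the vault holds plaintext passwords, so it should never be pasted into an online service.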

Following all these rules and regulations, you’ll end up with passwords that are about 16 characters long, impossible to memorize, and, unfortunately, still completely hackable (much more difficult, of course, but where there is a will, there is a way). So, what do we do now?

Password Manager

The first shortcut is a password manager. You can store all your passwords in one place. This makes remembering all your passwords much easier, but you’re not out of the woods yet. The password manager is also protected by a password. If you’re utilizing software like this, make sure that this password is especially complex, so that hackers aren’t even tempted, especially in the case of a brute force attack. If possible, turn on multi-factor authentication, especially on your password manager.

Multi-factor authentication

Many sites utilize multi-factor authentication. This extra layer of protection connects to your phone, email, or other authentication source, rather than relying solely on a password. We recommend enabling multi-factor authentication wherever possible. The only caveat here is to make sure your secondary authentication source is equally secured with a strong password. No sense in double protecting yourself with a wide-open source.

Random Password Generators

These sites come up with secure passwords for you, but the results are typically a random jumble of letters, numbers, and symbols that is darn near impossible to memorize. If you’ve got a strong memory, this might be a good starting point, but if you’re like most of us, this may be more challenging than it’s worth.

How to craft the best password

Use a “Password Phrase” in place of random letters, numbers and symbols. Create something that’s easy for you to remember, but has no meaning to anyone else. For example: I<3Fh@ck3rs43v3r! Breaking this down, you get:

  • I – I
  • <3 – Love
  • F – fooling
  • h@ck3rs – hackers
  • 43v3r – forever

This would be easy for you to remember because you understand the phrase, but difficult for a hacker to decipher because it’s not made up of real words. There’s no time like the present to get started and change your easy-to-hack passwords to something safer, because it’s always better to be safe than sorry.

Work at creating passwords that will be difficult to hack. Make sure to change them regularly. Never write them down (especially on a Post-it Note stuck to your computer!). But most of all, make passwords an important part of your life. Don’t consider them a nuisance or a thorn in your side. Make a game out of creating passwords. Challenge yourself to be more creative each time you create one. Beat the hackers at their own game by making your password too time-intensive to try to crack, and you’ll reduce the chance of your information showing up on the Dark Web.

Worried about your information already being available due to past weak password use?

If someone breaks into your home, you can usually document what’s missing so the police can track it down. This isn’t as easy with data. A dark web scan can reveal what information may have been exposed to help you take actions to correct course. Register for a dark web scan and we’ll run a scan that reveals your vulnerabilities.