Humans are often the weakest link in the chain when it comes to computer security. So how can we stop doing silly things that play into the hands of cyber criminals?
When you ring IT support, you know the geek on the other end of the line thinks you’re an idiot. It’s the heavy sigh and patronising tone that give it away.
In fact, they have an acronym for us – PEBKAC. It stands for Problem Exists Between Keyboard And Chair. That’s you and me.
And before you get on your high horse full of indignation, ask yourself: when did I last back up my data? How many online accounts do I use the same password for? How many times have I clicked on a link in an email without really knowing who sent it?
Every year we’re reminded how dumb we are when it comes to choosing passwords.
These range from the obviously bad “123456” and “password”, to the only marginally improved “12345678” and “admin”.
With passwords like these, a child of two could probably break in to your account after bashing on the keyboard with a toy hammer for a few hours.
“A lot of people forget their password and then just use the temporary password the IT department gave them,” says Thomas Pedersen from OneLogin, an identity and access management company.
“The problem is that these temporary passwords can sometimes last a month.”
So in a large organisation, there are potentially hundreds of people using the same password.
“This makes them vulnerable to a password scrape attack – taking the most common passwords and trying them on millions of accounts,” says Mr Pedersen.
“The hackers will get a hit every 5,000 to 6,000 times.”
Once inside the system, the hackers can cause havoc.
How not to be a password poodle
- Use as long a password as you can cope with – at least more than eight characters
- Mix upper case and lower case characters with symbols and numbers
- Try not to use easily guessable words – the names of your children, spouse, pets, favourite sports teams and so on
- Avoid sharing passwords with other people
- Use different passwords for different sites and services
- Use two-factor authentication
- Consider using a password manager such as Dashlane, Sticky Password or Roboform
The UK’s National Cyber Security Centre has also published lots of advice about choosing and good passwords
Major data breaches are becoming almost weekly occurrences, with Facebook, Cathay Pacific, British Airways, Reddit, Wonga, and Dixons Carphone joining a long list of corporate victims in recent months.
Two-factor authentication – using your smartphone or a separate dongle to provide an extra layer of security on top of your main log-in details – is becoming more common, especially using biometrics such as voice, fingerprint, and facial recognition.
But these are less suited to the corporate environment because desktops don’t usually come with fingerprint readers or video cameras built in, Mr Pedersen points out.
We’re also pretty dumb when it comes to clicking on links and downloading content we shouldn’t, says Ian Pratt, co-founder of cyber-security firm Bromium.
A lot of these links are loaded with malware – programs designed to burrow though corporate security systems, steal data or even take remote control of machines.
“More than 99% of [malicious links] are run-of-the-mill criminal malware that are not targeted,” he says. “That malware is trying to spread pretty aggressively, but they do not use any clever tricks.”
“More than 70% of the breaches that we hear about have started on a PC with some hapless user clicking on something that lets attackers get on to the network,” says Mr Pratt.
And hard-pressed IT departments have had their lives made even more difficult in recent years by the surge in mobile phones, laptops and tablets we use for work as well as for private purposes.
So, many large firms are focusing on making the desktop PC idiot-proof.
Bromium’s tech works by isolating each and every action that takes place on a PC – sandboxing to use the jargon.
“Almost every task performed effectively gets its own computer,” explains Mr Pratt. “As soon as you finish that task we effectively throw that laptop away and get out a new one.”
This means that if you click on a malicious link, the malware is isolated and can’t escape to infect the rest of the network.
But keeping an eye on what we’re doing across a sprawling IT network is very hard, says Paul Farrington, a former chief technology officer for Barclays and now a consultant at security firm Veracode.
Large organisations being clueless about the extent and reach of their IT assets is “very common”, he says.
A project Veracode carried out for one high street bank discovered 1,800 websites the organisation had not logged.
“Their perimeter can be 50% larger than they originally thought it was,” says Mr Farrington.
And this ignorance can also extend to the number of computers – or “endpoints”, in the jargon – sitting on a corporate network, says Nathan Dornbrook, founder and head of security firm ECS.
One of his clients has more than 400,000 machines to manage, and several other customers have similar numbers.
“The machines could contain substantial amounts of information and customer data, passwords to internal systems, and all sorts of bits and pieces in the easy single sign-on applications that cache credentials locally,” he says.
In other words, just one of these PCs could be an Aladdin’s cave to a hacker.
“If one attack gets inside,” says Mr Dornbrook, “you lose the whole enterprise.”
So given that we’re PEBKACs and IT departments are overloaded, automated systems are becoming increasingly necessary, cyber-security experts say.
For example, ECS uses the Tachyon tool from security firm 1E to help monitor millions of PCs and keep them updated with the latest software patches and security updates.
“Otherwise you just don’t have time to react,” says Mr Dornbrook.
Many other cyber-security companies are moving from a firewall approach to automated real-time traffic monitoring, looking for strange behaviour on the network.
But it would certainly help if we all didn’t behave like PEBKACs at work and casually give away the keys to the kingdom.
By Mark Ward & Matthew WallTechnology of Business, BBC News