360 Degree Cyber Security, LLC

Do you KISS? I do!

I am all for the KISS methodology.  Keeping Information Security Simple (KISS) has to become a basic tenet.  It is how we as information/cyber security professionals can help small businesses, municipalities, and non-profit organizations realize some measure of information security.

Here are some simple methods that won’t deplete your profits and apply to businesses of all sizes (1 person to 100,000 employees).

1.    Encrypt your mobile devices.  Laptops, tablets and cell phones are treasure chests full of goodies.  We store everything on them.  The days of the rolodex and the personal organizer/binder have given way to the electronic organizer.  It used to be that if we misplaced our day planner we would feel lost and maybe even anxious, because a lot of information was stored in that book.

All that information has migrated into the digital age and is now present on all sorts of mobile devices.  Newer phones have enough processing power to keep the contents of the phone encrypted until the device's owner enters a password to decrypt them.  The encryption is built into both Android and Apple iOS.  It is also possible to encrypt the hard drive of your laptop in a similar manner.  If you use Microsoft Windows, spend a little extra money and purchase the Professional edition.  It includes BitLocker, Microsoft's utility for encrypting hard drives.  Once you have turned it on, running manage-bde -status from an administrator command prompt shows you whether each drive is fully encrypted or still converting.

If you lose the mobile device, you are not likely to lose the encrypted information to unwanted eyes, as long as the password that unlocks it is not trivial to guess.

2.    Use complex, unique passwords for every account.  I know, I know!  I hear it all the time.  I have this large number of accounts that I need to remember, how do I do it?  There are a number of articles out there on crafting complex passwords that are easily memorized.  However, I offer that you only need to remember one or two.  Use technology to help you create and remember the rest.

Use password managers such as Sticky Password, LastPass, KeePass, etc.  Each offers certain capabilities that should fit with your business model.  Check out http://lifehacker.com/5529133/five-best-password-managers for a review of some popular ones.

For the one or two passwords you need to remember, create passwords that really have nothing to do with you.  One of the first things an attacker will do is profile their target.  Anything on the Internet about you can be used against you to build a list of words.  So when you choose a password, don't use your favorite team, vacation place, family member names, etc.  For example, choose three or four uncommon nouns that are loosely related to each other but not directly to you.  Maybe you have three foods you don't like: lasagna, buffalo wings, and prunes.  These three items make an excellent password because it is something you are not likely to write to the world about.  So let's make a password out of it….

buf2alopRunel@$@gu@

or plainly buffalo prune lasagna. (sounds nasty!) It is a set of words that in plain text don't make sense together, and if you apply some character substitution to them it becomes a long (in this case 19 character) complex password.  Come up with a consistent method for changing the letters.  In this example I:

  • when there are two of the same letter next to each other, only put one and follow it with a 2.  So Mississippi would be mis2is2ip2i
  • chose that the second letter of the second word must be capitalized, making prune into pRune
  • finally, in the final word, used character replacement.  I replaced the a with an @, I replaced the s with a $ and I used 'u' for the letter 'n'

Choose a similar way to develop your own password, apply your own password style, and use that password to control access to your password manager.  Then let the password manager create complex random passwords for everything else.  Keep in mind that swapping letters for look-alike symbols is one of the first transformations a password cracker tries, so most of the strength here comes from the length and from picking words nobody would associate with you, not from the symbols themselves.
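The three rules above, written out as code so the scheme can be applied to any set of words and not just the one example. This is an added example and not code from the original post; the helper names (collapse_doubles, mangle, random_password, and so on) are my own, and the rules are read as: rule 1 applies to every word, rule 2 to the second word, rule 3 to the last word. The second function shows, in contrast, what a password manager does for all the other accounts: it draws a random string from a cryptographically secure source rather than from anything memorable.

```python
"""Added example (not from the original post): the post's three word-mangling
rules, generalized to any list of words, plus the kind of random password a
password manager generates for every other account."""
import secrets
import string

# Rule 3 substitutions as given in the post: a -> @, s -> $, n -> u
SUBSTITUTIONS = str.maketrans({"a": "@", "s": "$", "n": "u"})


def collapse_doubles(word: str) -> str:
    """Rule 1: a letter that appears twice in a row becomes that letter
    followed by '2', so 'mississippi' -> 'mis2is2ip2i'."""
    out = []
    i = 0
    while i < len(word):
        if i + 1 < len(word) and word[i] == word[i + 1]:
            out.append(word[i] + "2")
            i += 2          # skip both copies of the doubled letter
        else:
            out.append(word[i])
            i += 1
    return "".join(out)


def capitalize_second_letter(word: str) -> str:
    """Rule 2: capitalize the second letter, so 'prune' -> 'pRune'."""
    if len(word) < 2:
        return word
    return word[0] + word[1].upper() + word[2:]


def substitute_characters(word: str) -> str:
    """Rule 3: swap a/s/n for @/$/u, so 'lasagna' -> 'l@$@gu@'."""
    return word.translate(SUBSTITUTIONS)


def mangle(words):
    """Apply the post's scheme to a list of words (assumed order of rules:
    rule 1 on every word, rule 2 on the second word, rule 3 on the last)."""
    if len(words) < 3:
        raise ValueError("the scheme needs at least three words")
    parts = [collapse_doubles(w.lower()) for w in words]
    parts[1] = capitalize_second_letter(parts[1])
    parts[-1] = substitute_characters(parts[-1])
    return "".join(parts)


def random_password(length: int = 20) -> str:
    """What the password manager does for everything else: a random string
    from the OS's secure random source (secrets), retried until it contains
    a lower-case letter, an upper-case letter, a digit and a symbol."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    print(mangle(["buffalo", "prune", "lasagna"]))   # buf2alopRunel@$@gu@
    print(collapse_doubles("mississippi"))           # mis2is2ip2i
    print(random_password())
```

Running the script reproduces the post's 19-character example from the three words, which is a quick way to check that your own set of rules is applied consistently; the random generator is there to make the point that the master password is the only one you should be constructing by hand.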

These are just two quick examples of KISS that improve information security and don’t require a lot of cash.  I will write more examples in later posts.

About the Author

Chris Wolski is the founder and principal consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by the International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He frequently researches industrial devices to discover weaknesses that would present a problem for users of those devices. Chris got his start in cyber security in the U.S. Navy, where he served in various information security and signals intelligence roles over his 20 year career. He left government service after serving in a position developing cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science Degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master in Business Administration, also at the University of Maryland University College.