Invitation to Cybersecurity

The principle of planning for failures leads to better cyber vigilance and preparedness across an organization, and it helps to minimize the damage when failures do occur.

9.2 Practices

Cyber principles lead to daily practices that improve cybersecurity. This section explores a few of the most impactful cybersecurity best practices. All of them can be mapped to one or more of the principles above. Ignoring best practices invites cybersecurity incidents.

While most of this textbook focuses on organizational cybersecurity, this section homes in more on personal cybersecurity. These practices also apply to organizations, but many organizational practices do not apply to individual persons or families. The motivation of this section is to provide practical and actionable steps that readers can take in their own lives. More so than the rest of the book, this section risks becoming outdated.

9.2.1 Manage Authentication Credentials

Section 4.1.2.3 explored credential stealing, one of the most efficient and effective ways that cyber attackers gain unauthorized access to networks and computer systems. This section explores a few best practices for managing user credentials.

9.2.1.1 Use Strong Passwords

As we learned in Section 8.1, the most common authentication credential is a username and password combination. Password-based authentication is based on "something you know" and assumes that only the rightful user knows his password. In reality, accounts are compromised routinely because this assumption fails. There are multiple ways that hackers can discover a user's password. However, there are things that users can do to make it less likely that their passwords will be compromised.

As we saw in Section 7.2.3.3, authentication databases store password hashes, not passwords. Even though password hash files are closely guarded, hash dumps (collections of password hashes) routinely fall into the hands of hackers. When a user creates a password for an account, he needs to anticipate that this could happen. As we have seen, hashes are one-way, so they are attacked through a forward search, a process called password cracking. Analyzing the mathematics of forward search shows how to choose passwords that make cracking practically impossible.

The United States National Institute of Standards and Technology (NIST) released password guidance in the early 2000s that has since been repudiated and replaced with much better guidance. Unfortunately, the old guidance took root during an era of rapid Internet expansion, and it is still widely practiced and promoted. The guidance required that passwords be at least eight characters long and have at least one uppercase, one lowercase, and one non-alphabetic character. Password math (similar to keyspace math) can be used to determine the number of passwords in this space. Password math takes the length of the password and the character set to compute the total number of possibilities. There are twenty-six up-
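The password math above, carried through in code. This is an added example, not code from the textbook: it computes the keyspace for a given length and character set, converts it into worst-case cracking time at an assumed rate of 10^10 guesses per second (an illustrative figure for a fast, unsalted hash on dedicated hardware, not a measured one), and then runs an actual forward search against a hash of a constructed three-letter password to show what "cracking" means mechanically. Unsalted SHA-256 stands in for whatever hash the authentication database stores; it is used only to make the one-way property concrete and is not a recommendation.

```python
"""Password math and forward-search cracking (added example).

Keyspace arithmetic is exact. ASSUMED_RATE is an assumed, illustrative
figure for a fast unsalted hash on dedicated cracking hardware; real
rates vary widely, and salted slow hashes lower them by orders of magnitude.
"""
import hashlib
import itertools
import string

PRINTABLE_ASCII = 95                      # letters, digits, punctuation, space
LOWERCASE = len(string.ascii_lowercase)   # 26
ASSUMED_RATE = 10**10                     # guesses per second (assumption)
SECONDS_PER_DAY = 86400


def keyspace(length: int, charset_size: int) -> int:
    """Passwords of exactly `length` symbols from an alphabet of
    `charset_size` symbols: charset_size ** length."""
    return charset_size ** length


def cumulative_keyspace(max_length: int, charset_size: int) -> int:
    """Every password of length 1..max_length: what a forward search
    must cover in the worst case when it does not know the length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def days_to_exhaust(space: int, rate: int = ASSUMED_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses/second."""
    return space / rate / SECONDS_PER_DAY


def compare_policies(rate: int = ASSUMED_RATE) -> dict:
    """The old eight-printable-character minimum against a sixteen-letter
    lowercase passphrase: length dominates character-set complexity."""
    return {
        "old_8_printable": days_to_exhaust(keyspace(8, PRINTABLE_ASCII), rate),
        "passphrase_16_lower": days_to_exhaust(keyspace(16, LOWERCASE), rate),
    }


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 as a stand-in for the stored hash. It makes the
    one-way property concrete but is NOT a suitable password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def forward_search(target_hash: str, alphabet: str, max_length: int):
    """Password cracking: walk the keyspace in lexicographic order,
    hashing each candidate until one matches the stolen hash.
    Returns (password, attempts), or (None, attempts) if exhausted."""
    attempts = 0
    for n in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=n):
            attempts += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    for name, days in compare_policies().items():
        print(f"{name}: {days:,.1f} days to exhaust at {ASSUMED_RATE:,} guesses/s")
    # One entry from a hypothetical hash dump: the hash of a constructed
    # three-letter password, recovered by brute force in about 2,000 tries.
    stolen = sha256_hex("cab")
    print(forward_search(stolen, string.ascii_lowercase, max_length=4))
```

At the assumed rate, the entire eight-character printable-ASCII space falls in under eight days, while the sixteen-letter lowercase passphrase takes tens of millions of days; the forward search against the toy hash shows why: the attacker never reverses the hash, it simply hashes candidates until one matches.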
