I recently taught Calibre Press’ Cyber Security seminar in Burien, Wash., and had some excellent discussions I’d like to address in this column. We actually did a few table-top exercises where groups were formed and they developed their own cyber attacks that could realistically, and quite easily, be carried out against their organizations. This highlighted areas where can easily start taking steps to rapidly improve our security.
Two things emerged from these discussions.
Awareness & Training: Most employees, and even management, are simply unaware of how easy it is to attack and hack any organization. They don’t know about how we accidentally leak protected information online. (As one deputy asked when we found a local gas tank providing live readings of how much gas was in there: “What the hell is that doing on the internet?!” This is exactly what we all need to be asking about information we store online.)
Security: Once we’re trained and aware of the threats, the next logical step would be to protect ourselves and our communities from the sorts of cyber meddling that could jeopardize private information. These protections are actually pretty simple, but because of institutional and individual ignorance we don’t even try.
In the class, of course, I’m able to get into deeper specifics and therefore offer much greater protections. But today I’m going to give you a simple example of how you can greatly improve your chances against hackers in one critical area.
Let me introduce you to Two Factor Authentication, or 2FA. Most people practically understand this as getting a text message or using a random code that’s required to login to your online accounts. I’ll explain why they are critical.
Logins and passwords have long been a weak link in the chain of security for a variety of reasons. In fact, one of the highlights of our class in Burien was finding “encrypted” passwords and easily breaking that encryption. So the security world has long been crying out for a savior to mercifully redeem us from the sin of using just a login and password. Our prayers were answered years ago with the arrival of 2FA.
Problem is, most people and institutions haven’t fully embraced it. Which means they are much more susceptible to being compromised.
The disclosure of Vice President Pence using his personal email for state business further highlights the need to implement 2FA on everything. Your bank, your personal email, and your HOA login, as examples, should all implement 2FA.
But for the love of all things good, incorporate 2FA for work emails! (Bosses: Make it mandatory for all employees.)
The simple fact of the matter is we’re already in a world where simple email and password are not enough to protect yourself. Here’s why.
When you create your 27-character long password that’s so complex it took you all night practicing it just to remember it, all that hard work is easily undone with one accidental click.
The next time you go to login in to Gmail, for example, you may see something like this.
But if you accidentally misspell “accounts” with one “c,” or you click on a link that lands you on a dangerous page, you will end up here.
This looks almost identical to the accounts.google page where you actually login, but someone created the website “acounts-google” just for this purpose. Now I’m sure you would never misspell “accounts” or click on a dangerous link—of course not!—but what about Stan? You know, the guy who can hardly lace his boots and chew gum at the same time? (Every agency has a Stan or two.)
If we surf to just “acounts-google.com,” we find this.
I’m shocked, SHOCKED, I tell you, to find a webpage in—Russian! (BTW, it translates to “webpage under construction.”)
Doing a whois check on the site shows that it was created February 10 of this year, and is registered in Moscow.
SHOCKING! [Editor’s Note: For you older folks, this is Millennial sarcasm.]
Scammers, criminals, and other governments are constantly creating really legit looking webpages to steal your password. Passwords by themselves are broken. You must begin incorporating some sort of 2FA in everything you do. Now!