Password Security

The security and cybercrime tug-o-war is constantly among the hottest news topics, and as long as attackers develop new strategies and defenders respond with new countermeasures, it will remain so.

Computer security, hacking, and cybercrime-related issues and scams now seem to make news headlines every day, each with some new slant that has netted fraudsters six-figure sums from their illegal activities. Will it ever end? With this sort of money to be had, the answer is probably not. There will always be somebody out to make a fast buck at somebody else's expense.

Cybercrime Tug "o" War

As attackers develop new strategies, defenders develop new countermeasures. So the attackers develop counter-countermeasures, to which the defenders respond with counter-counter-countermeasures, and so on it goes, at such a rate that it sets your mind spinning. It really does seem to get quite overwhelming at times.

Everybody's objective in the cybercrime tug "o" war is to be on the winning side. Nobody likes losing, especially when what is at stake is your own personal property or, even worse, your identity. However, there are steps you can take to reduce both an organization's and your own personal risk/threat impact levels.

Single Point of Failure

Many systems today still rely on password-only authentication. Defending yourself and your organization against breaches of password security therefore takes on heightened importance. Having a single point of failure/attack (the logon name/password combo) leaves one more exposed to the efforts of cybercrime.

Ostrich tactics won't work here, so be a cold-blooded, pragmatic realist and assess your current password security procedures and status honestly. Do not let anyone else know the details of your self-assessment. Identify areas of weakness and put them right.

Passwords - Hard Copies (Paper)

Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, are among the most pervasive and long-running issues facing the information security specialist.

The best advice concerning the practice of making hard copies of authentication credentials is DON'T. But we live in the real world and people do. So here is what can be done to tighten security for password hard copies.

Keeping a Copy in the Desk

Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk.

The locks on most desks are merely a trivial inconvenience to those with a little know-how and a flat-edged envelope opener. Five to ten seconds is usually all that it takes to open the majority of desk drawers.

Failing to lock up your desk compounds the crime. It may save damage to your desk's lock but will do nothing to save the hard copy of your passwords. You cannot keep watch over your desk 24/7, so there really is no way that you can guarantee that your desk is a secure location to store password authentication credentials.

Password Hard Copy Security Basics (If You Really Must)

  • Do not leave a hard copy of your passwords in close physical proximity to your computer, e.g. on your desk or beside the PC or monitor
  • Do not make a hard copy of your logon and password details and leave it in open public view
  • Do not write your logon name and password on a post-it note and attach the note to the PC or monitor. This is probably the worst password hard copy security practice of all.
  • Lock your desk
  • Use a safe
  • Store the credentials in another room or even off-site

Passwords - Electronic, Magnetic and Optical Copies

While not as risky as maintaining hard copies of your authentication details, storing electronic, magnetic or optical copies of authentication credentials still requires considerable care. Here are a few pointers to improve your security preparedness with regard to storing password authentication credentials on electronic, magnetic or optical media:

Encryption - You should always encrypt the authentication credentials data when storing it in an electronic, magnetic or optical format.

Password Protection - Use a password to lock and protect the file for additional security.

Hashing - While you are at it, I do recommend using a hashing algorithm, such as MD5, to ensure the integrity of the file. It will help by identifying that the file has been tampered with. Apply the hashing algorithm after the file has been saved to disk and make sure that you include the file's attributes in the hash. This works best on NTFS file systems, as used by Windows XP, Vista, Server 2003 and Server 2008.

Using a hash will tell you if anybody has attempted to access the file in the period between when you applied the hash and when you check the file's validity. It will not tell you whether or not they had any success, but it will tell you that they were there. It may not be able to tell you who it was, but if it was another network user then they may well have left identifying evidence behind.
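An added example (not from the original article) of the check described above: it fingerprints a file's contents and a few of its attributes separately, so a later comparison shows which part changed. It uses SHA-256 in place of the MD5 the article names, because MD5 collisions are practical; the file name, the attribute selection and the function names are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Attributes folded into the fingerprint (an assumed selection, not from the article).
ATTRS = ("st_size", "st_mtime_ns", "st_mode")

def fingerprint(path):
    """Return separate SHA-256 digests for the file's bytes and its attributes."""
    content = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            content.update(chunk)
    st = os.stat(path)
    attr_text = "|".join(f"{name}={getattr(st, name)}" for name in ATTRS)
    return {
        "content": content.hexdigest(),
        "attributes": hashlib.sha256(attr_text.encode()).hexdigest(),
    }

def changed_parts(baseline, current):
    """List which parts differ from the baseline; an empty list means no change."""
    return [key for key in ("content", "attributes")
            if not hmac.compare_digest(baseline[key], current[key])]

def demo():
    """Constructed sample: baseline a file, then alter its attributes and content."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vault.bin")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample ciphertext")
        os.utime(path, ns=(1_000_000_000, 1_000_000_000))
        baseline = fingerprint(path)
        results["untouched"] = changed_parts(baseline, fingerprint(path))
        # Same bytes, new modification time: only the attributes digest differs.
        os.utime(path, ns=(2_000_000_000, 2_000_000_000))
        results["touched"] = changed_parts(baseline, fingerprint(path))
        # Appending a byte changes the content, the size and the timestamp.
        with open(path, "ab") as fh:
            fh.write(b"!")
        results["edited"] = changed_parts(baseline, fingerprint(path))
    return results

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the file's other users cannot write, since anyone who can alter both the file and the stored fingerprint can make them agree again. A read that changes none of the hashed attributes leaves both digests unchanged.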

Comments (1)
#1 by Angrified, Sep 11, 2008
A lot of information. Well written.
© 2007 Copyright Stanza Ltd. All Rights Reserved.