New Year, Secure You


Password Checkup

We have all done it: used the same password on different websites or for different applications.  Did you know that this can cause issues later on down the road?  Let’s take a look at a potential situation that could unfold here. 

Say you do your bills every month online, and you have them set up automatically so you never have to touch a thing.  You simply check your statement from the bank every month to make sure they didn’t take too much out.  This has worked perfectly for many years; you never have to worry about it, and everything just takes care of itself.  When you first set all of this up, you set up everything at the same time.  While doing this, to make life easy and so you didn’t forget how to log in, you set up all the accounts to have the password:

bill$AreNoFun75

This password is super secure!  It has more than eight characters, it has a special character, uppercase letters and numbers to boot! None of the websites are going to stop this password from being created for being weak, that is for sure. 

Six months down the road after setting up your amazing automated processes, everything is still humming along perfectly.  No overpayments, no late bills, nothing; even your bank statements are in perfect order.  On your way into work one morning, you hear over the local radio station that the local water company has issued a boil water notice due to potential chemical imbalances.  

Turns out there were no issues with the water supplies.  The next couple of months go by, and you haven’t seen anything abnormal in your bank statements.  You think you made it through unscathed; it certainly appears to be that way.  In month three after the boil water notice, you notice on your bank statement that your gas bill has almost, but not quite, doubled.  You don’t think much of it; it is getting colder outside and you typically use more gas during the colder months.  This goes on until the middle of the summer, when you think the gas bill should have gone back down.  You log into your gas utility company’s site and find that a second service has been open under your account this entire time.

What ended up occurring:

Turns out, the water utility had an upgrade of their systems.  However, instead of hiring an outside company that is currently certified, they handled things in-house with their own folks, who didn’t stay current on their certifications.  They then put the controllers that mix the different chemicals for the water treatment on a network; however, instead of putting them behind a firewall, they left them public facing.  This allowed the operators to see what the plant was doing even when not physically on site, to ensure their customers were safe.  They did change the passwords from the default, thinking this would keep them secure; however, a visitor came by and saw the password written in marker on the PLC.  Later it is discovered that while the breach of the controllers was going on, the bad actors were able to get into the user portal database and grab all login credentials.  The bad actors held onto the login information.  Since they were from around the area, they had a good idea of what other utilities were available and started trying to log in using the information from the database.  After they had all of their needs met, they sold off the information they obtained on the black market to the highest bidder.  

Obviously the scenario above is not real; however, that is the interesting thing about these types of breaches: you never know what, when, or if the information that is gathered is going to be used.  Typically, what I have noticed is that when companies are breached, they will offer an identity protection service for one year after the breach.  Anything beyond that, you are on your own.  

This sounds crazy, doesn’t it?  I would be inclined to agree; however, it is a real possibility.  Take a look at an article about attacks on U.S. water utilities:

 

 External Link – Fast Company – Article: U.S. water utilities were hacked after leaving their default passwords set to ‘1111,’ cybersecurity officials say

Password Checkup Ideas

While there is no 100% surefire way to protect yourself, the steps below are a great starting point to get you on the path to being safer on the internet.  

  • Use a password manager.
    • There are a bunch of them out there, some better than others.  I would encourage you to do a little research on the company prior to giving them all of your secret information.  
  • Use a unique password for every account you have.  
    • I know that this can be insane to try and keep track of all of the passwords, that is why the first bullet was a password manager.  
  • Enable MFA (Multi-Factor Authentication) on all accounts
    • Basically a way to ensure that it is you.  These usually come in the form of a code that is to be used one time to authenticate to that specific platform.  
    • Ensure that there is more than one way to authenticate.  Examples would be an Authenticator Application, Cell Phone (Text/Call), or Email.  You want to enable at least two sources beyond just the password; the reason is that if your phone number changes and that is the only MFA enabled, you won’t be able to access the account. 
  • Account Checkup
    • This one is going to be a bit time consuming.  What I would encourage is that you log into each account and review the account statements.  Make sure that the amount being charged is accurate for your use of that service.  Wouldn’t hurt to check their current offerings as well, see if there might be any new discounts.  
    • Check the account logs, some platforms offer a security log to see what devices have logged in and when.  See anything unusual, take action.  
    • Some platforms have a “Sign out of all devices” or something similar.  I would change the password, ensuring that it is logged in the password manager, that MFA is enabled (If possible), then press this button.  This will force any device that is logged in to be booted and have to re-login using the new information.  
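
The story's password and the "unique password for every account" step can be checked against each other in a few lines. This is an added example, not part of the original article: it runs a typical sign-up complexity rule and a reuse check over a constructed list of accounts (the site names, username and second password are made up). Every password passes the complexity rule, yet three accounts share one password, which is the exposure the story describes.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Constructed sample data: (site, username, password) rows as they might
# appear in a password-manager export. Site names are hypothetical.
VAULT = [
    ("water-utility.example", "pat", "bill$AreNoFun75"),
    ("gas-utility.example", "pat", "bill$AreNoFun75"),
    ("electric-utility.example", "pat", "bill$AreNoFun75"),
    ("bank.example", "pat", "t7#Qv!m2Lx-gR9wz"),
]


def passes_complexity(password: str) -> bool:
    """Typical sign-up rule: 8+ chars with upper, lower, digit and special."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def find_reuse(vault):
    """Group sites by password and return the groups with more than one site.

    Passwords are compared through an HMAC keyed with a random per-run key,
    so the report never holds or prints the plaintext passwords.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for site, _user, password in vault:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


if __name__ == "__main__":
    for site, _user, password in VAULT:
        verdict = "passed" if passes_complexity(password) else "failed"
        print(f"{site}: complexity rule {verdict}")
    for sites in find_reuse(VAULT):
        print("Same password on:", ", ".join(sites))
```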

 

Security Sweep

There are many different ways you can view the term “sweep”.  For the purposes of this article, we are going to mention two forms of “sweeping”.  The first method is physical sweeping.  Physical sweeping covers various tasks that rely on the power of observation.  That means physically going through secure locations, such as the place where your Internet service terminates into your office or residence, to ensure no new USB Drives have been plugged into your equipment.  Check that cables are still in proper condition, meaning they haven’t been spliced into and don’t have any other forms of damage.  Verify that the technology components are in their proper location; servers typically don’t move once deployed and they don’t get any bigger.

I would like to focus a little bit on External Storage Media.  One potential breach is the simple act of finding a USB Drive of some type either in a hallway or out in the parking lot some place.  This seems simple enough to plug in and attempt to find the rightful owner, however a bad actor could have “deployed” such a drive in a conspicuous location just for an employee to try and open infected files.  If you were to find a flash drive out in the parking lot or in the hallway, turn it over to an IT Professional so they can handle the drive in a secure manner.  

The second method of sweeping is software based.  To begin, it is best to make sure that the anti-malware software is up to date and has the latest definitions downloaded.  Most anti-virus or anti-malicious code programs automatically run scans on their hosts; however, from time to time it is a good idea to manually kick off a deep scan of the entire machine to verify that there isn’t anything out of the norm on the device.  Once you have verified that there is no malicious code, review the logs on the machine or even online accounts.  Look for any weird logins from IPs or locations that are not known to you, especially foreign locations.  
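
The log review described here and under “Account Checkup” can be done by script when a platform lets you export its security log. This is an added example, not part of the original article: the log layout (time, IP, country, device), the known networks, the devices and the home country are all assumptions and constructed values, and real exports will differ.

```python
import ipaddress
from datetime import datetime

# Assumptions for this example: the networks, devices and country you normally
# sign in from. All values are constructed (documentation address ranges).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("2001:db8:10::/48")]
KNOWN_DEVICES = {"Pat's laptop", "Pat's phone"}
HOME_COUNTRY = "US"

# Constructed sample of a security-log export: time, IP, country, device.
SAMPLE_LOG = """\
2025-01-03T07:12:44Z,198.51.100.23,US,Pat's laptop
2025-01-04T18:30:02Z,2001:db8:10::5,US,Pat's phone
2025-01-05T03:41:19Z,203.0.113.77,US,Pat's laptop
2025-01-06T02:05:51Z,192.0.2.14,NL,Unknown browser
not-a-valid-line
"""


def review_logins(log_text):
    """Return (line_number, reasons) for each sign-in that needs a closer look."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        parts = [p.strip() for p in line.split(",")]
        try:
            when, ip_text, country, device = parts
            datetime.fromisoformat(when.replace("Z", "+00:00"))
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # Unparseable entries are reported rather than silently skipped.
            findings.append((number, ["unreadable entry"]))
            continue
        reasons = []
        if not any(ip in net for net in KNOWN_NETWORKS):
            reasons.append("unknown IP")
        if country != HOME_COUNTRY:
            reasons.append("foreign location")
        if device not in KNOWN_DEVICES:
            reasons.append("unknown device")
        if reasons:
            findings.append((number, reasons))
    return findings


if __name__ == "__main__":
    for number, reasons in review_logins(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

Any finding is a prompt to follow the steps above: change the password, confirm MFA, and sign out of all devices.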

 

Updates

Did you know that Microsoft releases updates on a regular basis, typically on the second Tuesday of every month? These updates not only improve the functionality of their operating system and applications, but also enhance security by addressing bugs and vulnerabilities. By keeping your servers and client computers updated, you can reduce the risk of being compromised and ensure a more secure environment for your business operations. Regular updates are crucial for maintaining the performance, stability, and security of your systems.