
Back to basics: password security

Another widespread, high-profile security breach — this one at Virginia’s largest health insurance provider, Anthem — serves as a reminder that our business and customer information is targeted in a very real way on a regular basis. Securing sensitive information can no longer be deferred to the back-office information technology staff. It has become the responsibility of all employees. And one of the most effective ways to protect information is by using strong passwords.

Passwords serve the same purpose as the keys on your key ring. Would you install a lock on your home, car, or safe with a generic key used by lots of other people? Probably not. Consider a password a key that you can create yourself. With a little forethought and planning, your passwords can be strong enough to protect your business’s information, easy to remember, and even help you learn new things. Here are some tips to make passwords manageable.

Protecting really important information
Some information is so important that it needs a unique and very strong password. Your email, online bank account, and investment accounts are probably the highest risk data you access online. Each of these accounts should have a long, complex, unique password. Here are my suggestions for creating a strong unique password.

• Select a song, movie or book — for example, the Beatles song “While My Guitar Gently Weeps,” released in 1968. Take the first letter of each word, and add some special characters and/or more information to the beginning or end:
theBeatlesWmGGW1968!

• Use a pass phrase. Long passwords are the strongest. If a password is long enough, it can include dictionary words without reducing the password’s strength:
MyDogLovesTableScraps:)

Protecting kind-of important information
Not all data are created equal, so not all passwords have to be created equally. For less-sensitive information, I suggest using what I call a Consistent Dynamic Password (CDP). This password has two parts. The first part is a strong default password. The second part is specific to the data it is securing.

1. The first half of the CDP (the consistent part) is a strong default password with letters, numbers, a special character, no dictionary words, and at least 8 characters. You can use the suggestions above to create the first half. Continuing with the Beatles example, let’s use “WmGGW1968!” as the default password.

2. The second half of the CDP (the dynamic part) is to add a component applicable to the data being protected. For example, let’s say you are creating a password for your online Wall Street Journal subscription. The information protected by the password is not sensitive, but you still need a strong password. So, add something to the end of the default password like WallSt.

3. Combine the two components of the CDP to make a strong, easy to remember password: WmGGW1968!WallSt.

There are a few benefits to using the CDP for less sensitive accounts. First, although the data is less sensitive, the password is strong but easy to remember. Second, if the login credentials are compromised, they would not impact your other accounts because all of your passwords are different.

Using passwords to learn something new
Some passwords must be changed frequently, so you can use them to drill new information into your brain by finding something you want to learn and creating a password using that information. For example, I wanted to learn the military alphabet, so for about 18 months, my passwords included some derivative of Alpha, Bravo, Charlie, Delta, Echo, etc. You could consider historical events (JulyFour1776@Mer!c*) or phone numbers (867-5309#forJenny). A word of caution — most password cracking tools and rainbow tables account for the substitution of numbers or special characters for letters, so replacing A with @ and I with 1 does not help the cause.

Password padding
Steve Gibson of Gibson Research Corp. suggests “password padding” as another method to craft easy to remember but difficult to crack passwords. Padding is the practice of adding a combination of characters to increase password length. For example, adding a character combination like ^–^ to the beginning or end of a password makes it far less likely to be cracked. The password “password” would take 0.00217 seconds to crack. But padding it to create the password “password^–^” increases that time to 6.9 months! Another word of caution — using password as your password is a really bad idea.
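To make the three password-construction points above concrete (the first-letter-of-each-word method, the caution that number-for-letter substitutions do not help, and padding), here is an added Python example; it is not part of the original article or of Gibson Research's tools. It builds an acrostic password the way the article describes, estimates the brute-force search space from length and character classes, and undoes the common letter-for-symbol substitutions before a dictionary check, which is what cracking rule sets already do. The guess rate, the tiny word list and the ASCII rendering "^-^" of the article's padding string are constructed assumptions, so the times it prints are not the article's 0.00217 seconds and 6.9 months, which depend on the cracking speed Gibson assumed; the ratio between padded and unpadded is the point.

```python
import math
import re
import string
from typing import Optional

# Constructed stand-in for a cracking dictionary; a real checker would load a
# large word list or leaked-password corpus (assumption, not from the article).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "beatles"}

# Letter-for-symbol substitutions that password crackers already try, so
# undoing them before a dictionary check mirrors what an attacker's rules do.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

# Assumed offline guess rate for a single GPU-class cracker (constructed figure).
GUESSES_PER_SECOND = 1e11


def acrostic(phrase: str, prefix: str = "", suffix: str = "") -> str:
    """Take the first character of each word, keeping its case, and pad it."""
    initials = "".join(word[0] for word in phrase.split())
    return f"{prefix}{initials}{suffix}"


def charset_size(password: str) -> int:
    """Size of the smallest standard character set a brute-forcer must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search of that set and length covers."""
    return charset_size(password) ** len(password)


def normalize_leet(password: str) -> str:
    """Undo common substitutions and lowercase, e.g. 'P@ssw0rd' -> 'password'."""
    return password.translate(LEET_MAP).lower()


def dictionary_hit(password: str) -> Optional[str]:
    """Return the word the password collapses to after de-leeting, else None."""
    letters_only = re.sub(r"[^a-z]", "", normalize_leet(password))
    return letters_only if letters_only in COMMON_WORDS else None


def assess(password: str) -> dict:
    """Summarise length, brute-force cost and dictionary exposure of a password."""
    space = search_space(password)
    return {
        "password": password,
        "length": len(password),
        "bits": round(math.log2(space), 1),
        "brute_force_seconds": space / GUESSES_PER_SECOND,
        "dictionary_word": dictionary_hit(password),
    }


if __name__ == "__main__":
    # The article's own examples, reproduced here for comparison; the author
    # kept "my" lowercase in the Beatles title, so the phrase is cased that way.
    beatles = acrostic("While my Guitar Gently Weeps", prefix="theBeatles", suffix="1968!")
    samples = [beatles, "MyDogLovesTableScraps:)", "password", "password^-^", "P@ssw0rd"]
    for pw in samples:
        r = assess(pw)
        print(f"{r['password']:<26} len={r['length']:>2} bits={r['bits']:>6} "
              f"seconds={r['brute_force_seconds']:.3g} dictionary={r['dictionary_word']}")
    # Padding multiplies the search space; the ratio is what matters, not the
    # absolute time, which depends on the assumed guess rate.
    print("padding factor:", search_space("password^-^") // search_space("password"))
```

Two things the output makes visible: "P@ssw0rd" collapses straight back to "password" once the substitutions are undone, which is why swapping A for @ and I for 1 buys nothing, and the padded "password^-^" still collapses to the same dictionary word, which is the article's closing caution that "password" is the wrong thing to pad in the first place. The acrostic and the passphrase, by contrast, clear 100 bits of brute-force search space and reduce to nothing in the word list.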

Until all sensitive information includes some form of multi-factor authentication, passwords are sticking around. It’s best to accept this truism and make the best of it. Your data will continue to be targeted, and strong passwords will be the best first line of defense.

Bryan Newlin is an IT Audit Manager with Yount, Hyde & Barbour’s Risk Advisory Services Team in Winchester and a member of the Virginia Society of Certified Public Accountants (VSCPA). For more information contact Bryan at (540) 662-3417, [email protected], or by visiting http://yhbcpa.com.

The case for mobile device security

Our mobile devices have become so ubiquitous in our daily lives that we often take their complexity for granted. Flashlight, pocket watch, day planner, weather station, camera, news, banking, music, email, texts, phones — mobile devices accomplish far more than anyone would have imagined 10 years ago.

We also take for granted how much information is accumulated on one small, easily lost or stolen piece of hardware. Unfortunately even the most innocuous data can become valuable information to an attacker. Here are some of the most common kinds of data stored on a mobile device, and how they can be used against you or your business.

Email
Email is a prime target for an attacker. The wealth of information accumulated in email rivals our financial information. We don’t protect email like we protect our bank account, but we should. In the hands of a nefarious snooper, email on a mobile device can do serious damage.

Far too much online security is predicated on the assumption that access to email is secure. However, a few quick searches through the “all mail” folder on your mobile device will return a list of online accounts, purchases, welcome emails, connections through social media, and tons of other launching points for an attacker. Many websites use an email address as a username, so the only additional level of authentication is the password, which can be reset and emailed to the address on file, and that mailbox is open to the person holding the mobile device. What happens when you forget your online banking password? You receive a temporary one via email.

Within the context of business, emails contain attachments, internal communications, price lists, communications with customers, and a whole host of other sensitive information that could cause substantial reputational, financial or legal damage if lost.

Contacts
Most contact lists seem harmless, and some probably are, but valuable information can be contained in these apps. The lifeblood of most businesses is connections with people. Suppliers, customers and key business partners work together to create the value of the business. Losing contact lists on a mobile device could damage those relationships through loss of trust. Even worse, contacts could be sold or provided to a competitor, reducing your competitive advantage.

Calendar
A calendar may include less sensitive data than email or contacts, but could still help build a profile about the owner of the mobile device. For example, the calendar may list a reminder to pay a bill, details about a teleconference meeting or when a sales presentation will be given. All of these conditions are perfect for an attacker to generate a spear phishing attack — a malicious email designed for a specific target in an attempt to trick the user into clicking on a link, thus compromising the computer and internal network.  

Social media
Our online identities have manifested themselves on our mobile devices. Whoever holds our mobile device can access, update and change security settings on Facebook, LinkedIn, Twitter and any other social media app. Whatever personal information about you couldn’t be gathered through email can almost certainly be accumulated through social media. The reputational damage that could occur through fraudulent postings or pictures is only the beginning. Answers to challenge questions from financial or credit related sites can often be found in a social media feed.

Multi-factor authentication
Websites that have the strongest authentication techniques use multi-factor authentication by providing an app or sending an SMS text that generates a random number as part of the authentication process. When an attacker has access to your mobile device, they also have access to the random number, circumventing multi-factor authentication.

The systematic controls that minimize these risks are too easy not to use. Every mobile device should be using some sort of passcode or password. Individuals should turn on the mobile device tracking feature that allows the device to be remotely wiped. Businesses using mobile devices should deploy some form of Mobile Device Management (MDM) software and, at a minimum, force a passcode and encryption on any device accessing corporate data. All users who connect their device to the corporate network should be trained to immediately contact the appropriate level of management when their device is lost.

We have embedded mobile devices into our communication tool kit and should protect that data with the same rigor as corporate data and personally identifiable information. Unfortunately, the physical and logical security of mobile devices is too often overlooked, exposing a treasure trove of information to prying eyes.

Bryan Newlin is an IT Audit Manager with Yount, Hyde & Barbour’s Risk Advisory Services Team in Winchester. Newlin is also a member of the Virginia Society of Certified Public Accountants (VSCPA). For more information contact Bryan at (540) 662-3417, [email protected], or by visiting http://yhbcpa.com.