This blog is somewhat in alignment with my previous post about “The Importance of Good Antivirus”. There are several things that we can do to secure our systems against the wild elusive hacker, but how many of them do you know about? Do you know how hackers get in to our systems? Or what they do once they’re in? There is no single reason why hackers break in. There are probably as many reasons why as there are hackers. It’s not the ‘why’ that you should be concerned with. It’s the ‘how’ that should concern most people. How do these cyber criminals get in to our systems? The answer to this question is simple. We invite them in. Yep. I said it. We invite hackers in to our computer systems and networks. If a hacker gets in to our system, then it is our fault for not securing it properly. I’m not going to bore you with the details, but basically we allow hackers to get in through a number of methods. One method is opening attachments in emails. Another method is through weak passwords on open services, such as SSH (Secure Shell). Once again, there are thousands of ways a cyber-criminal can get in to our systems. The bottom line is that WE are the weakest link. Preventative Measures Threat mitigation is all about reducing the plane on which an asset can be exploited. There is no such thing as an unhackable computer (although some MAC users would try to argue). There is no such thing as an impenetrable network. So what can we do to reduce the risk of people or things breaking in to our systems? One of the best ways to keep hackers out is to educate people on how to properly operate. This means letting them know not to open attachments, or click on links in emails from people they don’t know and trust. Opening email attachments and clicking on links are a good way to get a virus, or backdoor installed on our systems. Password Security I know everyone hates this one, but… Password Security. It’s a must. The best passwords are not passwords at all. They are what is referred to as Passphrases. Microsoft has a fairly decent article on how to come up with good passwords from phrases. One of the examples they give is using a phrase such as “My son’s birthday is 12 December, 2004” and turning it into a password such as “Mi$un’s Brthd8iz 12124” using techniques such as misspelling words, and using symbols to replace characters (s = $). Here’s a link to the article: http://windows.microsoft.com/en-US/windows7/tips-for-creating-strong-passwords-and-passphrases. Note that I did use actual examples from the article. There is also a utility to test the strength of your passwords created by Steve Gibson, who is a security expert. This utility he calls a ‘Haystack Calculator’ can be found here: https://www.grc.com/haystack.htm. One might also want to click on the link to the news story that is on the Haystack Calculator page. There are probably more articles on password security floating around the internet than there are passwords. Just google for ‘password creation techniques’ or ‘passphrase versus password’ or something like that and you’ll come up with thousands of results. I would recommend that anyone who uses a service that requires a password use such techniques to create easy to remember highly secure passwords and passphrases. Network Security One of the easiest ways to prevent cybercriminals from breaking in to your network is by disabling services. This means that if you don’t use your email service, then you should disable it. You should also only use secure services. This means using a service that encrypts it’s traffic rather than transfers data in plain text. This is the difference between using Telnet and SSH, or using FTP and SFTP. The latter of the two encrypts the traffic so that it’s more difficult to decipher if it’s intercepted in transit.