Having rigorous infrastructural security is as important for organizations as having a competent workforce and the need to spread security awareness among employees has never been greater. While the field of information security encompasses all sorts of cumbersome concepts and paradigms, it’s obligatory for the inhabitants of the modern world to at least possess knowledge of the security awareness fundamentals. These rudimentary tenets include the recommended practices that should be followed by users (and those that can put their security at risk) in order to be able to stave off some of the most common security threats. This article lists such fundamental topics for the purpose of spreading technical awareness:

Password Management

Passwords act as the keys to the locks that secure the most precious of our resources and their management is something that has often not been given enough heed to. The two main steps in the password management process are detailed below.

  1. Password selection/generation

The first step is the selection of passwords by users or the generation of passwords by the system (for the users). Some applications/enterprises generate passwords themselves for the users in order to maintain standards of security and integrity. This is a recommended practice, as a system-generated password is often hard for the brute-force engines to crack, but it has a drawback: it’s difficult for the users to learn.

Conversely, in most modern-day applications users are asked to set their own passwords. They are usually given guidelines that must be followed in order to set a strong password, but this can be dangerous at times too:

  1. If the guidelines require at least one special character and one capital letter, the hacker can have better odds of cracking the password because they can predict the character set to an extent (they know with certainty that at least one special character and at least one capital letter is present).
  2. If the user sets their birthdate as the password with special characters appended at the end (so that the guidelines are met), the hacker will succeed in intruding without having to try hard.

It’s recommended that the system generate the passwords for the users itself because even though it (often) takes away the luxury of “knowing the passwords by heart” from the users, it does ensure that the passwords are rigorously strong enough. Moreover, the passwords should be periodically updated as a precautionary measure in any case.

  2. Password storage

The storage of passwords is equally important in the password management process. Some organizations are still naïve enough to store passwords in their databases in their original form. Why is this strictly not recommended? Because anybody who can take a peek at the file (or the database contents) can gain access to the users’ accounts. There are several schemes that can be employed for the secure storage of passwords.

a. Encrypted passwords

This is a scheme in which passwords are encrypted before they are stored in the database (decrypted when they are retrieved from the database and used for authentication purposes). This is the least any organization can do but it’s also not usually substantial because the sanctity of this scheme depends on the strength of the encryption algorithm. Moreover, if the encryption key is somehow made available to the criminal, they can decrypt the passwords and start misusing them in no time.

b. Hashed passwords

In this scheme, passwords are stored as hashes. Hashing transforms a string into a fixed-length key or value (usually shorter than the input) that is then used to represent the original value. Not only does hashing make things safer (hashing is a one-way function, so there is virtually no way to recover the password by looking at its hash), it also makes things more efficient, as retrieval becomes faster.

c. Salt and hash

In this scheme, we add a random value (the salt) at the end (or start) of the password string, and then calculate the hash of the resultant string. This is better than storing simple hashes but is a little more difficult to implement.
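The difference between schemes (b) and (c) is easiest to see in code. The following is an added example, not code from the article: it stores a password with a fresh per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), verifies it with a constant-time comparison, and shows that an unsalted hash gives two users with the same password the same digest. The iteration count and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration; follow current OWASP guidance in production.
ITERATIONS = 210_000
SALT_BYTES = 16


def plain_hash(password: str) -> str:
    """Scheme (b): unsalted hash. Identical passwords yield identical digests,
    which is exactly what lets precomputed tables work against a leaked database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Scheme (c): per-user random salt plus a slow hash, stored as one record.
    The salt is not secret; it only has to be unique per stored password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Assumed record layout: algorithm$iterations$salt$digest (all hex)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "Winter2024!"  # constructed sample password
    print(plain_hash(pw) == plain_hash(pw))  # True: same digest for every user with this password
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print(rec_a == rec_b)  # False: different salts, different records
    print(verify_password(pw, rec_a), verify_password("wrong", rec_a))  # True False
```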

OWASP’s complete guide on how to store passwords the right way is available here.

Identity Theft

Identity theft occurs when an imposter uses another person’s name, social security number, credit card number, etc., to commit crimes. According to a report by Javelin Strategies, about 15 billion dollars were stolen from over 13 million US citizens during 2015. Here are some of the things you should keep in mind in order to diminish the chances of anybody being able to steal your identity:

  1. Protect your Social Security number more than you protect anything else. Refer to this document for more details.
  2. Beware of phishing attacks and be extra careful whenever you are about to enter your personal information.
  3. Shred papers containing important information before throwing them in the trash.
  4. Protect your computer and smartphones with passwords.
  5. Keep all of your confidential documents locked.

National Crime Prevention Council’s report gives a more detailed overview of the matter.

Social Engineering

Social engineering is often referred to as the art of psychologically manipulating people into yielding confidential information or doing specific actions. There are many different types of social engineering; some of the most common ones are:

  1. Baiting

Baiting is when a hacker leaves an infected device in a place where it will be picked up by the victim. Once the victim plugs the device into their personal computer, they let the intruder in.

  2. Phishing

Phishing occurs when a hacker sends a victim a malicious link that has been sugarcoated to look like a legitimate original one.

  3. Scareware

Using scareware, the hacker tricks the user into believing that their computer has been infected by malware. They then offer the victim a solution that can remedy this bogus problem; in reality, however, as soon as the user installs the proposed remedy application, they fall prey to the hacker’s social engineering skills.

Social engineering can only be avoided by offering people training and awareness on the matter. This comprehensive report presents feasible ways of reducing the negative repercussions of social engineering.

Security Awareness

Malware

Malware installation has been the biggest source of computer hacks since the dawn of technology. Despite the most sophisticated anti-virus programs and widespread fear of viruses and Trojans, malware still makes its way into millions of computers throughout the country. Here’s how you can try to be malware-free:

  1. Always keep your anti-virus software up to date.
  2. Always monitor the software that has been downloaded to your drive.
  3. Beware of phishing (meaning that you shouldn’t click on any link without verifying first that it isn’t malicious).
  4. Avoid clicking on flashy advertisements while browsing the Internet.

Smartphone Data

Smartphones have become extremely common over the past five years and they carry enormous amounts of user data in the modern-day world. A big security breach occurs when people delete personal data from their phones before selling them off and believe they have played it safe. However, simple deletion doesn’t stop recovery software from retrieving the data from the apparently wiped phones. In order to ensure that the data cannot be retrieved, always remember to load dummy data onto the phone after wiping it clean (to overwrite the original data traces). This report elaborates on the topic further.

Final Word

Information security is a gigantic field and the topics above are only some of the ones that people need to be aware of. If people educate themselves about the very basics of security awareness, we can go a long way toward reducing the number of security hacks.

Be Safe

Section Guide

Ryan Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
