One of the key areas you and your users need in the business is email security. Protect Your Email Account From Ransomware
The critical reason behind this is the majority of password resets will come to this account, and attackers can use this to easily reset and compromise accounts. They can even lock you out of your own email accounts and cause you to be a victim of identity theft.
Employ strong email security by using a strong, separate password and also, although this isn’t a foolproof solution, just adds complexity to someone trying to compromise your accounts, enable Multifactor authentication where it’s supported.
Make sure the password you use for your email is standalone and not used on any other of your accounts on the Internet. If an attacker were to compromise a weaker account, as the recent breach at Spotify, that password when tried against your email wouldn’t work.
Creating a Strong Password
When you are looking to create a password, apart from having to keep in line with the provider’s terms in needs of complexity, but you need a password that you can remember.
We suggest using three words, and you can use upper case and numbers if the site complexity requirements are to be met. If you are struggling, look at What Three Words, pick a square and use them.
Using a Password Manager
We all need to remember more and more passwords, and the temptation is there to reuse passwords to avoid having to click that ‘Forgotten Password” link.
By making good use of a password manager, personally or in the business, can help you to have hugely complex passwords without never having to remember them at all. A lot of them monitor the darker sides of the Internet for data breaches and password hacks and will actively notify you of any threat to your sites and resources.
A good password manager will also notify you of how secure your passwords are, and whether any are reused, allowing you to make your way though and keep your accounts as secure as they can be.
Phishing Attacks
When someone, unfortunately, falls victim to a phishing or other attack, the ensuing changes that happen can be devastating for a business. or an individual. Hence it’s so crucial that you employ the best email security.
We have seen it happen where someone clicks on a link to take them to ‘reset their Microsoft 365 password’ where it takes the account details, prompts the user to enter it in twice (just in case it was wrong the first time around!) and then take them to the main login screen for Microsoft 365 ready to log in, leaving the user none the wiser.
There are then automated processes where the attacker takes your password and quickly tries it against literally thousands of different services, from Spotify, Netflix and Amazon through to your bank, and try and get access.
We have also seen occasions where the password has been used by the attacker where they strike up a conversation with the finance team (automatically moving the messages from them into a subfolder) with the user none the wiser, with the sole goal of extracting money to be paid out of the business.
Top Insecure Passwords of 2020
This list is released year after year, and each year the simplest of passwords top the list.
• 123456
• 123456789
• picture1
• password
• 12345678
• 111111
• 123123
• 12345
• 1234567890
• senha
• 1234567
• qwerty
• abc123
• Million2
• 000000
• 1234
• iloveyou
• aaron431
• password1
• qqww1122
How are Passwords Compromised?
There are numerous ways an attacker can get hold of your passwords and phrases, here are a few of the well-documented ones. Also, there is a wide range of vulnerabilities that can be exploited to obtain these also. Your email security strategy should address all possible threats.
- Using Social Engineering and Phishing in order to get a user to enter in credentials and passwords
- Hackers and criminals will monitor and participate in the Dark Web to see if credentials are being bought or sold there, or even being just discussed. Credentials can be sold for as little as £1.00 per account. These can then be used on other services, such as Amazon, Microsoft 365, Netflix, etc, where they will be tested to see if a: the user has an account and b: whether it uses the same password and an easy compromise.
- There is a technique called password spraying. This is where an attacker will take a dictionary of common and well-used passwords and variants and just try them across a number of different platforms and systems to see if they get a hit.
- brute-force attacks – this is one of the original ways of an attacker getting access. They take a huge database of credentials, called Rainbow Tables, and test them one by one on a user’s account in an attempt to secure a breach. This can take some time for an attacker, but it’s all automated and can be left to just run in the background until they get a hit.
- Looking over the shoulder of someone, even from a distance, to spot a pin or password. It’s more common than you think.
- When we have been involved in Penetration Testing for a business, there are a couple of basic goals. First of all to get past any physical security and gain access to a building. The next first few tasks involve the following;
- Getting a password hash file from an unattended computer. The hash file can be broken and decrypted to reveal passwords that have been used to log on to the computer, including any administrative level passwords
- Checking desks, unattended notebooks, etc, for written down passwords, passwords on sticky notes on screens or keyboards.
- Password guessing, if we know a little about the user, we can hazard some educated guessing of passwords.
- Getting in between a computer and the network, intercept the password during transmission, and decrypting it.
- Keyloggers. Putting a small device either physically between the keyboard and computer, or a small program on the computer, to document and log each and every keystroke
Summary – Email Security
Be as creative as you can be when creating passwords for your accounts, the longer the better where you can and the systems support it.
Your social media accounts and online presence can give away clues to what your password may be, don’t use your children’s names or your football team to create your password.
Don’t use the easy-to-guess ones, when an attacker is looking to brute force an account by sending a deluge of passwords to the service, one of the first ones on the list to try Password, Pa55word, Password123, etc.
