A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders
In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.
There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations. Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.
This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.
Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation. To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.
View all episodes.
Episode 3: Knock, knock, who’s there?
“Think of a number, any number.”
“Er, five,” said the mattress.
“Wrong,” said Marvin. “You see?”
quote from Douglas Adams, The Hitchhiker’s Guide to the Galaxy
[ Reading time: 12 minutes ]
Educational organisations are almost unique in intentionally allowing their “customers” access to their buildings, networks and systems. Furthermore, as places of learning, they are designed to be welcoming, inclusive environments in which barriers to entry are discouraged.
That presents a challenge to information security, which of necessity requires barriers to be in place to ensure that good people can do good things, and bad people are prevented from doing bad things. More of that in Episode 8 (It’s a Zero Trust Game).
Who goes there?
It’s all about identity. Who are you? And can you prove it? In Cyberspeak, we call this authentication.
It’s important because this is the door that adversaries are trying to open to perpetrate a cyber attack.
For decades, since the first mainframe computers were installed in universities and major government and business organisations in the 1960s, the username and password combination has been the standard way to login to a computer. It’s a simple way to prove who you are. The trouble is it’s really not very effective. Usernames are readily available (very often it’s just an email address), and passwords are easily crackable using today’s technology. You might get a surprise to find out just how easily your own passwords could be cracked.
The trouble with passwords
For attackers, this is low hanging fruit. So, one solution is to make passwords better. That means longer and stronger. With at least one lower case and upper case letter, number and symbol. You know the drill. Oh, and make sure you don’t use that password for anything else.
And just exactly how are we supposed to remember all those passwords?
The answer of course is that we can’t and we don’t. So we write them down, and we use the same or similar password for lots of different things.
Attackers know this too. So if they can crack one of your passwords, there’s a good chance that it will work for a number of other things you use too.
For some time, the technology industry has been working on ways to solve this problem. Ultimately the future is a world without passwords, where you prove who you are with biometrics (a fingerprint or facial scan) on a trusted device (like a phone). Some systems are already offering passwordless authentication. But it’s going be a while until that becomes the norm.
Three random words
For now, passwords remain an important part of the authentication process. As is clear from the password cracking table, the longer the password the better (except for numeric-only passwords which are always easily crackable and should never be used). Mixing up upper and lower case letters helps, as does throwing in numbers and some symbols. But it’s the length that matters.
The best way to make a long password that’s memorable is to use a phrase. NCSC recommends three random words, like deviousgreenbanana (18 letters) but it could be any sentence, like thisblogisreallyuseful (22 letters).
Throw in some names or foreign words for extra spice.
mydogfidolivesinkathmandu (25 letters).
Season to taste with upper case letters, numbers and symbols.
It’s good general advice for staff and students, but better still, especially for your key staff, is not to have to think up or remember passwords at all.
Time to call time on passwords
Until we achieve the nirvana that is a world without passwords, you need to ensure your organisation’s password policies are adequately protecting your people and your data.
You should publish clear password guidelines to your staff and students, and your IT teams should enforce these with technical controls which check for minimum password length, and prevent simple or numeric-only passwords.
Password best practices have evolved, and it is no longer recommended to require people to change their password every 90 days or so. Changing passwords annually is still a good idea for most, but in certain cases, passwords need to be longer, stronger and changed more frequently, possibly as often as once a month.
These include some key “service” accounts that work away underneath the hood of your network systems, as well as the administrators of your key business systems, like IT, Finance, HR, and Student Records. These people do an important job for you, but that shouldn’t include remembering countless passwords.
Instead, they should be using a reputable password manager.
LastPass, Dashlane, NordPass and 1Password are just some of the big names. These help you use unique strong passwords, but it will generate these for you (made up of lots of random characters) and (here’s the magic) make it easy for you to use these by never requiring you to remember them or type them in. The passwords are stored in an encrypted vault, which is itself secured by a master password, and usually additional security like multi factor authentication (of which more below).
Using a password manager should be an essential working practice for those key teams.
Doesn’t that mean putting all your password eggs in the one basket, and making your password vault a target for attackers?
Yes, it does. Which is why you need to make sure you only use a reputable password manager, which is built on 3 principles:
- “zero knowledge architecture”—meaning nobody, not even the vendors, know any of your passwords, including your master password.
- multiple encryption levels—so that even if hackers steal your password vault, they can’t access the passwords themselves.
- hosted in the cloud—or at a minimum, backed up to the cloud. In the event of a disaster, you want to ensure you don’t lose access to those passwords.
Factor in better security
You can make a huge improvement in authentication security by switching on multi factor authentication (MFA) wherever it’s available. MFA means using two or more ways (or factors) to prove who you are. The first factor is usually something you know (usually your password), and the others are something you have (like your phone) or something you are (your fingerprint or facial scan).
Typically the second factor is a code from a text message or authenticator app on your phone, and most of us are used now to having to do this for logging in to webmail, social media accounts, banking services and corporate systems.
MFA has proved remarkably effective at improving authentication security. Microsoft estimates that it reduces the incidence of account compromise by 99.9%. It’s a foundational security measure that is a requirement for Cyber Essentials compliance.
Nothing in cyber security is 100% foolproof, though, and MFA is no exception. Information security is a seemingly never ending game of cat and mouse with attackers always devising methods to get around security, and there are a number of “MFA Bypass” attacks out there. But an attacker has to work much harder to get around it, so for 99% of your people 99% of the time, this is going to be a strong protection.
So use it.
Just don’t let it be the only weapon in your armoury.
Defence in depth
So what about the other 1% of people? Who are they? And what can you do to protect them?
The answer is defence in depth.
Your high value targets are those in your organisation with access to systems, data and knowledge. The more sensitive the data, the higher the target. Your IT admins, your Finance, HR and Student Records teams, your Facilities and Estates people, your research leads. Oh, and your executive team. That’s you.
Why? Because if an attacker can gain access to one of these accounts, they can access valuable data, use a genuine email account to instruct and authorise others, and use it to open doors to gain further access. You can be confident that there are sophisticated threat actors, including nation state sponsored groups, spending time working out who your valuable people are and how to target them. It’s called “spear phishing” and I’ll say more about this in a future episode (Don’t Train in Vain).
So how do you protect these high value targets? Well, you enable MFA as a minimum. You use conditional access rules and privileged access management to determine when, how and from where people can authenticate, and what they can access. You don’t give anyone too much access to valuable data and systems (we call that the principle of least privilege), and you use intrusion detection and prevention systems to block or alert about anomalous behaviour.
Your IT Team are major targets, because they preside over your network (or domain), which is a complex machine with many moving parts which include accounts and passwords. Not just for people, but computers themselves and the myriad “services” which run constantly in the background on computers also all use accounts and passwords as part and parcel of normal operations, and any of these can be compromised if not secure.
IT “domain administrator” accounts can override all controls without difficulty, and if one of these is compromised, your organisation is in serious trouble.
I’ll say more about this in the episode The keys to the kingdom.
There’s a lot involved in getting this right. Defence in depth is the key takeaway. Our Cyber Security Assessment service provides insights into where you have weaknesses, advice on how to tighten up this vital aspect of security. With ever more data being stored in the cloud, we can also undertake a security audit of your cloud services.
Wait, there’s more?
As you get rid of the low hanging fruit options for attackers, social engineering becomes a much more lucrative avenue for compromise. It’s much easier to trick someone into giving away their username and password than trying to guess them. Attackers will pick an easy target first as a staging post to compromising a high value asset.
Social engineering includes “phishing”—emails, texts, social media messages—purporting to be from a bank, student loan company, university wellbeing services, research partner, funder, or the CFO. A link to a fake login page provides an easy way to harvest user passwords.
Multi factor authentication is a strong protection against phishing attacks, but with the help of AI tools like ChatGPT, these are becoming ever more sophisticated, so you need to equip your people with the skills to recognise and report phishing attacks when they happen. I’ll say much more about this in the episode Don’t Train in Vain.
Single Sign On – a blessing or a curse?
One popular approach to the problem of logging into multiple systems is called “single sign on” (SSO), which is closely related to “identity federation”. The idea is that you can use the same login details to access multiple services, and once you have logged in to any one of them, you can move seamlessly between them all. Federation is what allows you to log in to Spotify using your Facebook account, and SSO is what allows you to open your HR, payroll and MIS systems without having to login to each.
It requires some choreography behind the scenes, but provides a great user experience, and means you only have to know and remember one set of credentials to access lots of systems. What’s not to like?
On the plus side, it reduces the number of passwords which have to be remembered and typed in. If an account is compromised, then your cyber response teams only have to switch off that one account to prevent further damage, rather than hunting down other accounts that might have been caught in the cross-fire.
On the down side, if an attacker can crack your password, they can gain access to a lot of systems. And the scope for damage is very wide until the compromised account is shut down.
So, again, it’s good for 99% of your people, but you might want to limit its use for your critical systems.
One further thought. If your SSO system suffers an outage, then that can knock out access to a lot of systems, and you need to think about the impact that could have on your operations. So for your critical systems, you need to build resilience by having emergency “break glass” accounts which are not dependent on either Active Directory or SSO. More of that to come in episode 12, Keeping the lights on.
What about legacy systems?
What about all those legacy systems you have which were invented long before MFA was. Well, although modern multi factor authentication methods such as smartphones might not be option, there are a range of other factors available. You can restrict access to a particular computer or network, so that it’s only accessible particular computers on the organisation network, not from the internet. You can put it on its own “virtual” network (called a VLAN), or take it offline altogether.
Use the MFA advice from NCSC to help you work out which of these mitigations meets your risk appetite.
A Final [Deep] Thought
In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at access controls—how to limit the damage if someone’s break in. Who goes there? Friend or foe?
For now, you can take useful steps forward by checking out your organisation’s authentication policies. Do you publish password guidelines for staff and students? Do have technical controls in place to enforce these? Do you enable MFA wherever possible? Have you undertaken a security audit of your cloud services?