Dear Computer Experts Client:

Below you’ll find updates on the Equifax breach and how it affects you, your staff and your company, as well as our advice on immediate precautions you can take.

Recommended Equifax articles

  • Equifax PIN Woes - NY Times update
  • Assume you ARE compromised - Krebs on Security

The Equifax breach is here to stay

We suspect this story will just get bigger. No matter how many breaches of consumer sites we've had prior to the Equifax breach (remember the LinkedIn breach and any of the Yahoo breaches?), we still hear from people on a daily basis that they are annoyed at having to update a password, let alone make a complex one. We hear “I use the same one for every login, that way I don’t forget it”, “I can’t type that one easily enough”, “I’ve lost my password sheet, can you remind me?”, and “I don’t have time for that”.

Are smaller businesses or lower income individuals less likely to be cybercrime victims?

One might think that no one would be interested in the account of an average person or very small business. That would be a mistake. Heather, a CXG advisor who specializes in security awareness trainings, responds: “If you had $1,000 cash in your car, and were parking in a high-risk theft area, would you lock the car? If the car is 15 years old and has a dent, parked next to a shiny new BMW with an obvious alarm system that might contain $10,000 worth of items, do you think someone would decide to ignore your cash that would take about 5 seconds for them to grab?

Hackers have figured out that a large percentage of individuals and small businesses are easy pickings because they have largely ignored data security measures. This sector is a great target market for them. Especially with the prevailing attitudes.”

[Image: car without locks] Caption: This car has an alarm system, locks, and is always parked in a secure garage or near a surveillance system. There's $10,000 on the seat.

CXG Advisor and data forensics expert Chris Cassar says: “It comes back down to this: humans are the weakest link. There are natural disasters, there are data breaches and hackers, and then there is humans’ penchant for acting against common sense. That’s where awareness training comes in.”

Chris notes that password lists are a common target for attackers who reach your computer over the web (through malware, for instance), but keep in mind that a person can also get at them through direct physical access to the machine, through files kept on the network, or through a Dropbox folder you named "Password List".

A client was recently informed by his tech-savvy son that a password to open up the computer wasn’t important, as long as there was a Lock Screen button that had to be clicked. Senior CXG advisor Kevin White says that "Lock screens aren’t necessarily locked. That fools a lot of people." If there is no password on the account, the lock screen simply lets anyone click on the account name to get in; it provides no security at all. Computer user passwords are a high priority and should follow the latest password conventions. Similarly, a PIN on a tablet or smartphone is a necessary first line of defense.

Critical Password Updates

Don’t wait, start this week!

Computer Experts Group strongly recommends addressing password management ASAP. Passwords for all online accounts, computers, phones and devices, basically anywhere that touches the web or data, should be secured. We feel strongly that each person in your company should be made aware of the current risks and how their personal and professional lives could be adversely impacted by this breach, and in some cases, company information could be compromised due to personal data breaches.

1- Personal passwords: Write (on paper that gets kept in a safe place!) a list of all online accounts that have your personal information. Start with banks, credit cards, online and mobile payment apps, health accounts, insurance accounts, etc. Visit those sites and change your password. Most of these sites will have a password strength indicator. Use the strongest one possible, usually a combination of upper- and lower-case letters, numbers, and symbols, the longer the better. Feel free to use the Computer Experts Group password generator.

Do not rely on a web search to find your bank's website, credit card's website, etc. Be sure to type in the URL manually, as we’ve already heard reports of people clicking on imposter links set up to take advantage of people rushing to secure accounts. While you are there, take a look at what that institution offers for security settings, such as transaction alerts and overseas access alerts. ALSO NOTE: Each site should get its own new password. DO NOT share passwords between sites!
Do this while on a known safe network. Do not use public wifi, such as at a cafe, to access any of these accounts.

2- Company passwords. Similar to individual users, update and tighten security for company accounts such as banking, payroll, HR, and anywhere personal or sensitive documents are stored. Limit who has the usernames/passwords to these accounts.

We find it acceptable to use the Little Black Book method, which is basically keeping a physical notebook with passwords and usernames recorded in the office, in a locked file with limited access. This notebook should not leave the office. We do not recommend storing passwords in an Excel file, even if that document has a password set on it; it is trivial to crack or remove those passwords. Better still, we recommend password management software for teams. See recommendations below. Call us if you need help.

3- Review (or create) company password management plan. Having a plan and clearly communicating that plan to all employees is the first step, and is often overlooked especially at smaller companies. The plan will streamline onboarding of employees, and can be easily updated as new cyber threats emerge. Companies need to take the initiative on creating plans and enforcing them. Employees won’t lead on security. If the company doesn’t treat information and accounts with care, why should the employees? Remember that humans are the weakest link in physical and online security.

If you need help setting up a plan, checking vulnerabilities and evaluating threats, we’re happy to provide that for managed clients. For clients who aren’t on one of our BetterNET plans, we can do a free evaluation.
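The "longer the better" advice in step 1 can be made concrete with a little entropy arithmetic. This is an added example, not the Computer Experts Group password generator mentioned above; the symbol set is constructed for illustration.

```python
import math
import secrets
import string

# The character classes the newsletter recommends combining.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",  # constructed, typing-friendly symbol set
}
ALPHABET = "".join(CLASSES.values())  # 86 characters in total


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Draw characters from the OS CSPRNG (secrets, never random.random) and
    reject any draw that misses a class; accepted strings stay uniformly distributed."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def compare_policies() -> dict:
    """Entropy of three policies, showing that length beats character variety:
    12 lowercase-only letters already outscore 8 fully mixed characters."""
    return {
        "8 mixed": round(entropy_bits(8, len(ALPHABET)), 1),
        "12 lowercase": round(entropy_bits(12, 26), 1),
        "16 mixed": round(entropy_bits(16, len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    print(generate_password(16))
    for policy, bits in compare_policies().items():
        print(f"{policy:>13}: {bits} bits")
```

A password strength meter on a site is usually scoring the same two things: how many distinct character classes you used and, far more importantly, how long the password is.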

Updates on the Security Freezes

On Friday we recommended that people add a credit freeze to their accounts at the top 3 major credit reporting agencies. We’ve heard from a number of people that they’ve had issues accomplishing the security freezes, whether the site being temporarily overwhelmed, PINs being rejected, or phone queues of 30 minutes. We'd like to hear how it's going for you.

Update: Freeze your credit on the 4th major credit reporting agency, Innovis.

Staff picks for Password Management Software

We asked 3 of our computer experts to share their favorite password management software:

LastPass- Chris has been using LastPass for a few years on all of his devices, Mac and PC, and iPhone too. He says it is user-friendly, and has accounts for teams. Data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.

$2/user/month for individuals
$2.42/user/month for teams up to 50
$4/user/month for the enterprise edition, which has more features and custom security policies.

KeePass- Michael Schechter has been using KeePass for several years, across platforms and devices. He likes KeePass Password Safe because it is free and open source and works well for Windows, Linux and Mac OS X, as well as Android, iPhone/iPad. KeePass puts all your passwords in a highly encrypted database and locks them with one master key or a key file. You only have to remember one single master password to unlock the whole database. And the databases are encrypted using the best and most secure encryption algorithms currently known.
One drawback is that it is not shiny and slick, so some users may find it has a higher learning curve than paid products; the ‘trainability’ and tech savvy of your users need to be considered if choosing this product.

Pricing: free.

RoboForm- Kevin White “I'm using the Roboform Everywhere product which syncs in the cloud. I have personally used it on PC, laptop, iPhone, iPad, Android phone and Android tablet. Besides cataloging my passwords, Roboform allows me to interactively fill in forms on web pages using data that I've recorded to Roboform, a real time-saver. Along with a customizable password generator, I use the password retrieval and form filler the most.”

*Roboform Free* apparently includes unlimited logins now
*Roboform Everywhere* $19.95/year for personal use, includes premium support
*Roboform Family* $39.90/year for 5-users, includes premium support
*Roboform for Business* $29.95/user/year, includes premium support (has centralized management for the company; company admins can allow employees to reset their forgotten Master Passwords and can enforce policies on Master Passwords, and master passwords are kept locally, not in the cloud)

Let us know what you choose, or what your experience is with various password software.
NOTE: BetterNET clients can add password management to their package.

Next post to include:

  • Breach Updates
  • 2-Step Verification: How important is it?
  • Vulnerability Testing

Stay Tuned, Be Alert