Security Best Practices – CompTIA A+ 220-1202 – 2.7

It’s important to always follow best practices when securing a network. In this video, you’ll learn about data encryption options, password complexity, account disabling, locking the desktop, and much more.


A good way to protect data is to encrypt this information. This way, only you or people you trust are able to view this encrypted data. If you’re encrypting an entire drive, then you’re performing a full-disk encryption. Sometimes you’ll see this referred to as FDE.

And if you’re running Windows, then you would be using BitLocker to provide full-disk encryption. This is often referred to as data-at-rest because this is encrypting all of the data that’s being stored on your storage drive. Instead of encrypting everything in a volume, some operating systems allow you to encrypt single files or single folders. This is often built into the file system that you’re using, so you may want to look at the properties of a file to see what options might be available in your OS.

Another good place to have encryption is on the USB drives that we carry around, and that we often will lose. If you lose a USB that has encrypted data, you don’t have to worry about someone getting their hands on your information. You only have to worry about replacing that USB drive.

In all of these scenarios, there was some type of key that was used to encrypt this information. This key is often built into the operating system, and it’s integrated into your login process. So it’s usually stored on your local machine, or in a central database, like an Active Directory database. So you might not only want to back up your data, you might also want to be sure that you have a backup of your encryption and decryption keys.

In a previous video, we described the process of password brute forcing, where someone tries every possible combination to try to discover what your password might be. One way that you can make this process very difficult for an attacker is to increase the amount of entropy in a password. This is a measurement of how unpredictable a password might be.

So you might want to use different character types. Try using uppercase and lowercase, and try using them in a form that does not make up any obvious password or a word that you might find in the dictionary. And you might want to include numbers or special characters to increase the entropy of the stored passwords. These days, strong passwords tend to be eight characters or more, so you might want to think about using a phrase or a series of letters that makes up a much longer passphrase, because length adds more entropy than any single character class does.
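The entropy measurement described above, worked through as an added example (this is not code from the video or from CompTIA): it estimates the character pool a password actually draws from, turns that into an upper-bound bit count with length × log2(pool), rejects dictionary words outright, and computes how long a password must be to reach a target strength. The five-entry `COMMON_WORDS` set and the 40-bit threshold are constructed placeholders for a real wordlist and a real policy value.

```python
import math
import string

# Constructed stand-in for a real wordlist; a production check would use a full
# dictionary and a breached-password list, not these five entries.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "sunshine"}


def charset_size(password: str) -> int:
    """Size of the character pool implied by the classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits: length * log2(pool), the usual brute-force cost model.

    A dictionary word scores 0 regardless of length or pool, because an attacker
    tries wordlists long before exhaustive search.
    """
    pool = charset_size(password)
    if not password or pool == 0:
        return 0.0
    if password.lower() in COMMON_WORDS:
        return 0.0
    return len(password) * math.log2(pool)


def min_length_for(target_bits: float, pool: int) -> int:
    """Shortest length that reaches target_bits with a uniform pick from this pool."""
    return math.ceil(target_bits / math.log2(pool))


def evaluate(password: str, min_bits: float = 40.0) -> dict:
    """Summarise a password the way a policy checker would report it."""
    bits = entropy_bits(password)
    return {
        "length": len(password),
        "pool": charset_size(password),
        "bits": round(bits, 1),
        "ok": bits >= min_bits,
    }


if __name__ == "__main__":
    for pw in ["password", "Ab1!Ab1!", "abcdefghabcdefgh", "correct horse battery staple"]:
        print(pw, evaluate(pw))
    print("lowercase-only length for 40 bits:", min_length_for(40, 26))
    print("full 94-character pool length for 40 bits:", min_length_for(40, 94))
```

The comparison worth noticing is that a 16-character lowercase passphrase outscores an 8-character password that uses all four character classes: the pool multiplies the cost per position, but the length is the exponent.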

Another good best practice is to make sure that your passwords change on a regular basis. The password age is the metric that defines how long it has been since a password was last updated. Many organizations will set a password expiration to occur every 30 days, every 60 days, every 90 days, or some other interval. After that time frame, you are required to change your password so that it’s something different than what you’ve used in the past.

And that’s an important consideration. You don’t want someone using one password for 30 days, using a different password for the next 30 days, and then going back to the original password for the 30 days after that. Most systems will remember your password history and require you to use a different password every time you update. And if you’re running critical systems, these passwords might update even more frequently. You might find that your password is required to be different every week, every 15 days, or some other very short interval.
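The password age and history rules from the last two paragraphs, implemented as an added example (not code from the video): each account keeps a salted PBKDF2 hash of its current password, the date it was set, and the hashes of the last few passwords, so a change is refused when the new password matches the current one or any remembered one, and the account reports itself expired once the maximum age is reached. The 90-day age, the five-deep history and the account values are constructed policy numbers, not figures from the page.

```python
import hashlib
import hmac
import os
from datetime import date

MAX_AGE_DAYS = 90      # constructed expiration interval
HISTORY_DEPTH = 5      # constructed: how many previous passwords are remembered
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; every stored entry keeps its own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountPassword:
    """Tracks the current password hash, when it was set, and bounded history."""

    def __init__(self, password: str, today: date):
        self.current = self._entry(password)
        self.changed_on = today
        self.history = []  # most recent first, never longer than HISTORY_DEPTH

    @staticmethod
    def _entry(password: str) -> tuple:
        salt = os.urandom(16)
        return (salt, hash_password(password, salt))

    @staticmethod
    def _matches(password: str, entry: tuple) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt), digest)

    def age_days(self, today: date) -> int:
        return (today - self.changed_on).days

    def is_expired(self, today: date) -> bool:
        """True once the password has been in use for MAX_AGE_DAYS or longer."""
        return self.age_days(today) >= MAX_AGE_DAYS

    def change(self, new_password: str, today: date) -> bool:
        """Apply a change; returns False when the new password is a reuse."""
        if self._matches(new_password, self.current):
            return False
        if any(self._matches(new_password, e) for e in self.history):
            return False
        self.history.insert(0, self.current)
        del self.history[HISTORY_DEPTH:]   # forget the oldest beyond the depth
        self.current = self._entry(new_password)
        self.changed_on = today
        return True


if __name__ == "__main__":
    acct = AccountPassword("Spring-2024-pw", date(2024, 1, 1))
    print("expired on day 90:", acct.is_expired(date(2024, 3, 31)))
    print("reuse of current accepted:", acct.change("Spring-2024-pw", date(2024, 3, 31)))
    print("new password accepted:", acct.change("Summer-2024-pw", date(2024, 3, 31)))
```

Only hashes ever sit in the history, so the check never needs the old plaintext; the cost is one PBKDF2 derivation per remembered entry at change time, which is why history depth is kept small.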

Sometimes you may find that a device, an operating system, or an application has a default username or password associated with it. And when you first install that software, you use that default login to gain access to the system. From a security perspective, we want to be sure that we change those default passwords so that no one can come by later and use the default credentials to log in.

You might also find passwords being used during the boot-up process for your computer. These are BIOS passwords or UEFI passwords. And there are two different types that you commonly see. One is a supervisor or administrator password. This is a password you assign to the BIOS that prevents someone else from going into the BIOS and making configuration changes. Most users would not see this password because most users aren’t trying to make changes to the BIOS.

The password that most people will see during startup is a user password. This is a password you must put into the system for it to continue the booting process. And if you don’t put in the right password, then you’re not able to boot the operating system. And from a best practices perspective, we always want to require a password. You should never have a system that allows you access without putting in some type of authentication. And you want to be sure that it’s not a blank password. This would allow a system to automatically start, but it also makes that system completely accessible for anyone with physical access.

Most computers will automatically start a screensaver after a predefined time of inactivity. That screensaver can be set with a lock to prevent anyone from gaining access to that system after the computer has gone idle. This screensaver password can commonly be integrated with your login credentials. So the same username and password you use to log in is the same password you use for your screensaver.

This is something that is usually turned on and controlled centrally for the computers in your company. But if you’d also like to enable this at home, you can go into the personalization features in Windows, choose the option for lock screen, and you can configure all of the settings that will lock your computer when you’re away from your system. In some companies, users are required to manually lock their system any time they get up from their computer and walk away, but you can also configure your system to lock automatically after a certain amount of inactivity. This is a value that you can also set in these lock screen configuration options under the screen timeout value.

Not only do we need to enable these digital locks in our screensavers, but we also might want to think about putting on physical locks, especially with laptops, tablets, and anything else that can be easily picked up and moved. Most of these devices have a slot for a lock. You can run a cable from that lock around the table and prevent somebody from walking by and easily taking your laptop.

During a normal day, we might access sensitive information that is displayed on the screen of our laptop or desktop computer. This might include someone’s name, address, Social Security information, health care details, and anything else that might be considered Personally Identifiable Information, or PII. I’ve worked with many IT professionals, and it’s remarkable how many of them will simply type in their password as you’re standing next to them at their keyboard. Obviously, we want to be aware when sensitive information is either being input or output from our system, and we’ll want to be sure that we shield our hands or shield the screen so that sensitive information is not seen by others.

If you’re in public, you might want to consider using privacy filters. This is where your screen will look completely black to anyone who’s looking from the side. But if you’re looking at your screen directly, you’ll be able to see everything on that screen. This even works on a plane, where somebody sitting right next to you is not able to see the information that’s on your laptop display.

If you’re in an office environment, it might be a good idea to rearrange your desk so that the monitor is facing you and not facing outward where other people might be able to see it. And if you are in public, keep in mind that the information displayed on your screen might be seen by others, so it might be a good idea to only show non-sensitive information on your screen when you’re in those types of environments.

One of the reasons that attackers like to get their hands on lists of passwords and email addresses is because many people will reuse those passwords on all of the websites that they visit. This makes it very easy for an attacker to breach a password on one site, and then use that password on many other sites to gain access to your accounts. The best practice would be to use a different password for different sites. This way, if an attacker does gain access to a password on one site, they would not be able to use that password on any other site.

The problem with this, of course, is now you have to remember many more passwords on many other sites. Instead of writing these down, we might instead want to put all of these different passwords into a password vault. This password manager contains all of your emails, all of your passwords, and any other important information that you use to log in to multiple websites. This is obviously an important database, so it’s usually encrypted and protected with a very strong password.

You might find that this password management feature is built into the browser that you’re using, or it may be part of the operating system that you’re currently using. And many organizations will have password managers used for everyone in the company so that they know that all of those passwords are secure, encrypted, and safe from anyone else gaining access.

Here’s a sample screen of a password manager that shows the different passwords that have been saved. This user has 292 saved passwords, and you can see website one, website two, website three, and so on. You can see the username that was used to log in. On most of these, it’s the user’s email address. And then there is a separate password that is stored for each one of these sites. These password managers can often create new passwords that are automatically defined as a certain strength. You can configure using numbers, letters, symbols, and you can have that password automatically associated with a particular site.

Most organizations recognize that a good security best practice is to only assign rights and permissions that are necessary for someone to do their job. You would not want to assign administrator rights to everyone in the organization. This would effectively grant everyone access to all data in the company, and it would also make it much easier for an attacker to take advantage of the access that you’ve created. Instead, most organizations will create different groups, and they’ll assign security rights and permissions to those groups.

To use those groups, you would assign a user into the group. And every user you assigned into the group would take the rights and permissions associated with that group. This makes it very easy to have the right set of permissions for the right set of tasks, and it also makes it very easy to scale as more and more people join the organization.

Some companies will set login restrictions based on the time of day. So if someone is trying to log in during the hours of 8:00 and 6:00, the system will allow that. But if someone tries to log in at 3:00 in the morning, your system may not allow that because a login restriction has been previously configured.
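The two preceding ideas, rights assigned to groups rather than to people and a time-of-day login restriction, combined into one authorization check as an added example (this is not code from the video): a user's effective rights are the union of the rights of every group they belong to, a logon outside the permitted window is refused before any right is even considered, and adding a user to a group is all it takes to grant them that group's rights. The group names, right names, users and the 8:00 to 18:00 window are constructed sample data.

```python
from datetime import datetime, time

# Constructed policy data: rights are attached to groups, never directly to users.
GROUP_RIGHTS = {
    "Staff": {"read:shared"},
    "Finance": {"read:ledger", "write:ledger"},
    "Helpdesk": {"reset:user-password"},
}
USER_GROUPS = {
    "alice": {"Staff", "Finance"},
    "bob": {"Staff"},
}
# Permitted logon hours per user as (start, end); a user not listed may log on any time.
LOGON_HOURS = {
    "alice": (time(8, 0), time(18, 0)),
    "bob": (time(8, 0), time(18, 0)),
}


def effective_rights(user: str) -> set:
    """Union of the rights of every group the user belongs to."""
    rights = set()
    for group in USER_GROUPS.get(user, set()):
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def logon_allowed(user: str, when: datetime) -> bool:
    """Time-of-day restriction: True when 'when' falls inside the user's window."""
    window = LOGON_HOURS.get(user)
    if window is None:
        return True
    start, end = window
    return start <= when.time() < end


def authorize(user: str, right: str, when: datetime) -> tuple:
    """Decide one access request; returns (allowed, reason) so the denial is loggable."""
    if user not in USER_GROUPS:
        return (False, "unknown account")
    if not logon_allowed(user, when):
        return (False, "outside permitted logon hours")
    if right not in effective_rights(user):
        return (False, "right not granted to any of the user's groups")
    return (True, "allowed")


def add_to_group(user: str, group: str) -> None:
    """Membership is the only lever: no per-user rights are ever written."""
    USER_GROUPS.setdefault(user, set()).add(group)


if __name__ == "__main__":
    noon = datetime(2024, 3, 4, 12, 0)
    three_am = datetime(2024, 3, 4, 3, 0)
    print("alice writes ledger at noon:", authorize("alice", "write:ledger", noon))
    print("alice writes ledger at 3am:", authorize("alice", "write:ledger", three_am))
    print("bob writes ledger at noon:", authorize("bob", "write:ledger", noon))
    add_to_group("bob", "Finance")
    print("bob after joining Finance:", authorize("bob", "write:ledger", noon))
```

Returning a reason with every denial is deliberate: a denied logon at 3:00 in the morning and a denied write by someone outside the Finance group are different events for whoever reads the audit log.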

Many operating systems will include a set of default accounts. Some of these accounts are used for system purposes, and other accounts are used for individuals to be able to log in. But not all of these accounts are necessary for the system to run. And in fact, many of these accounts should be turned off by default. For example, you might want to disable the guest account on your system because it would be very unusual for a guest to log in to your computer.

And if some of these accounts are system accounts, you might want to disable the capability for that account to log in interactively. This means no one would be able to sit at your desk, type in the username and password of a system account, and be able to then gain access to your desktop and your file system. And if you’ve ever installed a new firewall, a new switch, or a new router, you may have noticed that the default user login is probably admin with a password of admin. This is obviously a set of default credentials that need to be changed as soon as possible to prevent someone else from gaining access to that system.

If someone wanted to find your password using a brute force attack, they could try an online attack where they’re presented with a login screen. They would type in your username and then try a password. And when that one didn’t work, they would try logging in again with your username and a different password. If that one doesn’t work, they try again with your username and a third password. And they keep trying this process until, hopefully, they’re able to brute force your account.

In most operating systems, we’re able to stop this type of online brute force attack by setting thresholds for failed passwords. If someone tries to log in more than five times with the wrong password, we can institute a lockout that would prevent any other attempts. For example, Windows has a security policy that has a machine account lockout threshold. If you look at the details of this policy, after a certain number of failed login attempts, the system reboots. And when it reboots, you have to provide the BitLocker credentials to gain access to that computer again.
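The failed-password threshold described above, written as detection logic over a constructed login log (an added example, not code from the video or from Windows): failures per account are counted inside a sliding window, the account is locked for a fixed period once the threshold is reached, anything that arrives while the lock is in force is rejected even when the password is right, and a successful login resets the counter. The log format, the 5-attempt threshold, the 10-minute window, the 15-minute lockout and the addresses are all constructed values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # constructed: failures that trigger a lockout
WINDOW = timedelta(minutes=10)   # constructed: failures older than this are forgotten
LOCKOUT = timedelta(minutes=15)  # constructed: how long the account stays locked

# Constructed sample log, not real system output. Fields: time, result, account, source.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.7
2024-03-01T09:00:05 FAIL alice 203.0.113.7
2024-03-01T09:00:09 FAIL alice 203.0.113.7
2024-03-01T09:00:14 FAIL alice 203.0.113.7
2024-03-01T09:00:20 FAIL alice 203.0.113.7
2024-03-01T09:00:25 SUCCESS alice 203.0.113.7
2024-03-01T09:01:00 FAIL bob 198.51.100.9
2024-03-01T09:02:00 FAIL bob 198.51.100.9
2024-03-01T09:03:00 SUCCESS bob 198.51.100.9
2024-03-01T09:30:00 SUCCESS alice 192.0.2.10
"""


def parse(line: str) -> tuple:
    """Split one constructed log line into (timestamp, result, account, source)."""
    ts, result, account, source = line.split()
    return datetime.fromisoformat(ts), result, account, source


def evaluate_log(lines) -> dict:
    """Replay the log and report, per account, when lockouts fired and how many
    attempts were turned away while a lockout was in force."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked_until = {}               # account -> datetime the lockout ends
    report = defaultdict(lambda: {"lockouts": [], "rejected_while_locked": 0})

    for line in lines:
        if not line.strip():
            continue
        ts, result, account, _source = parse(line)
        entry = report[account]     # make sure every seen account is reported

        # A locked account rejects everything, even a correct password.
        if account in locked_until and ts < locked_until[account]:
            entry["rejected_while_locked"] += 1
            continue

        if result == "SUCCESS":
            failures[account].clear()
            continue

        recent = failures[account]
        while recent and ts - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        recent.append(ts)
        if len(recent) >= THRESHOLD:
            locked_until[account] = ts + LOCKOUT
            entry["lockouts"].append(ts.isoformat())
            recent.clear()

    return dict(report)


if __name__ == "__main__":
    for account, summary in evaluate_log(SAMPLE_LOG.splitlines()).items():
        print(account, summary)
```

The rejected successful login at 09:00:25 is the point of the exercise: once the threshold trips, the lockout applies to the legitimate user too, which is why the threshold and lockout duration are policy decisions rather than something to set as low as possible.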

We might also want to be sure that we’re using some of these policies to automatically lock the system after inactivity. Or if it’s able to tell that you’ve walked away, it might be able to lock the system automatically. And when you’re initially creating an account in your system, you might want to set an expiration date, especially if this account will be used by a temporary worker or contractor who’s only going to be using it for 30 days.

On very old versions of Windows– this would be versions in Windows Vista and earlier– there was a feature known as Autorun. Autorun worked by looking for special files that may have been added to media on a removable drive. So if you plugged in a USB drive, it looked for an Autorun file and began running executable files from that USB drive. This is obviously something that we would not want to happen in today’s security environments, and so Autorun has not been part of Windows since Windows Vista.

One feature that still is in Windows is Autoplay. This is in the Settings app. Under Bluetooth & Devices, you’ll see an option for autoplay. Unlike Autorun that focused on running executables, Autoplay focuses on running media. So this might be movies, music, or images. That’s certainly a much lower security risk, but you might still want to enable or disable that feature. You can find it under Settings, Bluetooth & Devices, and Autoplay.

Under the Autoplay options, you can choose to take no action when that media is connected. You can open the folder to view the files using File Explorer, or you can have the system ask you every time you plug in that media.

You’re probably very familiar with the applications you use on your Windows desktop, but there’s also a number of applications that are running behind the scenes that you never see. These are Windows services, and they are important tasks that keep our operating system running. Sometimes these services are installed with other applications to provide support services for that particular app.

The challenge, of course, is that any executable running on your system is a potential security threat. And these executables that are running as services are just as much a threat as applications that are running on your desktop. If you remove the service, you’ve removed the threat. So as a best practice, you might want to look at the services running on your system. And if you see any that you’re not using, you might want to disable those.