Equifax Unable To Protect Your Data

Equifax was just reprimanded by Congress in the recently published congressional report that detailed the Equifax breach that disclosed PII of nearly 150 million people. The report is lengthy, but contains some valuable lessons. Every Cxx should read it.

Maybe the biggest takeaway is the clandestine mode in which the cybersecurity industry seems to be operating. Brian Krebs did a review of some 100 top companies’ web sites. Very close to none of those companies listed a CISO or CIO on their web sites… i.e., clandestine.

What do you think; do you perceive cybersecurity as clandestine? Is this by cybersecurity’s choice? Is that the way it should be? Is it really corporate neglect? Or just simply corporate unwillingness to invest in their customers’ privacy? Please comment below.

Keywords: cybersecurityrecap equifax congressional report broken breach vulnerability

Troy Frericks.
blog 15-Mar-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#

PASSWORD POLICIES

Admins, it’s time to change those ancient password policies. For years we’ve been told to carefully craft our passwords… add upper case letters… oh, and numbers… oh, and special characters… Oh, and in 30 days you’ll have to choose a new one. Quite annoying!

No more!

Enter “NIST Special Publication (SP) 800-63-3 Digital Identity Guidelines”. NIST is the National Institute of Standards and Technology, a US government agency (Commerce Department).

Bill Burr was the NIST employee behind the password policies that have been in effect for the last 15 years. According to an August 2017 Wall Street Journal article, he said he made a “mistake” with the password policy. He acknowledged that the 15-year-old password policy was just as annoying and ineffective for security personnel as it was for end users. He acknowledged that these passwords were frequently hard to remember and easy to hack.

Because of that, NIST took action and drafted a new policy to become the standard. That standard took effect two years ago. It does away with special combinations of types of characters, password expiration dates, etc.

The new NIST password standard is simple. Use longer passwords (suggest making a nonsense phrase, or combining words or parts of words). Don’t use/allow passwords that have been mined from prior breaches.

SP 800-63-3 deals in general with Identity. When implementing company policy, always refer directly to the standard, specifically NIST SP 800-63B.
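To make the contrast concrete, here is an added example (my own code, not from the post or from NIST) that puts a legacy composition-rule checker next to a checker following the SP 800-63B guidance above: a minimum of 8 characters, a generous maximum (800-63B says verifiers must accept at least 64), no required character classes, no expiry, and a blocklist of passwords seen in prior breaches. The breach corpus here is a small constructed set of well-known leaked passwords; a real deployment would load a large corpus such as a downloaded breach list. The phrase used as the "good" example is also constructed.

```python
import hashlib
import string
import unicodedata

# Constructed stand-in for a breach corpus (assumption: a real deployment would
# load millions of entries, e.g. from a downloaded breach list, stored as hashes).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["password", "123456", "qwerty", "letmein", "iloveyou", "P@ssw0rd"]
}

MIN_LENGTH = 8     # SP 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 128   # SP 800-63B requires accepting at least 64; we allow more


def legacy_check(password):
    """The old-style rule set: 8+ chars with upper, lower, digit and symbol.
    Kept only to show what the new guidance drops."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= 8 and all(classes)


def normalize(password):
    # NFKC normalisation so the same phrase typed via different input methods
    # hashes identically (800-63B recommends normalising before comparison).
    return unicodedata.normalize("NFKC", password)


def nist_check(password, breached=BREACHED_SHA1):
    """SP 800-63B style check: length bounds plus breach blocklist only.
    Returns (accepted, reason). Spaces and any printable character are allowed,
    and length is counted in characters, not bytes."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in breached:
        return False, "found in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: one that satisfies the old rules but is a known
    # leaked password, one long phrase that the old rules would reject.
    for candidate in ["P@ssw0rd", "purple kettle sings at dawn", "short"]:
        print(repr(candidate), "legacy:", legacy_check(candidate),
              "nist:", nist_check(candidate))
```

Note the direction of each verdict: "P@ssw0rd" satisfies every composition rule of the old policy yet is rejected by the new check because it appears in the breach corpus, while the long phrase fails the old policy (no uppercase, no digit) and passes the new one. Hashing the corpus rather than storing plaintext keeps the blocklist itself from being a leak if the file is exposed.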

A good security blogger would not pass up the opportunity to suggest considering 2FA when implementing an authentication mechanism!

If you’re fed up with the whole password thing in general, consider implementing SQRL.

Keywords: password, authentication, NIST, new guidelines, authentication secret, SQRL, 2fa, two factor authentication,

Troy Frericks.
blog 28-Jan-2019
=
Copyright 2015-2019 by Troy Frericks, http://cybersecurityblog1.frericks.us/.
#