Security Best Practices
Hi. Welcome back to Domain 3. We're still looking at security in Domain 3, and specifically in this module, 3.2, we're going to be looking at using security best practices.
So this will include password management. We'll look at how to choose good passwords and how to enforce policies that make your users choose good passwords.
We'll also look at the concept of device hardening. This is where your device is made less vulnerable to attack in a variety of ways.
We're going to have a look at WiFi and security related to wireless networks, and we're going to look at something called multi-factor authentication.
So as far as password management goes, let's talk first about the concept of simple and complex passwords.
A simple password is considered to be one that just uses, say, lowercase alphabetic characters or only uppercase alphabetic characters.
The problem with this type of password is that it's very susceptible to different types of attacks that try to figure out what the password is.
For example, a brute force attack just tries every possible combination of characters. So if you have a lowercase password, then they just try every possible combination of lowercase characters.
A dictionary attack, on the other hand, is based on trying words in the dictionary. You should not be using passwords which are made up of words in the English language, for example, words that are found in the dictionary.
A complex password is one that uses a mixture of lowercase characters, uppercase characters, numbers and non-alphanumeric characters, such as an exclamation point, a period, a bracket and so on.
Also, the other alternative, if you don't like complex passwords that can be hard to remember, is to use very long passwords.
Now, you might think a very long password is also going to be hard to remember. But remember, you can choose a phrase. So, for example, your password could be "my very, very, very long password".
And to make it a bit more complex, you could, for example, make one of the letters in the middle of a word, like the O in "long", uppercase. That kind of password is also extremely difficult to crack because it's very long, and it takes a long time to cycle through all possible combinations of a very long password.
Now, how quickly can your password be attacked? So here's an interesting website that I often use during my courses when I'm demonstrating this.
What this does is it makes the following assumption. It assumes that somebody is able to try a million passwords a second. Now, there are automated tools that can try that. And so if someone is trying a million passwords a second, how long would it take them to cycle through all possible combinations?
So let's start off by doing this. We're going to enter a five-character, lowercase password.
Now, if you look at this, it's telling me the following: at a million passwords a second, if your password was lowercase, five characters, it would take just over 11 seconds to cycle through all possible combinations of five lowercase characters.
Now let's change it slightly. So now I'm going to add a number. Already my password is starting to get complex. It is six characters long now, and one of those characters is a number, and you can see that the time taken to cycle through all possible combinations has now jumped to over 2000 seconds.
Now let's add a non-alphanumeric character to it, the hash character. And now we see that to cycle through all possible combinations of seven characters, which includes lowercase letters, numbers and non-alphanumeric characters, it would take over 86 days, and that's if you were able to try a million a second.
Let's do this. Let's add an uppercase character. So now this is truly a complex password. It has lowercase, uppercase, numbers and non-alphanumeric characters. And now you can see it would take 210 years, trying a million passwords a second, to cycle through all possible combinations in order to try and figure out what your password is.
So there you can see the benefits of longer passwords and complex passwords as far as keeping them secure from hacking attempts where people are trying to guess your password, that is, brute force attacks.
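The figures the website produced can be reproduced with a few lines of arithmetic. The following Python script is an added example, not part of the course or of the website demonstrated above. It assumes, as the website does, that the attacker guesses a million passwords a second and must cover every string of the same length drawn from the character classes the password uses, with the four classes sized as the 95 printable ASCII characters (26 lowercase, 26 uppercase, 10 digits, 33 symbols including the space). The passwords in the script are constructed to mirror the four steps of the demonstration.

```python
"""Brute-force exhaustion time for the passwords in the lecture's demonstration.

Added example, not part of the course. It reproduces the website's figures
(about 11 seconds, over 2000 seconds, 86 days, 210 years) under the website's
assumption of a million guesses a second over the full keyspace of the
character classes present in the password.
"""
import string

# The four character classes the lecture names, sized as printable ASCII (95 total).
CLASSES = {
    "lowercase": set(string.ascii_lowercase),        # 26
    "uppercase": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                     # 10
    "symbol": set(string.punctuation) | {" "},       # 32 punctuation marks plus space = 33
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
MILLION_PER_SECOND = 1_000_000   # the guessing rate the demo website assumes


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password: str) -> int:
    """Candidates an attacker must try who knows the length and the classes used: alphabet ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = MILLION_PER_SECOND) -> float:
    """Time to try the whole keyspace at the given guessing rate."""
    return keyspace(password) / guesses_per_second


def humanize(seconds: float) -> str:
    """Report the time in the unit the lecture uses at each step (seconds, days, years)."""
    if seconds < 3600:
        return f"{seconds:.1f} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    # Constructed passwords: five lowercase letters, then add a digit, then '#', then an uppercase letter.
    for pw in ["abcde", "abcde1", "abcde1#", "abcde1#X"]:
        print(f"{pw!r:12} classes={sorted(classes_used(pw))} keyspace={keyspace(pw):,} "
              f"-> {humanize(seconds_to_exhaust(pw))} at a million guesses a second")
```

Note that the attacker is assumed to know the length and the classes in use; a real attacker does not, and has to search the smaller keyspaces first, so the figures are a lower bound on the work for the full space and not a measure of how quickly a particular password falls.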
Let's talk about default passwords. Some systems have default passwords. For example, your home router that connects you to the Internet probably came with a default administrator account and password.
You should always change these passwords, because if somebody is trying to attack your network from the Internet and they can see your home router, one of the first things they're going to try is to log on with the default admin account. And if you have not changed the default password, they probably will get in extremely quickly. And remember, once somebody can log into your home router as an administrator, they can remove all the security that is in place to protect you from the Internet.
What else? Password expiration. A password expiration policy regularly requires users to choose a new password. In Windows, by default, the password expiration is 42 days. The setting is called Maximum Password Age. So with this, every 42 days users are prompted to choose a new password.
Now, why do we want to do that? For a couple of reasons. Firstly, it reduces the amount of time in which a hacker can try and figure out your password. If you're changing it every 42 days, for example, they only have 42 days to try and figure out what your password is.
If they have actually figured out what your password is, this then reduces the time window in which they can use it. Let's say they figure out your password 20 days after you just changed it. Well, okay, so they've got your password, and they can try and log in to the network using that, but only for another 22 days, because at that point you'll be prompted, you will choose a new password, and they no longer know what your password is.
This is configured through a setting called password history, which we'll have a look at in a moment.
Now let's look at how we can enforce the password settings that we want on our users. In Windows, there is something called the local security policy of the computer.
Now, just bear in mind this: if you are part of a Windows domain, which allows for centralized management, and that's typically the case in a corporate network, these settings are controlled centrally. But at home, where you don't have a Windows domain established, each individual computer has its own security policy. Within the security policy, you will find Password Policy.
So let's have a look at some of the settings you can configure.
Firstly, Enforce password history. When a user chooses a new password, she's not allowed to choose one that has been used in the last X number of times, where X is a value that you set. So if you set it to 10, for example, then every time a user changes her password, she cannot use one of the last 10 that she has used. In other words, Windows remembers the last 10 passwords that that user has used.
Maximum password age. This is how frequently passwords expire. By default in Windows, this is set to 42 days, after which you are prompted to choose a new password.
Minimum password age. This indicates the number of days you have to wait before you can change your password again after you change it. In other words, if I changed my password today, can I change it again and again and again? Or do I have to wait a day, or do I have to wait 10 days, and so on?
So why have a minimum password age? Well, its main purpose is to prevent people circumventing the password history setting. Remember, password history says, for example, when you change your password, you cannot change it back to one that you've used, say, the last 10 times.
Well, a clever user could do this. When it's time to change her password, she could say, OK, I want to go back to my favorite password, but it won't let me. So what I'm going to do is change my password 10 times immediately, one after the other. And then, once she's gone through 10 different passwords, she can go back to her favorite password.
This setting prevents that, because with this setting set to, say, one day, what happens if she changes her password? Then she has to wait at least a day before she can change it again. She would have to change her password every day for 10 days before she could get back to her favorite password.
The minimum length of the password can be set. This simply does what it says: your password must be this many characters long. Just be aware that you can set it to zero, and if you set it to zero, that means the accounts are allowed to have blank passwords, which is, of course, a huge security issue if passwords are not required for users to log in.
And what about making sure users do choose complex passwords and not simple passwords? As we saw in the previous section, simple passwords are relatively easy to crack. So there is a setting called Password must meet complexity requirements. Now, what this actually requires in Windows is that you have at least three of the following things within your password. You must have lowercase characters, uppercase characters, numbers and non-alphanumeric characters. So there are four different types of characters, but you have to have three of those four within your password.
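The "three of four character classes" rule is simple enough to write down as a check, which is useful when you want to test candidate passwords before a policy rejects them. The following Python function is an added example, not course material. The three-of-four test is the rule described above; the two additional checks (a minimum of six characters and not containing the account name) are the other parts of the same Windows complexity rule as Microsoft documents it, not something the lecture mentions. The account names and passwords in the demo are constructed.

```python
"""Check a password against the Windows "must meet complexity requirements" rule.

Added example, not course material. Returns the reasons a password fails,
so the caller can tell the user what to fix rather than just "rejected".
"""
import string

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "non-alphanumeric": set(string.punctuation) | {" "},
}


def character_classes(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items() if any(c in chars for c in password)}


def complexity_failures(password: str, account_name: str) -> list:
    """Every way the password fails the complexity rule; an empty list means it passes."""
    failures = []
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    # Windows skips the account-name check for names under three characters (constructed names below).
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        failures.append("contains the account name")
    present = character_classes(password)
    if len(present) < 3:
        missing = ", ".join(sorted(set(CHARACTER_CLASSES) - present))
        failures.append(f"only {len(present)} of 4 character classes present (missing: {missing})")
    return failures


def meets_complexity(password: str, account_name: str) -> bool:
    """True when the password satisfies the complexity requirement for this account."""
    return not complexity_failures(password, account_name)


if __name__ == "__main__":
    # Constructed cases: one class only; three classes (passes); contains the account name; too short.
    for account, pw in [("alice", "password"), ("alice", "Password1"), ("fred", "fred2024!"), ("alice", "Ab1!")]:
        problems = complexity_failures(pw, account)
        print(f"{account:6} {pw!r:13} -> {'OK' if not problems else '; '.join(problems)}")
```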
Related to password policy is account lockout policy. So let's have a look at this.
The idea behind account lockout, which, as you can see, is also configured in the local security policy of the machine, is this. Account lockout policy says: if there are a certain number of failed logon attempts within a certain amount of time, the account becomes locked.
This effectively blocks brute force attacks, because, remember, when we looked at that website, we saw how quickly you could cycle through all possible combinations of a five-character password if you are able to try a million passwords a second. But what if we slowed you down? Instead of being able to try a million a second, what if we said you could only try five passwords every 30 minutes? Well, then it would take you probably till the end of time to cycle through all possible combinations.
So that's what account lockout policy is about. Let's have a look at its settings.
Firstly, you can indicate how many invalid logon attempts will actually trigger the lockout. In this case, it's set to five failed logon attempts. But you can also say those five attempts have to have happened within 30 minutes in order for the account to become locked. In other words, if you mistype your password today and then mistype it again tomorrow, 24 hours later, that does not trigger the lockout policy. It's when there are five bad logon attempts within 30 minutes that the lockout policy is triggered.
And then the lockout duration. Most organizations will set that to something like 30 minutes, to say, okay, fine, the account becomes locked, and it will automatically unlock itself after this amount of time.
If you change this setting to zero, it doesn't quite have the meaning you might think. It doesn't mean that the lockout duration is zero. It means the account lockout becomes indefinite, that is, until an administrator goes in to unlock it. The idea here is that the administrator can investigate why the account became locked. Was it something innocent, like the user forgetting her password? Or was it something more insidious, like somebody else trying to log into her account?
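The password and lockout settings just described can be checked on a standalone machine without clicking through the Local Security Policy console, because Windows can export the policy to a text file with `secedit /export /cfg policy.inf`, and the [System Access] section of that file carries exactly these settings. The following Python script is an added example, not part of the course. It parses that section, flags the weak values discussed above (blank passwords allowed, no complexity, no history, history without a minimum age, no lockout, indefinite lockout), and works out how many online guesses per day the lockout settings leave an attacker. The two exports it reads are constructed samples in the secedit format (real exports are UTF-16 files, so read them with `open(path, encoding="utf-16")`), and the thresholds are the lecture's illustrative values, not an official baseline.

```python
"""Audit the password and account-lockout settings of a secedit policy export.

Added example, not part of the course. The [System Access] keys used here
(MinimumPasswordAge, MaximumPasswordAge, MinimumPasswordLength,
PasswordComplexity, PasswordHistorySize, LockoutBadCount, ResetLockoutCount,
LockoutDuration) are the names secedit writes for the settings the lecture
describes; both export texts below are constructed samples.
"""
import configparser
from typing import Dict, List

# Constructed sample: every setting the lecture warns about left at its weakest.
WEAK_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the same machine with the values the lecture uses as examples.
HARDENED_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 10
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The console shows 0 for "never expires" / "until an administrator unlocks"; exports write it as -1.
UNLIMITED = (0, -1)


def parse_system_access(export_text: str) -> Dict[str, int]:
    """Integer settings of [System Access], keyed by lowercased name; string settings are skipped."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(export_text)
    settings = {}
    for key, value in parser.items("System Access"):
        try:
            settings[key] = int(value)
        except ValueError:
            pass  # e.g. NewAdministratorName = "Administrator" is a string
    return settings


def audit_policy(s: Dict[str, int]) -> List[str]:
    """Findings in the order the lecture discusses the settings; an empty list means nothing to flag."""
    findings = []
    if s.get("passwordhistorysize", 0) == 0:
        findings.append("PasswordHistorySize = 0: old passwords can be reused immediately")
    if s.get("maximumpasswordage", 42) in UNLIMITED:
        findings.append("MaximumPasswordAge unlimited: passwords never expire")
    if s.get("passwordhistorysize", 0) > 0 and s.get("minimumpasswordage", 0) == 0:
        findings.append("MinimumPasswordAge = 0: history can be defeated by changing the password repeatedly")
    if s.get("minimumpasswordlength", 0) == 0:
        findings.append("MinimumPasswordLength = 0: blank passwords are allowed")
    if s.get("passwordcomplexity", 0) == 0:
        findings.append("PasswordComplexity = 0: simple passwords are accepted")
    if s.get("lockoutbadcount", 0) == 0:
        findings.append("LockoutBadCount = 0: no lockout, so online guessing is not throttled")
    elif s.get("lockoutduration", 30) in UNLIMITED:
        findings.append("LockoutDuration unlimited: locked accounts stay locked until an administrator unlocks them")
    return findings


def max_guesses_per_day(s: Dict[str, int]) -> float:
    """Online guesses per day the lockout settings allow (the lecture's 'five every 30 minutes' figure).

    Counts LockoutBadCount attempts per ResetLockoutCount-minute window; without lockout there is no bound.
    """
    threshold = s.get("lockoutbadcount", 0)
    if threshold == 0:
        return float("inf")
    return threshold * (24 * 60 / s.get("resetlockoutcount", 30))


def years_to_exhaust_lowercase5(s: Dict[str, int]) -> float:
    """Years to cover all 26**5 five-letter lowercase passwords at the lockout-limited rate (0.0 if unbounded)."""
    return 26 ** 5 / max_guesses_per_day(s) / 365.25


if __name__ == "__main__":
    for label, text in [("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)]:
        settings = parse_system_access(text)
        print(f"{label}: {audit_policy(settings) or ['no findings']}")
        print(f"  guesses/day allowed by lockout: {max_guesses_per_day(settings)}, "
              f"years for 26^5 lowercase: {years_to_exhaust_lowercase5(settings):.1f}")
```

The "end of time" remark above is not far off: five guesses per 30-minute window is 240 a day, and the five-character lowercase space that fell in 11 seconds at a million guesses a second takes about 135 years at that rate.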
The concept of single sign-on. In early computer networks, every computer had its own set of user accounts. That was true, for example, of Novell NetWare. When I first learned networking, we used to use Novell NetWare on the servers, and in the early versions of NetWare, every server required its own set of user accounts. So if I needed a user to be able to log on to several different servers, I had to create an account for them on each of the servers. And you can imagine, as your network grows and you end up possibly with hundreds of servers, this becomes a real chore.
What happened is Microsoft released the concept of Windows domains. A Windows domain is a collection of users and computers that are managed centrally. A domain user account allows the user to log on from virtually any computer in the domain and to access resources on other computers, but without having to log on again and again and again. Essentially, when you log on, you're logging onto the entire domain. A Windows domain can include just a handful of computers, five or six, or it could contain hundreds or even thousands of computers. So this makes logging onto the network really easy. You log on once using your domain account, and then you can potentially access anything on the network that you have permissions for.
This single sign-on concept is also being tried on the Internet. Currently, organizations that are big on the Internet, such as Facebook and Google and Microsoft, are trying to become the default identity provider for the Internet. In other words, they want it to be so that when you go onto the Internet, you use your Facebook or your Google account to log in at every website. You might have seen this: some websites, when you go to them these days, either ask you to create an account or to use your Google account or your Facebook account. In that way, they're not doing the authentication themselves when you log in. They pass that on, outsource it if you like, to one of these big providers, like Facebook or Google, so they become the identity provider for that website.
The problem with this is that, although it's highly convenient that a single account logs onto multiple websites, it's also highly dangerous. Imagine what would happen if somebody discovered your logon credentials. Now they can log in not just to one website, but maybe tens, maybe hundreds of websites across the Internet using that account. So once again, this convenience comes at the cost of security.
Now let's look at the concept of device hardening. This refers to locking down computing devices to reduce the attack surface. We'll talk about that concept and then how it's implemented.
So what is reducing the attack surface? That means removing or reducing the number of ways somebody could attack your computer. If you have lots of things installed, lots of services running, lots of applications running and so on, an attacker could try and compromise any one of those, and if they can successfully attack it, they may be able to gain access to your computer. So reducing the attack surface means removing everything that is unnecessary from a system.
For example, you can disable unused features. Think about a smartphone or tablet. It can not only connect using WiFi, but it can also connect using Bluetooth, and it can connect using NFC. But if you have no use for Bluetooth or NFC, why not disable those within the device? Similarly, operating systems come with lots of additional features, and many of these you may not need, so you could disable those.
You could also remove any unnecessary applications. I, for example, end up accumulating lots of applications because I'm testing them or trying them out and so on. So periodically I go through and remove all the applications that I no longer need or maybe even never use.
Also, within operating systems, you can disable unneeded services that run in the operating system. For example, in Windows, there is a File and Printer Sharing service. What this allows you to do is to share folders on your computer so other users can connect to them, and share printers so other users on the network can access your printers. But if you have no need to do that, why not disable the service?
Another security feature worth implementing is automatic lockout, so that if you are, for example, not using your computer for a certain amount of time, let's say five minutes or so, then it locks itself, and in order to unlock it you have to sit down and log in and provide your credentials again. You could also configure screen savers that will kick in automatically if you're not using your computer for a certain amount of time. In that case, you could also require that, to come out of the screen saver and get back to your desktop, you have to enter your password again.
Why do we want to do this? We want to prevent a type of attack that is sometimes known as a coffee break attack or a lunchtime attack. This is where you have logged in and you leave yourself logged in as you go off to have a coffee or have lunch. Anybody walking past your desk sees that you're logged in. They could just sit down and start using your computer, and since you're logged in, they can access all your files. So that's not something we want to see happening.
Another security feature you should implement is the host firewall. A firewall is a piece of hardware or software that monitors all network traffic passing in and out of a computer. It will block certain types of connection attempts unless they have been explicitly allowed. Both Windows and OS X have built-in firewalls.
Host firewalls can help to prevent malicious software spreading from device to device around the network. There is a type of malware, for example, called a worm. If you get infected by a worm, one of the things it does is try to replicate itself across the network to other computers on the network, and a firewall can effectively prevent that.
Let's have a look at configuring the Windows firewall. To get to the interface to manage it, you can click on the Start button and then type "firewall". You'll see there are two options. There is a simple interface, which is just called Windows Firewall, and then there's Windows Firewall with Advanced Security. They're both different interfaces to the same tool. One is a simplified interface; the other is a much more advanced interface. So for network administrators, the advanced interface is useful for configuring more complex policies for the firewall.
So here I am, clicking on Start and then typing in "firewall". You see on the menu there's Windows Firewall, the simpler interface, and Windows Firewall with Advanced Security.
If we look at the simple interface, it tells me what kind of network I'm connected to, and on the left-hand side we have some links. This one allows me to turn the firewall on or off for different types of networks, for private and for public networks. And then this setting allows me to configure which programs are allowed to communicate through the firewall to the network.
And then there's the advanced interface. In here, administrators can go in and run a wizard that creates rules that allow or block certain types of network traffic.
Another thing you should have running on your computer is anti-malware software. This is more commonly just known as antivirus. Remember, a virus is just one type of malicious software, so malware is a catch-all term referring to all types of malicious software, including viruses.
Windows comes with a free anti-malware program, and OS X has XProtect. You can also get third-party anti-malware software from companies like Symantec and McAfee.
One important point about anti-malware software is that it needs to be kept updated. There is something called a virus definition file, which is periodically downloaded by the anti-malware software, and that virus definition file describes what different types of malicious software look like. So all the latest malware that's being found, and how you can spot it and how you remove it, all that information is in the definition files. Most anti-malware software is configured so that before it does a scan of your computer it downloads the latest virus definition files.
The other important point is this. Keep your system patched with the latest security patches issued by the operating system vendor. Both Microsoft and Apple periodically release patches for their systems, which either fix existing security issues that have been identified or protect you against new types of attacks that have recently become apparent.
So let's watch an anti-malware program at work. What is it going to do? Well, as you will see, it's going to monitor what I'm downloading from the Internet. It will scan any executable if I try to run it. You can also set up a schedule, in which case the anti-malware program scans your hard drive looking for any malicious software that might have made it onto the hard drive. And you can also configure them generally to scan any external storage you plug into the computer, such as a USB thumb drive. When these types of programs find something that looks suspicious, that could be malicious, they will typically quarantine it, and we'll have a look at quarantining as well.
So let's have a look at all of this in action. Here I'm trying to download a malicious program, and you'll see how persistent the antivirus is. The first thing is it pops up a warning in the browser itself that says, hey, this is a dangerous file, don't download it. But I say I'm going to download it anyway. So the file is now being downloaded, and I can go and see the folder that it's downloaded to, and drag it and copy it onto my desktop.
Now I'm going to try to run it, so I right-click it, and immediately I'm warned again that this is a malicious file, and I can click on More Info to find out more information about it. And then I can click a link that says, I don't care, I want to run it anyway. But instead of running it, the antivirus program quarantines it. By quarantining the file, it is preventing it from running.
So now I have to open up the antivirus application and go and find within its settings where quarantined files are listed. And there it is. If I unquarantine it, it now gets put back onto the desktop.
While we're here, let's have a look at the settings available for an antivirus program. This is where I can configure automatic updating of the antivirus definition files and where I can schedule scans to run at regular intervals.
Another layer of security you can add is to encrypt your files. In Windows, at least in the business versions, encryption is built in, that is, in Windows Professional or Windows Enterprise editions. All you have to do in those cases to encrypt a file is this: you right-click on the file and you go to its properties, and then you click on the Advanced button. In the Advanced Attributes dialog box that you see here, there's a checkbox which simply says "Encrypt contents to secure data", and then you click OK.
At that point, the file is encrypted before it's written to disk. Only authorized users, that is, me, the person who encrypted it, or somebody else that I specify, can decrypt and read the file. So, for example, if somebody steals your hard disk, they'll have a hard time actually being able to read any of the documents, because they will be encrypted, and without the decryption key that is required, they cannot decrypt the files and read their contents.
You can go one step beyond that and encrypt an entire volume, like, say, your entire C: drive. This is a feature called BitLocker, which again is built into Windows, but in this case only into the Enterprise edition of Windows. This is called whole volume encryption. Sometimes people mistakenly call it whole disk encryption. It's not actually encrypting the entire drive; it's encrypting individual partitions or volumes within the drive. Typically, whole disk encryption is implemented through hardware, not through the operating system.
Anyway, so this is whole volume encryption. Now, what if you don't have the Enterprise edition of Windows? Well, there are third-party encryption programs around. There are open source programs, like VeraCrypt, and then there are paid programs like AxCrypt. AxCrypt is one of those where basic features are available for free, but then they have premium features for which you have to pay.
What about security for your wireless network? Well, there are two aspects to this. One is public WiFi hotspots. So, for example, if you go to Starbucks or McDonald's and you connect to their WiFi, what's going on? Well, typically these open WiFi networks don't do any kind of authentication, so you have no idea who's actually connected to that network, and they don't encrypt your network traffic. So all the data that you're sending and receiving across that connection is actually traveling in plain text through the air.
So if you are going to use these public WiFi hotspots, it's a good idea only to connect to secure websites, that is, websites where the URL is https rather than http. And if you have to connect to some remote computers, like, say, a work network or a work VPN server, make sure you use VPN protocols that encrypt the connection.
And then what about your home networks or corporate networks? Well, if you're going to use WiFi, you should enable security. In Domain 4 we will look at the security available for WiFi, but essentially these days it's a matter of choosing between WPA or WPA2. There is an older standard called WEP, which you should not use because it is not secure.
Now let's look at the different ways of providing authentication. Authentication refers to how we verify the identity of a user. So somebody tries to log on. They claim to be Fred. How do we verify that it's really Fred? We need them to prove their identity in some way. The most common way we do that is simply to require users to also enter their password. So they need to know what their user name is and type that in, and then they need to know what their password is and type that in. And that is really the simplest way to verify the identity of a user, and that's called authentication.
So any system that contains any sensitive information should require authentication. Sometimes, for example, people don't set up authentication for their smartphones because they want their phones to be easy to use. You just pick it up and start using it. If you set up authentication, you might be required to enter a PIN or draw a pattern on the screen, or use your thumbprint, something like that. So there, again, the convenience of using it means you lower the security, because if you don't have any authentication configured, if you lose your phone or somebody steals it, they can now just start using it, and potentially, if you have stored the passwords for things like websites on that smartphone, they can now connect to anything that you normally connect to from that smartphone.
Now let's talk about authentication factors. An authentication factor refers to the different methods we can use for authentication.
The factor could be something you know. Examples of this would be the user name or the password or the PIN that you have to type in. All of those are things you know, and you could be required to provide those to prove your identity, to authenticate yourself.
But what about something you are? This refers to biometrics, that is, something about your body. So, for example, your fingerprint could be used to authenticate you, or facial recognition, where the operating system scans your face and sees if it recognizes it, or iris scanning, where your eyes are scanned. Apparently, people's irises within their eyes are as unique as fingerprints.
And then there's something you have. So you could be required to log in by inserting your smart card into a reader, or reading a one-time password from a token (a token is a small electronic device with a screen), or your smartphone. So, for example, you might go to a website and say, I forgot my password. So what they do is maybe send you a link where you can reset your password. But they also send a one-time code to your smartphone. So you not only have to know the user's email address, but you also have to have access to their smartphone in order to complete that process. And so the smartphone is being used as proof of something you have, which proves who you are.
Now, the safest way of doing authentication is to combine all those different factors. Multi-factor authentication refers to combining two or more factors. For example, how about combining something you have with something you know? So if you were required to insert your smart card, that's something you have, and then enter your PIN, that would be something you know. Or what about something you are and something you know? So you scan your fingerprint and then you enter your password or a PIN. Your fingerprint is something you are, and the password or PIN is something you know.
Just be careful about this, because multiple uses of the same factor is not considered multi-factor authentication. For example, you could be required to enter your username, that's one thing, and your password, that's another thing, and your PIN, that's the third thing. But the problem is, all three things are something you know. They're all the same factor, so that would not be considered multi-factor authentication.
Types of accounts. Operating systems all have an administrator account that is configured automatically during installation. In Windows, that account is called Administrator. In Linux systems and OS X, that account is called root.
Now, here's the problem with administrator accounts. These are all-powerful. They cannot be prevented from accessing anything or changing any setting. So, for example, even if an administrator tries to access a file and the operating system says access denied because the permissions are not set to allow the administrator to access it, here's what the administrator can do. They can go and reset the permissions, giving themselves full access, and then they can access the file. So administrator accounts are very dangerous in that way.
Then there are standard user accounts. Most user accounts you create should be configured as standard user accounts. They don't have all the administrative rights that the administrator account does, so they have very limited privileges.
Most operating systems also have a guest account. So there is a guest account in Windows and a guest account in OS X. Typically, this account is disabled by default and has very limited rights on that system. You should give it a password as well, just to make sure that random people can't log on as guest.
So why would you use it? Well, you can enable it to allow occasional or temporary access to your computer. Imagine that some friends have come over and they want to log on to your machine and look for something on the Internet. Well, one thing you could do is tell them what your user name and password is, in which case they log in and they now have access to all your stuff, all your documents and so on. And they could accidentally, not necessarily maliciously, but accidentally delete some of those files, which they'll be able to do because they're logged on as you.
So what you do is you tell them to log on using the guest account. In OS X, the guest account automatically deletes everything they do when the guest account logs off. Windows doesn't quite do that. Although it has a guest account, and you can enable it, and users can log on as guest, it does create a profile for the guest account, and it remembers what that account did rather than deleting everything when the user logs off.
So here are some best practices related to accounts. Most user accounts you create should be configured as standard users, not as administrators. You should, in fact, only really have one administrator account, because the more you have, the more possibility there is that somebody discovers one of the passwords for one of the administrator accounts. You should also rename it. In Windows, for example, the default name for the administrator account is Administrator. And you should give it a complex password, or, better yet, require multi-factor authentication when logging on as this administrator.
Also note that it is dangerous to carry out normal activities while logged on as an administrator. For example, if your computer is infected with a virus, and you log on as administrator, the virus runs and inherits your credentials, so that virus now has full administrative rights on your machine and can do anything it wants. Think about this. You've logged on as administrator, and then you use your browser to go to some website on the Internet. It so happens that's a malicious website, and it downloads a malicious program to your machine. That program now inherits your administrative credentials and runs with full privileges. So this is why Microsoft and other vendors recommend that you never log on as administrator unless there's something you're doing that really requires administrative credentials.
And the guest account, which is disabled by default, should be enabled only if needed and should not be given additional privileges.
So to summarize module 3.2, Security Best Practices, here's what we looked at. We looked at how to choose good passwords, that is, longer and more complex passwords. We also saw how in Windows you can enforce the password settings on your users.
We looked at the concept of device hardening. This is locking down the system by removing all unnecessary features that are often installed by default within operating systems, disabling any unnecessary services, and disabling any types of communication you don't need to use, such as Bluetooth.
We looked at some of the dangers of using WiFi without good security, particularly when connecting to public hotspots.
And we looked at the concept of single-factor and multi-factor authentication, and we saw that multi-factor authentication is much more secure but is more complex to set up and possibly more expensive to set up.