Earlier this year, the administrators of CloudGavel, the electronic warrant solution from our Public Safety Stak, sent out a survey asking for feedback from their end users. There were a few small issues that popped up and a couple of good suggestions for future development, but the two biggest issues that were brought up on the survey were “password management” and “two factor authentication (2FA)”.
WHAT WAS THE FEEDBACK?
They hated both of them worse than anything else they could think of! Suggestions were made to end 2FA, to go back to simple passwords and to never cause their passwords to expire. People in all industries, especially outside of IT, want simple log ins, easy passwords and no extra steps to get into the application they need to use. It is understandable. Cyber security is an extra headache for everyone involved, from the people that implement the security all the way down to the end users that have to comply with it.
It is, however, the most important headache you’ll ever have to deal with.
BASIC APPLICATION SECURITY
So, what exactly is the security protocol in FusionStak’s Public Safety Stak applications, including CloudGavel and LENSS? Here are the major components:
- Passwords should be complex, having 8 characters that are a mix of numbers, capital and lower-case letters and a special symbol. An example of this might be “Blog@1639”.
- Passwords should not be something that is easy to guess like “password1234”!
- Passwords expire every 90 days, and the last 10 passwords cannot be reused
- Users are automatically logged out after being idle for 10 minutes
- A unique verification code is sent to users every time they log in, commonly referred to as Two Factor Authentication (or 2FA for short).
There are many other items involved as our Public Safety applications follow the FBI CJIS Security requirements. These additional items bring CloudGavel and LENSS well above these basic minimum security standards.
THE CONSEQUENCES OF LAPSED SECURITY
All of these things, while difficult to deal with, also make user accounts difficult to hack. Making sure that the users’ accounts and system data are secure is of the utmost importance in today’s cyber security environment. Hackers are happy to steal data, including Personally Identifying Information (PII) and financial information and to hold what they can’t use for ransom. This has happened across multiple private corporations, utility providers and government entities. City &county governments, hospitals, schools and more have had their data held hostage by bad actors that managed to slip in due to lax cyber security.
THE NEXT ELEMENT: 2FA
The newest and fastest growing of these requirements is two factor authentication (2FA). Like the example above, 2FA can take the form of a unique verification code that’s sent out every time you log into an application, a confirmation message sent when a new device or location is being logged into (Google and Amazon use this widely now), or the use of biometrics and facial recognition (banking websites and apps are good examples).
Another reason why 2FA is so valuable is that most people use the same password across multiple applications. This means that is one of their logins gets compromised, the same password can be used for the next – and it usually works. 2FA brings in another element that forces users to confirm it’s them before the login can be completed. If the hacker that compromised the account can’t get the 2FA code, provide the face or confirm the login from a trusted device, their attempt will be thwarted.
2FA isn’t perfect, but it’s a great leap forward in making sure your logins stay secure. You can also check to see if any of your accounts logins have been compromised by visiting https://haveibeenpwned.com/. This will let you know where you’ll need to go to change passwords or deactivate accounts.
WHAT DO WE DO NEXT?
First, you should do a quick overview of all of your accounts and make the following changes if necessary:
- Update your passwords – they should be changed every 3-6 months based on the risk
- Don’t use common or easy to guess passwords
- Don’t use the same password for everything (i.e. – the password for your email accounts shouldn’t be the same as your bank password)
- Don’t save your passwords, especially on shared or public facing computers
- DO use complex passwords – 8 or more characters, a combination of letters, number and symbols, and if you really want high security, don’t use real words or number in patterns or sequences
- Enable 2FA – have applications activate 2FA if available. It may be a headache, but it will save bigger headaches later on!
- Avoid public WIFI access at all times – if you can’t be at a trust location, use a VPN or your cell phone’s hotspot/data connection. This keeps others from seeing your internet traffic.
- Don’t click on emails that have come from people or businesses you don’t know or trust. There is a surprising number of systems that have been brought down by this very basic attack (called Phishing).
- Don’t provide any account information to anyone who calls or emails and asks. If they are calling you, they should have everything but your password, and they should never need that from you.
If you need any help or advice on setting up or improving your cyber security, please reach out to us at firstname.lastname@example.org and we’ll be happy to help.