Wednesday, August 21, 2019

Learn how hackers are stealing passwords to protect your own

Fixing the Leak: See How Hackers Are Stealing Your Passwords

There is no way you are going to win a battle you are not prepared for. By preparation, you have to know not only the battleground but what tactics the enemy might be coming at you with.

The same is true for the war against password hacking.

Before you go around with the intention of staying protected against hacks, you should know how they could occur at all. In this piece, we discuss some of the common ways by which hackers get your passwords, and what you should do to protect yourself against those techniques.

1. Dictionary and Hybrid Attacks

These have been lumped together because they follow almost the same pattern.

As the name of the former implies, a dictionary file is needed to make the hack happen. A cracking program is fed this dictionary file so that it has every word in the list available, and it then tries those words, alone and in different combinations, until it hits the passphrase you used on the account.

From the name, you can guess that it would work best against accounts that have passphrases instead of passwords.

However long the passphrase, if it is built from dictionary words the attack only needs a while to work through the combinations.

Some other users are great with alphabetic substitutions. They prefer to use symbols instead of letters and numbers in the place of some letters too. This is the case with passwords like ‘p@ssw0rd,’ and a simple dictionary attack won’t work for that.

That is where the hybrid attack comes in to build on what the dictionary attack has done for improved results.

Fix: Even if your passphrase is not a logical sentence, that doesn’t keep these attacks from succeeding. The computer will also try different combinations of sentences that do not make any sense, so you are not safe with them.

Use a password generator to get a better and stronger combination of words for a better password instead.

2. Brute force attack

When all other forms of hacking fail, this is the one that the sophisticated hackers turn to. Brute force attacks will take a lot of dedication, resources and time – but they are worth it in the end since they come up with results.

The cracking program is given every letter, digit, symbol and other special character that could have been used to form the password. It then combines these characters in every order and length until it returns the password for each account. The brilliance of this attack is that it chips away at the very core of the password slowly but steadily, and it doesn’t stop until it comes out with a suitable result.

Fix: There is almost no defending against brute force attacks – but only if you don’t know how passwords work in the first place. Using online password generation tools, you can create a unique and strong password that would take even a brute force attack several years to crack.

No hacker will stay on your password for that long when they could hack other accounts instead.
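The dictionary, hybrid and brute-force sections above describe what a cracker tries; as an added example that is not part of the original post, here is a Python password-policy checker written from the defender's side. It undoes the common substitutions a hybrid attack would try, rejects anything that is a concatenation of wordlist words however long (the post's point that long passphrases of dictionary words do not help), and estimates the brute-force search space. The wordlist, the substitution table, the 60-bit threshold and the guess rate are constructed assumptions, not figures from the post.

```python
import math
import re

# Constructed stand-in for a dictionary file. Assumption: a real checker would
# load a large wordlist (for example a breached-password corpus) instead.
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty",
            "sunshine", "iloveyou", "football", "admin"}

# Substitutions a hybrid attack would try in place of letters, mapped back so
# 'p@ssw0rd' is compared against the wordlist as 'password'. Assumed table.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

MIN_BITS = 60               # assumed policy threshold for the brute-force estimate
GUESSES_PER_SECOND = 1e10   # assumed attacker rate; tune to your threat model


def candidates(password: str) -> set:
    """Letters-only forms of the password with substitutions undone: one from
    the raw string, one with leading/trailing digits and symbols dropped so an
    appended '123!' does not hide the base word."""
    low = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {re.sub(r"[^a-z]", "", s.translate(LEET_MAP)) for s in (low, stripped)}


def segmentable(s: str, words: set) -> bool:
    """True if s is a concatenation of wordlist entries (dynamic programming),
    so a long passphrase of dictionary words is caught, not only single words."""
    ok = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        ok[end] = any(ok[start] and s[start:end] in words for start in range(end))
    return ok[len(s)]


def dictionary_hit(password: str) -> bool:
    """Would a dictionary or hybrid attack over WORDLIST recover this password?"""
    return any(c and segmentable(c, WORDLIST) for c in candidates(password))


def charset_size(password: str) -> int:
    """Alphabet a brute-force search must cover, from the classes present."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    return sum(n for pat, n in classes if re.search(pat, password))


def entropy_bits(password: str) -> float:
    """log2 of the brute-force search space; an upper bound on real strength."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to exhaust the whole search space at the assumed rate."""
    return 2 ** entropy_bits(password) / rate / (365 * 24 * 3600)


def assess(password: str) -> dict:
    """Apply the policy: wordlist/hybrid match first, then the brute-force bound."""
    if dictionary_hit(password):
        return {"ok": False, "reason": "wordlist match after undoing substitutions"}
    bits = entropy_bits(password)
    if bits < MIN_BITS:
        return {"ok": False, "reason": f"only {bits:.0f} bits against brute force"}
    years = brute_force_years(password)
    return {"ok": True, "reason": f"{bits:.0f} bits, about {years:,.0f} years to exhaust"}


if __name__ == "__main__":
    # Constructed sample passwords: a leet-substituted word with a suffix, a
    # long passphrase of wordlist words, and a generated random string.
    for pw in ("P@ssw0rd123!", "welcome-dragon-monkey", "Tq7#vLm2!rK9"):
        print(f"{pw!r}: {assess(pw)}")
```

Note that the bit estimate is the attacker's worst case: a random-looking string scores high, while the 21-character passphrase is rejected outright because the dictionary check runs before the brute-force bound.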

3. Man in the middle attacks

All the other password hacking models we have been talking about involve a hacker trying to guess your password with their algorithm. Man in the middle is one of those techniques where the user themselves hands their password to a hacker on a golden platter.

The hack will often occur when an unsuspecting user is accessing the web via an unencrypted network. This makes it easy for a hacker to breach such a network and place themselves between the user’s computer and target server (any app, website or platform such a user is using on the internet).

Any and all interactions made by this user will be visible to the hacker in real time. In fact, the hacker can hijack conversations and tweak them to their own advantage. From here, there is no telling what other sensitive information the hacker can get access to, and how they can wield that over you.

Fix: The biggest unencrypted network that users unknowingly connect to every day is public Wi-Fi. Thus, the first thing is to ensure you stop connecting to them.

Likewise, your mobile connection might be unencrypted, but you can tighten things up by layering that connection over a VPN. You can do that for public Wi-Fi connections too to make them safer for use.

4. Phishing Scams

Haven’t heard of phishing before? Well, it is only the granddaddy of all social internet scams. You would think so too if you considered that phishing accounts for more than 90% of all social scams ever – and it has been around longer than many other forms of hacking.

Phishing relies on tricking a user into clicking a link that leads to a website, app or platform that looks like the real deal. A hacker could clone a bank’s website, copy a healthcare company’s page or something similar, and send that link to a user by email. Such an email will also carry a message telling the user to take some sort of urgent action on their account.

This urgency spurs the user into clicking the email link without giving it much thought. They are faced with a page that looks like the real thing, and they enter their passwords – thinking all is the same.

What the user doesn’t know is that the login details they entered are being relayed to the hacker at the other end of that server.

The hacker will then use these login details to access the actual account of such a user – and do as they please from there.

Fix: Never click on links in emails or text messages anymore. Be wary of attachments too – and you can even download an antivirus scanner to help with that.

Even though mailing services and antivirus scanners are now great at catching phishing attempts, they will sometimes fail. Always be wary of what you click on.

Wrap Up

The above are just some of the many techniques that hackers employ. By applying those fixes beforehand, though, you can keep your accounts safe from many of the hacking attempts out there.

This is a guest post from Chris Jones @TurnOnVPN


Please Follow us.
Facebook
PageGroup
Twitter
Google+
Blog
Youtube
E-Mail

Sunday, August 5, 2018

Sunday, January 7, 2018

Keep your Information safe in your Computer & Mobile, Lesson 29

Data is classified into - Internal Use

Examples
Data must be protected to prevent loss, theft, unauthorized access, and unauthorized disclosure.
Data must be protected by a confidentiality agreement with a Third Party before access is provided to the latter.
Proprietary data must be stored in a closed physical location (e.g., filing cabinet, office, warehouse, or department where controls are in place to prevent disclosure) when not in use.
Data must not be posted on any public website.
Data must be destroyed when no longer needed, subject to the Group Data Retention Policy. Destruction of data can be in any of the following ways:
- Hard copies of documents containing confidential or proprietary information must be destroyed by shredding them or another approved process that destroys the data beyond recognition or reconstruction. Electronic storage media containing classified information must be appropriately sanitized by degaussing and physically destroying same.
- Deleting files or re‐formatting media containing data in electronic format is NOT an acceptable method of destroying confidential or proprietary data.

Care Required
Data must be adequately protected to prevent loss, unauthorized access, and/or unauthorized disclosure.
Data must be appropriately destroyed when no longer needed, subject to the Group Data Retention Policy.
This type of information must not be made public nor posted on any public website.


Thanks for Read,
Please "SHARE" our post that your friends can read and learn and "COMMENT" us so that we can make our blog beautiful.


Thursday, January 4, 2018

Keep your Information safe in your Computer & Mobile, Lesson 28

Data is classified into - Confidential or Proprietary

Examples
Business Policies and Procedures.
Business partner information not covered by a restrictive confidentiality agreement.
Internal organizational charts.
Audit planning documents.

Care Required
Data must be protected to prevent loss, theft, unauthorized access, and unauthorized disclosure.
Data must be protected by a confidentiality agreement with a Third Party before access is provided to the latter.
Proprietary data must be stored in a closed physical location (e.g., filing cabinet, office, warehouse, or department where controls are in place to prevent disclosure) when not in use.
Data must not be posted on any public website.
Data must be destroyed when no longer needed, subject to the Group Data Retention Policy. Destruction of data can be in any of the following ways:
- Hard copies of documents containing confidential or proprietary information must be destroyed by shredding them or another approved process that destroys the data beyond recognition or reconstruction. Electronic storage media containing classified information must be appropriately sanitized by degaussing and physically destroying same.
- Deleting files or re‐formatting media containing data in electronic format is NOT an acceptable method of destroying confidential or proprietary data.



Tuesday, January 2, 2018

Keep your Information safe in your Computer & Mobile, Lesson 27

Data is classified into - Strictly or Highly Confidential

Examples
Content of Audit Reports.
Personnel, Executive/Top Management Information.
Data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction.

Care Required
When stored in electronic format, highly confidential data must be protected with a minimum level of authentication, such as the application of a strong password usage convention.
Access to highly confidential data must be recorded/logged, tracked, and regularly monitored.
When stored on mobile devices and media, protection and encryption measures provided through mechanisms (e.g., access/password controls and 128 bit encryption) approved by the Head of the IT Department must be employed. Data must be stored in locked physical storages like drawers, rooms, or warehouses or areas where physical access is controlled by security guards, cipher locks, biometric controls, and/or card readers. Highly confidential data must be strongly encrypted when being transferred electronically to any entity outside of the Group.
When sent via fax, this type of data must be sent only to a previously established and already used/tested address or one that has been verified as using a secured location.
Highly confidential data must not be posted on any public website.
Data must be destroyed when no longer needed, subject to the Group Data Retention Policy. Destruction of data can be in any of the following ways:
- Hard copies of documents containing classified information must be destroyed by shredding the documents or another approved process that destroys the data beyond recognition or reconstruction.
- Electronic storage media containing classified information must be appropriately sanitized by degaussing and physical destruction.
- Deleting files or re‐formatting the media containing data in electronic format is NOT an acceptable method of destroying Strictly or Highly Confidential data.
The Data Owner must immediately be notified if Strictly or Highly Confidential data is accessed without proper authorization, lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of Group information systems has taken place or is suspected of taking place.



Sunday, December 31, 2017

Keep your Information safe in your Computer & Mobile, Lesson 26

Data is classified into - Classified or Top Secret

Examples
Content of Corporate Investigation Reports
Top or Executive Management Compensation and Benefits
Business Plan/Strategy (both short and long-term)
Information relating to re-structuring and joint ventures

Care Required
When stored in electronic format, data, where possible, must be password protected and/or encrypted.
Access to data must be recorded/logged, tracked and regularly monitored.
When stored on mobile devices and media, protection and encryption measures provided through mechanisms approved by the Head of IT must be employed (e.g., access/password controls and 128 bit encryption).
Data must be stored in locked physical storages like drawers, rooms, or warehouses or areas where physical access is controlled by security guards, cipher locks, biometric controls, and/or card readers.
Data of this kind must not be sent via fax.
Data must not be posted on any public website.
Data must be opened by the intended addressee only.
Data must be destroyed when no longer needed, subject to the Group’s Data Retention Policy. Destruction of data can be in any of the following ways:
- Hard copies of documents containing classified information must be destroyed by shredding them or another approved process that destroys the data beyond recognition or reconstruction.
- Electronic storage media containing classified information must be appropriately sanitized by degaussing/bit by-bit formatting and physical destruction.
- Deleting files or re‐formatting media containing data in electronic format is NOT an acceptable method of destroying classified data.
Top Management must immediately be notified if classified data is accessed without proper authorization, lost, disclosed to unauthorized parties or is suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of Group information systems has taken place or is suspected of taking place.



Friday, December 29, 2017

Keep your Information safe in your Computer & Mobile, Lesson 25

Data Classification

Data classification is the most important part of the Information Security Regulation. Data owners must define the classification for each associated information asset together with the department / business unit. Care should be taken not to over-protect or under-protect data in a way that hinders the execution of associated tasks or exposes the organization to risks. The data classification methodology to be employed should take the following into consideration:

- Applicable laws, regulations and legislation
- Criticality and confidentiality of the data item to the department, business unit(s), or the Group as a whole.
- Risks and implications of disclosure, loss, or unauthorized public release or access
- Value of the data item to the organization or business
- Data Owners should ensure that there is adequate communication of data classification to Data Users and Custodians.
- Classifications must be applied as soon as data (or the information asset) is created or received from a third party. Failure to classify information in a timely



Wednesday, December 27, 2017

Keep your Information safe in your Computer & Mobile, Lesson 24

Incident Management

Incident Management is another important part of ISR. Without proper incident management, an asset register alone will not cover the whole ISR umbrella. Incident Management outlines a proper process for the identification and effective handling of information security incidents in order to minimize their adverse impact on the business of the entity.

Information Security Incident Management planning needs to be covered in a formal policy/procedure. Reporting and escalation of any information security incident should be done through all available reporting channels. Evidence will be gathered and retained, and a knowledge base of all information security incidents will be maintained, including details of previous incidents, their types, cost, and any other relevant information.

In view of the above, our company has formulated an Information Security Incident Management System which can be used to report any incidents that occur, or are suspected to occur, against information or information processing facilities it owns or manages.

The user needs to fill in the details of the information security incident that occurred, or is suspected to target information or information processing facilities owned or managed, which will then be analyzed by the Information Security Incident Management Team, who will take the necessary action.



Monday, December 25, 2017

Keep your Information safe in your Computer & Mobile, Lesson 23

Information Asset Register

The first and foremost requirement of the "Information Security Regulation" (ISR) is a company-wide Information Asset Register. It identifies and documents all information assets, including information and data assets and the related information processing facilities and components, such as software assets, people assets, physical assets, etc., and records other details such as physical location, license details, business value, and any other information that may be required to avoid risks and recover from disasters.

You have to create a Program module, “Information Asset Register”, which covers all the requirements of a successful information asset register. Everyone will update the assets under their department as per the definition of assets given.

The Information Asset Register will be used to support the ISR objective of developing and maintaining an Information Asset Register. This will ensure that all critical or important (i.e., high and medium risk) information is identified and monitored for the purpose of protection and risk management.

The Program module will allow departments and functions in custody of valuable information to list it and maintain it in a secured environment or system. Such a facility will also enable the information custodians to record and save pertinent and useful information such as information asset type, location, relevant system/process or sub-system, origin or source, data classification, and risk type, among others.

The Asset Register, the Storage details and the Data Owners/Custodians/Users are the important parts of the program, covering the details of each information asset, its storage, its sharing and the risk associated with it.

While entering data in the Information Asset Register, the user first needs to identify which category their information falls under. To support this, a few policies, such as the Data Ownership Policy, Data Classification Policy and Data Retention Policy, have been formulated and finalized. These policies clarify and identify how and what type of data requires which level of classification.

Once populated, the Information Asset Register will identify the key areas which need to be protected, and the Risk Assessment will identify the associated risks which need to be mitigated.



Saturday, December 23, 2017

Keep your Information safe in your Computer & Mobile, Lesson 22

User Manual

Introduction
The Information Security Regulation presents the minimum requirements for information security controls and is applicable to all Government Entities, including but not limited to employees, consultants, contractors and visitors who are not employed by the government but are engaged with it through various means. Furthermore, the regulation applies to any government information regardless of its type and medium (e.g. printed, electronic and non-electronic, verbal, written, etc.); therefore, Government Entities are expected to implement this regulation across their entire entity and not limit it to Information Technology (IT) divisions/departments only.
The scope of the government information assets must consider all the information processing facilities and components, which may include some or all of the following:
- Storage (electronic storage devices, logical and physical, paper documents, etc.)
- Infrastructure (hardware, applications, networks, etc.)
- Organizational (processes, policies, etc.)
- Personnel (administrators, employees, visitors, etc.)

Information Security Regulations (ISR)
We consider information, business processes and information systems among our most critical business assets, which require protection from unauthorized access, modification, disclosure or destruction.
The Information Security Regulation is broken down into twelve domains. Each domain takes into consideration one or more major classes of information security: Governance, Operation, and Assurance. The Governance domains set high-level requirements for structuring and managing information security. The Operation domains are technical or non-technical solutions an entity may use depending on the results of their risk assessment study. The Assurance domains act as the quality assurance for the entity, ensuring that the implemented solution is working as intended. We are therefore committed to protecting all our information assets against all threats, actual or potential, internal or external, deliberate or not.
In line with this, we also support and comply with the Information Security Regulation (ISR) pursuant to the Executive Council's Government Information Security Regulation, as stated earlier. The Information Security Steering Committee, in various capacities, is responsible for maintaining the policies and procedures and for providing support and advice during the implementation. All managers are also directly responsible for the implementation of the following Information Security Domain policies and procedures, and for ensuring mandatory compliance by the employees concerned in their respective departments and the external parties they deal with.

Information Security Regulation Structure
The Information Security Regulation is broken down into twelve domains. Each domain takes into consideration one or more major classes of information security: Governance, Operation, and Assurance.
The Governance domains set high-level requirements for structuring and managing information security.
The Operation domains are technical and/or non-technical solutions an entity may use depending on the results of their risk assessment. The Assurance domains act as the quality assurance for the entity, ensuring that the implemented solution is working as intended.



Thursday, December 21, 2017

Keep your Information safe in your Computer & Mobile, Lesson 21 of 25

Data Classification Folders

Data Classification
Classification of data determines the extent to which data needs to be controlled / secured and is also indicative of its value as a business asset. To achieve data classification properly, every network drive will be given Data Classification folders, which need to be populated according to the data classification category.

1 - Classified or Top Secret Folder
- Contents like Corporate Investigation Reports, Top or Executive Management Compensation and Benefits, Project Master Drawings, etc.
2 - Strictly or Highly Confidential Folder
- Contents like Internal/External Audit Reports, Personnel Information (HR) and Non‐Executive, any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction, etc.
3 - Confidential or Proprietary Folder
- Business Policies and Procedures, business partner information not covered by a restrictive confidentiality agreement, internal organizational charts, etc.
4 - Internal Use Folder
- Company announcements or bulletins, General Project and Research data (i.e., not including projects which are classified or highly confidential), induction material content, etc.
5 - Public Folder
- Press releases, Marketing materials/Ads, Job postings, etc.


