ITP Techblog

Brought to you by IT Professionals NZ

Want to reduce cyber threats? Use a password manager - CERT

Peter Griffin, Editor. 20 August 2021, 9:18 am

The Government's Computer Emergency Response Team (CERT) has updated its list of "critical controls" for cybersecurity and is urging us all to use a password manager.

Reusing simple passwords across multiple online services is one of the main ways cybercriminals gain access to our online accounts, opening the door to privacy violations, identity theft and fraud.

CERT updates its critical controls list each year, scanning the threat landscape and international cybersecurity reports for the actions it considers essential to staying ahead of the latest threats.

Using a password manager is the newest addition to the list, along with "securing internet-exposed services".

Using an app to manage your numerous passwords and log-in details for websites and online accounts greatly reduces the risk of credential theft and phishing attacks, says Lindsay Brown, the Asia Pacific president of LogMeIn, one such password management service.

Going passwordless 

"Risks of credential theft and phishing can be minimised by adopting password managers with single-sign-on (SSO) and passwordless MFA to help organisations thwart modern password-related risk," says Brown.

"Strengthening your business' cybersecurity strategy should not just fall on the shoulders of IT teams. Organisations need to build a security-first culture through changing attitudes of everyone in the company to increase effectiveness against potential security breaches," Brown adds.

Numerous free and premium password managers are on the market and many corporate users of Microsoft products have access to one through the software maker's authentication app.

LastPass is one of the world's most popular password managers, with Dashlane and Keeper also widely used.

LastPass has some advice for stronger passwords:

"You should always be using a unique password for every account so one compromised account will not impact others. The ideal password is made up of a random sequence of characters including uppercase, lowercase, symbols and numbers, and is at least 14 characters long.

"As tempting as it is, never use personal details about yourself that can easily be guessed from looking at your social media account. Don't use your mother's maiden name or include any personally identifiable information in your passwords. One of the best ways to create a strong password that is also memorable is to make a "passphrase". A passphrase is a long sentence or series of words.

"It's typically something random, but that has personal meaning to you, like: 'iwanttovisitparissomeday'. Now, just sprinkle in a few additional characters and you'll have an even stronger passphrase: "[email protected]". In an age where we have dozens of online accounts we frequently use, the most practical way of managing this is using a password manager to auto-generate, auto-fill and store complex passwords while requiring only one master password from the user."
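To put numbers on the advice above, here is an added example (written for this page; it is not code from LastPass, CERT or the article) that generates a random password meeting the quoted policy (at least 14 characters, all four character classes), generates a random passphrase, checks any candidate against that policy, and computes the entropy each construction gives an attacker who knows how it was built. The 94-character alphabet is printable ASCII; the 7,776-word list size is assumed from the standard Diceware list, and the short wordlist in the code is constructed for the demo.

```python
"""Password policy check, CSPRNG-based generation and entropy arithmetic.

Added example for this article; not LastPass's, CERT's or the article's code.
Policy thresholds (14+ characters, four classes) follow the LastPass advice
quoted above. DEMO_WORDLIST is a constructed stand-in for a real wordlist.
"""
import math
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII characters

# Constructed demo wordlist; the Diceware list (assumed below) has 7,776 words.
DEMO_WORDLIST = ["paris", "visit", "someday", "harbour", "kiwi", "glacier",
                 "fern", "ferry", "summit", "lantern", "orchard", "tussock",
                 "basalt", "pebble", "cobalt", "meadow"]
DICEWARE_SIZE = 7776


def meets_policy(password: str, min_len: int = 14) -> bool:
    """True if the password is at least min_len long and contains at least
    one character from each of the four classes. This is a composition
    check only: it says nothing about whether the password was chosen
    randomly, so a predictable phrase with sprinkled symbols can pass."""
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    return (len(password) >= min_len
            and all(any(c in cls for c in password) for cls in classes))


def generate_password(length: int = 14) -> str:
    """Draw each character uniformly with the CSPRNG (secrets, not random)
    and reject candidates that miss a class. Rejection discards roughly a
    quarter of 14-character candidates, costing well under one bit of the
    ~91.8 bits a uniform 14-of-94 string carries."""
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


def generate_passphrase(num_words: int = 6, wordlist=DEMO_WORDLIST,
                        sep: str = "-") -> str:
    """Words drawn independently and uniformly from the wordlist. Security
    comes from the draw being random, not from the words being obscure."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_symbols: int, alphabet_size: int) -> float:
    """Entropy, in bits, of num_symbols independent uniform draws from an
    alphabet of alphabet_size choices: num_symbols * log2(alphabet_size).
    Applies only to generated secrets; a human-chosen phrase such as
    'iwanttovisitparissomeday' is not a uniform draw and gets no such bound."""
    return num_symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(14)
    phrase = generate_passphrase(6)
    print(f"password   {pw!r:20} policy={meets_policy(pw)} "
          f"entropy={entropy_bits(14, len(ALPHABET)):.1f} bits")
    print(f"passphrase {phrase!r} "
          f"entropy={entropy_bits(6, len(DEMO_WORDLIST)):.1f} bits (demo list), "
          f"{entropy_bits(6, DICEWARE_SIZE):.1f} bits (Diceware)")
    print(f"quoted phrase passes policy: {meets_policy('iwanttovisitparissomeday')}")
```

The two entropy figures are the practical point of the quoted advice: a generated 14-character password is worth about 92 bits, and six Diceware words about 78 bits, while a phrase the user invented gets no such guarantee however many symbols are sprinkled in. The policy check is a floor, not a strength measure, which is why the manager, not the user, should do the generating.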

Changes to the 2021 CERT Critical Controls list

- Provide and use a password manager

- Secure internet-exposed services

CERT also updated two current controls:

- Implement application allowlisting (otherwise known as whitelisting)

- Configure logging and alerting

And it is splitting out one of its key controls:

- Implement multi-factor authentication and verification

"In 2020, we've seen a number of campaigns targeting internet-exposed services. In response, we've developed a control to help organisations identify and secure any internet-exposed services," CERT reported.

"Providing and using a password manager is something your organisation can do to support good password hygiene.

"In previous years, we had combined multi-factor authentication (MFA) with our other authentication controls; however, this devalued how critical MFA is. MFA remains one of our most common pieces of advice when helping organisations prevent and respond to incidents. The application allowlisting control will be refreshed, and the logging and alerting control will also receive a major update."

See the full, updated Critical Controls list here.

