
Cybersecurity Monthly: Tips Roundup for May 2021

Welcome back to our series, Cybersecurity Monthly, where we’ll be presenting you a round-up of updates from one of Impact’s security experts, vCISO Humberto Gauna.

You’ll learn about trends and strategies for SMB security and how you can improve your organization’s approach to ensuring the best cybersecurity practices.

If you'd like to learn more, check out the previous entries in the Cybersecurity Monthly series from February, March, and April.

Take a look!


Memorial Day

During my time in the Marines, I lost brothers and sisters that we remember during Memorial weekend. In their honor, I focus on becoming better.

I used the weekend to not only reflect on how lucky I was to come home but to continue to serve society. As a security subject matter expert, I am happy to provide advice to those who ask for it.

Memorial weekend was also a time I dedicated myself to learning a new skill—Open-source intelligence, or OSINT.

I've been fortunate enough to have worked in organizations that had their own "Intelligence Gathering" teams, which then provided the required information.

I am learning to fish, then I will teach others to fish when I become proficient.

What did you learn on Memorial Day?

Slow and Steady Wins the Race

Everything we do has to be processed with two goals: service availability and delivering secure products.

We are moving at the speed of Moore's Law. We have the "need" to implement new technology and services to be first to market.

How about being first to market in a secure manner? Are we exercising due diligence? Have we checked everything we can, and checked it correctly, the first time?

I always told my charges, if you have time to do things over, you had time to do them right. I understand the whole model of getting it out the door, make money, then make improvements. With the risk profiles that are out there, this method should no longer be acceptable in cybersecurity.

Don't get me wrong, I enjoy the job security I have. Most of my time is spent making sure the basic foundations in security are implemented first: the crawl phase.

Then move to the walk phase, which would be documenting and measuring.

The run phase is where the true experts come to play, improving based on needs, automation, advanced testing, and bliss (Note: this is a personal view and results may differ on an individual basis).

If you are building, due diligence is your best friend. If you are implementing, slow and steady wins the race.

Learning to Prioritize

What are you protecting? Have you defined the level of protection you need? Have you conducted a risk assessment to help prioritize your resources?

These are things that are necessary to build a business case for an adequate level of security.

Not all things need Fort Knox-level security; some require presidential-level security, while others require a combination lock (three disks). Using risk management maximizes resources where required while still identifying risks, processes, and gaps.

Learning from ISACA really reset my focus on risk assessments, frameworks, measuring risk, and communicating the value of risk mitigation.

There is one component I am guilty of omitting—the third axis. Most risk assessments focus on the level of consequence and the probability. What was missing from my previous risk assessments was the number of occurrences per year and the value (cost) of each occurrence.

There are two things we should focus on reducing: the level of consequence and the rate of occurrence.

Think About Your Passwords

May is home to many special days, like Cinco de Mayo and of course Star Wars Day! Most importantly for us in cybersecurity, however, is Password Day.

What is Password Day? It is a reminder not only for all internet users to check and change their passwords, but also a reminder for admins to go and check the global password policy for their enterprise.

Let's also change our usage from password to passphrase! Even the Cave of Wonders required the use of a passphrase.

Using a passphrase makes it easier to create a 16-character string that contains UPPER and lowercase letters, numbers, and special characters.

Let's also consider the lifecycle of the passphrase. 90 days seems to be the standard interval for having users change their passwords, or passphrases, which causes fatigue since they need one for a dozen or more platforms. That is a lot of credentials to maintain.

Help your end-users out: get them a password or credential manager to help them manage those passphrases and not reuse them across different platforms.

One of the leading factors of account compromise is password reuse. Help stop that practice.

Organizations need to create a list of forbidden words that cannot be used in passphrases. This list should include seasons, organizational names, project names, and years!

That’s all from Humberto this month for cybersecurity monthly. To learn more about cybersecurity, you can watch our 2020 Cybersecurity in Review webinar, where Humberto joins Impact’s Director of MIT Security Services, Jeff Leder, as they assess 2020 from a security perspective, analyzing the biggest breaches and providing valuable insights into what businesses can do better. Watch here.