LBS Information Security Newsletter – October 2019

Introduction

Welcome to the first LBS Information Security Newsletter, published to mark National Cyber Security Awareness Month.

The purpose of this newsletter is to keep all interested parties informed about what is happening around the School (and elsewhere) regarding information security. The newsletter will be produced regularly and present information on particular themes, as well as highlighting anything new in the field of infosec that needs to be shared with LBS faculty, staff and students.

This month’s theme is passwords – the key to the door.

Passwords – why we need them and how to choose good ones

The “why” is a many-headed beast – passwords act as the key to the door

They are never perfect, but they are what protects your account: a password is how you prove to a system that you are who you claim to be, so that it grants you the access to your account and data that is appropriate to your needs. However, passwords can be broken, guessed, or conned out of you. Breaking means running programs that carry out brute-force attacks (trying every combination of characters) or dictionary attacks (working through lists of common words and previously leaked passwords, with simple variations such as capital letters, years and symbols added) - computers are fast enough to test many millions of guesses per second against a stolen password database. Conning means social engineering, e.g. a phishing email that lures the recipient into divulging the password, or into visiting a fake (often very convincing) website and entering it there.

Passwords have a limited lifetime - the longer a password is, the harder it is to brute-force and the longer it can be used safely, so password changing requirements tend to depend on the minimum password length in operation.
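To make the brute-force and dictionary attacks described above concrete, here is an added example (it is not from the original newsletter and not LBS code): a Python script that runs a small dictionary attack with common "mangling" rules against a constructed table of unsalted SHA-256 password hashes, and counts the search space an exhaustive brute force would face for a given length. The user names, passwords and wordlist are all made up for illustration.

```python
import hashlib


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of a password, as a badly designed site might store it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked" password table for this example (hypothetical accounts).
LEAKED_HASHES = {
    "alice": sha256_hex("Summer2019!"),
    "bob": sha256_hex("password1"),
    "carol": sha256_hex("purple-tractor-quietly-eleven"),  # long random passphrase
}

# Constructed mini wordlist; real attack lists hold hundreds of millions of entries
# harvested from earlier breaches, which is why reused passwords fall first.
WORDLIST = ["password", "summer", "welcome", "london", "qwerty"]

# Suffixes attackers try because people append them to satisfy complexity rules.
SUFFIXES = ["1", "123", "!", "2019", "2019!"]


def mangle(word: str):
    """Yield the variants an attacker tries first: case changes plus common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def crack(hashes: dict, wordlist: list):
    """Dictionary attack: hash each candidate once and look it up against every user.

    Because the hashes are unsalted, a single guess is checked against all accounts
    at once (one lookup in the reversed table), so the cost per account is tiny.
    Returns (cracked users -> password, number of guesses made).
    """
    targets = {h: user for user, h in hashes.items()}
    found, tried = {}, 0
    for word in wordlist:
        for guess in mangle(word):
            tried += 1
            user = targets.get(sha256_hex(guess))
            if user is not None:
                found[user] = guess
    return found, tried


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive brute force must cover: alphabet ** length."""
    return alphabet_size ** length


if __name__ == "__main__":
    found, tried = crack(LEAKED_HASHES, WORDLIST)
    print(f"{tried} guesses, cracked: {found}")
    # Each extra character multiplies the work: 8 vs 16 characters from a 62-symbol alphabet.
    print(search_space(62, 8), search_space(62, 16))
```

The two short passwords built from a dictionary word fall in under a hundred guesses; the long random passphrase survives the whole wordlist, which is the point of the length advice above. Sites that store passwords properly (a per-user salt and a deliberately slow hash such as bcrypt) make each guess expensive and stop one guess being checked against every account, but that is the site's defence, not yours: from the user's side, length and uniqueness are what count.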

Not all organisations enforce a password changing policy, so you may choose to change a password you have used for a long time. You should certainly change a password if you think it may have been compromised: if you entered it somewhere you suspect may not have been genuine, if someone may have watched you type it or seen it over your shoulder, or if you may have inadvertently given it out in response to a phishing email.

Passwords need to be known only to you, so that you can be sure nobody else has access to the accounts and data that are available to you. Also, you are responsible for activity from your account, so you want to make sure nobody else can get you into a tight spot - even accidentally.

If you need to share data, do so by sharing it, not by giving away your password. If you need email to be accessible to more than one person, either set up delegated access or consider using a group/email list. I am happy to advise, or you can ask the IT Helpdesk.

It is also suggested that you don't reuse passwords - why? Well, data breaches are making the news with alarming frequency at the moment. If you used the same password everywhere and one of your favourite sites had a breach, you would have to change your password everywhere else, because the attackers publish (or sell) the recovered passwords and others then try them, together with the matching email addresses, as logins on other sites. The other problem is that data breaches are usually discovered many months after the first attackers get in - and that means your password may be known for months before the breached site finds out and tells you. In that time, others may already have got into other things using the same password. Sounds like a film script? Maybe, but it happens, and happens often.

What more can be done?

Just as passwords are the key to the door, two factor authentication (2FA) adds a second lock on the entry point to a system – typically a code you enter in addition to your password. You can think of it as equivalent to a bank cashpoint: you need two things to get at your money – your card, which is “something you have”, and the PIN, which is “something you know”. Alternatively, a third means of authentication – something you are (a biometric such as a fingerprint) – can be used.

Authentication, in this context, is the act of proving your identity to gain access to LBS system resources. Identity is proved using a variety of factors generally consisting of one or other of "something you know", "something you have" and "something you are".

Passwords are an example of "something you know". "Something you have" may be a physical token – either a card, a small device which can display or contain a code or a mobile phone. Biometrics, such as fingerprints or other encoding of a physical human feature, are "something you are".

Two factor authentication provides an extra layer of security. Many commercial and widely used systems already provide two factor authentication – sometimes as an optional extra. For example, banks use additional means of identification for their online banking systems, and Google and Microsoft allow users the option of setting it up – generally using a mobile phone to receive a code, or an authenticator app on the phone that generates one. Google allows a user to have their machine remembered for a month before the need to receive and input a code again.

Two factor authentication provides enhanced security because it is difficult for someone seeking unauthorised access to obtain more than one means of identification from their victims. An email phishing attack can quite easily capture the "something you know" - the password - but obtaining a further token or biometric is not straightforward. One caveat: a code sent by text message or shown in an app can still be phished if the fake site relays it to the real one straight away, so only ever enter a code on a site you navigated to yourself, and treat any code you did not request as a sign that someone has your password.

Keep up-to-date

If you’re responsible for a machine (your own, or one providing a service to others), then you need to keep it up-to-date with patches and keep any anti-virus software updated to have the best chance of staying safe online.

Training

Information Security Awareness Training is available on Canvas.

Please ensure all new staff members do this as part of their induction.

We particularly welcome suggestions for ideas for other online training/presentations that would be useful.

General

We welcome feedback/suggestions… what sort of information would you like to see on an information security website? What training do you think you may need related to information security? Let us know and we'll see what we can do.