passwords, passwords, passwords - memberclicks · most common passwords of 2017 1. 123456 2....


Post on 26-May-2020


Page 1: Passwords, Passwords, Passwords - MemberClicks · Most common passwords of 2017 1. 123456 2. 123456789 3. qwerty 4. 12345678 5. 111111 6. 1234567890 7. 1234567 8. password 9. 123123

Passwords, Passwords, Passwords


70% of all breaches are in Small Business


NIST Cybersecurity Framework Core Functions


Password Stats

• The average person has 27 online passwords

• 81% of breaches are due to passwords

• 73% of online accounts are guarded by the same password

• 40% of people have had a security incident

• 54% of people have 5 passwords or fewer


Most common passwords of 2017

1. 123456
2. 123456789
3. qwerty
4. 12345678
5. 111111
6. 1234567890
7. 1234567
8. password
9. 123123
10. 987654321


The majority of passwords are reused on different accounts

This multiplies your risk!!!


What risk is associated with the password?

• What Data is available?

▪ Information is valuable – what data is available with that password??

▪ What is the impact of compromise? (Does it affect just you/your company/your clients??)

• What Control is available?

▪ Does the password provide power to monitor/modify/disrupt systems?

• How can this impact your identity? (Personal & Organization)

▪ Anytime anyone logs in as “you” they have your identity

▪ Can that access be used externally? Does it affect you/your company/your clients?


Personal Online Account Passwords

• If a personal account has a company password, you are adding risk to your organization.

• Loss of control for your security team

• Any weak link on anyone else's system compromises your own

• You can’t really verify that your users are following this policy, but it needs to be taught. It helps them both personally as well as your organization.


Different levels of protection

• Controlling Password Difficulty:

▪ Number of characters

▪ Complexity

▪ 2 Factor Authentication

• Password Management:

▪ How often the password is changed

▪ Password manager

▪ Alerting/monitoring - Geo-IP tracking

• Password protection vigilance:

▪ Not reusing passwords on different accounts

▪ Not reusing previously used passwords

▪ Secure sites only (encryption)

▪ Phishing training


2 Factor Authentication – you need it!

Why you need it

• Adds great peace of mind

• They have to figure out how to crack your password and get your phone

Common objections

• It’s pointless: “If someone steals my phone, 2-factor adds no value.”

• It adds more work to log in

• I may not have my phone/token.


Password Recovery

• Understand what you are doing with this

• The email address used to recover your account password is probably not a work account

• It makes it easier for administrators, but it also weakens your security

• Small companies should have an administrator reset a password when needed


Password Managers

• Password Managers help enhance security

• Easier to use complex passwords

• Easier to make unique passwords

• Remember 1 password instead of 27

• Your organization can have access to passwords


Enforce policy where you can

• Enforce it:

▪ 12 characters

▪ Complex

▪ Changed every 6 months

• Train it:

▪ Phishing detection

▪ Use work passwords only for work
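The enforceable half of this slide, sketched as an added example that is not part of the original presentation: a check that applies the 12-character minimum, a complexity rule, the 2017 common-password list above, the "no previously used passwords" rule, and the six-month rotation. The 3-of-4 character-class reading of "Complex", the 183-day window, the function names and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from datetime import timedelta

# The ten most common passwords of 2017, copied from the slide above.
COMMON_2017 = {"123456", "123456789", "qwerty", "12345678", "111111",
               "1234567890", "1234567", "password", "123123", "987654321"}
MIN_LENGTH = 12                 # slide: "12 characters"
MAX_AGE = timedelta(days=183)   # slide: "Changed every 6 months" (assumed 183 days)


def _digest(password, salt):
    # Salted, slow hash so the history store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(password):
    salt = os.urandom(16)  # fresh salt per history record
    return salt, _digest(password, salt)


def check_new_password(password, history):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Assumed meaning of "Complex": at least 3 of the 4 character classes.
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("not complex")
    # Reject the listed passwords even when padded with extra characters.
    if any(common in password.lower() for common in COMMON_2017):
        problems.append("common password")
    # "Not reusing previously used passwords": compare against stored digests.
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in history):
        problems.append("previously used")
    return problems


def rotation_due(last_changed, today):
    return today - last_changed >= MAX_AGE  # older than the six-month limit


if __name__ == "__main__":
    history = [remember("Old-Harbor-Lamp-42")]  # constructed sample history
    for candidate in ("123456", "Password123456!", "Old-Harbor-Lamp-42"):
        print(candidate, check_new_password(candidate, history))
```

Note that "Password123456!" passes the length and complexity rules and is rejected only because it embeds two entries from the common-password list.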


How Access Control is changing

• It doesn’t have to be a text password

▪ Facial recognition

▪ Hand gestures

▪ Geo-location/behavior monitoring

The only goal of access control is to make sure you are who you say you are. How we accomplish that leaves a lot of possibilities!


WE’RE HERE TO HELP YOU BECOME #OXENSTRONG


888-296-3619

ISP.OXEN.TECH
