Preparing Your Infosec Program for Quantum Computing

 

Imagine a world where encryption, the bedrock of our current cybersecurity measures, can be unraveled in mere moments. This reality is not just conceivable; it’s on the horizon with the advent of quantum computing. A groundbreaking leap from traditional binary computing, quantum computing has the potential to redefine what we deem secure.

Delving into the peculiar realm of quantum mechanics unleashes power that eclipses the might of our current supercomputers. To truly grasp how this will reshape information security, one must understand qubits and the unfathomable processing capabilities they present. The security protocols we depend on today are poised for a seismic shift as quantum computers become more prevalent.

In this article, we embark on a journey through the landscape of quantum computing and its impending collision with the world of cybersecurity. From exploring quantum-resistant cryptography to pondering the role of agencies in securing data in a post-quantum era, we will prepare your infosec program to stand firm in the face of this computational tidal wave.

Understanding the Basics of Quantum Computing

Quantum computing signifies a revolutionary leap from classical computers, fundamentally altering the landscape of data processing. The core of this transformation lies in the utilization of quantum bits or qubits. Unlike standard bits, which are confined to a binary state of either 0 or 1, qubits harness the peculiar properties of quantum mechanics. These particles can exist in a state of superposition, being both 0 and 1 simultaneously, which greatly expands their computational capacity.

To maintain their complex states, qubits require an environment that isolates them from any external interference. Achieving this usually involves extreme measures such as cooling systems that approach absolute zero temperatures. This delicate balance is essential to prevent the decoherence and degradation of the qubit’s information.

Another hallmark of quantum computing is entanglement, a phenomenon where qubits become so deeply linked that the state of one will instantaneously influence its entangled partner, regardless of the distance separating them. This interconnection paves the way for unprecedented speed and efficiency in computing processes.

Given the immense computing power quantum machines are expected to yield, they pose a critical concern for information security. Current cryptographic protocols, which rely on the computational difficulty of certain mathematical problems, might become easily solvable in a fraction of the time currently required. Therefore, in anticipation of this quantum threat, governments and institutions like the National Institute of Standards and Technology (NIST) are proactively working on developing and standardizing quantum-resistant cryptographic mechanisms. These intensified efforts aim to buttress our cybersecurity infrastructure against the potential onslaught of quantum attacks that could exploit the vulnerabilities of classical cryptographic systems.

Explaining Quantum Computers

Quantum Computers

| Feature | Description |
| --- | --- |
| Qubits | Utilize qubits instead of bits, allowing for simultaneous representation of 0 and 1 through superposition. |
| Entanglement | A property where qubits are interconnected so that the state of one can instantaneously impact another. |
| Encryption Threat | Pose danger to current encryption methods due to their ability to solve complex cryptographic problems rapidly. |

Quantum computers diverge entirely from the operational framework of classical computers. While traditional machines process data linearly, quantum computers leverage the dual state capability of qubits through superposition, allowing them to perform multiple calculations concurrently.

The intrinsic feature of entanglement in quantum computers enables a linked state among qubits, enabling immediate and correlated changes across them. This feature dramatically accelerates complex problem-solving and data analysis processes.

The exponential speed and power of quantum machines offer promising advancements but simultaneously challenge the integrity of cryptographic algorithms, including those protecting internet infrastructure. As quantum computers excel at calculating large numbers efficiently, they could potentially decipher encryption swiftly, rendering many of the security protocols we currently rely on ineffective. This quantum leap requires a reevaluation and reinforcement of encryption to secure data against the potential intrusion by these powerful computing entities.

Discussing Quantum Bits (Qubits)

Quantum bits – or qubits – are the quintessential building blocks of quantum computers. By being able to embody multiple states at once through superposition, they bypass the limitations of classical bits. This property permits an exponential increase in computing power, as each qubit added to the system essentially doubles its capacity.

Entanglement compounds this capability, fostering a network of qubits that synchronize changes over any distance. This drastically enhances efficiency, enabling rapid complex calculations and high-level problem-solving far beyond the scope of traditional computing.

The manipulation of qubits through quantum algorithms, exploiting both superposition and entanglement, allows quantum computers to perform functions in mere moments that would take classical computers years. However, it’s key to note that this power to swiftly navigate through vast computational possibilities not only offers solutions but also necessitates the evolution of cybersecurity measures.

Exploring Quantum Mechanics and Its Relation to Computing

Quantum Mechanics Principles in Computing

  • Superposition: Facilitates qubits to be both 0 and 1 concurrently, enabling parallel calculation capabilities.
  • Entanglement: Connects qubits, allowing information sharing instantaneously regardless of distance.
  • Acceleration: Propels computing processes at an unprecedented pace, opening new possibilities for industries.

Quantum mechanics and computing are intertwined, with the former offering an analytical lens for the latter. By viewing computing through the principles of quantum physics, a vast new computational paradigm emerges. The spoils of quantum mechanics, such as superposition and entanglement, permit the functionality of quantum bits, or qubits, fundamentally differentiating quantum computers from their classical counterparts.

These quantum properties allow for parallel calculations to be conducted simultaneously, something utterly impossible for classical computing architecture. With the formidable capability to expedite solutions and answer monumental questions across varied industries, quantum computing is expected to drive significant progress in the next decade.

However, the same properties that endow quantum computers with their power also render current encryption models, like RSA, profoundly vulnerable. Quantum computers can decipher complex numerical problems in a fraction of the time expected by traditional systems, therefore outpacing and potentially compromising existing cybersecurity measures. Consequently, acknowledging and preparing for quantum impacts on encryption is paramount, ensuring a secure transition into the impending post-quantum world.

The Implications of Quantum Computing on Cybersecurity

Quantum computing heralds a double-edged sword for the digital world; on one side, it promises unprecedented computational breakthroughs, and on the other, it poses a seismic threat to cybersecurity. The very nature of quantum computing, with its ability to solve complex problems that are intractable for classical computers, could undermine encryption methods that protect everything from daily financial transactions to state secrets. Data meant to be safeguarded for an extended period is at risk, as current encryption could eventually be rendered obsolete by quantum techniques.

Recognizing this, efforts to create quantum-resistant encryption are gaining momentum. NIST, among other institutions, is actively seeking post-quantum solutions, having sifted through 69 potential cryptographic methods. The road ahead is a paradigm shift in cybersecurity strategy: to adopt a multi-layered, quantum-safe defense and build an infrastructure resilient to the quantum age. Such a transition demands identifying and protecting critical data assets with diversified cryptographic solutions and contemplating novel, quantum-robust algorithms for enduring security.

As quantum technology advances, organizations must remain vigilant, continuously adapting to new cybersecurity regulations and principles like zero-trust architecture to fortify themselves against future quantum exploits.

Identifying the Quantum Threat to Cryptographic Algorithms

The Cloud Security Alliance forecasts a worrisome horizon for cryptographic algorithms such as RSA, Diffie-Hellman, and Elliptic-Curve Cryptography, indicating their susceptibility to quantum attacks possibly by April 2030. Such a development exposes organizations to ‘harvest now, decrypt later’ scenarios, where adversaries collect encrypted information, waiting to unlock it with mature quantum capabilities.

Notably, over half of the participants in a Deloitte Poll acknowledged this risk, attesting to the widespread concern regarding quantum computing’s impact on cryptography. The crux of this threat is the superior ability of qubits, the core units of quantum computing, to tackle multifaceted problems rapidly. Hence, the urgency to innovate quantum security measures is fundamental, demanding a robust cybersecurity edifice that can withstand advanced future threats.

Assessing the Impact of Powerful Quantum Computers on Current Security Measures

Contemporary cybersecurity rests on encryption algorithms like RSA, which powerful quantum computers could nullify. Post-quantum cryptography (PQC) seeks to mitigate this threat, ensuring our safety protocols are compatible with a quantum future.

The U.S. National Institute of Standards and Technology (NIST) is at the forefront, assessing 69 methods for such cryptography. Moreover, the ‘harvest now, decrypt later’ dynamic looms as a direct consequence of powerful quantum computing, prompting the necessity for quantum-safe countermeasures, without which industries face considerable security risks.

Recognizing the Challenges of Key Distribution in a Post-Quantum World

With the prospect of quantum computing, the secure distribution of cryptographic keys becomes ever more crucial, yet challenging. The landscape beyond the coming decade needs to account for quantum threats; organizations must ensure continued data safety while raising awareness among leaders and stakeholders.

Strategies like crypto agility are crucial, providing the flexibility necessary to transition between algorithms in response to emerging vulnerabilities or quantum threats. Additionally, the integration of traditional and quantum-driven security methods or technologies like Quantum Key Distribution could bolster our cryptographic defenses in this new computational era.

Analyzing the Implications for Crypto Agility in the Face of Quantum Attacks

The ascent of quantum computing casts a foreboding shadow over established encryption methods such as RSA and ECC. Algorithms conceived for quantum machines, like Shor’s and Grover’s, are primed to factorize large numbers expeditiously, undermining the foundations of conventional cryptographic security.

Post-quantum cryptography is the beacon of hope, looking at alternatives like lattice-based cryptography founded on the intricacies of lattice mathematics for quantum-resistant encryption methods. With 50.2% of respondents in a Deloitte Poll voicing concern over ‘harvest now, decrypt later’ threats, the imperative for crypto agility has never been clearer. Making a preemptive pivot towards quantum-resistant solutions is both a strategic and necessary stance to counter the coming quantum onslaught.

Quantum Technologies and their Potential Impact on Infosec Programs

Quantum computing represents a transformative force across sectors, boasting the ability to accelerate problem-solving capabilities to levels unattainable by classical systems. Within the sphere of cybersecurity, this computing paradigm foreshadows profound repercussions. Existing security protocols could falter as advanced computational techniques emerge, rendering them inadequate against quantum-powered attacks.

To hedge against this prospective quantum revolution, organizations are hastily directing focus toward post-quantum cryptography (PQC). This advanced subset of cryptographic algorithms is designed to be quantum-resistant, ensuring the protection of sensitive data even against adversaries wielding quantum tools. In a proactive move, NIST has earmarked four quantum-resistant encryption methods, setting the stage for a fortified cybersecurity infrastructure in the impending era of quantum computing.

Another trailblazing quantum technology is Quantum Key Distribution (QKD). QKD exemplifies a formidable approach to escalated security, exploiting the quirks of quantum physics to enable impenetrable key distribution, safeguarding against even the most sophisticated eavesdropping endeavors. As such, the confluence of PQC and QKD marks a pivotal junction in the roadmap for future infosec programs that need to anticipate the universal challenges posed by quantum technologies.

Examining the Role of Quantum Computing in Artificial Intelligence and Machine Learning

The symbiosis of quantum computing and artificial intelligence (AI) promises an era where data is dissected with unparalleled precision. Quantum machine-learning could significantly enhance AI algorithms, sharpening the detection of evolving cyber threats. Thanks to the deftness of quantum computers in sifting through extensive datasets, quantum advantage could lead to more astute and efficient pattern recognition, empowering real-time threat detection, and proactive response systems.

Furthermore, the nascent realm of quantum computing stands to revolutionize network security through its prowess in dissecting complex networks, uncovering latent vulnerabilities, and buttressing cybersecurity frameworks against imminent threats. The precipitous growth of quantum-informed algorithms suggests a future where AI and machine learning not only accelerate but also achieve greater energy efficiency in warding off novel cyber risks.

One cannot ignore, however, the demands such developments place on human capital. Quantum computing necessitates a cadre of skilled professionals, ushering in an educational imperative to train and cultivate expertise in this avant-garde technology.

Exploring the Integration of Quantum Technologies into Traditional Computers

In the advent of a hybridized technology ecosystem, quantum computers are poised to take on the mantle of specialized co-processors, alongside their classical counterparts. Such arrangements would enable classical systems to offload computationally intense tasks, particularly those well-suited to quantum’s nuanced problem-solving capabilities. Yet, this marriage of digital methodologies is not without its pitfalls.

Integrating quantum and classical systems may inadvertently create conduits for established cybersecurity threats to infiltrate quantum realms. The anticipated arrival of standardized quantum algorithms within the next several years provides some assurance, although the perpetual evolution of quantum computing techniques may challenge such uniformity.

Taking center stage in the convergence of quantum and traditional computing is the Quantum Key Distribution (QKD), an encryption method that leverages quantum physics to deliver keys with guaranteed secrecy. Despite these innovative strides, vulnerabilities highlighted by quantum factorization methods, like Peter Shor’s notorious algorithm, forecast potential threats, especially to cornerstone encryption protocols such as RSA.

Evaluating the Processing Power of Quantum Computers and its Effect on Cybersecurity

Quantum computing’s extraordinary processing power is derived from quantum bits, or qubits, which operate in a rich tapestry of states beyond the binary confines of classical bits. This quantum capability enables the performance of calculations at a pace and complexity that is exponential compared to traditional computing power. The crux of the matter for cybersecurity is the implications this has on encryption, as quantum computers can potentially break encryptions that classical computers would never feasibly solve.

The burgeoning presence of quantum computing introduces a myriad of challenges, not least the financial and accessibility barriers for smaller organizations. As advancements in quantum computing gain momentum, the cybersecurity landscape will need to adapt to an ever-evolving set of challenges, requiring vigilant monitoring and nimble responses.

To keep apace with the dynamic growth of quantum computing, a collaborative trinity of industry, academia, and government is imperative. Together, these stakeholders are the keystone in the archway leading to new cryptographic defenses, ensuring the enduring confidentiality and integrity of private information amidst the quantum computing revolution.

Strategies for Adapting Infosec Programs to the Quantum Computing Era

As quantum computing continues to develop, its potential impact on cybersecurity grows exponentially. Infosec programs, therefore, must evolve with the emerging quantum threat. Here are key strategies for ensuring that security frameworks remain robust and agile in the face of quantum advancements:

  • Evaluating Post-Quantum Cryptography (PQC): Proactively assess and integrate NIST-approved PQC algorithms into existing security protocols to ensure data remains secure against quantum computers.
  • Employing Quantum Key Distribution (QKD): Consider the practicality and benefits of QKD for safeguarding critical communications against quantum spying techniques.
  • Practicing Quantum-Secure Governance: Develop and instill governance principles that specifically address the unique considerations of quantum technologies to establish trust and mitigate risks.
  • Prioritizing Data Protection: Identify and categorize the sensitivity of organizational data to strategize encryption overlays and safeguard valuable assets.
  • Implementing Crypto Agility: Embrace a comprehensive risk assessment approach that prioritizes the swift adoption of quantum-resistant mechanisms and allows for quick adaptation to new cryptographic standards.
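A worked triage for the ‘harvest now, decrypt later’ risk and the data-prioritization strategy above, added here as an illustration and not taken from the original article. It treats RSA, Diffie-Hellman and ECC as vulnerable and uses the April 2030 forecast cited earlier; the day of the month, the inventory entries, the secrecy and migration estimates and every name in the code are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Algorithms the article names as susceptible to quantum attack.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECC"}

# The article cites a forecast of "possibly by April 2030"; the day of the
# month is an assumption so the date can be used in arithmetic.
THREAT_DATE = date(2030, 4, 1)

RANK = {"migrate-now": 0, "schedule": 1, "monitor": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str          # public-key algorithm protecting the data
    secrecy_years: float    # how long the data must stay confidential
    migration_years: float  # estimated time to move this system to PQC


def assess(asset, today, threat_date=THREAT_DATE):
    """Classify one asset against the forecast threat date."""
    horizon = (threat_date - today).days / 365.25
    # Algorithms outside the article's list are only ever reported as "monitor".
    vulnerable = asset.algorithm.upper() in QUANTUM_VULNERABLE
    # Harvestable: traffic recorded today is still sensitive at the threat date.
    harvestable = vulnerable and asset.secrecy_years > horizon
    # Overrun: secrecy lifetime plus migration time beyond the horizon, i.e.
    # how long data written just before migration ends would stay exposed.
    overrun = 0.0
    if vulnerable:
        overrun = max(0.0, asset.secrecy_years + asset.migration_years - horizon)
    if harvestable:
        priority = "migrate-now"
    elif overrun > 0:
        priority = "schedule"
    else:
        priority = "monitor"
    return {
        "name": asset.name,
        "algorithm": asset.algorithm,
        "harvestable": harvestable,
        "overrun_years": round(overrun, 1),
        "priority": priority,
    }


def triage(inventory, today):
    """Return assessments ordered by priority, then by largest overrun."""
    rows = [assess(asset, today) for asset in inventory]
    return sorted(rows, key=lambda r: (RANK[r["priority"]], -r["overrun_years"]))


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("web-sessions", "ECC", secrecy_years=0.1, migration_years=1),
    Asset("backup-vault", "AES-256", secrecy_years=25, migration_years=0),
    Asset("vpn-gateway", "DH", secrecy_years=2, migration_years=4),
    Asset("hr-archive", "RSA", secrecy_years=10, migration_years=3),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date(2025, 4, 1)):
        print(f'{row["priority"]:<12} {row["name"]:<14} {row["algorithm"]:<8} '
              f'overrun={row["overrun_years"]}y harvestable={row["harvestable"]}')
```

The overrun test is the inequality often attributed to Michele Mosca: if secrecy lifetime plus migration time exceeds the time until the threat, the system needs attention now.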

Developing Quantum-Resistant Cryptographic Algorithms

In anticipation of quantum computing’s potential to disrupt current cryptographic models, the development of quantum-resistant algorithms is critical. Lattice-based, code-based, multivariate, hash-based, and isogeny-based cryptography exemplify such pioneering approaches. These algorithms aim to withstand the computational supremacy of quantum mechanics. However, this futuristic cryptography frontier presents unique challenges, including the steep curve in development, adoption, and the required coordination among global stakeholders to achieve homogeneity in protection measures.

Implementing Quantum-Safe Key Distribution Mechanisms

The secure exchange of encryption keys is fundamental to confidential communication. Quantum key distribution (QKD) emerges as a cutting-edge mechanism, utilizing quantum states to thwart eavesdropping attempts detectably. Integrating QKD entails specialized infrastructure, such as high-quality fiber optics, and embodies the principle of forward secrecy. By leveraging the peculiar characteristics of photons during transmission, QKD introduces an inherently secure method of key exchange, bolstering defenses against both current and potential future quantum interceptions.

Enhancing Post-Quantum Crypto Agility

Crypto agility is paramount for organizations navigating the transition to post-quantum cryptography (PQC). Forward-thinking entities are recognizing the necessity of adopting NIST’s identified PQC algorithms as part of their cyber-defense arsenal. With an estimated 5 to 10-year window for full implementation, the race is on to redesign infrastructure with quantum-resistant measures. Achieving this elastic state of post-quantum crypto agility will ensure that organizations can seamlessly evolve alongside emerging cryptographic standards, mitigating quantum-related threats.

Leveraging Quantum Technologies for Enhanced Security Measures

The integration of quantum technologies offers a vanguard in security measures. Utilizing quantum random number generators lays the foundation for constructing encryption keys grounded in the incontrovertibility of physical laws, delivering unprecedented guarantees. Innovations such as the Quantum Origin platform are fostering stronger cryptographic resilience. Major tech players—eyeing the transformative trajectory of quantum computing—are already providing quantum capabilities through cloud services, underscoring the urgency for organizations to harness these emerging technologies to fortify their cybersecurity posture against quantum-scale threats.

Summary

  • Quantum Mechanics Leap: Quantum computers leverage quantum mechanics, outperforming traditional computers in certain tasks.
  • Superior Processing: They offer unprecedented computational power, solving complex problems efficiently.
  • Cryptographic Algorithms Crisis: Current cryptographic algorithms may become vulnerable to quantum attacks.
  • Quantify the Quantum Threat: Assessing the quantum threat is essential for future-proof cybersecurity strategies.
  • Post-Quantum Cryptography Need: Development of quantum-resistant encryption methods is crucial.
  • Quantum Bits Revolution: Utilizing quantum bits (qubits) fundamentally changes data processing and security.
  • Crypto Agility is Paramount: Organizations must adapt to crypto agility to respond to quantum threats swiftly.
  • Key Distribution Redefined: Quantum key distribution promises enhanced security in the quantum era.
  • National Security Implications: Government agencies are deeply invested due to implications for national security.
  • Global Race for Quantum Supremacy: Powers vie for control over quantum computing’s immense potential.

| Implication Aspect | Traditional Computing | Quantum Computing |
| --- | --- | --- |
| Computational Speed | Limited processing power | Exponential capabilities |
| Encryption | Currently secure | Potentially vulnerable |
| Security Focus | Crypto stability | Crypto agility |
| National Security | Important concern | Top priority |


In summary, the rise of quantum computing presents both an opportunity and a formidable challenge for cybersecurity, necessitating the development of robust post-quantum cryptography and strategic adaptation across global industries.

 

 

* AI tools were used as a research assistant for this content.

 

 

How to Rotate Your SSH Keys

SSH keys are used to secure access to and authenticate authorized users to remote servers. They are stored locally on the client machine and are encrypted using public-key cryptography. These keys are used to encrypt communications between the client and server and provide secure remote access.

When you log into a remote machine, you must provide a valid private key to decrypt the traffic. As long as the private key remains secret, only you can access the server. However, if someone obtains your private key, they can impersonate you on the network.

SSH key rotation helps prevent this type of unauthorized access. It reduces the risk that someone has access to your private key, and helps prevent malicious users from being able to impersonate you on your network.

Most security policies and best practices call for rotating your key files on a periodic basis, ranging from yearly to quarterly, depending on the sensitivity of the data on the system. Such policies go a long way to ensuring the security of authentication credentials and the authentication process for sensitive machines.

There are two ways to rotate your keys: manually, and automatically.

Manually

To manually perform key rotation, you need to generate a new pair of keys. Each time you do this, you create a new key pair. You then upload the public key file to the server you wish to connect to. Once uploaded, the server uses the public key to verify that you are who you say you are.

Automatically

An alternative approach is to use automatic key rotation. With automatic rotation, you don’t need to generate a new key pair each time you change your password. Instead, you simply update the permissions on your existing key file.

The following steps show how to configure automatic rotation.

1. Generate a new keypair

2. Upload the public key to the remote server

3. Configure the remote server to use the new keypair

4. Update the permissions on the old keypair file

5. Delete the old keypair

6. Logout from the remote server
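Steps 3 to 5 as they would look on the server side, added here as an example that is not part of the original post. It assumes an OpenSSH-style authorized_keys file; the function names and the sample key lines are constructed for illustration and are not real keys.

```python
import os
import tempfile

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed sample public-key lines (the blobs are not real keys).
OLD_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedOldKeyBlob alice@laptop-old"
NEW_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNewKeyBlob alice@laptop-new"
OTHER_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOtherBlob bob@desk"


def key_identity(line):
    """Return (key type, base64 blob), ignoring leading options and the comment."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    # Assumes option values contain no spaces, as in the sample below.
    for i, token in enumerate(tokens[:-1]):
        if token in KEY_TYPES:
            return token, tokens[i + 1]
    return None


def read_lines(path):
    try:
        with open(path) as fh:
            return fh.readlines()
    except FileNotFoundError:
        return []


def write_atomic(path, lines):
    """Replace the file in one step so sshd never reads a half-written list."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.writelines(lines)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def install_key(path, new_pub):
    """Step 3: add the new public key unless it is already present."""
    ident = key_identity(new_pub)
    if ident is None:
        raise ValueError("not a public key line")
    lines = read_lines(path)
    if any(key_identity(line) == ident for line in lines):
        return False
    if lines and not lines[-1].endswith("\n"):
        lines[-1] += "\n"
    lines.append(new_pub.strip() + "\n")
    write_atomic(path, lines)
    return True


def retire_key(path, old_pub, replacement_pub):
    """Steps 4-5: remove the old key, but only once its replacement is installed."""
    old, new = key_identity(old_pub), key_identity(replacement_pub)
    if old is None or new is None or old == new:
        raise ValueError("need two different public key lines")
    lines = read_lines(path)
    idents = [key_identity(line) for line in lines]
    if new not in idents:
        raise RuntimeError("replacement key not installed; refusing to remove old key")
    kept = [line for line, ident in zip(lines, idents) if ident != old]
    removed = len(lines) - len(kept)
    if removed:
        write_atomic(path, kept)
    return removed


def demo():
    """Rotate alice's key in a constructed authorized_keys file."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, "authorized_keys")
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
            fh.write('from="10.0.0.0/8",no-agent-forwarding ' + OLD_PUB + "\n")
            fh.write(OTHER_PUB + "\n")
        added = install_key(path, NEW_PUB)
        removed = retire_key(path, OLD_PUB, NEW_PUB)
        mode = os.stat(path).st_mode & 0o777
        with open(path) as fh:
            return added, removed, mode, fh.read()


if __name__ == "__main__":
    print(demo())
```

Adding the new key before removing the old one leaves a window in which both work, so a failed login with the new key does not lock the account out.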

More Information

On Linux systems, use the “man” command to learn more about the following:

    • ssh-keygen command
    • ssh-public-key command
    • upload-ssh-public-key command

The examples should provide options for command parameters and sample command output for your operating system.

For more information about the SSH protocol, you can review the Wikipedia article here.

 

SSL Certificate High-Level Best Practices

SSL certificates are an essential part of online security. They protect websites against hackers who try to steal information such as credit card numbers and passwords. In addition, they ensure that customers trust the site and its content.

Almost 50% of the top one million websites use HTTPS by default (they redirect inquiries of HTTP pages to URLs with HTTPS). (comodosslstore.com) As such, even pages that don’t deal with confidential data are being deployed using SSL. The underlying certificates to power the encryption are available from a variety of commercial providers, and even the pro-bono resource https://letsencrypt.org. No matter where you get your certificate from, here are a few resources for high-level best practices.

Trust Your Certificate Provider

Since certificates provide the basis for the cryptography for your site, their source is important. You can find a trustworthy list of providers for certificates here: https://www.techradar.com/news/best-ssl-certificate-provider. Beware of commercial providers not found on this list, as some of them may be sketchy at best, or dangerous at worst. Remember, the Let’s Encrypt project above is also highly trusted, even though they are not a commercial firm.

Manage Versions and Algorithms

Make sure you disable SSL and TLS 1.0 on the server. That version has known vulnerabilities. If possible, and there are no impacts on your users, consider removing 1.1 and 1.2 as well. 1.3 fixes a lot of the known issues with the protocol and supports only the known secure algorithms.

In cryptography, cipher suites play an important part in securing connections by enabling encryption at different levels. You shouldn’t be using an old version of a cryptographic protocol if there’s a newer one available; otherwise, you may put your site’s security at risk. Using secure cipher suites that support 128-bit (or more) encryption is crucial for securing sensitive client communications.

Diffie-Hellman key exchange has been shown to be vulnerable when used with weaker keys; however, there is no known attack against stronger keys such as 2048 bits. Make sure you use the strongest settings possible for your server.

Manage and Maintain Certificate Expiration

As of Sept. 1, 2020, Apple’s Safari browser will no longer trust certificates with validity periods longer than 398 days, and other browsers are likely to follow suit. Reducing validity periods reduces the time period in which compromised or bogus certificates can be exploited. As such, any certificates using retired encryption algorithms or protocols will need to be replaced sooner. (searchsecurity.techtarget.com)

Maintain a spreadsheet or database of your certificate expiration dates for each relevant site. Make sure to check it frequently for expiring certificates to avoid user issues and browser error messages. Even better is to use an application or certificate management platform that alerts you in plenty of time to upcoming certificate expirations – thus, you can plan accordingly. Best of all, if possible, embrace tools and frameworks for automating certificate management and rotation – that makes sure that you are less likely to have expiration issues. Most popular web frameworks now have tools and plugins available to perform this for you.
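The expiration check described above, together with the 398-day validity limit, written as an added example that is not part of the original post. The inventory entries, the 30-day warning window and the function names are assumptions; the date strings follow the format Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398  # limit cited in the article
WARN_DAYS = 30           # assumed warning window

# Constructed sample inventory (example.com names are placeholders).
INVENTORY = [
    {"site": "api.example.com",
     "notBefore": "May  1 00:00:00 2025 GMT", "notAfter": "Apr 30 00:00:00 2026 GMT"},
    {"site": "legacy.example.com",
     "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Jan 14 00:00:00 2026 GMT"},
    {"site": "shop.example.com",
     "notBefore": "Jun 10 00:00:00 2024 GMT", "notAfter": "Jun 10 00:00:00 2025 GMT"},
    {"site": "www.example.com",
     "notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "May 30 00:00:00 2025 GMT"},
]


def parse_cert_time(value):
    """Convert a certificate timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def review(cert, now):
    """Return the days remaining and any findings for one certificate."""
    start = parse_cert_time(cert["notBefore"])
    end = parse_cert_time(cert["notAfter"])
    days_left = (end - now).days
    findings = []
    if now < start:
        findings.append("not-yet-valid")
    if days_left < 0:
        findings.append("expired")
    elif days_left <= WARN_DAYS:
        findings.append("renew-soon")
    if (end - start).days > MAX_VALIDITY_DAYS:
        findings.append(f"validity-over-{MAX_VALIDITY_DAYS}-days")
    return {"site": cert["site"], "days_left": days_left, "findings": findings}


def report(inventory, now):
    """Review every certificate, most urgent first."""
    return sorted((review(cert, now) for cert in inventory),
                  key=lambda row: row["days_left"])


if __name__ == "__main__":
    for row in report(INVENTORY, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f'{row["site"]:<20} {row["days_left"]:>5}d  {", ".join(row["findings"]) or "ok"}')
```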

Protect Your Certificates and Private Keys

Remember that your certificate is not only a basis for cryptography, but is also a source of identification and reputation. As such, you need to make sure that all certificates are stored properly, securely and in trusted locations. Make sure that web users can’t access the private certificate files, and that you have adequate back up and restore processes in place.

Make sure that you also protect the private keys used in certificate generation. Generate them offline, if possible, protect them with strong passwords and store them in a secure location. Generate a new private key for each certificate and each renewal cycle.

Revoke your certificate or keys as quickly as possible if you believe they have been compromised.

Following these best practices will go a long way to making your SSL certificate processes safer and more effective. Doing so protects your users, your reputation and your web sites. Make sure you check back with your certificate provider often, and follow any additional practices they suggest.

 

 

 

 

Interesting Talk on Post Quantum Computing Impacts on Crypto

If you want to really get some great understanding of how the future of crypto is impacted by quantum computing, there is a fantastic talk embedded in this link
 
The talk really turns the high level math and theory of most of these discussions into knowledge you can parse and use. Take an hour and listen to it. I think you will find it most rewarding.
 
If you want to talk about your thoughts on the matter, hit us up on Twitter. (@microsolved)

Beware of Drive Erasure Problems on SSD Drives

There is a lot of interesting research going on right now with the processes and tools that may be useful in erasing the new solid state drives that many laptops and other systems are using. The traditional methods of magnetic cleansing (degaussing), and even file over-write tools that have been in use now for decades in many organizations, have little to no effect on removing sensitive data on these solid state drives.

Here is a nice article explaining some of the problems.

As described in the article, it seems that many of our current data management and cleansing techniques simply do not apply to these solid state memory-based devices. This makes drive encryption all the more urgent, as these systems are beginning to pop up in many organizations that are starting their hardware refresh processes after delaying them due to economic conditions.

If you are an information security team, or an IT team considering such purchases, please make appropriate cryptography a part of your solution. Many solutions exist by a variety of vendors today with pricing ranging from near zero to the cost of full-scale commercial enterprise implementations in the hundreds of thousands of dollars. Complexity also ranges from trivial and built into the operating system to quite high, depending on centralized management and remote assistance capabilities.

No matter how you choose to address the problem, the key factor is that you are aware that SSD systems are a different animal with unique challenges versus traditional hard disks. Knowing that will at least put you on the right path toward investigating a solution and updating your processes.

All Your Data Are Belong To Us!

My last post discussed some tactics for realizing what’s happening under the hood of our browsers when we’re surfing the web, and hopefully generated some thoughts for novice and intermediate users who want to browse the Internet safely. This week, we’re going to look a step beyond that and focus on steps to protect our passwords and data from unwanted visitors.

Passwords are the bane of every system administrator’s existence. Policies are created to secure organizations, but when enforced they cause people to have trouble coming up with (and keeping track of) the multitude of passwords necessary. As a result, people commonly use the same passwords in multiple places. This makes it easier on us as users because we can remember puppy123 a lot easier than we can those passwords that attackers can’t or don’t guess. Doing so also makes it easier for attackers to find a foothold, and what’s worse is that if they are able to brute force your Yahoo! email account, then they now have the password to your online banking, PayPal, or insurance company login as well.

Hopefully some of you are thinking to yourselves “Is this guy telling me I shouldn’t be using the same password for everything?” If you are, you get a gold star and you’re halfway toward a solution. For those of you who are not, either you have mastered the password problem or still don’t care, in which case I’ll see you when our Incident Response Team is called to clean up the mess.

To solve this problem, find your favorite password manager (Google will help with this), or use what our team uses: KeePass. This is a fast, light, secure password manager that allows users to sort and store all their passwords under one master password. This enables you to use puppies123 to access your other passwords, which can be copied and pasted so you have no need to memorize those long, complex passwords. KeePass also includes a password generator. This tool lets users decide how long and what characters will make up their passwords. So you’re able to tailor passwords to meet any policy needs (whitespace, special characters, caps, etc.) and not have to think about creating something different than the last password created; the tool handles this for you.

In addition to password composition, this tool lets you decide when and if the password should expire so you can force yourself to change it on a regular basis. This is an invaluable feature that helps minimize damage if and when a breach DOES occur. Once passwords are created, they are saved into a database file that is encrypted, so if your computer is lost, stolen, or breached in some other manner, the attacker will have a harder time getting to your protected password data. There are many of these solutions available for varying price ranges, but I highly recommend KeePass as a free solution that has worked really well for me for quite some time. It’s amazing how nice it is to not have to remember passwords any longer!
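To make the generator idea concrete, here is an added example (not from the original post and not KeePass's own code) of a policy-driven generator built on Python's `secrets` module, plus a check for the password reuse described earlier. The class table, function names, and sample vault are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes a policy can require (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
    "space": " ",
}

def generate_password(length=20, required=("lower", "upper", "digit", "special")):
    """Return a random password with at least one character from each required class."""
    if length < len(required):
        raise ValueError("length is too short to satisfy every required class")
    alphabet = "".join(CLASSES[name] for name in required)
    # Rejection sampling: draw uniformly from the whole alphabet and retry until
    # every class is present, so no position is biased toward a given class.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[name] for ch in candidate) for name in required):
            return candidate

def entropy_bits(length, required):
    """Upper bound on the entropy of a uniformly random password over the classes."""
    alphabet_size = sum(len(CLASSES[name]) for name in required)
    return length * math.log2(alphabet_size)

def reused_entries(vault):
    """Map each password used by more than one site to the sites that share it."""
    seen = {}
    for site, password in vault.items():
        seen.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}

if __name__ == "__main__":
    # Constructed sample vault showing the reuse problem described in the post.
    vault = {"mail": "puppy123", "bank": "puppy123", "insurance": generate_password()}
    print("reused:", reused_entries(vault))
    print("8 chars, lower+digit:", round(entropy_bits(8, ("lower", "digit"))), "bits")
    print("20 chars, four classes:",
          round(entropy_bits(20, ("lower", "upper", "digit", "special"))), "bits")
```

The entropy figure applies only to randomly generated passwords; a human-chosen string such as puppy123 is far weaker than its length and character set suggest.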

Okay, so our passwords are now safe, what about the rest of our files? Local hard drive storage is a great convenience that allows us to save files to our hard drive at will. The downside to this is that upon breaking into our PC an attacker has access to any file within their permission scope, which means a root user can access ALL files on a compromised file system! While full disk encryption is still gaining popularity, “On the fly encryption” products are making their mark by offering strong and flexible encryption tools that create encrypted containers for data that can be accessed when given the appropriate password.

I have used the tool TrueCrypt for years and it has proven to be invaluable in this arena! TrueCrypt allows users to create containers of any size, each of which becomes an encrypted drive that can be accessed once unlocked. After being locked, it is highly unlikely that an attacker will successfully break the encryption to decipher the data, so if you’re using a strong password, your data is as “safe” as it can be. This tool is one of the best out there in that it offers on the fly and total disk encryption, as well as allowing for encryption of individual disk partitions including the partition where Windows is installed (along with pre-boot authentication), and even allows these containers to be hidden at will.

Wow, we’ve gone through a lot together! You’re managing passwords, protecting stored data, learning what’s going on when you’re browsing the web, and becoming a human intrusion detection/prevention system by recognizing anomalies that occur in regular online activities! Visit next time as I explore updates with you to round out this series on basic user guidelines.