How to Do Passwords Right: Password Management Best Practices


Learn what your business is doing wrong with passwords. 

By: George Mateaki
With the recent release of PCI DSS 3.2, one of the changes is the requirement that businesses must use multi-factor authentication both inside and outside the network. Multi-factor authentication includes at least two of the following:
  • Something you know (password, code, etc.)
  • Something you have (code sent to your phone)
  • Something you are (fingerprint scan, etc.) 
Part of the authentication process includes passwords, but unfortunately passwords can bring their own set of problems.

The problem with passwords

The biggest problem with passwords is they can be broken fairly easily through brute-force and dictionary attacks.  Programs like John the Ripper and L0phtCrack are used to crack even complex passwords.

Human nature also makes passwords insecure. Employees tend to choose passwords they can remember easily, often making it easy for a data thief to crack through social engineering. Many employees also tend to write down passwords or even share them with others for more convenience.

Finally, there’s the matter of storage and transmission. Many applications store or transmit passwords in plaintext, making them easy for hackers to find and use.

Unfortunately, many businesses don’t realize just how easily cyber thieves can crack a password, especially if it’s a common one. As a result, they have poor practices when it comes to password security.
Here are some things businesses are doing wrong with passwords.
  • Default configuration: businesses will often keep the default passwords that were established when their routers/POS systems were set up. Most default passwords have been published on the internet, so that makes it fairly easy for hackers to break into your devices.   
  • Sharing credentials: sometimes employees will share accounts and credentials to save time. However, this makes it easy for social engineers to quickly gain access to sensitive data. 
  • Not updating passwords regularly: for many hackers, it’s only a matter of time before they crack a password, so businesses that have had the same passwords for their accounts since the day the company started are vulnerable. 
  • Choosing words like “password” or “admin”: these passwords are very common and are likely the first words hackers guess when trying to break into your remote access.  
SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

Do we even need passwords anymore? 

It’s true that passwords alone will not secure your data very well, but it’s the baseline. The fact that many businesses aren’t even using basic password security shows how vulnerable their data may be.

Eventually passwords may not be needed anymore as technology develops, but currently your devices and applications will still need unique, strong passwords.

Password best practices 

So how do you make sure your passwords are secure? Here are some basic practices.

Assign employees unique credentials/change default passwords
Make sure your employees aren’t sharing the same usernames or passwords. This will prevent social engineers from getting access to sensitive data simply by targeting one employee. Many companies will create a numeric user name that has absolutely no association with the actual name of the user. Renaming the administrator account to “admin” may meet the letter of the law but misses the intent: the administrator user name should be changed to something that does not indicate an administrator. This goes for any elevated access account used as the master/root account, where the technology allows for it.

You’ll also want to change all the default passwords on devices, otherwise you’re opening up your network to hackers.
Make passwords long and complex
The longer your password, the better. Just like larger encryption keys are harder to break, longer passwords are more difficult to crack. The PCI DSS recommends businesses have passwords of at least eight characters, though I recommend at least 10-15 characters.

You’ll also want to make them complex, using a mixture of numbers, symbols and letters. This seems like a no-brainer, but you’d be surprised how many people don’t follow this rule.

Reset passwords often
Train your employees to reset passwords at regular intervals. For example, you could have them change passwords every 30, 60, or 90 days. Switching passwords often limits the exposure to brute-force attacks: the less time hackers have to work on your password, the less likely they’ll crack it before you change it. The best approach is to enforce the change technically, per your current policy, rather than relying on users to remember.

Have limited login attempts
Set a limit on how many times your employees can try to log into a system. After that number of unsuccessful logons, lock the account. This helps prevent brute-force attacks and social engineers trying to guess passwords.

SEE ALSO: 3 Data Security Best Practices

How to create a strong password

Nowadays, using your favorite sport as a password doesn’t cut it anymore. Here’s a list of the top ten most popular passwords for 2015:
  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
Some additional passwords in the top 25 include “dragon,” “welcome,” and “starwars.” None of these passwords is secure: each is too easy to guess, either because it is so common or because it follows a keyboard pattern. Hackers know these lists well and often use them as a first step to cracking your password. If any of your passwords are on this list, you’ll want to change them as soon as possible.

Your best practice is to use a passphrase that’s unique to you. Take a phrase such as “I wear my sunglasses at night” and use the first letter of each word. Combine it with a number, such as a date, and you have a stronger password. Example: “I wear my sunglasses at night” becomes Iwmsg@n1980!

You likely know these, but a few other basic guidelines for passwords include:
  • Use a mixture of upper and lower-case letters
  • Don’t include name or other personal information
  • Replace some letters with numbers
  • Use nonsense phrases, misspellings, or substitutions
  • Do not use repeating patterns between password changes
  • Do not use the same passwords for work and personal accounts
You can’t really afford to have weak passwords. Ultimately a password isn’t going to completely secure your data. What you really need is to use a combination of multi-factor authentication, encryption, and other protocols to make sure your data is secure. But having a strong password is a good start.
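The rules above (minimum length, a mix of character classes, no personal information, no keyboard or repeating patterns, nothing from the common-password list) and the lockout advice from “Have limited login attempts” can all be enforced in software rather than left to training. The following Python is an added example, not code from SecurityMetrics or from the post; the common-password set is built from the list printed above, the 10-character floor is the author’s recommendation, and the five-attempt lockout threshold is an assumption, since the post leaves that number to you.

```python
"""Password policy checks and a per-account lockout counter, added as an example."""
import re
from dataclasses import dataclass, field

# Constructed from the post's top-ten list for 2015 plus the three top-25 words it names.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "dragon", "welcome", "starwars",
}

MIN_LENGTH = 10      # the author's recommended floor (the post cites eight as the PCI DSS figure)
MAX_ATTEMPTS = 5     # assumed lockout threshold; the post leaves the exact number to you


def password_problems(password: str, personal_info: tuple = ()) -> list:
    """Return the policy rules a candidate password violates; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    for item in personal_info:            # e.g. the user's name, as the post advises against
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    # Keyboard walks and runs of one repeated character are the patterns the post warns about.
    if re.search(r"(.)\1{2,}", password) or any(walk in lowered for walk in ("qwerty", "12345", "abcde")):
        problems.append("contains a keyboard or repeating pattern")
    return problems


@dataclass
class LockoutTracker:
    """Counts failed logons per account and locks the account once the threshold is reached."""
    max_attempts: int = MAX_ATTEMPTS
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt and return True if the account is (now) locked."""
        if username in self.locked:
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_attempts:
            self.locked.add(username)
        return username in self.locked

    def record_success(self, username: str) -> bool:
        """Clear the counter on a good logon; a locked account stays locked until it is reset."""
        if username in self.locked:
            return False
        self.failures.pop(username, None)
        return True

    def unlock(self, username: str) -> None:
        """Administrative reset after the lockout has been reviewed."""
        self.locked.discard(username)
        self.failures.pop(username, None)


if __name__ == "__main__":
    for candidate in ("password", "Iwmsg@n1980!"):
        print(candidate, "->", password_problems(candidate) or "OK")
    tracker = LockoutTracker(max_attempts=3)
    for attempt in range(3):
        print("failed attempt", attempt + 1, "locked:", tracker.record_failure("alice"))
```

The checker reports every violated rule rather than stopping at the first, which is what you want when giving a user feedback at password-change time; the lockout tracker deliberately refuses to clear a locked account on a later correct guess, so that someone who guesses right on the sixth try still has to go through a reset.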

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

SecurityMetrics Guide to PCI DSS Compliance
What do Forensic Investigations Do and How Much Do They Cost?

Learn what a forensic investigation accomplishes and how much it might cost.

By: David Ellis
So you’ve been hacked. Now what? Well, most banks require breached companies have a cyber-forensic investigation completed. But what does that investigation entail, and how much will it cost your business?  Here are answers to some questions you may have.

SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe

Why is a forensic investigation helpful?

First of all, PCI forensic investigators (PFIs) provide an independent set of investigative eyes. PFIs are specially trained to look for and find evidence of a data breach and the security vulnerabilities that enabled it. Even when companies believe that they’ve discovered the source of the compromise, PFIs routinely find evidence that was missed and the security weaknesses that will (when corrected) prevent the hackers from succeeding the next time. The PFI helps them to see what went wrong, which vulnerabilities were exploited in the breach, and what they need to do to harden their systems so that it won’t happen again.

One important facet of a forensic investigation is to provide some incident response assistance. The investigators help close the window of opportunity of the breach, which may even take place before the real forensic investigation begins. In this step the investigator tries to find where you’re vulnerable, or how the attacker got into your system, and how to prevent future (successful) hacks. As mentioned, this may be obvious to the investigator at the outset of the investigation, or the vulnerabilities may be revealed a little later while examining the forensic evidence. If an investigation only focuses on reporting what happened in the past, your company could fail to recognize important system security remediation items and be left open to more data breaches.
Here are some benefits to having a forensic investigation.
  • Find the hack quickly and prevent further damage
  • Itemize security issues your company needs to resolve (and how to resolve them)
  • Reduce the window of vulnerability
  • Help preempt damage to your brand

How does a forensic investigation work?

While an investigation is happening, there’s usually a lot of communication between the investigator and your IT manager so that you don’t need to wait for the final report to get the information you need to eradicate the problem(s) and harden your systems. Here are the typical actions a PFI would take.

Preliminary research
Forensic investigations begin with some research on the company. The PFI needs to “scope” out the merchant’s environment. This means finding out where their critical data resides, the systems that connect to it, and how the data flows in and out of the network.

Onsite data gathering
The forensics team then goes onsite and gathers data from identified devices (or in select cases may be able to acquire the data remotely). They may get the data from every single device, or, in the case of larger, disparate environments, from a representative sample of in-scope devices.

Analysis
The investigation team brings the data back to their headquarters and analyzes it thoroughly to confirm whether a data breach actually occurred, to determine what data the attacker was able to steal, and to discover which vulnerabilities were exploited in the breach. This is the longest part of the investigation and could take from several days to several weeks to pinpoint the attack.

Reports
About a week after the initial data acquisition, the investigator will issue a short preliminary report that shows whether or not they’ve discovered any indicators of compromise or other overt evidence of a data compromise.  After the forensic data has been fully analyzed, the investigator will submit a complete final report that includes how the attack happened, which vulnerabilities were exploited, and what data was at risk.

The report will also note steps the merchant has taken to prevent such an event from reoccurring—this is where it’s important to select an investigator that will take the time to assist the merchant in understanding how to remedy the problems.

How much does a forensic investigation cost?

Forensic investigations can be costly. However, remember that the investigation involves one or more PFIs examining a mountain of data. The cost will depend on the size of your organization; the larger your organization, the more data you likely have that will need to be examined.

Costs can range between $10K to more than $100K.  Here’s a listing of merchant size and typical pricing:
  • Level 4 merchant: $10-30K
  • Level 2-3 merchant: $30-50K
  • Level 1 merchant: over $100K
(Keep in mind these estimates are based on simple averages.  Depending on a variety of elements, such as system size, complexity, number of locations, etc., many merchants could see estimates exceeding those stated above.)

But a forensic investigation is only a portion of the costs you will probably incur in a data breach. Other costs may include:
  • Merchant processor compromise fines: $5,000 – $50,000
  • Card brand compromise fees: $5,000 – $5,000,000+
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10 – $30 per card
  • Card re-issuance penalties: $3 – $10 per card (this could be included in card brand compromise fees)
  • Security updates: $15,000+
  • Lawyer fees: $5,000+
  • Breach notification costs: $1,000+
  • Technology repairs: $5,000+
  • Loss of consumer confidence: often businesses lose 40% of customers after a breach
Remember, PFIs are there to help you. They can determine vulnerable points in your business and the point of attack much faster than if your company were to try to do it alone.  Getting breached is an unpleasant experience, but the forensic investigation will help you get back on your feet as quickly as possible.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

3 Tips to Light a PCI Fire Under Your Merchants

Learn these psychological keys to merchant motivation. 

By: David Meyers
Most merchants and their acquirers are as excited about Payment Card Industry Data Security Standard compliance as they are about getting their car registered at the DMV. Nobody enjoys sitting for (what seems like) hours at the DMV, but the task is necessary to be a responsible vehicle owner. While most small business owners have heard of or even attempted PCI DSS compliance, they may not recognize its importance or the security risks that come from noncompliance. In short, they have no motivation to comply.

But things have changed.

Between the release of PCI DSS 3.2 and Visa expanding its PCI DSS validation program to include level 4 merchants, you can’t afford for your merchants to be non-compliant anymore.

Two deadlines have been set by Visa to motivate acquirers to get merchants compliant:
  • January 31, 2017: acquirers must ensure their Level 4 merchants validate full PCI DSS compliance annually.
  • January 31, 2017: acquirers must ensure all existing L4 merchants use PCI certified QIR professionals.
It is now every acquirer’s responsibility to get every last merchant PCI DSS compliant, no matter how small.

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

Why do merchants lack PCI DSS motivation?

Before we look into how to get your merchants on the PCI compliance fast track, let’s question why they lack motivation. Merchants have plenty of reasons not to be PCI DSS compliant, but these appear to be their main excuses:
  • It’s a change from what they’re used to: People don’t hate change. They hate the chaos that comes with it. Moving from the way things are to an uncertain future means pain, new technology, uncertainty, fear, additional work, and changing responsibilities. 
  • It costs money: For L4 merchants, new security technology could end in massive expenditure. Why would they spend more money for something (they mistakenly believe) will make virtually no difference?
  • They don’t have time: Maintaining data security takes time away from actually selling and interacting with customers. Merchants are busy and push PCI DSS off for “more important tasks.”
  • They don’t understand PCI requirements: The PCI DSS is extremely technical, especially for merchants with no previous technical education. If a merchant doesn’t understand it, they won’t do it.

Three successful ways to motivate merchants 

As you dive deeper into why merchants don’t comply, take a step back and realize your merchants are, well, human. Psychology identifies a handful of basic emotions that motivate humans.

Take a look at the three emotions I’ve chosen that apply to the merchant PCI DSS motivation situation, and how you can use them to get merchants excited about PCI DSS.

Safety/pain avoidance
A feeling of true safety only happens if you feel free from emotional or physical harm. Merchants feel safe if they know their business will turn a profit year after year.

Think about PCI DSS from a merchant’s perspective. If a merchant has had an account with you for 16 years, and all of a sudden you force them into PCI compliance, that doesn’t exactly create a feeling of safety.
Solid merchant communication is key to understanding security motivation.
Lack of communication promotes uncertainty, which breeds fear. Take the time to educate merchants on just how devastating security breaches are and why L4 merchants are targeted by criminals. Share the security benefits of PCI DSS compliance.

Marketing PCI as a security blanket instead of a must-do will help merchants feel like the standard is protecting their business and profits. If you can explain how you’ll minimize the chaos and dial down the intensity of the change from non-compliant to compliant, you’ll have greater success convincing merchants to care about the PCI DSS.

For greatest success, over-communicate. Clarify new roles and responsibilities, show them what they are accountable for, and explain any new policies. Send emails, use social media, upload new security information on your website, and host monthly security webinars. Introduce educational PCI videos into new merchant onboarding processes to set the stage for your expectations.

Incentives/rewards
Some human behavior is motivated by a desire for reinforcement or incentives. Understand that not all incentives are created equal. Whether the carrot is a prize, money, or recognition, this approach will take a bit of testing to see what your merchants respond to.

Instead of imposing more and more fines (fear approach), introduce positive reinforcement, maybe by reducing annual compliance fees as a reward for compliant merchants. Each portfolio is different; but with careful thinking about merchant motivation, you may find innovative ways to motivate your merchants.

Some acquirers successfully layer benefits in with a merchant’s overall PCI compliance strategy. For example, you could promise eligibility for protection from fines and fees with a card data breach protection program once a merchant is compliant. Breach protection programs can cover all merchant costs relating to a card data compromise up to a financial limit. This also helps create goodwill and appeals to the safety/pain avoidance motivation.

Fear of failure/consequences
Nothing makes humans more uncomfortable than fear. We hate missing opportunities, being punished, or not being accepted. I recommend using fear as a last resort when encouraging merchant compliance.

Sometimes just the threat of a noncompliance fee will jumpstart portfolio compliance, but you’ll always encounter merchants who won’t care, or who remain ignorant. The good news is all merchants have breaking points. You might consider implementing a regular schedule that increases noncompliance fees on some interval for stubborn merchants. Eventually, they’ll do what is necessary to stop receiving those fines.

Understand that the fear methodology may result in more attrition than other methods, but it’s definitely effective for getting merchants PCI compliant. It will also reduce the risk of card data breaches in your portfolio.

Getting your merchants compliant

No two portfolios are the same, which means you should micro-test these theories and suggestions to see what motivates your particular portfolio. No matter which method you choose to motivate your merchants, don’t forget the power of education. If merchants simply understood the power of true data security and the reasons behind the PCI DSS, they might feel differently about spending time implementing it.

It’s time to take an active role in your L4 merchant compliance, especially now that their compliance directly affects your relationship with Visa. I am hopeful these changes will finally help small merchants, who otherwise may be unknowingly compromised and suffering life-changing consequences, get on track with data security.

Need help in getting your merchants compliant? Talk to us! 

David Meyers is the Senior Director of Business Development at SecurityMetrics, with a 15-year background in finance and business planning. He is responsible for business strategy, international expansion, and maintaining SecurityMetrics’ strategic alliances. David graduated from Brigham Young University’s Marriott School of Management with a BA in Business Management, and has a passion for sharing his expertise to encourage other professionals to maximize their business security success.

Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall


Learn why your firewall may make you vulnerable and how SecurityMetrics Managed Firewall can help.

By: Trent Gunderson
Did you know that, of the breaches our Forensic Department investigated last year, only 24% of the businesses had properly configured their firewalls?

Unfortunately, not configuring your firewall can make you vulnerable to data attacks and potential breaches.

Why can’t I just plug in my firewall and forget about it? 

The PCI DSS requires that all firewalls should be configured properly to fit their business environment.
If your firewall isn’t set up, configured properly, and maintained, you’re not PCI compliant.
Having a firewall running won’t do you any good if you don’t have any rules established for what the firewall should be filtering. You need to set up your firewall so it’s restricting network traffic to only those authorized to access it.

If a firewall isn't properly configured, you might as well not have one. In a recent data breach investigation, the organization had a fairly sophisticated security and IT system. However, two incorrectly written firewall rules (amongst 300 pages of firewall rules, with about 100 rules on every page) essentially negated the whole firewall, leaving the entire network exposed. It was through this vulnerability that the attacker accessed their network.
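The anecdote above, two bad rules negating a 30,000-rule firewall, comes down to first-match ordering: a permissive rule high in the list decides the packet before any deny below it is consulted. The following Python is an added example, not SecurityMetrics code and not any real firewall’s rule syntax. It defines a simplified, constructed rule format, a first-match evaluator, and a small linter that flags an any/any allow and every rule it shadows; the sample ruleset, addresses and ports are assumptions for illustration.

```python
"""First-match firewall ruleset evaluator and linter, added as an example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"   # CIDR that matches every IPv4 address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation; ANY matches every address
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches every port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """True if this rule applies to the given packet."""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

    def is_wide_open(self) -> bool:
        """An allow rule with no source, protocol or port restriction at all."""
        return (self.action == "allow" and self.src == ANY
                and self.proto == "any" and self.dport is None)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation: the first applicable rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def lint(rules: List[Rule]) -> List[str]:
    """Report over-broad allows and rules that an earlier rule makes unreachable."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.is_wide_open():
            findings.append(f"rule {i}: allows any source to any port over any protocol")
        for j in range(i):
            if rules[j].covers(rule):
                findings.append(f"rule {i} ({rule.action}) is never reached: "
                                f"shadowed by rule {j} ({rules[j].action})")
                break
    return findings


# Constructed sample ruleset in the spirit of the post's anecdote: one "temporary" any/any allow
# placed above the deny rules quietly disables everything below it.
RULES = [
    Rule("allow", "10.0.0.0/8", "10.0.5.10/32", "tcp", 443),   # internal clients to the web tier
    Rule("allow", ANY, ANY, "any", None),                      # the mistake
    Rule("deny", ANY, "10.0.5.0/24", "tcp", 3389),             # intended: no RDP into the server subnet
    Rule("deny", ANY, ANY, "any", None),                       # intended: explicit default deny
]

if __name__ == "__main__":
    for finding in lint(RULES):
        print(finding)
    print("RDP from the internet:", evaluate(RULES, "203.0.113.7", "10.0.5.20", "tcp", 3389))
```

Running the linter over a ruleset export before every change is the kind of check that would have caught the anecdote’s mistake in seconds; a shadowed deny is always a bug, because someone wrote it expecting it to do something.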

Your firewall is your first line of defense, so you should dedicate some time to make sure it’s set up correctly and functioning properly.

SEE ALSO: How to Configure a Firewall in 5 Steps

Why aren’t businesses configuring firewalls properly?

Many businesses don’t realize that firewalls aren’t a quick plug-and-play solution. They don’t realize it takes more work to configure the firewall to fit their business’s unique environment.
Another problem is businesses run into the technical difficulty of configuring firewalls. There are many firewall rules to write, configure, and maintain. Just like the example above, one mistake could completely negate the effect of your firewall.

To ensure your firewall does what it’s supposed to, I recommend seeking the help of a third-party expert. This will prevent common mistakes and ensure everything is set up correctly.

SEE ALSO: Firewalls 101: 5 Things You Should Know

Let us help you!

SecurityMetrics Managed Firewall Service takes the complexity away from firewall management.

Here are some ways Managed Firewall can help your business get compliant and stay secure.
  • 24/7 firewall status surveillance and notifications: your firewall is being monitored all the time, and you’ll be notified if it suddenly stops working. 
  • Notification if suspicious activity is discovered: should we discover traffic patterns that indicate malware, we will quickly notify you of the problem.
  • Internal vulnerability scanning: The firewall scans your internal network to make sure everything is secure.
  • Log monitoring and alerting: Managed Firewall looks over your firewall logs and alerts you if something is suspicious.
  • Unlimited rogue wireless detection: Managed Firewall allows you to find any rogue wireless access points to help you protect your network.
  • Firewall backup and recovery: should the firewall go down, we offer backup and recovery options to keep your business going.
Remember, installing your firewall is only half the battle. Making sure your firewall is properly configured and maintained is the other half.

Need a firewall for your business network? Learn more about SecurityMetrics Managed Firewall service!

Trent Gundersen is the Senior Manager of Software Development and has been with SecurityMetrics for over 2 years. He graduated with a BS in Computer Science from Utah State University, and has nine years of experience in software development.

HIPAA Audits Phase 2: What You Need to Know


Learn what’s involved in the Phase 2 HIPAA Audit Program and how you can prepare. 


It’s that time again! The HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. With these audits often come many questions from covered entities.
Here are a few commonly asked questions about the Phase 2 HIPAA Audit Program.

Is my organization in trouble? 

No, this audit is not the result of a whistleblower, or a possible HIPAA violation. It’s mainly for OCR to assess and gain an understanding of how healthcare providers are doing in HIPAA compliance, and if any changes need to be made.

Who’s being audited?

All covered entities and their business associates are eligible. This may include health service providers, health care clearinghouses, health plans, and many business associates of these entities.

When is this happening? 

If you’re being audited, you should have received your notification letters on Monday, July 11, 2016. Business associate audits will start in the fall.

How does the audit work?

OCR will do desk and onsite audits. These audits will look at compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. All desk audits will be done by the end of December 2016.

For the desk audit, selected entities will be sent an email, asking for documents and other data. Once you’ve submitted your information, be prepared for an onsite audit.

The onsite audits will involve someone going to your organization and examining how your organization is complying with HIPAA. These audits will examine a broader scope of requirements from the HIPAA Rules and will be more comprehensive.

Auditees will then receive audit reports, to which they can respond on any findings that were discovered in the audits. They will then receive a final report, which will describe how the audit was conducted, discuss any findings from the audit, and contain the entity’s responses to the findings. This report should be provided 30 days after the auditee’s response.

What happens after an audit?

OCR will review and analyze information from the audit reports. This will help OCR to better understand compliance efforts within specific elements of the HIPAA Rules.

If an audit report shows a serious compliance issue, OCR may start a compliance review to investigate. OCR won’t post a list of audited entities or the results from an audit that identifies an entity, so your privacy is safe.

Do I have to pay for the onsite audit? 

No, the Department of Health and Human Services is responsible for paying the on-site auditors. Neither the entities, nor their business associates, will have to cover the costs of the audit program.

Getting ready for an audit 

Your HIPAA audit will go much smoother if you are properly prepared. Here are a couple of things to do to get ready.
  • Have documentation ready: make sure all your policies and procedures are documented and easy to access. This will save you and the auditor time. 
  • Conduct an internal audit: if you have time, conducting an internal audit is a good idea to find and resolve any problems before your onsite audit. This process begins with a HIPAA Risk Analysis.  
SEE ALSO: How to Prepare for a HIPAA Audit

If your organization has been selected, don’t worry. Make sure your organization and workforce members are properly prepared and willing to cooperate. By doing this, you’ll be helping OCR to make sure all organizations are properly protecting their patients’ data and privacy.

Need help getting HIPAA compliant? Let’s see what you need to do.
