Ransomware has taken the world by storm this year, costing millions for businesses around the world. In the last 12 months alone, the number of ransomware variants spotted in the wild has more than doubled. As its prevalence has increased, so has the complexity of the attacks, and new ways to defend against them have been developed. Microsoft have been known to take the ransomware threat very seriously, even releasing a security patch for the long obsolete Windows XP operating system in the wake of the infamous WannaCry attack back in May. With the realease of the Windows 10 Creators Update (build 1703), now there are even more features built right in to the OS that can prevent and protect against ransomware. In fact, it’s so secure that Microsoft claim no Windows 10 devices were affected by WannaCry.
NIST is the US National Institute of Standards and Technology, and back in 2003, a password primer was written by one of its managers that put forward recommendations, many of which became the rules we have now. Special characters, mixture of upper and lower case letters, regular password changes – these have all been adopted into ‘best practice’ for password security since NIST made these recommendations. Now, however, these complexity guidelines and regular password changes have been repeatedly proven by experts to actually be less secure for companies, due to the work-arounds humans put in place to make remembering password easier. NIST thankfully have released their mistake and have provided updated best practice standards for password security. Why the sudden change of heart, you may ask? Well, over a billion passwords a year are breached by cyber criminals, and the data obtained shows that when presented with a long list of password criteria, people tend to try something basic first and then just tweak it until it fits. For example, ‘password’ becomes ‘Password1’, which may be more mathematically secure, but can be easily guessed instead.
Previously established guidelines are mostly being discarded, in favour of rules that simplify passwords for the user
No one looks forward to those mandatory password changes every few months, as it can be incredibly frustrating to constantly think of new passwords with the right mixture of capital letters, special characters and numbers. In fact, many people try to simplify the process by using a variation of their previous password – ‘Password1’ becomes ‘Password2’, and so on. In fact, the entire basis for issuing new guidelines stems from one simple fact; people can’t remember all the passwords that they have been forced to create, ultimately causing them to create less secure passwords than if they didn’t have to adhere to the guidelines in the first place. So with all that in mind, here’s a breakdown of the new best practices and why they’re easier and more secure:
A brute-force attack consists of an attack trying many passwords with the hope of eventually guessing correctly. The attack systematically checks all passwords until the correct one is found, carried out by some form of machine or program. The resources required to carry out a brute-force attack increase exponentially with the length of the password. Short passwords can often be brute-forced in a manner of minutes or hours. Longer, more secure passwords can be made prohibitively difficult to crack, as even a password with only lowercase letters but 15 containing 15 characters would take an estimated 1000 years to crack.
Two Factor Authentication, 2-Factor Authentication or 2FA is a method of accessing a computer or online account in which the user is granted access only after successfully providing two separate pieces of evidence to an authentication mechanism. This is usually done in the form of a factor that requires memorisation combined with a factor that typically requires physical possession by the user.
One of the most common examples of 2-Factor Authentication is withdrawing money from an ATM, as only the correct combination of a bank card (something you physically possess) and PIN (something only you know) will allow access to the account. Another common example is adding mobile authentication to an online account. For example, you set up 2FA on sites like Facebook that require you to sign in with your password in addition to a PIN that is sent to your mobile phone.
Combining multiple factors, especially those that require physical possession of something by the user, makes it much more difficult for hackers to gain access to an account.
GDPR, the EU’s new set of data protection laws, is coming in May of 2018. It is a complete overhaul of how user data is processed by companies and will supersede Irish law, consolidating Europe’s various national laws into one comprehensive regulation. GDPR is all about accountability, and as such, places equal responsibility on both businesses who hold EU data and any third-party providers that may process/hold data on their behalf. In practical terms, that means that if you outsource any aspect of your business, such as payroll to an external HR company, then both parties must be GDPR-compliant, even if the out-sourced company is not based in or even near the EU. So what does this mean for companies who outsource data processing or host data in the cloud outside the EU? Well, it means Microsoft’s suite of cloud services such as Office 365, SharePoint and Azure are now looking a lot more appealing – as Microsoft are offering contractual commitments to their clients to comply with the GDPR in time for the May 2018 deadline.
Microsoft Cloud has promised to be GDPR-compliant as deadline looms
According to Rich Sauer, Microsoft’s Corporate Vice President, “Trust is central to Microsoft’s mission to empower every person and every organisation on the planet to achieve more. So that you can trust the Microsoft products and services you use, we take a principled approach with strong commitments to privacy, security, compliance and transparency.”