You've got to involve your users when it comes to security. It's super important and might seem obvious, but it's usually overlooked. You can build the world's best security systems, but they won't protect you if the users are practicing unsafe security. If a user writes their password on a post-it note, sticks it to their laptop, then leaves the laptop unlocked and unattended at a cafe, you could have a disaster on your hands. But making sure that your users take reasonable security precautions takes effort and can be really tricky. You have to make sure your users' habits and actions are guided by clear and reasonable security policies. But there's more that you can do to help ensure that your users are diligent about maintaining security. Let's assume that your employees are acting with good intent, and that leaks and disclosures are unintentional and mostly due to improper handling of sensitive data. Leaks and disclosures can be avoided by understanding what employees need to do to accomplish their jobs. You also need to make sure that they have the right tools to get their work done without compromising security. If an employee needs to share a confidential file with an external partner and it's too big to e-mail, they may want to upload it to a third-party file sharing website that they have a personal account with. This is risky business. You should never upload confidential information onto a third-party service that hasn't been evaluated by your company. If sharing big files with external parties is common behavior for your employees, it's best to find a solution that meets both the needs of your users and the security guidelines. By providing a sanctioned and approved mechanism for this file sharing activity, users are less likely to expose the organization to unnecessary risk. We covered password security when we discussed password authentication earlier, but there's more to talk about when it comes to users and passwords.
I hate to say it, but generally speaking, users can be lazy about security stuff. They don't like to memorize long, complicated passwords, but this is super important to keeping your company safe. So how do we resolve this conflict? If we require 20-character passwords that have to be changed every three months, our users will almost definitely write them down. This compromises the security that our complex password policy is supposed to provide. It's important to understand what threats password policies are supposed to protect against. That way, you can try to find a better balance between security and usability. A long and complex password requirement is designed to protect against brute force attacks, either against authentication systems or against a stolen hashed password database. Since direct brute force attacks against authentication infrastructure should be easily detected and blocked by intrusion prevention systems, they can be considered pretty low risk. The theft of a password database would be a super serious breach, but we have lots of additional layers of security in place to prevent a critical compromise like that from happening in the first place. So the two attacks that complex passwords are primarily designed to protect against are fairly low risk. Now we can relax the password requirements a bit and not ask for overly long passwords. We can even adjust the mandatory password rotation time period. Password reuse is another common user behavior. People don't want a bunch of passwords to memorize, so lots of users find it easier to use the same password for both their personal email account and their work account. But this undermines the security of their work password. If an online service is compromised and the password database is leaked, they're in trouble. The passwords in that database will find their way into password files used for cracking passwords and brute force attacks. Once a password isn't a secret, it shouldn't be used anymore.
The chances of a bad actor being able to use the password are too high. That's why it's important to make sure employees use new and unique passwords, and don't reuse them from other services. It's also important to have the password change system check against old passwords. This will prevent users from changing their password back to a previously used, potentially compromised password. A much greater risk in the workplace that users should be educated on is credential theft from phishing emails. Phishing emails are pretty effective. They take advantage of people's inclination to open emails without looking at them too closely. If an e-mail that seems authentic actually leads to a fake login page, users can blindly enter their credentials into the fake site and disclose their credentials to an attacker. While having two-factor authentication helps protect against this type of attack, OTP-based two-factor solutions would still provide usable credentials to an attacker, plus the attacker still has a password, which is really not good even in a two-factor environment. If someone entered their password into a phishing site, or even suspects they did, it's important to change their password as soon as possible. If you can, your organization should try to detect these types of password disclosures using tools like Password Alert, which I've linked to in the next reading. This is a Chrome extension from Google that can detect when you enter your password into a site that's not a Google page. Being able to detect when a password is entered into a potentially untrustworthy site lets an organization detect potential phishing compromises. But you can also combat phishing attacks with good spam filtering combined with good user education. You can help influence good user behavior by offering security training, which we'll discuss in another video. Next up, we'll do a quick rundown of the benefits and tradeoffs of third-party security. I'll see you there.
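One way a password change system can check new passwords against old ones, as described above: an added example in Python, not code from the course or from any product it mentions. It assumes salted PBKDF2 as the password hash, a history depth of five, and a small constructed stand-in for a leaked-password list.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Tuple

# Constructed sample standing in for a real leaked-password list (assumption).
KNOWN_LEAKED = {"password123", "welcome1", "summer2019"}

HISTORY_DEPTH = 5        # previous passwords a user may not go back to (assumption)
PBKDF2_ROUNDS = 100_000  # work factor for the stored hashes (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps (salt, hash) pairs for the user's most recent passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries: deque = deque(maxlen=depth)  # oldest entry evicted first

    def was_used(self, candidate: str) -> bool:
        # Every entry has its own salt, so the candidate is re-hashed per entry
        # and compared in constant time.
        return any(hmac.compare_digest(hash_password(candidate, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))


def change_password(history: PasswordHistory, new: str) -> Tuple[bool, str]:
    """Reject a reused or known-leaked password; otherwise record the new one.

    The current password is already in the history (recorded when it was set),
    so "same as current" is caught by the history check as well.
    """
    if history.was_used(new):
        return False, "password was used previously and may be compromised"
    if new.lower() in KNOWN_LEAKED:
        return False, "password appears in a leaked password list"
    history.record(new)
    return True, "password changed"
```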