It’s Cybersecurity Awareness Month! Ever since Congress declared it in 2004, every October has brought awareness and information about how to protect yourself and your data as more threats arise every day in our modern age. Here at the Digital Media Engagement (DME) Internship, the Web Security department works hard not only at protecting our sites and their users from these threats, but also at finding new ways of improving security and informing the other interns at DME about tips on how to be safer online. It is surprising how easy it is to have something compromised, whether it be data, passwords, emails, or even an entire site. Here is how the web security department works to protect our work and the people who help out with the site.
Web Security Projects
The web security department excels at teaching and practicing different programs and methods relating to security. This includes penetration testing, where users complete procedures to test and identify vulnerabilities in security. Interns also educate themselves and others on proper security practices while online. The interns also carry out tasks such as cybersecurity scans, auditing, and training in various fields.
The DME website itself is also managed by the web security department. This includes checking plug-ins the site uses to bring more functionality and design to the site in order to make sure that none of them are potentially harmful or vulnerable. This also includes user moderation and making sure passwords are kept secure and changed routinely. Interns also collaborate with the web development department to find new ways of improving the website in many ways, including new methods to help keep the website secure.
Not everyone is aware of the proper security practices while online. Attackers can attempt to steal your personal information through social media, text, Wi-Fi, unsafe websites, or email. Therefore, it’s important to raise awareness of good security practices. Because the interns of the web security department are educated in proper security practices, they share this knowledge with the community through security blog posts posted on the DME website.
WordPress is a very popular hosting site for websites. Because of this, WordPress is more vulnerable to cyberattacks that try to exploit the vulnerabilities of the website. This is not the fault of WordPress having a bad security system; it’s more a result of unsafe security practices that can occur while hosting websites. A WordPress site being hacked means the loss of a lot of data and, potentially worse, private information being stolen that could put users at risk. It’s up to the web security department to find out about these vulnerabilities and ways of protecting the site. To learn more about WordPress and its security, and ways of protecting websites hosted under it, read this article.
2FA & Login Safety
Over time, many new methods to improve online security have been introduced. As everyone uses and relies on technology more each year, the risk of malicious attacks grows. One of these methods is 2FA, or Two-Factor Authentication. Have you ever logged into Google or another website and been prompted to have the site send a one-time password to your phone? That is a form of 2FA. This is all to provide extra security and give users an opportunity to ensure that they are the one logging in.
Another form is present within Google. When you have 2FA enabled with Google, upon logging in you will be prompted to check your phone, as Google will send it a push notification showing some information about who is trying to log in. Microsoft OneDrive also does something similar. If someone attempts to log in, as long as you have 2FA enabled, you can deny access to whoever is trying to log into your account. Of course, if this ever happens, it is best to change your password immediately afterwards.
A third form of 2FA is push-based 2FA. An example of this can be found in systems such as Duo Push, which send a prompt to one of your devices during a login. This prompt informs the user that someone is trying to log in and provides an estimated location for the login attempt, based on the IP address the attempt came from. This method of multi-factor authentication is very convenient because acknowledging a request is much easier than typing in a code. The estimated location can also help individuals avoid phishing attacks, because these attacks normally come from different IP addresses than the victim’s. So this form of 2FA can help users identify an attack in progress, which could save your accounts and sensitive information.
A fourth and final way 2FA is used today is in the form of biometrics. With this form of 2FA, users verify who they are by using their fingerprints, facial features, hand shape, or voice. This 2FA method is very common today, with many smart devices having fingerprint detection and facial recognition. Using biometrics in combination with a secure password or PIN can greatly increase the security of your devices and personal information. Biometrics add an extra layer of security and protect your information from attacks like brute forcing and social engineering, since attackers cannot gather biometric information online.
Best Password Practices
In honor of Cybersecurity Awareness Month, we wanted to discuss one of the most important protection methods used today to protect your sensitive information: passwords. Passwords are very common today. They are vital for protecting our information from unauthorized access and other attacks. To ensure we are getting the maximum security from our passwords, there are some password practices that should be followed.
First, it’s important to remember that passwords and usernames are sensitive information. They should not be shared with anybody. If someone is asking for your password or username, then it is most likely a scam. Another common practice is that passwords should not be composed of information that can be found about you, such as your birthday, name, age, where you work, etc. Also, complexity is vital. Try to include all types of characters, such as uppercase and lowercase letters, numbers, and special characters. It’s also important to account for length. The longer a password is, the better. So combining length and multiple types of characters will make it more difficult for attackers to brute force your password.
Also, since it can be complicated to follow these rules, some try to make their passwords a sentence or phrase, which makes the password difficult to guess but easy to remember. An example would be “bananabreadistasty”. This method would work even better if you are allowed to have spaces. Another common password practice you should follow is changing your passwords often, about every 3-5 months. Most organizations already have their employees do this, but it should be done for your personal passwords as well. You should also try to use different passwords for different accounts. This way, if one account is compromised, the others will not be at risk.
Another way you can keep your accounts secure is to use MFA (multi-factor authentication). MFA adds another layer of protection to your accounts. The additional layer works as a token or mobile app on your phone that you use to confirm it is actually you logging into your account. As mentioned earlier, we have a lot of passwords, and most people cannot keep track of the multiple, long, complex passwords they have, so you can use a password manager. This is a tool that stores your passwords securely. There are multiple options that can be found online. Personal recommendations include NordPass, LastPass, or Dashlane. Overall, password security is one of the most important ways to keep your information secure, and while there are many rules for making strong passwords, these practices will minimize the risk of you losing any personal information or accounts.
At DME, we value the online protection of not only our data, but also the interns and volunteers who work hard at providing Veterans with the resources they need. The web security and web development departments work hard each week at following good security and password practices. They also work very hard at making sure everyone within their departments and outside is knowledgeable about cybersecurity practices.
Always take action to protect yourself online, whether it be using strong passwords, updating and changing passwords, using 2FA, reporting suspicious links, being aware of the sites you traverse, and more. Your data and privacy should be valued and kept protected. With Cybersecurity Awareness Month, the mission is to make these risks and problems known everywhere.
Writers & Editors: Christos Piliafas, Geoffrey Ramnath
Graphic Designer: Yasmine Pierce
Additional Help: Francisco Torres, Andrew Donigan