Follow this advice to help users and network admins better protect login credentials to corporate systems.

How many passwords does the average network administrator have? The average end user? Plenty. What can you do to protect those passwords? How do you educate users on protecting their credentials?

A recent article in Mashable revealed that an attacker found the credentials for several internal Twitter systems on a company Slack account. If this is true (there are conflicting reports of the source of the hack), it points out that network administrators don’t protect credentials well. If network administrators don’t, it’s probably safe to assume their users don’t either. What can you do to help your network administrators and users better protect their credentials? It comes down to education and awareness.

Build resistance to social engineering

Educate both network administrators and end users about the impact of phishing and how attackers design attacks to go after our weaknesses. They will use social media to learn who holds what roles in the organization and whom to go after. Famed hacker Kevin Mitnick once used a Washington State book that listed company CEOs and their executive assistants to gain access to the companies. Warn users to limit their social postings in public locations to avoid exposing information to attackers.

Protect information used in credential verification

Warn your users not to answer survey questions on social media sites. Often these “random questions” are built from typical password reset questions or password verification processes. If you’ve ever answered a Facebook post about your first job or your favorite car, attackers can accumulate a database of password reset answers.

Train users to recognize a branded landing page

If you use Office 365 or Microsoft 365, I recommend using branding to help educate users on the proper password landing page.
Attackers are harvesting business images and using them to trick users into thinking they are providing credentials in the right place. To set up a branded landing page, you will need an Azure P1 or a Microsoft 365 Business Plus (which includes P1) license. To set up company branding, select “Azure Active Directory,” then “Company branding,” and then “Configure.” You can now select settings for icons (including banner logos), background images, and username hints.

Encourage the use of passphrases

Educate users on choosing passphrases rather than passwords. We are horrible at choosing passwords. Even in 2019, the most-used password was 12345. Let applications generate strong passwords if possible. Encourage users to use password manager programs for their personal use and educate them on how to use them. For business, you may need to evaluate programs to determine which one meets your firm’s security mandates. There have been historical issues with web-based password manager programs introducing risks. Evaluate carefully and review the recommended password management programs on an annual basis.

Train users on multi-factor authentication

Educate on the use of multi-factor authentication (MFA) for applications, remote access, email, or any other login credential. Microsoft 365 with an Azure P1 license lets you add whitelisting to exempt locations from two-factor authentication, so you can limit MFA to users with riskier remote access. The feature is called “named locations.” From the Azure portal, select “Azure Active Directory,” then “Conditional Access” from the “Security” section. On the “Conditional Access” page, select “Named locations” and then “New location.” In the “Name” box, type a name for your named location. In the “IP ranges” box, type the IP range in CIDR format and select “Create.”

Teach staff to recognize safe websites

Educate on how secure websites work and look. When users browse to a website and enter credentials, they face a daunting decision process.
Is this site safe? Are they entering their credentials into a proper location? Educate users about what the normal processes and prompts should look like.

If you have a proxy filter or cloud service that intercepts your browsing traffic and provides blocking, set up the service to give end users actionable information so they know whether the website action they are attempting is appropriate. For example, if your web filtering software blocks certain sensitive sites, ensure that the block message clearly states that your firm is behind the blocking process.

Educate users on what to look for when entering sensitive information. This used to be easier, but with the advent of search engines mandating SSL as a means for private browsing, it’s harder to determine which sites are safe. Have a vetting process that may include sending the URL through an approval process. You might wish to limit browsing to approved websites only.

Train on the proper use of computer equipment

Users and network administrators should never use computer equipment in unknown locations to access corporate resources. The kiosk computer in the hotel business center where you just printed your airline boarding pass should never be used to access corporate assets. I still remember a widely reported security story where someone placed keylogger tokens on the computers in a Kinkos in New York and collected 450 banking credentials as a result of this sniffing attack.

Administrators and users should be aware of their surroundings when entering passwords. Someone could, for example, look over the shoulder of the user in the seat in front of them on an airplane, see what they are working on, and possibly even catch their password.

Deploy additional credential processes if necessary

Windows Hello for Business is based on a new type of user credential that is tied to a device and uses biometric authentication or a PIN.
Windows Hello lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (Azure AD) account, or identity provider or relying party services that support Fast ID Online (FIDO) v2.0 authentication (in progress). Windows Hello for Business is more secure than the Windows Hello convenience PIN. It can be configured by Group Policy or mobile device management (MDM) policy, and it always uses key- or certificate-based authentication. To set up Windows Hello for Business, review your hardware to ensure it has the needed TPM chips and meets the other requirements before implementation. You can deploy these solutions with a software-only implementation, but the process is typically more straightforward on laptops and desktops designed for it.
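As an added example (not from the article), here is the “named locations” and MFA setup from the multi-factor authentication section above, scripted with the AzureAD PowerShell module instead of clicking through the portal. It assumes an Azure AD Premium P1 license and an admin role that can manage Conditional Access; the IP range and the break-glass account ID are constructed placeholders, and Microsoft has since deprecated the AzureAD module in favour of Microsoft Graph PowerShell.

```powershell
# Added example: create a trusted named location for the office egress range, then a
# Conditional Access policy that requires MFA everywhere except trusted locations.
# Cmdlets are from the AzureAD module (New-AzureADMSNamedLocationPolicy,
# New-AzureADMSConditionalAccessPolicy); they mirror the portal steps in the article.
Connect-AzureAD

# 1. Named location. 203.0.113.0/24 is a constructed placeholder; use your own public range.
#    IsTrusted lets the location be excluded with the "AllTrusted" keyword below.
$officeRange = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
$officeRange.CidrAddress = "203.0.113.0/24"
$office = New-AzureADMSNamedLocationPolicy `
    -OdataType "#microsoft.graph.ipNamedLocation" `
    -DisplayName "Head office" `
    -IsTrusted $true `
    -IpRanges $officeRange

# 2. Conditions: all users, all cloud apps, every location except trusted ones.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
# Exclude an emergency-access ("break glass") account so a policy mistake cannot lock
# every administrator out. The object ID is a placeholder.
$conditions.Users.ExcludeUsers = "<break-glass-account-object-id>"
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = "All"
$conditions.Locations.ExcludeLocations = "AllTrusted"

# 3. Grant control: require multi-factor authentication.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# 4. Create the policy in report-only mode first. Review the sign-in logs to confirm
#    only off-site sign-ins would be prompted, then switch -State to "enabled".
New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Require MFA outside trusted locations" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls
```

Report-only mode is the check that matters here: it shows in the sign-in logs which users would have been challenged without actually enforcing anything, so a wrong CIDR range does not lock staff out.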