Tips from Virsage: Passphrases - December 2017
Posted by Andrea Montgomery on 13 December 2017 01:02 PM

Tips from Virsage: Passphrases

December 2017





Passwords are something you use almost every day, from accessing your email or banking online to purchasing goods or accessing your smartphone. However, passwords are also one of your weakest points; if someone learns or guesses your password they can access your accounts as you, allowing them to transfer your money, read your emails, or steal your identity. That is why strong passwords are essential to protecting yourself. However, passwords have typically been confusing, hard to remember, and difficult to type. In this newsletter, you will learn how to create strong passwords, called passphrases, that are easy for you to remember and simple to type.


Guest Editor

My-Ngoc Nguyen (pronounced Me-Nop Wynn) is a Certified SANS instructor and CEO/Principal Consultant for Secured IT Solutions. She brings expertise with top certifications and 14+ years of developing, maturing, and managing cyber security programs for various industries and sectors. Follow her on Twitter @MenopN and on LinkedIn at My-Ngoc “Menop” Nguyen.


The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automated guessing) passwords. This means bad guys can compromise your passwords if they are weak or easy to guess. An important step to protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type. Instead, we recommend you use passphrases--a series of random words or a sentence. The more characters your passphrase has, the stronger it is. The advantage is these are much easier to remember and type, but still hard for cyber attackers to hack. Here are two different examples:


Time for tea at 1:23

What makes these passphrases so strong is not only are they long, but they use capital letters and symbols. (Remember, spaces and punctuation are symbols.) At the same time, these passphrases are also easy to remember and type. You can make your passphrase even stronger if you want to by replacing letters with numbers or symbols, such as replacing the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero. If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.
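One way to build a random-word passphrase and estimate how hard it is to guess, as an added example that is not part of the original newsletter. It covers only the case where the words are picked at random by the computer (the estimate does not apply to a sentence you compose yourself); the 32-word list is a constructed sample and the function names are chosen here.

```python
import math
import secrets

# Constructed sample list, for illustration only. A real list should be much
# larger; the EFF long word list, for example, has 7776 words.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "marble", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "tunnel", "umbrella",
    "velvet", "window", "yellow", "zipper", "anchor", "basket", "copper",
    "dragon", "feather", "guitar", "hammer",
]


def generate_passphrase(words, count, separator=" "):
    """Pick `count` words independently with a cryptographic RNG.

    secrets.choice() draws from the operating system's secure random source,
    unlike random.choice(), which is predictable and unsuitable for secrets.
    """
    if count < 1 or len(set(words)) != len(words):
        raise ValueError("need count >= 1 and a list without duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Bits of entropy when each of `picks` symbols is drawn uniformly at
    random from `pool_size` possibilities (words or characters)."""
    return picks * math.log2(pool_size)


def words_needed(pool_size, target_bits):
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
    # A random 8-character password over the 94 printable ASCII symbols...
    complex_pw = entropy_bits(94, 8)
    # ...compared with random words from a 7776-word list.
    for n in (4, 5, 6):
        print(f"{n} words: {entropy_bits(7776, n):.1f} bits "
              f"(8 random characters: {complex_pw:.1f} bits)")
    print("words needed for 80 bits:", words_needed(7776, 80))
```

The strength comes from the number of equally likely choices, so the estimate holds only if the attacker cannot predict which words were picked; the list itself can be public.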


Using Passphrases Securely

You must also be careful how you use passphrases. Using a passphrase won’t help if bad guys can easily steal or copy it.

  1. Use a different passphrase for every account or device you have. For example, never use the same passphrase for your work or bank account that you use for your personal accounts, such as Facebook, YouTube, or Twitter. This way, if one of your accounts is hacked, your other accounts are still safe. If you have too many passphrases to remember (which is very common), consider using a password manager. This is a special program that securely stores all your passphrases for you. That way, the only passphrases you need to remember are the ones to your computer or device and the password manager program.
  1. Never share a passphrase or your strategy for creating them with anyone else, including coworkers or your supervisor. Remember, a passphrase is a secret; if anyone else knows your passphrase it is no longer secure. If you accidentally share a passphrase with someone else, or believe your passphrase may have been compromised or stolen, change it immediately. The only exception is if you want to share your key personal passphrases with a highly trusted family member in case of an emergency. One approach is to write down your key personal passphrases (make sure they are not work related), store them in a secure location, and share that location with a highly trusted family member. That way, if something happens to you and you need help, your loved ones can access your critical
  1. Do not use public computers, such as those at hotels or Internet cafes, to log in to your accounts. Since anyone can use these computers, they may be infected and capture all your keystrokes. Only log in to your accounts on trusted computers or mobile devices.
  1. Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even on your Facebook page. Make sure that if you answer personal questions you use only information that is not publicly available or fictitious information you have made up. Can’t remember all those answers to your security questions? Select a theme like a movie character and base your answers on that character. Another option is, once again, to use a password manager. Most of them also allow you to securely store this additional information.
  1. Many online accounts offer something called two-factor authentication, also known as two-step verification. This is where you need more than just your passphrase to log in, such as a passcode sent to your smartphone. This option is much more secure than just a passphrase by itself. Whenever possible, always enable and use these stronger methods of authentication.
  1. Mobile devices often require a PIN to protect access to Remember that a PIN is nothing more than another password. The longer your PIN is, the more secure it is. Many mobile devices allow you to change your PIN number to an actual passphrase or use a biometric, such as your fingerprint.
  1. If you are no longer using an account, be sure to close, delete, or disable it.


OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Cathy Click, Cheryl Conley /securethehuman @securethehuman



Tips from Virsage: Shopping Online Securely - November 2017
Posted by Andrea Montgomery on 15 November 2017 10:31 AM

Tips from Virsage: Shopping Online Securely


  November 2017


 Shopping Online Securely


‘Tis the Season to Be Cautious

The holiday season is close upon us and soon millions of people around the world will be looking to buy the perfect gifts. Many of us will choose to shop online in search of a great deal and avoid long lines and impatient crowds. Unfortunately, this is also a criminal’s favorite time of the year to commit online or financial fraud. This month, we explain the dangers of shopping online and ways you can protect yourself.

Guest Editor

Jonathan Homer (@JonathanLHomer) is a recognized leader in the Cyber Security Awareness industry and is active within both the government and private sectors. Jon specializes in audience engagement and leading edge training techniques.


Fake Online Stores

While most online stores are legitimate, some are not; they are fake websites set up by criminals. Criminals create these fake websites by copying the look of or using the name of well-known stores. They then use these websites to prey on people who are looking for the best deal possible. When you search online for the absolute lowest prices, you may be directed to one of these fake websites.

When selecting a website to purchase a product, be wary of websites advertising prices dramatically cheaper than anywhere else or offering products sold out nationwide. Their products are so cheap or available because what you will receive is not legitimate: it is a counterfeit or stolen item or, in some cases, you never receive anything at all. Protect yourself by doing the following:

  • Verify the website has a legitimate mailing address and a phone number for sales or support-related If the site looks suspicious, call and speak to a human.
  • Look for obvious warning signs like poor grammar and spelling.
  • Be very suspicious if a website appears to be an exact replica of a well-known website you have used in the past, but the website domain name or the name of the store is slightly different. For example, you may be used to going to the website for all of your Amazon shopping. But be very suspicious if you were to find yourself at a website pretending to be Amazon with the URL
  • Type the store’s name or URL into a search engine and see what other people have said about the website in the past. Look for terms like “scam,” “never again” or “fake.” A lack of reviews is also not a good sign, as it indicates that the website is very new. Remember, just because the site looks professional does not mean it’s If something about the site sets off warning bells, take time to investigate. If you aren’t comfortable with the website, don’t use it. Instead, find a well-known website you can trust or have safely used in the past. You may not find quite as great a deal or find that hot ticket item, but you are much more likely to end up with a legitimate product and a clean credit report.


Your Computer/Mobile Device

In addition to shopping at legitimate websites, you want to ensure your computer or mobile device is secure. Cyber criminals will try to infect your devices so they can harvest your bank accounts, credit card information and passwords. Take the following steps to keep your devices secured:

  • If you have children in your house, consider having two devices: one for your kids and one for the adults. Kids are curious and interactive with technology. As a result, they are more likely to infect their own device. By using a separate computer or tablet just for online transactions, such as online banking and shopping, you reduce the chance of becoming infected. If separate devices are not an option, then have separate accounts on the shared computer and ensure your kids do not have administrative privileges.
  • Only connect to wireless networks you manage, such as your home network, or networks you know you can trust when making financial transactions. Using public Wi-Fi networks, such as at your local coffee shop, may be great for reading the news, but not for accessing your bank account. Securely
  • Always install the latest updates and run up-to-date anti-virus software. This makes it much harder for a cybercriminal to infect your device.


Your Credit Card

Keep an eye on your credit card statements to identify suspicious charges. You should review your statements regularly, at least once per month. Some credit card providers give you the option of notifying you by email or text message every time a charge is made to your card or when charges exceed a set amount. Another option is to have one credit card just for online purchases. That way, if it is compromised, you can easily change the card without impacting any of your other payment activities. If you believe fraud has been committed, call your credit card company right away and explain the situation. This is also why credit cards are better for online purchases than debit cards. Debit cards take money directly from your bank account, and if fraud has been committed, it can be far more difficult to get your money back.

Finally, there is new technology that enables you to pay without exposing your credit card number. Consider credit cards that generate a unique card number for every online purchase, or use well-known payment services, such as PayPal, which do not require you to disclose your credit card number to the vendor.



OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis /securethehuman @securethehuman


Internet Connectivity - Comcast Outage RESOLVED - 1:30pm MT 11/6/17
Posted by Andrea Montgomery on 06 November 2017 01:44 PM



Comcast service interruptions should be resolved at this time and internet connectivity should be behaving normally. Please let us know if you are still experiencing any difficulties by opening a ticket with the Virsage support team.


Thank you for your patience.


Internet Connectivity - Comcast Outage- 12:20pm MT 11/6/17
Posted by Andrea Montgomery on 06 November 2017 12:55 PM

UPDATE: Our network engineering team has confirmed that the current performance issues that are impacting the Virsage services are directly related to a nationwide Comcast problem that is currently being worked on by Comcast. The impact extends beyond the Virsage services, as it is caused by the Internet service provided by Comcast; this means it is impacting the Virsage data center as well as your local offices with Comcast services. Services that may experience slowness include the following: Virsage Citrix desktop, website access, internet browsing, VoIP phone quality and service, remote access to servers/services. Any services accessed via the Comcast (Xfinity/Level3) network will likely be impacted and may be slow or unusable due to this Comcast outage.

This issue is widespread across the country for customers using Comcast/Xfinity/Level3 as their internet service provider, or using the Comcast network backbone for internet connectivity. If your company has a secondary internet service provider, we would recommend switching to that secondary internet service provider as a temporary measure while Comcast works to resolve this issue. If you would like assistance with switching to an existing secondary ISP, please open a ticket with Virsage and we would be happy to assist. We will continue to provide updates as they become available to us from Comcast.


If you would like to track this Comcast outage, information can be found here.


Thank you for your patience.  


Tips from Virsage: Social Media - October 2017
Posted by Andrea Montgomery on 10 October 2017 09:22 AM

Tips from Virsage: Social Media

October 2017

Social Media


Social media sites, such as Facebook, Twitter, Instagram and LinkedIn, are amazing resources, allowing you to meet, interact and share with people around the world. However, all this power also brings risk for you, your family, friends and employer. In this newsletter, we explain what these dangers are and how to use these sites securely and safely.

Guest Editor

Tanya Baccam is a longtime security consultant. She has been a SANS author and instructor for over a decade, having taught and written SEC502, SEC542, SEC401, MGT414, AUD507 and many other courses. Follow her on Twitter at @tbaccam.



A common concern with social media is protecting your personal information. Potential dangers include:

  • Impacting Your Future: Some organizations search social media sites as part of background checks. Embarrassing or incriminating photos or posts, no matter how old, could prevent you from getting hired or promoted. In addition, many universities conduct similar checks for new student applications. Privacy options may not protect you, as these organizations can ask you to “Like” or join their pages or certain posts may be archived on multiple sites.
  • Attacks Against You: Cyber attackers can analyze your posts and use them to gain access to your or your organization’s information. For example, they can use information you share to guess the answers to the secret questions that reset your online passwords, create targeted email attacks against you (called spear phishing) or call someone in your organization pretending to be you. In addition, these attacks can spill into the physical world, such as identifying where you work or live.
  • Accidentally Harming Your Employer: Criminals or competitors can use any sensitive information you post about your organization against your employer. In addition, your posts can potentially cause reputational harm for your organization. Be sure to check your organization’s policies before posting anything about your job. In addition, some of your social media posts may be monitored.

The best protection is to limit what you post. Yes, privacy options can provide some protection. However, they are often confusing and change frequently without your knowledge. What you thought was private can quickly become public for various reasons. In addition, the privacy of your posts is only as secure as the people you share them with. The more friends or contacts you share with, the more likely that information will become public. You should assume anything you post can or will become a public and permanent part of the Internet. Finally, be aware of what friends are posting about you. If they post something you are not comfortable with, ask them to take it down. If they refuse or ignore you, contact the social media site and ask the site to remove the content for you. At the same time, be respectful of what you post about others.

In addition to privacy concerns, here are some steps to help protect your social media accounts and online activities: 

  • Login: Protect each of your accounts with a strong, unique password and do not share them with anyone else. In addition, many social media sites support stronger authentication, such as two-step verification. Always enable these stronger authentication methods whenever possible. Finally, do not use your social media account to log in to other sites; if it gets hacked, then all of your accounts are vulnerable.
  • Privacy Settings: If you do use privacy settings, make sure you review and test them regularly. Social media sites often change privacy settings and it is easy to make a mistake. In addition, many apps and services let you tag your location to content that you post (called geotagging). Regularly check these settings if you wish to keep your physical location private.
  • Encryption: Social media sites use encryption called HTTPS to secure your online connections to the site. Some sites (like Twitter and Google+) enable this by default, while others require you to manually enable HTTPS. Check your social media account settings and enable HTTPS as the default connection whenever possible.


  • Email: Be suspicious of emails that claim to come from social media sites. These can easily be spoofed attacks sent by cyber criminals. The safest way to reply to such messages is to log in to your social media website directly, perhaps from a saved bookmark, and then read and reply to any messages or notifications from the website.
  • Malicious Links/Scams: Be cautious of suspicious links or potential scams posted on social media sites. Bad guys use social media to spread their own attacks. Just because a message is posted by a friend does not mean that message is really from them; their account may have been compromised. If a family member or friend has posted an odd message you cannot verify (e.g., they have been robbed and need you to send money), call them on their mobile phone or contact them by some other means to confirm the message is truly from them.
  • Mobile Apps: Most social media sites provide mobile apps to access your online accounts. Make sure you download these mobile apps from a trusted site and that your smartphone is protected with a strong password. If your smartphone is unlocked when you lose it, anyone can access your social media sites through your smartphone and start posting as you.




Tips from Virsage: Two-Step Verification - September 2017
Posted by Andrea Montgomery on 21 September 2017 01:41 PM

Tips from Virsage: Two-Step Verification


September 2017



Two-Step Verification


The process of proving who you are (called authentication) is key to protecting your information. Strong authentication attempts to ensure only you can access your information, such as your email, your photos or your bank accounts. There are three different ways to confirm who you are: what you know (such as a password), what you have (such as your driver’s license) and what you are (such as your fingerprint). Each one of these methods has advantages and disadvantages. The most common method is passwords, which are something you know. In this newsletter, we are going to teach you how to protect yourself with two-step verification, something far more secure than just passwords and yet very simple to use. To better understand two-step verification, we need to start with passwords first.


Guest Editor

Keith Palmgren has over 30 years of experience in Information Security. He is a SANS Institute Certified Instructor and author of SANS SEC301, a five-day introductory course on information security. When not teaching, Keith focuses on consulting and writing projects. You can follow Keith on Twitter at @kpalmgren.




Passwords prove who you are based on something you know. The danger with passwords is that they are a single point of failure. If someone can guess or gain access to your password, they can then pretend to be you and access all of your information that is secured by it. This is why you are taught steps to protect your password, such as using strong passwords that are hard for others to guess, using a different password for each account or never sharing your passwords with others. While this advice remains valid, passwords are outliving their usefulness; they are no longer effective in today’s modern age. The latest technologies make it far too easy for cyber attackers to compromise passwords. What we need is an easy to use, yet more secure solution for strong authentication. Fortunately, such an option is now commonly available. It’s something called two-step verification.


Two-Step Verification

Two-step verification (sometimes called two-factor authentication or 2FA) is a more secure solution than just passwords. It works by requiring two different methods to authenticate yourself. One example is your ATM card. When you withdraw money from an ATM machine, you are actually using a form of two-step verification. You need two things to access your money: your ATM card (something you have) and your PIN number (something you know). If you lose your ATM card, your money is still safe. Anyone who finds your card will not be able to withdraw your money, as they do not know your PIN. (Unless you wrote your PIN on your card, which is a really bad idea.) The same is true if they only have your PIN and do not have the card. An attacker must have both to compromise your ATM account. This is what makes two-step verification so much more secure; you have two layers of security.


Using Two-Step Verification

Two-step verification is something you set up individually for each of your accounts. Fortunately, many online services now offer it. One of the leaders in two-step verification is Google. Google accounts are a prime target for cyber attackers, as they offer a variety of free, online services to millions of people around the world. As such, Google needed to provide stronger authentication. It was one of the first organizations to roll out two-step verification for most of its online services. If you understand how Google’s two-step verification works, you will understand how two-step verification works for most other sites, such as Twitter, Facebook, Apple, Instagram and many banks.

First, you enable two-step verification on your Google account and register your mobile phone number. Once completed, two-step verification works as follows. You log into your account just as before with your username and password. This is the first of the two factors -- something you know. Google then sends a text message to your mobile phone containing a unique code, specifically, a string of six numbers. Just like your password, you then enter those six numbers on the website. This is the second of the two factors. To successfully log into your account, you have to both know your password and have your mobile phone receive the unique codes. Even if an attacker has your password, they cannot access your Google account unless they also have your phone. To ensure your account is truly secure, Google will send you a new, unique code every time you log in.

There is another option for two-step verification with Google and many other sites. Instead of receiving the unique code via SMS text messaging, you can install an authentication app on your smartphone. The app generates the unique code for you every time you want to log in. The advantage to using a mobile app is that you do not need to be connected to a phone service to receive your unique code; your phone generates it for you. In addition, since the code is generated locally on your phone and not sent to you, it cannot be intercepted.

Remember, two-step verification is not enabled by default; you have to enable it yourself. While two-step verification may seem like more work at first, we highly recommend you use it whenever possible, especially for critical services, such as your email accounts, online banking or storing your files online. Two-step verification goes much further to protect your information than just simple passwords.



