Many startups in their infancy do not prioritize a cybersecurity plan while laying the groundwork for their business model, citing budget constraints and a lack of resources. Neglecting their security posture markedly increases their risk of being compromised.
The result can be a damaged reputation and a significant financial loss, forcing a startup to shut down its operations (e.g., the healthcare startup myNurse). Brushing aside the importance of a cybersecurity plan can prove a costly and grave mistake. It is therefore prudent for any startup or enterprise to begin implementing adequate security, at the very least at a basic level.
This is the second of eleven articles in the series “Cybersecurity for startups”. The first article presented the Top 10 Practical Cybersecurity Recommendations for Startups with a limited budget.
Two of the most common security weaknesses are poor password policies and failure to enforce two-factor authentication.
Weak passwords and the absence of an authentication policy make it effortless for cybercriminals, who prefer the path of least resistance, to exploit these common weaknesses. They can successfully execute brute-force and phishing attacks and gain initial access to accounts and services, putting a startup’s assets at risk.
So what can startups on a low budget do to improve their security posture and deter cybercriminals at little to no cost?
💡 Tip: Use a password manager and two-factor authentication (2FA).
A secure password manager and 2FA are recommended by the NIST SP 800-63B Digital Identity Guidelines and satisfy the NIST standards for passwords and two-factor authentication. Using a password manager and 2FA helps prevent password attacks and unauthorized access to accounts and services.
Although a password manager and 2FA are not cure-alls for every existing cybersecurity threat, they certainly help reduce cyber risk and strengthen the security posture of an enterprise or startup.
Learn more about each of them and their benefits.
What is a password manager?
A password manager is a software application that lets users store, generate, and manage their passwords or credentials for local applications and online services. It is secure, convenient to use, and prevents the exposure of sensitive information, and it meets the NIST requirements for passwords.
NIST SP 800-63B standards for passwords:
- Must be at least 8 characters long (up to a maximum of 64 characters).
- Avoid commonly used passwords (e.g., ‘password,’ ‘qwerty,’ ‘1234567’), dictionary words, and repetitive or sequential characters (e.g., ‘aaaaaa’, ‘1234abcd’).
- Allow spaces, emojis, and all ASCII and Unicode characters in passwords.
- Do not reuse passwords!
- Don’t require users to include special characters in their passwords.
- Allow copy-and-paste in password fields, because this reduces the time needed for multi-factor authentication and lets password managers work.
- Avoid password hints! (If they are required, do not answer them with personal information; if an unauthorized individual obtains that information, they can use it against you.)
- Avoid context-specific words, such as the name of the service, the username, and derivatives thereof.
- Do not change passwords periodically! (This is no longer recommended because users often revert to old passwords when forced to change them. Change a password only when you have checked a list of compromised passwords and yours is on it.)
- Use a secure password manager.
This is not the entire list, but you get the gist of it. A password manager is a convenient way to increase password security while meeting NIST standards.
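As an added example (not from the article or from NIST), the following Python function applies the SP 800-63B rules listed above to a candidate password: the 8 to 64 character length check on Unicode-normalized input (so spaces, emojis and non-ASCII characters count as ordinary characters), a blocklist of commonly used passwords, a check for repetitive or sequential runs, a check for context-specific words such as the service name or username, and deliberately no special-character rule. The blocklist is a small constructed sample; a real deployment would use a large list of breached passwords.

```python
import unicodedata
from typing import Iterable, List

# Constructed sample blocklist; a real deployment would use a large list of
# commonly used and breached passwords (the "compromised passwords" check above).
COMMON_PASSWORDS = {"password", "qwerty", "1234567", "12345678", "letmein", "iloveyou"}


def has_repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` identical characters ('aaaa') or a straight
    ascending/descending sequence of code points ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means
    it is acceptable. Length is 8-64 code points after Unicode normalization,
    so spaces, emojis and non-ASCII characters are allowed and counted; there
    is deliberately no special-character (composition) rule."""
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the commonly used password blocklist")
    if has_repetitive_or_sequential(pw):
        problems.append("contains repetitive or sequential characters")
    for word in context_words:          # service name, username, and the like
        if word and word.lower() in lowered:
            problems.append("contains context-specific word '%s'" % word)
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; "acme" stands in for the service name.
    for candidate in ["password", "1234abcd", "acme-login-2024", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate, context_words=["acme"]) or "OK")
```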
Using a password manager is beneficial for these reasons:
- Generates strong, unique passwords
- No need to memorize dozens of passwords
- Supports copy-and-paste into password fields
- Conveniently accessible on local machines and mobile phones
- Eliminates password reuse
- Stores passwords encrypted
- Safer than storing passwords in your browser
- Lets the IT department audit and manage users’ passwords
- Easy to use
Remedy weaknesses in password security by using a secure password manager, and avoid falling victim to password attacks.
The most common successful password attacks are:
- Credential stuffing
- Brute force attacks
- Dictionary attacks
- Man-in-the-middle (MitM) attacks
With a password manager, your passwords are readily accessible on your local machine and mobile phone. Several options are listed below.
The Top 10 Recommended Password Managers
Expert Insights has identified the ten best password management solutions recommended for businesses. Follow this link to determine the best password manager for your startup, check its pricing and usability, and read what customers have to say about it.
Top 10 password managers recommended for businesses:
- Keeper (affiliate link)
- Hitachi ID
- LastPass (affiliate link)
- ManageEngine (affiliate link)
- NordPass (affiliate link)
- N-able Passportal
What is two-factor authentication (2FA)?
Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA) that combines two types of authentication factors to verify a user’s identity before the user is granted access to accounts or services. It is more secure than single-factor authentication, which is highly vulnerable to attacks such as credential dumping, brute force, phishing, social engineering, man-in-the-middle, and keylogging.
The Cybersecurity and Infrastructure Security Agency (CISA) added single-factor authentication to its list of Bad Practices in August 2021, stating:
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet.”
Five broad categories of authentication factors are:
- Something you are (e.g., biometrics)
- Something you have (e.g., soft and hard tokens – think OTP or YubiKey)
- Something you know (e.g., passwords, PIN)
- Somewhere you are (e.g., geolocation)
- Something you do (e.g., behavior like drawing a pattern on a grid of dots)
An example of 2FA is a mobile app asking a user for their password and fingerprint before granting them access to its services. The password and fingerprint are two factors, hence 2FA.
Why is 2FA important?
2FA supports privacy protection by mitigating the risk of unauthorized access to users’ information. Relying on a password alone for accounts and services is dangerous because once an unauthorized user steals it, there is no second authentication factor to stop them in their tracks. They can gain access to your accounts and services, compromise them, and permanently lock you out of them, and all your private data is lost.
Take social media platforms, for example. Users are continuously duped on them by social engineers who pretend to be one of their friends and convince them to click on a phishing link. The unsuspecting victim believes it is their friend, clicks on the link, and is redirected to a page where they type in their password.
The next thing they know, they are logged out of their account the following day and can no longer access it. By then, the social engineer has already changed the password and account details, compromising the user’s account. We have all heard of this common scenario at least once.
Even worse, the situation was preventable with two-factor authentication. Had 2FA been enabled, the social engineer would have needed the second authentication factor as well, such as the OTP from the user’s authenticator app or perhaps a fingerprint they could not possibly match.
2FA hinders unauthorized users from accessing another user’s account with stolen credentials, serving as a real nuisance to cybercriminals. In addition, it helps prevent both authentication attacks and password attacks, which are practically identical.
2FA helps thwart the most common successful cyber attacks:
- Spear phishing
- Credential stuffing
- Brute force attacks
- Password spraying
- Man-in-the-middle (MitM) attacks
Top 4 Ways to Implement Two-Factor Authentication
Startups can begin implementing two-factor authentication for their accounts and services with any of the four methods listed below, ranked from the strongest (number one) to the weakest (number four): a physical security key, biometrics, an authenticator app, and a text message code.
Top 4 two-factor authentication methods:
Physical security key: A physical security key (hard token) is ideal for high security, is safer than authenticator apps, and is arguably the strongest of all two-factor authentication methods. It holds a unique cryptographic key with which it proves to a website or service that you are the one logging in. A physical security key looks like a USB flash drive and fits on a keyring. To log into an account or service on your device, you enter your password and then plug the security key into the device’s USB port to authenticate. On a mobile phone, you can use NFC and tap the security key against the designated area on the back of the phone.
A great example of a physical security key is the YubiKey, which can be purchased at prices starting at $55. According to its website, it offers the impersonation-resistant verification described in the NIST guidelines. It also keeps the authenticator separate from the device, avoiding a single point of failure if your device is compromised. Because the security key must be in your physical possession to work, it provides high security and makes account takeovers extremely difficult, if not impossible. The one downside is that if you lose your security key, you will not be able to log into the accounts and services on which you enabled 2FA with it; you will be locked out permanently. To avoid this, register a spare key (or more, as needed) and keep it somewhere safe and secure.
Biometrics: Biometrics uses something you are, such as your fingerprint, face, or eyes (e.g., a retina scan). It is considered one of the most secure methods of authenticating your identity because of its high accuracy. Biometrics is often offered as a 2FA option on computers and mobile phones. It is also commonly used for employees entering secure buildings, which require a scan of the retina or fingerprint combined with another authentication factor such as a PIN or badge.
Authenticator app: An authenticator app (soft token) is an easy, secure method of implementing 2FA. You need a mobile phone to download and use it. It works by generating one-time passwords (OTPs): time-sensitive six- or eight-digit codes, usually valid for 30 seconds, that become invalid once the time window has passed. This mitigates account-takeover attacks by preventing a stolen username/password pair from being used a second time; an OTP is called a one-time password for a reason! There are various authenticator apps to choose from that you can download on your mobile phone: Authy, Microsoft Authenticator, Google Authenticator, and Duo. The best part is that they are FREE! LastPass and 1Password have also recently incorporated an authenticator into their password managers, making their services more convenient.
SMS code: Text message codes sent by SMS are the most popular and easiest-to-use type of 2FA, and the quickest two-factor method to set up. However, it is the least secure method of 2FA because SMS is not encrypted, meaning your codes can be viewed, intercepted, and easily stolen. A malicious actor can sniff your SMS codes, execute a man-in-the-middle attack, or steal your phone and request an SMS code when they try to log into your accounts. If they have installed a keylogger on the device that receives the SMS codes, they can read them in real time. Even though it is the least recommended method of 2FA, it is better than single-factor authentication. Some security is better than none!
Using a password manager and two-factor authentication (2FA) is essential for improving the security posture of a startup and mitigating common cybersecurity risks. The NIST standards for passwords and authentication recommend using them to raise security levels and prevent various common attacks. Weak, insecure passwords and single-factor authentication alone will endanger any startup or organization. By following the NIST recommendations, any startup will definitely raise its level of security.
The next article will highlight modern security frameworks for startups and describe their impact on software development security.