Cyber 101 – VPNs

With a new cyberattack reported every day, everyone is asking one question: how can I make sure I’m not next? Cyber 101 is a series of blogs focusing on the ultimate basics of cybersecurity. By applying these simple remediations, you will put your networks and accounts on their way to defending against cyber actors.

What is a VPN?

Most folks have heard of a VPN and know it has something to do with network security, but what is a VPN exactly? VPN stands for Virtual Private Network and is best described as a “secure tunnel.” When a VPN tunnel is created, your browser makes a secure session to your content server and then routes all traffic through this tunnel. Now that we have the literal definition of a VPN, we can move on to the big question: do you need one?

Are VPNs secure?

Through aggressive marketing campaigns from NordVPN and PIA, many internet users have become convinced that a VPN is needed to conduct internet browsing safely. But what exactly are these services offering to their subscribers? In most cases, VPN tunnels simply change who can see your web traffic, not whether the traffic is more secure. When you open a browser and start surfing the web, you typically rely on your ISP (Internet Service Provider) to route traffic and create network sessions. You can alter this traffic by enabling a VPN tunnel and instead rely on your VPN provider to conduct your routing. The difference between these two session types is who establishes your connection and tracks your web sessions. If you are connecting to a website via HTTP/S, your traffic is, in fact, no safer from snooping in a VPN tunnel. The critical aspect of web browsing is ensuring that you establish secure connections, not who establishes the connections themselves.

When should I use a VPN?

The primary VPN use for a standard user is to mask the source of their traffic. Whether you are trying to hide from your ISP that you are pirating content or tricking your content provider into offering you another region’s availability, a VPN tunnel can change “where” a web request is originating. An important thing for consumers to remember is that you are not anonymous when browsing through a VPN tunnel; you only change who is watching your traffic, which becomes the vendor you subscribe to. If you are conducting illegal activity, your VPN provider can still report you, and in certain jurisdictions may be required to do so. Another typical use for VPN tunnels is connecting to a company’s internal network. If you use your personal device to connect to work, you may be required to use a VPN. This tunnel is a security decision to protect the company’s resources, not your device. By requiring a VPN tunnel for access to the internal network, companies can control who and what is allowed in at their VPN gateway.

Now that you know what a VPN is, you can operate with a greater degree of certainty when deciding whether you need to subscribe to a company that offers them.

Cyber 101 – Password Requirements

Password Requirements: Do they work?

The odds are that at some point, you’ve had to battle your computer to find a password the system is willing to accept. So between requiring an ancient hieroglyph, the blood of a day-old fawn, and interpretive dance, why are password requirements so stringent?

Password requirements are built with two different principles in mind: complexity and uniqueness. By deconstructing each of these principles, we can highlight the importance of complex passwords in your environment.

Password Complexity

One of the more common methods used to steal passwords is what is known as a brute-force attack. In short, attackers run through a list of every possible password to an account until they find the correct combination. By introducing more complexity to a password, you drastically increase the number of possible options for the password. Let’s walk through a demonstration using the example password “password”:

  1. If you have no requirements set, a user could simply choose the password of “password.” With eight lowercase characters, the range of possible passwords is just over 62 billion.
  2. If you set a requirement for an uppercase and lowercase letter in the password, you might end up with “Password.” The range of possible passwords is now over 30 trillion.
  3. Adding a requirement of a number to your password, you could use “Passw0rd.” The range of possible passwords is now over 118 trillion.

This demonstration highlights how password complexity can help prevent brute-force attacks; there are simply too many possibilities for an attacker to try.

Password Uniqueness

Another standard method of stealing passwords relies on the most frequently exposed passwords from other breaches. Attackers commonly sell lists of passwords exposed in earlier attacks. Many attackers will compare the most-used passwords across the available lists, then try the first several hundred options against a known username or email address. In our previous example, you would expect “password,” “Password,” and even “Passw0rd” to be amongst the most frequently used passwords found. We already established that increasing password requirements increases the range of possible passwords, which decreases the chance of selecting a common password.
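
The two principles can be enforced together at password-set time. The sketch below is an added example, not code from the original post: it applies the three complexity steps from the demonstration and then screens the candidate against a common-password list after undoing typical character swaps. The list contents, the substitution table and every function name are assumptions constructed for illustration.

```python
import re

# Constructed stand-in for a breached-password list (not real breach data).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Character swaps users commonly make to satisfy complexity rules (assumed table).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw, min_len=8):
    """Length, upper and lower case, and a digit: the post's three steps."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def normalize(pw):
    """Reduce a password to its base word before the list lookup."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())   # drop trailing digits/symbols
    return base.translate(SUBSTITUTIONS)          # undo character swaps


def is_common(pw):
    """True if the password, or its normalized base word, is on the list."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def check_password(pw):
    """Return the list of failed checks; an empty list means accepted."""
    problems = []
    if not meets_complexity(pw):
        problems.append("complexity")
    if is_common(pw):
        problems.append("common")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the three from the demonstration.
    for candidate in ["password", "Password", "Passw0rd", "Maple7Harbor-Quilt"]:
        print(candidate, check_password(candidate))
```

“Passw0rd” passes every complexity rule and is rejected only by the list lookup, which is why the uniqueness check has to run alongside the complexity rules.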

The next time you ask your user base to create an intricate password, this Cyber 101 post will hopefully help explain the reasons behind the requirements. An informed user base is an active user base, the best hope we have in recognizing and preventing cyberattacks.