Understanding password requirements

The Cybersecurity and Infrastructure Security Agency (CISA) just published new password requirements, and they can be counterintuitive, to say the least. Unfortunately, it doesn’t seem like they did a great job of explaining why things are changing and what the changes mean, so I’ll do so here.

For at least five years now, researchers have been showing that complexity and rotation requirements, special characters like ^%$! and rotating to new passwords every 90 days (or 30, 60, 120), are actually less secure. This is where it becomes counterintuitive and where simply announcing that we’re going to change the password requirements based on new standards falls flat. You would assume that making things more complex and changing them makes a password more secure, and you would be right in a technical sense. When you take in the overall picture, though, this breaks down. Special characters mean passwords are harder to come up with and harder to recall, and being forced to change them four times a year is a burden, especially when you consider the average user has to have passwords for 30 different things between their work and personal life. (LOOK THIS UP!) So, the average user with their average number of passwords is now making it as easy as possible to remember, and that means using the same password everywhere they can and as often as possible, only changing a character here and there. Most people in IT know that Spring2022! is pretty insecure, but it usually works within password requirement constraints. Oh, and then when it’s time to change we’ll just go ahead and make it Summer2022!. Problem solved.

So, the likelihood of a breach becomes higher because your users are now reusing their Pinterest password, bank password, and work domain password. Cybersecurity does not exist in a bubble and neither should the policies we live by. I’m sure from a technical standpoint password requirements can be created to exclude common words, dates, and whatever else we could dream up, but users will probably still write them down and lose them, email them to themselves, put them in a spreadsheet with all their other passwords in a Google Doc, or do whatever else makes it easier. They follow the path of least resistance and we need to give that to them. In the case of passwords, the path of least resistance is longer but with fewer constraints: at least 12 characters, no requirement for special characters, and no reset unless there’s some need. Tell them to use a phrase that makes sense to them. I look around my office walls for words to make into phrases.
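To make that policy concrete, here is an added example (not code from the post or from CISA) of a checker that enforces only what the post argues for: a 12-character minimum, no character-class rules, no rotation, plus a rejection of the predictable season-plus-year passwords it mentions. The common-password list and all sample inputs are constructed for illustration; a real deployment would check against a breached-password corpus instead.

```python
import re

# Minimum length is the only composition rule; special characters are allowed but never required.
MIN_LENGTH = 12

# Constructed stand-in for a breached/common password list (use a real corpus in production).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome"}

# Matches the "Spring2022!" / "summer-2023" family: season, optional separator, 4-digit year,
# optional trailing punctuation.
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)[-_ ]?(19|20)\d{2}[!@#$%^&*.?]*$", re.IGNORECASE
)

# Same idea for month names: "January2022!", "oct_2021".
MONTH_YEAR = re.compile(
    r"^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*[-_ ]?(19|20)\d{2}[!@#$%^&*.?]*$",
    re.IGNORECASE,
)


def check_password(candidate: str) -> list:
    """Return the reasons a candidate fails the policy; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip trailing digits/punctuation before the blocklist lookup so "Password1!" is still caught.
    core = re.sub(r"[\d\W_]+$", "", candidate).lower()
    if core in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if SEASON_YEAR.match(candidate) or MONTH_YEAR.match(candidate):
        problems.append("season/month plus year pattern")
    return problems


if __name__ == "__main__":
    # Constructed samples: the post's seasonal examples versus a phrase built from office-wall words.
    for sample in ("Spring2022!", "Summer2022!", "Password1!", "whiteboard calendar coffee plant"):
        verdict = check_password(sample)
        print(f"{sample!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```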

Fiscally speaking, you aren’t going to have as many calls coming into your IT help desk or lone IT person for help with a password. If you can cut down on workload you can keep from having to add staff, or be able to concentrate on projects and priorities that matter to the organization more than helping someone reset their password four times after they reset it because they can’t recall it or wrote it down incorrectly (once again, writing it down!).

History of my home lab

Putting together a history for two reasons: 1) I’m giving a talk on Wednesday and 2) it’s fun.

My home lab traces back to my first MacBook in 2008. I wanted to run Windows, for reasons I can’t recall but that were probably just, “I can’t”. A friend down the hall in my dorm did IT support for the college and gave me a key for VMware Fusion. I never got Windows installed, but did get Ubuntu and Fedora installed. I was slightly familiar with GNU/Linux before and had even tinkered a little bit, but having a virtual machine on my laptop was next level.

Fast forward almost ten years and I’m working in technical support, wanting to push my skills past a help desk into the world of cybersecurity. Someone gave me a list of tools to learn and off I went. I spun up virtual machines on my gaming desktop to learn tools, and then learned the fundamentals and more. Slightly backward, but hey, I’m getting there. Someday I’ll figure out how these computer things really work.

Today that gaming PC is just a sticker-laden shell of what it was. The case is there, but that may be it. It’s now a Frankenstein of server parts: an AMD Opteron 16-core server processor, 32GB of ECC RAM, a hodgepodge of hard drives, a cool server motherboard with IPMI, and four NICs. That’s just the big server. I have some Raspberry Pis, an Nvidia Jetson Nano board for AI development, laptops, small computers, and a full stack of Cisco Meraki networking gear.

What’s it doing lately? I host Plex on my NAS because I constantly blow away my hypervisor for some reason. The biggest benefit is that the NAS draws less power, I assume. Plus, it’s always going to be on anyway. The big server is mostly used for testing these days. I’m running Nextcloud on a small computer with an Ubuntu Server image. Another small computer is hosting the Security Onion stack as a SIEM.

Home lab resources

Giving a presentation on getting your feet wet in home labs, so put together a list of resources. Feel free to add to it!

Reddit.com/r/homelab is a great place for help, reassurance, community, and pretty pictures.

Check out this post for newcomers: https://www.reddit.com/r/homelab/comments/5gz4yp/stumbled_into_rhomelab_start_here/

They also have a wiki: https://www.reddit.com/r/homelab/wiki/index

https://www.reddit.com/r/selfhosted/ is also a good place to get inspiration/ideas.

Hypervisor (This is where your lab systems go to live and you go to play!)

VirtualBox. Great for your laptop or desktop and can easily spin things up.

https://www.virtualbox.org/

VMware. The de facto standard I’ve seen in business is vSphere ESXi. They also have workstation products like Fusion for Mac and Workstation for PC. Some items are free and ESXi is a solid type 1 hypervisor for home use. I’d start with this for a dedicated box!

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.install.doc/GUID-016E39C1-E8DB-486A-A235-55CAB242C351.html

Proxmox. An open source hypervisor built on Debian (Ubuntu’s parent). It adds its own management layers on top of Linux KVM. A solid choice for a homelab and really popular with r/homelab folks. I’m currently using this.

Straight KVM. Cowboy up!

System and software images:

Windows 10 dev environment, which is great for testing and playing around with. 90-day license.

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Windows servers. Server 2019 trial. Hyper-V is free for perpetual use.

https://www.microsoft.com/en-US/evalcenter/evaluate-windows-server-2019?filetype=ISO

Want to hop Linux distros and play with either the most popular or strangest variants of GNU/Linux?

https://distrowatch.com/

Ubuntu

I recommend the most current LTS (long-term support) version.

https://ubuntu.com/download/server

https://ubuntu.com/download/desktop

I would go with Ubuntu if you want to learn Linux or play with Linux. You will be told there are easier-to-set-up distros, and there are, but nothing is as popular, which means you can always find an answer. You’ll be compiling your own kernel and pointing out that distributions are for amateurs in no time. (No time being a relative and subjective term; my no time = 10 years.)

CentOS is a good alternative for servers. It is the latest upstream (or downstream? I don’t remember; it’s just slightly more bleeding edge) of Red Hat, which has been the default enterprise Linux I’ve seen in the United States. It really does not matter; I thought at some point I should learn CentOS instead of Ubuntu or whatever else, but under the hood, it’s about all the same.

Networking:

Whatever you’ve got! Really, do not worry too much about it for now.

Ubiquiti gear is great if you want to spend money. Works great for home and business. Lots of dashboards and easy to use.

pfSense. This is when you want to start getting into the weeds. It’s easy to set and forget, but if you want to start tinkering you can go all out.

Cisco? Chances are high the company you work for uses Cisco. You can usually get gear super cheap for your lab on Craigslist. Or eBay. Anything less than 10 years old should be okay.

Buying stuff

eBay.com

Craigslist.org

Facebook Marketplace

Goodwill

Tech recycling places (in GR we have CompRenew and it’s like a nerd vacation for me every time I go.)

https://www.reddit.com/r/hardwareswap/

Watch out for things that may require a license. A lot of things work without licensing, but all the fancy bells and whistles get turned off.

Setting up remote workers

What’s needed to get companies up and running remotely so employees can work from home.

Need people to work from home? Probably. These tips are especially useful to key decision-makers and will help get people up and running quickly. Silicon Valley has an obsession with something called the “Minimum Viable Product,” and that will be your goal here. You don’t need to wait on everything being perfect to get value, and you can really start having people work from home with a few things.

  1. A computer. Their computer, your computer, whatever. Don’t wait on Amazon to have a good sale on laptops, just get your people out the door. Their computer is going to be a little more anxiety-inducing than sending a computer home from the office, but it will be okay. There are a few ways to mitigate that anxiety we’ll get to.
  2. The internet. Obviously.
  3. Email. Make sure they can remotely access email. If you use Google or Microsoft Office 365 you are already set. If you use an on-prem email system it may take a little bit of work, but not much.
  4. Instant Messenger +. Microsoft Teams is awesome and currently free. If you have Office 365, definitely use Teams. You can also use Slack, which is pretty slick and free (there are some paid items you can research later if you want them, but no need right away). These applications keep email inboxes from being clogged and allow more streamlined and collaborative communication. I call it an instant messenger + because they do so much more than just messages.
  5. Multifactor authentication. Set this up where you can on your applications. It will really help with security. On the useful-easy to implement curve, it’s about the highest thing.

Those are the basics. If you can do them, send everyone home right now; it will be fine. At some point, you may want the following if you need access to files on computers or servers, payroll databases, etc.

  1. VPN or Virtual Private Network. It’s a fancy tunnel into your company’s network and is great for remote workers needing to access on-premises items. If you have a business firewall, you probably have one already and it just needs to be set up. A small warning with firewall VPNs is that they slow down and cause bottlenecks a lot quicker than a dedicated VPN server. If you have over 50 people or start noticing a slowdown on your network, I would recommend going with something like WatchGuard, OpenVPN, or Cisco AnyConnect. You can also set it up to split the tunnel between items required to be on the business network and those that aren’t, such as Spotify.
  2. Remote Desktop Services. Set up correctly, this will help those folks using their own computers be a little more secure on your network. It creates a session to a Windows desktop in your network and allows employees to work as if they were in the office. If you have a Microsoft Windows environment, it’s not too difficult to set this up and provide direction to your employees. I prefer the ease of a VPN, but if your employees are using their own computers, this may be a better choice for you.
  3. Softphones. This is the coolest piece of technology to me. Either your IT department or phone vendor can probably set this up. Employees download a fancy little application on their computer or cell phone and now have access to the phone that sits on their desk.

I look forward to seeing what other types of advice people have. This is by no means written in stone by me and so many people have been studying and implementing these things for years.

If you have any questions or would like some help setting up, don’t hesitate to reach out. I can be reached via email at contact@benstitt.com or called at (616) 552-9759.