Overview of the Canadian Supply Chain Security Landscape – an Opinion

“I cannot forecast to you the action of Russia. It is a riddle wrapped in a mystery inside an enigma, but perhaps there is a key. That key is Russian national interest.” Sir Winston Churchill said this in 1939 regarding what role the Soviet Union might play in World War II. That war is over, and the cold war with the Soviet Union has seemingly transformed into an even colder war with China, and yet I find it a fitting way to begin a piece around Supply Chain Security. Of course, there are several other high risk foreign actors you can add to the list.

In this era of constant complaints around the marketing of fear, uncertainty, and doubt (FUD) in our industry, and after more than two decades of avoiding it everywhere I have worked (in favour of more common-sense approaches), I have finally found the need to market some FUD, even if only to raise attention.

For many of us with a traditional Enterprise perspective, confronting the numerous risks that emerge when attempting to establish Supply Chain security forces us out of our comfort zone. As I am currently embarked on the security evolution of a Major Capital Project, the number one concern continues to be the Confidentiality, Integrity and Availability (CIA) of the Crown’s information assets. A secondary and related goal is to ensure the Prime Contractor can apply the same tenets down the entire supply chain. Due diligence in these, and many other, segments of security/cybersecurity is noticeably absent from either a legislative, policy, or process perspective when compared to our FVEY partners. If left unsupported, this void can lead to significant security breaches in Canadian Government, Defence, and critical infrastructure.

The international complexity of supply chains, the increase in potential interferences, and emerging cybersecurity risks caused by threats and vulnerabilities of information systems, have dramatically increased the possibility that:

• Process and product quality could be compromised by inadequately monitored suppliers;
• Lower-tier suppliers could intentionally or unintentionally introduce software, firmware, or hardware in which confidentiality, integrity, and availability have been compromised;
• Supply chain disruptions could create a scramble for parts that enables poor quality or counterfeit products to enter the chain;
• High value intellectual property shared with suppliers could be misused, creating unforeseen operational, security or liability risks;
• Service suppliers, including contract manufacturers, outsourced legal and accounting, or repair and maintenance providers, could tamper with a company’s information based on tier access to its information system if the data is not adequately protected; and
• Adversaries could use vulnerabilities of different components within the supply chain to attack the company’s information systems.

Traditionally, the Return on Investment (ROI) on addressing mature assurance of your supply chain would be based on appropriate security policies, controls, and procedures that should be implemented, based on cost-effective risk approaches. This would normally result in monetary and/or productivity savings, better brand protection (vis a vis reduced risk of counterfeit, improved protection of IP, and greater risk intelligence), and a level of compliance capability based on regulatory/legal requirements being met with greater confidence at lower cost. All this would be further demonstrated by protection of shareholder value, customer satisfaction, brand protection, and boosting the bottom line.

However, we are not witnessing that level of maturity from Canadian policy or law makers.

At the time of writing this, the Canadian government agencies responsible for advising on security have been remarkably quiet regarding revelations of an explosive data breach of Texas-based Solarwinds. According to reports, hackers were able to infiltrate an email system used by federal agencies. They were also able to insert malicious code into a software update of the Solarwinds Orion product, which was subsequently downloaded by more than 18,000 customers. The scale of this breach is enormous, yet Solarwinds simply released an advisory with known mitigation steps, and the Canadian Centre for Cyber Security (CCCS) repeated it. No responsible disclosure around whether (or which) government departments may be affected, if any Canadian businesses might also face risks, if any investigative actions have been initiated into the Canadian government supply chain or other vulnerabilities, or if compromises have been enabled through the gateway opened by the SolarWinds breaches.

https://www.cnet.com/news/solarwinds-hack-officially-blamed-on-russia-what-you-need-to-know/

Why would Canada’s leading agency on cybersecurity be so quiet on the issue? One reason is, and I have been told this personally, that other policy-making departments fear that putting too much security rigour into the supply chain could hurt Canadian small to medium businesses (SMBs) by imposing additional costs. Perhaps this is why we have such a stark security policy, or dare I suggest legislative, perspective on Cybersecurity in this country. It is either that or something completely disconcerting; Canada is just not prepared or capable. Are they missing the argument that the long-term benefits of investing in security in an increasingly digital world will pay dividends vs focusing on the short-term costs of getting started? Certainly, hiding Canadian government breaches is not the long-term strategy?

The powers that be must see that we are at a crossroads. The longer they wait to address these cybersecurity challenges, the higher the risk that Canadian critical infrastructure will be targeted – with more severe outcomes than those of the past.

The federal department of Industry, Science and Economic Development (ISED) has wandered down the advisory path with the evolution of the Canadian Centre for Cyber Security “Top Ten” security actions into a body of work retooled through collaborative efforts of the Standards Council of Canada. In somewhat easy to understand language, it advises Canadians to secure the most common elements of their business and suggests an audit process to ensure you have implemented security measures correctly. Completely voluntary, it is nonetheless incomplete as it does not include the crucial elements of physical security.

Comparing the weak Top Ten advice to the mandatory Cybersecurity Maturity Model Certification (CMMC) requirements of the United States Department of Defense, that are now creeping into Canada for organizations that sell to the US Department of Defense, is like comparing apples and oranges. By way of its legislative approaches and compulsory assurance framework, the U.S. can quantify and react to the tens of billions of dollars lost through malicious software activity. Foundationally built on the National Institute of Science and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), NIST SP 800-171, other NIST guides, and Carnegie Mellon CERT documents, the CMMC consists of mature processes and cybersecurity best practices to provide structure and alignment to a set of capabilities within each security domain.

Canadian practitioners in the cybersecurity industry know full well how long law makers have been ignoring cybersecurity in this country. A simple reflection of the now 20-year-old body of legislation, standards, policy, guidance, and processes being implemented South of the border, compared to Canada’s smattering of clauses and advice with no consequences, and you will see we fall short. Although Canada can prosecute cybercrime, there is nothing in place to compel Canadian companies, other than the heavily regulated industries, to secure themselves in advance of a potentially devastating breach. Nonetheless, ISED’s work is touted as a good step here in Canada.

By establishing a cybersecurity regulatory framework for conducting business with Government, the payoff will be in increased trade and trust in Canadian products vs regulatory resources wasted on rear view prosecutions.

Why are standardized and regulated processes important? Without these instruments, Canadian businesses, and specifically those selling to the Crown, have no urgent incentive to secure themselves (and, by extension, the people whose data is contained within their databases). Those of us trying to fill those gaps at the project level are attempting to create requirements that raise the proverbial bar – only to be told such measures are too difficult or too expensive to institute, or they become watered down by authorities who do not fully understand the domain, or the depths of its risks.

The body of work to establish the regulatory framework is out there and available for public adoption. It begins with solid systems engineering discipline, established through the systems and software engineering standards of ISO 15288/12207. To properly ensure good security engineering the International Standards should be complemented with the Systems Security Engineering practices found in NIST SP 800-160 Volume 1. These can then be augmented with myriad other coordinated ISOs and NIST guidance that will put you on the path of solid supply chain security.

Starting off by using standards-based procurement instruments, such as Statements of Work and effective Data Item Descriptions (DIDs), can not only ensure that project elements are properly addressing security and cybersecurity but can also create the much-needed dynamics to evolve and fortify supply chains. It is important to reach even the most remote tiers of your supply chain, as they are the most vulnerable. All too often, procurement processes follow decades-old methods that have not evolved as an engineered system of systems and do not address the breadth and depth of your supply chain or its current challenges.

Procurement activities should focus on through-life lifecycle processes detailed in the Agreement family of ISO 15288, and security based on standards such as ISO 27036 and ISO 28000. The ISO 27036 series, Information technology – Security techniques – Information security for supplier relationships, is a multi-part standard that offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers. The context is business-to-business relationships and information-related products.

ISO 28000, the specification for security management systems for the supply chain, identifies key requirements, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact supply chain security. These aspects should be considered directly, where and when they have an impact on security management, including transport of goods along the supply chain.

Additionally, the National Institute of Science and Tech has been prolifically addressing supply chain issues through a series of guidance instruments. Notably, I have used NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations; NISTIR 8276 (Draft) Key Practices in Cyber Supply Chain Risk Management: Observations from Industry; and NISTIR 7622 Notional Supply Chain Risk Management Practices for Federal Information Systems. These standards and guides augment the baseline systems engineering lifecycle to build solid requirements for security of the supply chain. In time, they may very well lay the groundwork for the International Standards in this area.

The frameworks and expertise exist. It is hard to argue the benefits to Canadian citizens and industry. From a legislative perspective, adopting standard practices clearly outweighs the effort. And from an ethical perspective, the effort to mitigate a serious breach far outweighs the devastating, long-term damage that can come from being ill-prepared. Would you buy a vehicle to transport your family without the Transport Canada safety marks of certification?

All that remains is the recognition that it makes business sense to provide digital assurance that Canadian physical and digital products are trustworthy in the global market, and the commitment to do something about it.

Patience

Being friendly and approachable will have an impact on all qualities of a great cybersecurity consultant. It is something that Wendy Nather, from Duo Security, calls being a “master of social engineering”. Our space is unique. Not many roles work across every line of the organization like cybersecurity. You need to have patience and tact to work across diverse organizational teams. Get to know how all the pieces of the puzzle fit. Entrench yourself and lean how the organization works; that is the first order of business. I make an effort to schedule time with the leadership to learn about their pain points regarding my task. It is amazing how much you will learn in 15 minute blocks by doing this. 

 

Most importantly in all of this, you need to understand that change in any organization is not an overnight story. It takes many years to make visible and long lasting changes to a company culture. A consultant needs to consider this in their advice and deliverables. Strong, clear paths need to be set so that your client can be the nexus for the change you are proposing. Why? Because if the leader of change gives up, sure enough the rest will follow.

Ability to Align Security with Business, no, Mission Goals

Good cybersecurity consultants will help their client align their programs and projects with the mission of the organization, understand how to communicate with leadership, who after all own the risk, in ways that are culturally aware, and enable those leaders to make effective decisions.

A very important facet of being a top-notch cybersecurity resource is to remember that you can create a system so super secure it would be unbreakable and un-hackable and information could not escape. However, this system is probably going to impede mission success. After all, an organization needs information to flow. A great cybersecurity consultant will always balance between what is good security and what is good for mission success.

Businesses, above all, are about creating wealth through products and services. Public sector organizations focus around mandates and missions. It does not matter what sort of organization you are working within, but if you cannot look at the bigger picture and align their objectives to the overall goals and mission, you will be set to fail. An important factor in all of this is the culture, especially if processes need to change. Who do you engage? Who will be affected? Other people will be a part of the decision-making process and that mean you need to be approachable and friendly – there it is again.

The Dichotomy of Cybersecurity

A great Cybersecurity consultant is a highly sought after resource. Not just because there is currently a huge gap in available resources, but also because the role combines great technical skill with great management and a terrific personality. Finding someone with such all-round skills that can also fit into the organizational culture is like finding a needle in a haystack.

Certainly, anyone can appreciate why great tech and management skills are important, but in cybersecurity roles, I have found that you have to be very fluid. You have to understand the technical, as well as, the management goals. That is where your personality comes into play. Being friendly and approachable will mean getting some odd questions, but it will also mean that when something big happens, folks will not be afraid to come to you with it.

I have almost 40 years’ experience now in Intelligence and Cybersecurity roles, with the traditional long CV that goes with IT positions. The number one challenge in those roles is being able to be an interpreter. Any solid cybersecurity resource should be able to take the technical jargon and translate it into language that your leadership will understand to make the risk decisions you are looking for.

Fortunately, I have developed a risk model that will create that bridge right from the start of any initiative and have tested it on small and significantly large projects. It works and makes the perceived burden of progress reporting, begging for money to make further progress, ensuring cybersecurity goals are met and having to explain why if they haven’t that much less complicated.

With these skills, you can build trust with your leadership over time and that can turn into more honest, open and frank collaboration on future strategies, suggestions and requests. I will be back another time to write about the qualities you should want in a good cybersecurity consultant, but if you are that eager, get in touch now.

Cybersecurity Awareness Month

Remember, October is Cybersecurity Awareness month. With kids back to school it’s a great time to teach them how to deal with the negative aspects of being connected online. Parents and teachers alike share the responsibility to educate them how to be good cyber citizens. Also, don’t forget the seniors in your life; they’re even a larger target. I’m always available to answer questions or go to your location to provide education.

There’s great resources out there: https://staysafeonline.org/ncsam/about-ncsam/

 

 

Can We Talk?

Note: I published this piece several years ago. I’d certainly like to understand if anything has changed for the better in this regard.

An effective Information Sharing mechanism boils down to trust.

Like most, I have had the pleasure to meet people working the security industry across this country through number venues. Like many affiliations these days, while we only get to see each other at a conference or marketing even once in a while, we are typically connected virtually through discussion boards and close knit forums, which give us the opportunity to continue broad and specific discussions at our leisure.

Over time you get a good sense about the people you deal with on a day to day basis. Familiarity flourishes, giving you the latitude to establish trust in the people you are engaging. Trust is the foundation of any successful Information Sharing paradigm. Any effort to initiate a program for sharing information in and around Information security is doomed to failure unless it is initiated by and with people who have already established professional or personal relationships and trust each other.

There are two core facets to trust; first you have to be willing to receive and accept information and secondly you have to be prepared to share true and accurate information. This shouldn’t be too difficult in an industry that is inundated with codes of ethics, security clearances and the like. Do anything to set the precedent that you are untrustworthy and the matrix will become unraveled.

Why has it been so difficult, then, for the Government of Canada to initiate an information sharing program around Critical Infrastructure? Lack of trust.

Participants inside and outside the Government don’t trust each other. Internally, basic human instincts are dictating how people decide to engage each other interdepartmentally. A number of Government stakeholders are competing with each other with regard to the mandate. Careerism also takes its toll on the evolution. External participants will not share information due to the fact that the Department with the mandate has introduced clauses in their legislation that will not protect the proprietary information of the participants from disclosure. What kind of trust model is that? Is it unreasonable to be reticent if the security of the proprietary information of your company is subject to a simple Access to Information Request?

There are some models for this kind of collaboration that have been successful for a long time. I refer to the ITAC Cyber Security Forum, an industry-government policy roundtable that has been meeting at least quarterly since 2000. A great deal has been achieved by that group and they are a good example of thought leadership and information sharing. It is an excellent example for other likeminded groups. The collaboration that goes on around International certification providers, like that of the CISSP program at www.ISC2.org is another good example. While it’s not Canadian, the participants certainly put a Canadian identity to their contributions. Other virtual collaborative groups, such as the forum sponsored by Winnipeg’s Dan Swanson has Global reach in the Audit and Security spaces where there is no discernable cultural differentiation.

Associations like the Information Systems Security Assoc. (ISSA), Armed Forces Communications & Electronics Assoc (AFCEA), and the Federal Assoc. of Security Officials (FASO) all have the ability to drive this agenda. However due to the fact that they are regionalized and do not have the mechanisms in place to easily push a National agenda with cooperation between all the facets of Critical Infrastructure perhaps makes them ill-suited for the task.

The Crown has taken the opportunity to listen to the successes of other government bodies within the “trusted” community. They solicited advice from subject matter experts in Canada and abroad to listen and share their views on what would work best. There was discussion around the need for proper information management and categorization in the private sector, security clearances and the like that would facilitate a higher trust level.

Perhaps the truly workable solution is not one hosted or moderated by the Government. There are many public companies with the expertise and who share the Crowns concern that we need a better grasp of the security threats to Canada’s critical infrastructure. Many of these organizations are already set to participate, given they assisted the Crown stakeholders in the evolution that is Critical Infrastructure Protection in this Country. However, the Government of Canada should take a long hard look at what works. Perhaps a public/private/partnership will elicit the necessary mechanisms to make cross-sector information sharing, in the form of the US Information Sharing Analysis Centers or Infraguard possible.

It will take some investment, but anything is better than waiting another seven years for this part of a mandate to unfold.

Texting can be Dangerous to your Relationship!

We all lead busy lives. Many of us are, or have been, in relationships with partners with whom we don’t live in the same household. With that in mind, like any form of communication, texting has become a preferred means of communication. However, it can also creates problems in a relationship.

Although texting is a convenient technology and it’s usually faster and easier to send a text than to make a telephone call. It also affords some additional privacy, if you’re not in a position to make a call, depending on the subject matter of the conversation. However, you’re not getting the context of what’s going on at the other end–and that can create miscommunication.

Over the phone, you can tell how the person feels, through their tone, a pause, whether they are laughing or crying. With texting, you get none of that and it’s impossible to know how your significant other is reacting to what you’re saying on an emotional level.

Text messages can easily be misunderstood. It’s happened to me and I was astounded at how upset I got when I received a series of text and think it means something, but my partner meant something totally different.

Often fights and arguments ensue because of misinterpretation of text messages. It’s impossible to tell the difference between emotions like anger, sadness, sarcasm, sincerity within a text message. A person might be joking with their partner, and he or she interprets it as their partner being angry. Then texts or rather lengthy calls have to be exchanged to unravel the miscommunication.

The irony is that we see texting is a fast way to communicate, but when it leads to a misunderstanding in our relationships, it can take hours to undo the damage.

Another problem is while texting during an argument, continuing to text when a text message has created an argument.

In the middle of an argument, you can end up sending dozens of texts rather than doing the sensible thing and picking up the phone or meeting in person. Trying to resolve by text is easy to do, because it’s normal to be hopeful that you can clear it up in the next text, but it usually isn’t! You can end up spending hours texting back and forth when they should really just pick up the phone or meet in person.

The last thing you want to do is communicate by text in the middle of an argument. Just one bad misunderstanding coupled with intense emotions can lead to irreparable damage to a relationship.

Also, leveraging text messages to avoid conflict can also be concerning. I can appreciate that sometimes people are afraid to talk to their partner on the phone or meet in person when their partner is angry, because they think that will make things escalate, but texting often makes things worse.

The other problem with texting is expectations that a person’s significant other–or even someone they’re casually dating–will respond immediately to their text.

Now the expectation is that is that we’re supposed to be available 24-7 to our significant others, and respond immediately to their text messages. People get angry or think their partner is upset with them when a text isn’t returned promptly. ‘You didn’t respond to my text until an hour later!’ But we are not always available.

This is compounded by the unreliability of the technology, and the occasional text that doesn’t arrive until a couple hours later. There are some couples that like to stay in touch during the workday, but when there’s a delay in responding it creates conflict.

Some good advice is to not text at all unless it is a short positive message that can create bonding. Instead at some point during the day pick up the phone and say ‘hello.’ For extremely emotionally charged topics, it would probably be best to not text at all. It’s amazing how that alone can restore some stability.

I’m sure people have broken up over text messages, but it takes two to tango. If your significant other wants to text about important issues in your relationship, you can say ‘sounds important, let’s talk about it tonight, I don’t feel comfortable discussing this via text.’ Think before you text.”

Ontarians are at risk and we don’t know how!

Up to four Million of us in Ontario could have had our identities stolen and we still don’t know exactly what that data comprised. It’s about time that Departments and Ministries were held accountable by the public. Some finger pointing by Ann Cavoukian simply isn’t enough! Oh, by the way, if you live in the Ottawa South Riding, as I do, you’re impacted! The very least the Province should be doing is providing potentially impacted constituents with identity theft insurance to mitigate the risk they created!

http://www.itbusiness.ca/it/client/en/home/News.asp?id=68433

City of Ottawa Pension Breach – Poor Contracts? Say it ain’t so!

There’s been a great deal of chatter around the recent City of Ottawa pension fund data breach.

The City hired Towers Watson to conduct a fund review and, while in the process of transferring the data, unencrypted I might add, to a new computer system, they discovered the hard drive was missing from a safe.

The identifying information of approximately 800 former City of Ottawa staff, including police officers, firefighters and their beneficiaries were impacted. Not a huge disclosure for anyone who keeps up on such incidents, but significant to the 800 former City employees who had their names, birthdates, social insurance numbers and pension amounts lost.

Now while Towers Watson has done its due diligence and sent letters indicating they will compensate these pensioners with a credit monitoring service, it is seemingly stalling until September to provide an update. This event occurred in May; six full months is required to investigate?

It’s important to understand that this breach did not occur in Canada. I know, we all like to think our private information is stored, in a secure fashion, within our own borders, but that was not the case for this group of 800, or for many other Canadians either.

The hard drive in question was being stored in the Philippines.

Again, the chatter in the security community is rife with the normal discussion around contract details and clauses that protect the client from these incidents, and so on. I have seen, read, written, counter proposed and laughed at 1000’s of these contracts over the years and one thing they fail to protect us from is insider abuse.

Having a mitigation plan, or a compensatory set of clauses in the event of an incident might help the two parties (the City and Towers Watson in this case) sleep better at night, but I bet the 800 impacted pensioners aren’t sleeping so well right now. Not with the worry of identity and possibly pension theft to mull over.

Some have indicated that in this age of evolving openness, transparency and the “age of networked intelligence”, that the important aspect is the need for “accountability”.

To a certain extent, that mantra is correct, but I would suggest that the City is fully accountable. They were the ones who decided to sign off on a contract with a vendor who has let this Personally Identifiable Information go across, not only the Canadian and US borders, but to the Philippines.

What verification and due diligence was there to ensure that the resources in the Philippines were trustworthy? All this rhetoric around open Internet is one of the base causes for breaches of PII in the first place. I’ve always stood my ground on the concept of keeping the data in Country when and if you can. There is absolutely no reason why the City of Ottawa could not have found this service in Canada. If they could not, the data could have been kept in Canada.

For the sake of argument though, if they had no other choice but to go outside the country, the due diligence from a privacy and security perspective should have been commensurate with the sensitivity of the data, as should have the mitigation plan and contract details. That said, we all know how poorly the City of Ottawa writes contracts! As a CISM for a Canadian Financial Firm, I face these challenges daily and I am sick of the spun stories, clauses and promises to keep data safe, only to see a meteoric rise in breaches!

Here is a link to the US government news release yesterday announcing US participation in the Asia-Pacific Economic Council’s cross-border privacy-rules system:  http://www.commerce.gov/news/press-releases/2012/07/26/acting-us-commerce-secretary-rebecca-blank-announces-us-participation. I wonder how this stacks up against the Canada-US border deal that was the subject of news stories a few weeks ago, for example this one, titled “Border privacy pact puts personal info at risk, says privacy watchdog”:  http://www.vancouversun.com/news/Border privacy pact puts personal info risk says privacy watchdog/6863413/story.html. The immediate subject of that concern is the “Border Action Plan: Joint Statement of Privacy Principles”, as announced in a Public Safety Canada news release at: http://www.publicsafety.gc.ca/media/nr/2012/nr20120628-2-eng.aspx.

These efforts outline a set of privacy principles, which of course translate into security controls, that are intent of committing to protecting privacy and ensuring safeguards are in place. There are a dozen of them, all grand to read and give me that warm and fuzzy feeling I need to help me sleep at night.

However, the devil is in the details. While the Governments of Canada and US may consider this a step forward to helping the economic flow, here in Canada I’d suggest we get our legislative ducks in line and provide some additional oversight and prescriptive controls to ensure that Canadian infrastructure, critical or otherwise, enables itself to participate in such grand partnerships.

Then, when it comes time to prepare and review contracts, they will be solid enough for the ink. Moreover, 800 pensioners wouldn’t have to worry about their future!

Time to Change your LinkedIn Password

While LinkedIn indicates that it is still investigating,  I can attest from even more reliable sources, that anyone using LinkedIn should immediately change their password. They have suffered a breach of over 6 Million accounts. Here is my experience yesterday, where my Gmail account is noted on my LinkedIn profile, attempts were made against that account yesterday, resulting in Google forcing a password change (they monitor for account breaches). I don’t believe in coincidences, so that password was changed as well.

One particular piece of advice, NEVER use the same password for multiple accounts!!! I cannot repeat that enough, especially for cloud based services; NEVER!!

From LinkedIn, one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites. Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Remember, no matter what website you’re on, it’s important for you to make sure that you protect your account security and privacy.

Here are some account security and privacy best practices that we recommend for our members:

Changing Your Password:

• Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
• You can change your password from the LinkedIn Settings page.
• If you don’t remember your password, you can get password help by clicking on the Forgot password? link on the Sign in page.
• In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.

Creating a Strong Password:

• Variety – Don’t use the same password on all the sites you visit.
• Don’t use a word from the dictionary.
• Length – Select strong passwords that can’t easily be guessed with 10 or more characters.
• Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
• Complexity – Randomly add capital letters, punctuation or symbols.
• Substitute numbers for letters that look similar (for example, substitute “0″ for “o” or “3″ for “E”.
• Never give your password to others or write it down.

A few other account security and privacy best practices to keep in mind are:

• Sign out of your account after you use a publicly shared computer.
• Manage your account information and privacy settings from the Profile and Account sections of your Settings page.
• Keep your antivirus software up to date.
• Don’t put your email address, address or phone number in your profile’s Summary.
• Only connect to people you know and trust.
• Report any privacy issues to Customer Service.