You may have read recently about Dyre, the latest piece of malware that is circling the internet and that monitors victims’ browser traffic in an effort to steal login credentials. Although there is no evidence that any Salesforce users have been affected by this malware, it is important to take threats like Dyre seriously and remain vigilant. And as with its internet bad guy predecessors ILOVEYOU and Heartbleed, Dyre can be easily thwarted by taking a couple of extra security measures.
Salesforce has always been among the best in the business when it comes to internet security, but perhaps the discovery of Dyre is a good opportunity to run through a few security best practices that we, along with Salesforce, recommend you review and implement.
We recommend rotating passwords and enforcing character minimums and complexity requirements. AIM users can make passwords more secure and harder to break by requiring complex passwords, setting password expirations, and enabling lockouts.
To set password policies, click:
Setup > Security Controls > Password Policies
To force users to reset their passwords, click:
Setup > Security Controls > Expire All Passwords
SMS Identity Confirmation
The ability to access your portfolio management software from anywhere is one of the major benefits of being on the Salesforce.com platform. Risks are mitigated by requiring identity verification when users log in from a new location. This has historically been in the form of an email, but a new SMS-based confirmation is currently being rolled out as the default option. You may be prompted to enter your mobile phone number when logging in. We recommend you do this.
Update Session Settings
We recommend you take these two steps under session settings:
- Require secure sessions to protect messages in transit.
- Decrease session timeout thresholds to protect against unauthorized access when a session is idle.
To update your settings go here:
Setup > Security Controls > Session Settings
Identify a Primary Security Contact
Inform your users about the security policies and why they are important. Designate an administrator as the point of contact if anyone has questions or concerns. For example, if someone receives a verification request that they didn’t trigger, it will be important to have the internal feedback loop in place so that login history can be immediately reviewed for suspicious activity.
Login history can be reviewed here:
Setup > Manage Users > Login History
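The review described above can be partly automated once the Login History page has been exported. The script below is an added example, not Altvia's or Salesforce's own code: it reads a constructed sample shaped like a Login History CSV export (the column names are assumed and may differ from a real export) and flags two things a security contact would want to follow up on, a burst of failed logins for one user within a short window, and a successful login from a source IP that user has not used earlier in the export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of a Login History CSV export.
# Column names are an assumption; the usernames and IPs are documentation
# ranges, not real data. The last four alice rows model a credential-stuffing
# pattern: three password failures from an unfamiliar IP, then a success.
SAMPLE_LOGIN_HISTORY = """\
Username,Login Time,Source IP,Login Type,Status,Browser,Platform
alice@example.com,2014-10-20 08:02:11,203.0.113.10,Application,Success,Chrome 38,Windows 7
alice@example.com,2014-10-20 13:15:42,203.0.113.10,Application,Success,Chrome 38,Windows 7
bob@example.com,2014-10-20 09:30:05,198.51.100.7,Application,Success,Firefox 33,Mac OSX
alice@example.com,2014-10-21 03:41:09,192.0.2.55,Application,Failed: Invalid Password,Chrome 38,Windows 7
alice@example.com,2014-10-21 03:41:30,192.0.2.55,Application,Failed: Invalid Password,Chrome 38,Windows 7
alice@example.com,2014-10-21 03:42:02,192.0.2.55,Application,Failed: Invalid Password,Chrome 38,Windows 7
alice@example.com,2014-10-21 03:42:40,192.0.2.55,Application,Success,Chrome 38,Windows 7
bob@example.com,2014-10-21 09:28:50,198.51.100.7,Application,Success,Firefox 33,Mac OSX
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_login_history(text):
    """Parse the export into dicts (user, when, ip, status), oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["Username"],
            "when": datetime.strptime(row["Login Time"], TIME_FORMAT),
            "ip": row["Source IP"],
            "status": row["Status"],
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def find_suspicious(rows, max_failures=3, window=timedelta(minutes=10)):
    """Return (kind, user, ip, when) findings.

    kind is "failed_burst" when a user accumulates max_failures failed
    logins inside the sliding window, or "new_ip" when a user succeeds
    from a source IP not seen for that user earlier in the export. The
    first successful login per user only establishes the baseline.
    """
    findings = []
    seen_ips = defaultdict(set)        # user -> IPs with a prior success
    recent_failures = defaultdict(list)  # user -> failure times in window
    for r in rows:
        user = r["user"]
        if r["status"] == "Success":
            if r["ip"] not in seen_ips[user]:
                if seen_ips[user]:  # baseline already exists for this user
                    findings.append(("new_ip", user, r["ip"], r["when"]))
                seen_ips[user].add(r["ip"])
        else:
            fails = recent_failures[user]
            fails.append(r["when"])
            # Drop failures that have fallen out of the sliding window.
            fails = [t for t in fails if r["when"] - t <= window]
            recent_failures[user] = fails
            if len(fails) >= max_failures:
                findings.append(("failed_burst", user, r["ip"], r["when"]))
                recent_failures[user] = []  # report each burst once
    return findings


if __name__ == "__main__":
    for kind, user, ip, when in find_suspicious(parse_login_history(SAMPLE_LOGIN_HISTORY)):
        print(f"{when}  {kind:13}  {user} from {ip}")
```

Both findings point at the same user and IP within a minute of each other, which is exactly the case where the internal feedback loop matters: the user who receives an unexpected verification request reports it, and the administrator can confirm from the export that the successful login came right after a run of failures. Real exports are larger and the thresholds (three failures in ten minutes) are a starting point to tune against normal activity.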
Use the Salesforce1 app
Salesforce’s mobile app, Salesforce1, provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
And finally, here are some unofficial, common-sense security best practices that we recommend and that will benefit you throughout your digital life:
- don’t open unexpected files from emails
- never send login credentials through email or via text message
- don’t use ancient and unsupported software
- install updates from your OS and browser vendors
- don’t insert USB drives you find on the sidewalk
- don’t leave your computer unlocked in a coffee shop while you walk away to refill your latte
- don’t give remote access to random people from Lagos who call and say they work for Microsoft
- don’t ignore warnings from your browser
If you’d like to review your current security preferences or if you have questions, please contact Altvia support.