
Top lessons learned from recent high profile hacks

Organizations we assume have all their ducks in a row when it comes to network security often don't. These six incidents, and the lessons to be learned from them, are examples of why it's so important to take security seriously.

A common thread among high profile hacking incidents: Organizations we assume have all their ducks in a row when it comes to network security often don't. Government agencies, cloud service providers and banks have all suffered embarrassing data breaches in recent months despite the fact that there are proven strategies for preventing them. The following six incidents, and the lessons to be learned from them, are examples of why it's so important to take security seriously:

Lesson #1: Force users to change passwords regularly

Unfortunately, far too many companies play with fire when it comes to protecting sensitive corporate data. Case in point: Dropbox, the popular cloud storage service. In August, the company disclosed that a password stolen from another site was used to access an employee's account that contained an internal document with user email addresses. Even though the users whose email addresses were stolen did not suffer any financial losses, they did have their inboxes flooded with spam advertising gambling websites.

One important takeaway from this incident (among many) is that users should be forced to change their passwords regularly to lessen the chance of someone gaining unauthorized access to your corporate network if a user's log-in credentials happen to be stolen.

Lesson #2: Hash and salt passwords

Using basic encryption techniques to protect users' passwords is ineffective against determined hackers, as LinkedIn found out this summer.

In June, hackers stole six million LinkedIn passwords and posted them to a Russian website to get help cracking them. The passwords were encrypted at the most basic level, making it relatively easy for the hackers to figure them out in a matter of days.

Security 101: Hash, salt, and hash again - then store the account credentials on a secure web server that sits in its own isolated segment of your network to insulate it from attacks.
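As an added illustration of the "hash and salt" lesson (this is example code, not from the article or from any of the companies it names): an unsalted single hash makes every user who picked the same password produce the same stored value, so cracking one digest unlocks all of them, whereas a per-user random salt with an iterated hash such as PBKDF2-HMAC-SHA256 removes that shortcut. The iteration count and the record format are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed example, not the article's code. It contrasts an unsalted
# single hash with a per-user random salt plus a slow, iterated hash.

ITERATIONS = 600_000  # assumption: tune so one verify costs ~100 ms on your hardware


def weak_hash(password: str) -> str:
    """Unsalted single SHA-1: equal passwords give equal digests, so one
    cracked digest (or one lookup table) unlocks every matching account."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt is drawn unless one is supplied (for tests)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so the check does not leak timing information."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(records: List[str]) -> bool:
    """True if two stored records are identical, i.e. an attacker holding the
    database can see that those users share a password without cracking it."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    users = ["alice", "bob"]  # constructed sample accounts with one shared password
    weak = [weak_hash("Winter2012") for _ in users]
    strong = [hash_password("Winter2012") for _ in users]
    print("unsalted sha1 reveals shared password:", shared_password_visible(weak))
    print("salted pbkdf2 reveals shared password:", shared_password_visible(strong))
    print("verify correct password:", verify_password("Winter2012", strong[0]))
    print("verify wrong password:", verify_password("winter2012", strong[0]))
```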

Lesson #3: Back up encryption keys

Recurly provides subscription billing services, credit card storage and related services to companies that do business over the Internet. At the beginning of September, its primary encryption device failed. The problem then cascaded to the backup slave device. In the process, the encryption keys protecting the credit cards used to process subscriptions were corrupted.

Recurly's mistake? It failed to back up the encryption keys needed to access the billing info.

After the hardware failure, engineers couldn't access the billing info to process payments because the encryption keys were either wiped out entirely or corrupted. And since there were no backups available, the process of restoring the service that processes the recurring payments was slow and painful.

Lesson #4: Verify security procedures of business partners/3rd parties

This past summer, a group of hackers stole the email addresses and passwords of more than 450,000 Yahoo account holders. The breach affected users of Yahoo Voices, formerly known as Associated Content, a service that allows people to upload blog posts, videos and other content. The hackers exploited a SQL injection vulnerability to access a text file that listed the account information.

The file, however, was old and only contained information from users who joined Associated Content prior to May 2010, when the service was acquired by Yahoo. Given the age of the data compromised, it appears the breach was carried out by exploiting a left-over vulnerability. That doesn't mean Yahoo is off the hook though - businesses should always make sure they verify the security of the third-party organizations they partner with.

Lesson #5: Train users in types of social engineering attacks

Nowadays most users know not to click on suspicious links in emails from an address they don't recognize, but cybercriminals still find ways to dupe people into clicking by making email look like it's from a legitimate source.

Hackers used such "phishing" emails to steal the log-in credentials of employees at Maine-based construction company Patco. Cybercriminals used the stolen credentials to gain access to the company's bank account and managed to transfer $600,000 before the breach was discovered. The bank was able to block some of the transactions ($243,000 worth) but Patco ultimately lost $345,000.

Since more breaches are caused by unwitting employees than cybercriminals, according to research firm Forrester, it's vitally important to train users to recognize social engineering attempts like phishing emails.

Lesson #6: Institute strict change management policies

In March, cybercriminals accessed a server at the Utah Department of Technology Services (DTS) that contained data for the state's Medicaid program. Around 780,000 records were compromised in all; officials estimated 280,000 Social Security numbers may have been compromised and the names and birth dates of around 500,000 others may have been accessed by hackers.

As it turns out, a few mistakes were made when the server was upgraded that left a door wide open for the hackers who walked right in. One, the default factory passwords weren't changed; two, the data stolen wasn't kept behind a firewall as the server was being upgraded; and three, old, unencrypted data that should've been deleted was left on the server.

This incident highlights the importance of instituting strict change management policies. Many breaches occur because companies configure systems properly, but fail to make sure those settings are carried over when a machine is upgraded or another change is made. Also, it's a good idea to conduct regular security audits to make sure devices are configured properly and to identify data that's no longer needed and get rid of it.

About the Author: Megan Berry is a Senior Tech Editor with Progressive Business Publications providing in-depth coverage of topics such as virtualization, cloud computing, IT security and green IT, among others.
6 comments
KindredRanger

Some of these top lessons are the same old song and dance. We need to remember that the best practice is a layered defense. You need to secure and encrypt the data and encrypt access to the data. If the data is secured from access and encrypted, it makes it a lot harder for a hacker to figure out how to get the data, unencrypt it and not get caught in the process. So many systems now are capable of software-based and hardware-based encryption. Protecting the data should always be priority #1. If you value it, it should be protected, and passwords are not protection.

Deadly Ernest

it the cost and trouble involved as against the benefit received for it. Few systems warrant such a cost.

Snak

This will continue to be the case until a better alternative than passwords is available. And by available, I mean 'in common use'. A mouse that 'recognises' the hand upon it, a keyboard (or Touch Screen) that recognises fingerprints etc. Even a webcam that can recognise a face/eyes. It can't be technologically difficult can it?

Dyalect

Frequent changes are all well and good, until people write down the passwords. Or store them in a text file on the desktop.

kelskye

With each site implementing this same policy, it becomes a nightmare for anyone to keep track of all the passwords and which is used on what site. It may be good security practice for any given site, but combined it creates an entirely new problem.
