I’m astonished that major data breach stories are still occurring and still generating unnerving headlines. How many of these instances do we have to read about before we finally take at least basic action to protect our customer information?
As a result of the latest attack in October, adult dating and pornography website company Friend Finder Networks exposed the private details of more than 412 million customer accounts. The hackers scooped up email addresses, passwords, browser information, IP addresses and membership statuses across multiple related websites. According to monitoring firm Leaked Source, the number of accounts compromised made this attack one of the largest data breaches ever recorded.
What basic best practices are we failing to implement to address security vulnerabilities?
Password management
Friend Finder stored customer passwords either in plain text or hashed with SHA-1. Neither method is considered secure by any stretch of the imagination.
A better practice is to store your account passwords, and perhaps all your data, using AES-256 encryption. At the AES encryption website you can experiment with the encryption and examine example source code that implements it.
AES encryption is not complicated or expensive to implement, so please take action.
Account management
The leaked Friend Finder database included the details of almost 16 million deleted accounts and mostly active accounts for Penthouse.com that had been sold to another company, according to Leaked Source.
Clearly your business processes need to include deleting sold, terminated and inactive accounts after a defined time period. This trivial and seemingly logical recommendation runs smack into our pack-rat tendencies and the paranoia that someday someone important will ask how many accounts we or our customers terminated over some prior period.
The avoidable damage to your personal and company reputation that a data breach will cause should help you overcome these tendencies and take action to only keep active data.
Not learning
In May 2015, the personal details of almost four million Friend Finder accounts were leaked by hackers. It appears that Friend Finder management took no action after the first data breach.
The dereliction of duty by the Friend Finder CIO is astonishing. I hope the CIO was fired over this data breach. Sometimes the issue isn’t a lazy CIO but that management turned down the CIO’s request for resources to reduce the risk of data breaches.
The lesson is that improving security and reducing risks to the company reputation as a consequence of a data breach is now everyone’s business. The CIO is likely the best person to lead the effort. The rest of the management team should be supportive.
Server patching
Friend Finder failed to patch its servers. This disregard makes any computing environment more susceptible to attack.
Neglecting patching can become embarrassing if it facilitates a data breach. Best practices for server patching are not complicated and are well understood. Some organizations license patching software that helps manage the process.
Staff effort is required to monitor servers and perform patching. This work should not be seen as discretionary even if the budget is under pressure.
Losing laptops
Some Friend Finder employees lost their laptops. Unfortunately, that loss or theft can happen to anyone. Laptops contain lots of information about your organization and your credentials. Most browsers include a password manager that stores user IDs and passwords for ease of login. While this feature makes life simple for the rightful owner, it also makes unauthorized access a breeze for a hacker who has illicitly acquired your laptop.
Companies should issue a security cable for every laptop that may leave the company premises. Using the cable deters theft because stealing the machine becomes a lot more complicated.
Companies should install software that phones home on every laptop. Shortly after every login, the software checks whether the laptop has been reported stolen; if so, it wipes the hard drive. LoJack is one of a number of software packages that can perform this task.
If you act on the relatively simple points described above, you’ll greatly reduce the risk of data breaches. Click here for more elaborate and expensive best practices that will reduce the risk of data breaches even more.
What is your experience with implementing improvements that reduce the risk of data breaches at your organization?