- Don’t keep what you don’t need. Most businesses hang on to too much data for too long. And it’s often data that they don’t need. Or worse, didn’t realize they even had. So do a spring-cleaning. Do an inventory of all your data and everywhere you keep it. Identify what you don’t need, then get rid of it forever. And not by simply hitting the Delete key, but overwriting it to military standards or shredding it. When it comes to data breaches, you can’t lose what you don’t have.
- What you do keep, know where it is. So many data breaches result from data being in the wrong place at the wrong time. Like highly sensitive customer or employee information being carried around town or across the world on an unprotected laptop. As part of your inventory you need to know where your data is at all times so that you can protect it at all times. That means checking servers, desktops, laptops, websites, tablets, phones, removable storage, filing cabinets, storage lockers, warehouses, third parties and anywhere else it might be hiding.
- Classify your information. Not all information is created equal. And understanding that you can’t protect all data all the time, you have to focus on the stuff that’s worth protecting. That’s where data classification comes in. There are a number of different ways to classify data, but they’re usually a series of three to five categories of importance – from top secret to simply private and confidential. By assigning a security classification to your data, you make it easier for employees to instantly understand how they need to handle that data.
- Encrypt. Most U.S. state breach-notification laws exempt data that was encrypted, as long as the encryption key was not exposed along with it. That's how effective encryption is at making stolen data useless to hackers, and it's also why keeping the keys separate from the data matters as much as the encryption itself. Encryption is getting much easier to implement and afford, and it isn't just for credit cards and online transactions. In any business you can encrypt files, folders, hard drives, texts, phone calls and emails, photos and videos, and just about any kind of data.
- Comply with PCI DSS. The card brands have set a solid baseline for protecting cardholder data, which is why PCI DSS compliance is a good starting point. It's not perfect and not a guarantee, but you should never be without it.
- Lock down your website. Many of today’s breaches start with the exploitation of poorly protected and patched websites. Which is really a shame because it’s so easy to protect your website. Make sure you’re using some kind of web scanning or monitoring service that will find and fix security holes before hackers do.
- Turn every employee into a data sentry. Technology only goes so far when it comes to preventing data breaches. People fill that gap, and the most important people are your employees. Every employee needs to understand the value of data, the risks of breaches, and how their choices can make all the difference.
- Try not to move it. If you know where your data is and you don’t plan to move it any time soon, then it’s very easy to lock it in place. But data is at its most vulnerable when it’s on the move – like stored on a traveling laptop or phone, sent on tape to a third party like a payroll processor, or even being emailed between employees.
- Don’t forget paper records. It’s estimated that one in every five data breaches involves paper records. That means documents stolen from a briefcase or in a burglary, dumped without shredding, or simply mislaid. So as part of your inventory you need to go through the piles of information in every office, pick what you have no more need for, and shred it.
- Use layers of security. While antivirus software is important, it’s not enough. While website security is essential, it’s not enough. While good passwords are a must, still not enough. Hackers after your data are relying on the fact that you might be relying on just one or two layers of security between them and your data. Good security is about creating multiple security perimeters that convince hackers that you’re just not worth their time and energy.
Tag: Hacker (Page 1 of 2)
Seems like just about everyone thought that the massive Target data breach earlier this year would be the biggest for a while. Yet only a matter of weeks later, eBay announced a data breach that was even bigger.
Now we’re learning of a hacker haul that makes those earlier breaches look like chump change. Security researchers in Milwaukee revealed that they’ve been monitoring a hacking gang operating from a small Russian town, and found the gang had managed to amass a database of more than 1.5 billion stolen credentials.
Here’s just a sample of what the investigators learned about the hackers, and the implications of their haul:
“There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.” Those were the words of a highly successful venture capitalist behind some of the most successful cybersecurity companies. And while the chances of being a victim of a security breach are very high, it’s not a foregone conclusion. There are steps every business should take in order to avoid falling victim, or at the very least limit the damage.
- Plug Your Holes. So many attacks on businesses are exploits of holes the hackers found before you did. And probably because they were looking for the holes while you weren’t. For most businesses, most of those holes are in their websites, and mainly caused by either poor security configuration or a failure to update programs and third-party plugins.
- Monitor Your Website. You can bet that even if you’re not monitoring your website, hackers are. And all the time just waiting for you or an employee to make a single simple mistake. Services like SiteLock monitor your site just like the hackers do, sniffing out vulnerabilities and weaknesses and helping you plug them before they can be used by hackers as a backdoor into your website.
- Guard Your Passwords. I know, that message is getting old. But for all the warnings about passwords, many businesses and their employees are still not getting the message. Even bigger companies may not be. The recent massive security breach at eBay that exposed more than 130 million customer accounts may have all started with the exploit of weak employee passwords. So to repeat: strong, unique, random passwords everywhere, never reused between accounts, changed often, and guarded closely.
- Control Access. Hackers are never supposed to be in your networks, website, or data. But neither are some employees. Yet many businesses allow their employees to access all kinds of sensitive resources that they have no reason to access. By restricting access to key assets, like your website, you minimize the risk of a careless employee handing over the keys to a hacker.
- Mind Who You Hire. That’s not just a warning about how you screen your employees, but also making sure they’re the kind of people most likely to follow your security rules, understand their role in protecting their workplace, and not engage in behavior that can put your business at risk.
- Drill your employees. I’ve said it before but I’ll keep repeating. Your employees can be your best defense or your greatest vulnerability. It all comes down to how security aware and vigilant they are, and that all comes down to how seriously you take their role. Train, remind, test. Train, remind, test. Rinse and repeat.
- Be Selective With Plugins. One of the great things about developing a website today is that you don’t have to develop much. There are thousands of developers who offer great tools at affordable prices that can be plugged in and running in a matter of minutes. But that comes with a downside, if those plugins are not free from major vulnerabilities. Like the recent case of the SEO plugin for WordPress that is used by millions of businesses and was recently found to have a major security hole.
- Mind Your Mobile. Mobile devices have become the bane of many businesses, particularly as employees use them for both personal and business tasks. The theft of a smartphone or tablet, or an employee who downloads malware to one of those devices, can expose valuable business information or create a backdoor for hackers.
- Think like a hacker. Who would want to breach your business and what would they zero in on? Keep asking yourself that question. Look at your website like a hacker would. Look at your employees and their behavior, your email, the way you protect your information and what kind of information it is. The view from beyond the wall is always different than from your side.
- Be Paranoid About Malware. New malware is now appearing at the rate of 160,000 different varieties every single day. If that pace continues, by the end of this year there could be more than 50 million varieties of malware. To add to the hundreds of millions already out there. Most malware consists of smart and dangerous Trojans that get smarter every day. If you’re not paranoid about avoiding malware, chances are lots of it will slip past.
If tackling website security sometimes feels overwhelming, we get it. You already have a full-time job. Some things need to be done by you (password policies, hiring practices, etc). But much of the heavy security lifting (malware detection and removal, vulnerability scanning, and threat blocking) can be left to SiteLock. Because protecting your website is our full-time job.
It’s not often we get a chance to attend a security breach postmortem — a step-by-step, hack-by-hack, mistake-by-mistake account of what went so horribly wrong. The U.S. Commerce Department recently gave us such a chance with their report into all the mistakes Target made, and which could have avoided, in its recent massive data breach.
The report provides what’s referred to as an “intrusion kill chain” that highlights all the places Target had a chance to spot the breach and stop it. But missed. For example:
- The hackers were able to identify a potential Target vendor or supplier to exploit because Target made such a list publicly available. That was the starting point for the hackers.
- The vendor targeted had very little security in place. The only malware defense they appeared to have used to protect their business was free software meant for personal and not business use.
- The vendor’s employees had received little if any security awareness training, and especially on how to spot a phishing email. So the hackers used a phishing email to trick at least one of those employees into letting them in the back door.
- Once in the vendor’s systems, the hackers could use the stolen vendor passwords with no further challenge, because Target did not require two-factor authentication for low-level vendors.
- The hackers are suspected of gaining further access from the vendor by using a default password in the billing software the vendor used. If the default password had been changed, the attack might have stopped right there.
- There were few controls in place to limit access the vendor had on the Target network. Once the vendor had been compromised, Target’s entire networks were exposed.
- When the hackers installed their Point of Sale malware on Target’s networks and began testing the malware, that activity was detected by Target’s security systems but the alarms were simply ignored.
- When the hackers created an escape route and began moving the stolen data off Target’s networks, that activity triggered alarms too but once again, the alarms were ignored.
- Some of the data was moved to a server in Russia, an obvious red flag for Target security which once again was missed.
- The login credentials of the vendor were used throughout the attack, yet Target’s security system wasn’t able to detect that those credentials were being used to perform tasks they weren’t approved for.
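Two of the missed signals above, a vendor credential doing things it was never approved for and a bulk transfer leaving the network for a server abroad, are exactly the kind of thing a few lines of policy logic over access and egress logs can catch. The following is an added example written for this page, not code from SiteLock, Target or the Commerce Department report; the event fields, the vendor scope policy, the country and size thresholds, and every log line are constructed for illustration.

```python
# Added example (not SiteLock's or Target's code): flag vendor credentials used
# outside their approved scope, and bulk egress to an unexpected country.
# All names, field layouts, thresholds and log lines are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: str
    dst: str
    action: str
    dst_country: str = "US"   # country of dst, a hypothetical enrichment field
    bytes_out: int = 0        # bytes sent to dst; only meaningful for "egress"


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    user: str
    detail: str


# Hypothetical least-privilege policy: a vendor account is approved only for
# the hosts and actions listed here. Anything else is an alert, not a guess.
VENDOR_SCOPE: Dict[str, Dict[str, Set[str]]] = {
    "vendor-hvac": {
        "hosts": {"billing-portal"},
        "actions": {"login", "submit_invoice"},
    },
}

ALLOWED_EGRESS_COUNTRIES: Set[str] = {"US"}
LARGE_EGRESS_BYTES = 50 * 1024 * 1024  # hypothetical threshold, 50 MiB


def check_events(events: List[Event]) -> List[Alert]:
    """Return one Alert per policy violation, in event order."""
    alerts: List[Alert] = []
    for e in events:
        scope = VENDOR_SCOPE.get(e.user)
        if scope is not None:
            # A vendor credential touching a host outside its scope is the
            # strongest signal; report that before looking at the action.
            if e.dst not in scope["hosts"]:
                alerts.append(Alert("VENDOR_OUT_OF_SCOPE_HOST", e.ts, e.user,
                                    f"{e.action} on {e.dst}"))
            elif e.action not in scope["actions"]:
                alerts.append(Alert("VENDOR_OUT_OF_SCOPE_ACTION", e.ts, e.user,
                                    f"{e.action} on {e.dst}"))
        if e.action == "egress":
            if e.dst_country not in ALLOWED_EGRESS_COUNTRIES:
                alerts.append(Alert("EGRESS_UNEXPECTED_COUNTRY", e.ts, e.user,
                                    f"{e.bytes_out} bytes to {e.dst} ({e.dst_country})"))
            if e.bytes_out >= LARGE_EGRESS_BYTES:
                alerts.append(Alert("EGRESS_LARGE_TRANSFER", e.ts, e.user,
                                    f"{e.bytes_out} bytes to {e.dst}"))
    return alerts


# Constructed sample: two legitimate vendor actions, then the pattern from the
# report, the vendor credential reaching a POS-management host and pushing
# software, followed by a bulk transfer to a server abroad.
SAMPLE_EVENTS: List[Event] = [
    Event("2013-11-15T09:02:11Z", "vendor-hvac", "10.20.0.7", "billing-portal", "login"),
    Event("2013-11-15T09:03:40Z", "vendor-hvac", "10.20.0.7", "billing-portal", "submit_invoice"),
    Event("2013-11-27T02:14:05Z", "vendor-hvac", "10.20.0.7", "pos-mgmt-01", "login"),
    Event("2013-11-27T02:15:22Z", "vendor-hvac", "10.20.0.7", "billing-portal", "deploy_software"),
    Event("2013-12-02T03:41:00Z", "svc-backup", "10.30.1.9", "203.0.113.5", "egress",
          dst_country="RU", bytes_out=120 * 1024 * 1024),
]


def run_sample() -> List[Alert]:
    return check_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.kind, a.ts, a.user, a.detail)
```

Run against the constructed sample it raises four alerts: the vendor login on the POS-management host, the software deployment the vendor was never approved to perform, and two for the 120 MiB transfer to the Russian address. The point is not the thresholds, which any real deployment would tune, but that the scope of a third-party account has to be written down somewhere a detection rule can read it; otherwise the system has no way to know the credential is being used for something it was never approved for.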
We keep saying that every business large and small has important lessons to learn from Target. Don’t waste the opportunity. Double-check your own security and see if there are any obvious gaps you haven’t spotted but need to be sealed.
Speaking in a recent interview on CBS’ 60 Minutes, Tim Sparapani, a former privacy lawyer for the American Civil Liberties Union, commented “Most retailers are finding out that they have a secondary source of income, which is that the data about their customers is probably just about as valuable, maybe even more so, than the actual product or service that they’re selling to the individual.”
It was a chilling admission that the world has changed in ways most of us never expected, and that there may be more value in information about people than in selling goods and services to those people. Or stealing from them.
- You’re too small to be of interest to them. Let’s face it, it’s the most common excuse made by business owners. It seems preposterous to them that of the tens of millions of businesses around the world, many of them very lucrative, busy hackers would have time for them. What they don’t realize is that cybercrime has become automated and the hackers have sophisticated tools that will scour the internet looking for unprotected websites and poorly protected or unpatched computers and networks.
- You have nothing worth stealing. “I don’t take credit cards,” or “It’s all handled by a third-party processor” are common responses, and based on the belief that hackers are only after credit cards. All data, any data, is of value. That can include names, addresses, phone numbers, email addresses, buying habits, purchasing history, employee records, Social Security Numbers, intellectual property, passwords. And often the hackers don’t want to take, they want to give. Like using your unprotected websites to hide malware that will be spread to visitors to your site.
- If there is a breach, it won’t be a big deal. In reality, the smallest security breach can be a really big deal. There have been many cases of smaller firms being wiped out by a single piece of malware accidentally downloaded by an employee. And if the hackers don’t get you, the lawyers might. There is now an army of lawyers whose only focus is to sue businesses on behalf of customers whose data was exposed in data or security breaches. And of course there are all the regulators and the fines they can impose, not to mention the long-lasting damage to your brand and reputation if your customers think they can’t trust you.
- Antivirus software and a firewall are all you need to be safe. Don’t get me wrong, they’re essential, but there’s so much more to security. Businesses that have relied on just the basics have found out the hard way that hackers are way too determined to be deterred by the basics.
- A website is really just a flashy billboard to advertise your business. Your website is so much more. It’s often the only way customers can find your business, so if it’s compromised, blacklisted, or otherwise not available, your customers are going elsewhere and probably not returning.
- Your employees pose no risk. No one would ever accuse Irene in accounts of being a hacker’s best friend, right? But many security and data breaches are as a result of exploitations by hackers of mistakes by employees. If your employees are not trained to be sentries, they’ll be quickly turned into vulnerabilities.
- Your password is perfectly fine. How often do you think about your own passwords, let alone those of every other employee in your business? One weak password is all it takes. But in reality, most passwords are weak and exploitable. And if that includes FTP access (which sends the password across the network in clear text), a complete stranger may end up owning your website.
Security is as much about avoidance and deterrence as it is about protection. You’re not just trying to keep the bad guys out of your website, you’re doing everything you can to not even come to their attention. Or just persuade them that you have so many layers of security in place, you’re not worth their time. The unlocked car with the purse on the back seat is almost certain to be robbed. The locked car with no visible valuables inside has a much better chance of being ignored. And when it comes to hackers, being ignored is just right.
What’s worse than being recognized as the biggest data breach in history? How about finding out that the culprit responsible for a major hit on your brand and reputation that will eventually cost you billions of dollars was a teenager.
That’s exactly the news Target is dealing with, as security researchers suggest that at least one of the hackers behind the malware used to attack Target is barely 17 years old. Yet this teen was apparently able to develop a pretty sophisticated piece of malware, known as BlackPoS, that was used to infiltrate Target’s systems undetected. And in spite of his young age he’s reported to have already earned a reputation for developing lots of advanced malware. It’s not believed that the teenager is personally responsible for the attacks on Target, but instead sold his malware to dozens and possibly even hundreds of hackers and criminal groups. And one of those groups was behind the Target breach.
As we continue to dissect the massive data breach at Target, we’re going to learn lots of lessons. But probably the biggest lesson you can take away from it is that if it can happen to Target, it can certainly happen to you. Even if it’s on a much smaller scale, it could still be big enough to matter to you.
When news broke last week that security researchers had found more than 2 million stolen passwords hidden on a hacker’s website, it didn’t take long for media around the world to get on the case. It appears the passwords were stolen over many months, and from users of Facebook, Twitter, Google, LinkedIn and many other sites.
The story that seemed to get the most attention from the media and from security experts was what these 2 million passwords told us about the password habits of users. That they were awful. Not that that’s really news, but still, once again we discovered that the most common passwords included in the haul were 123456, 111111, and perhaps worst of all, password.
However, we noticed something else, something that other security experts seemed to miss completely. The initial suspect in the heist was a keylogger, a tiny piece of malware that will infect computers, steal things like logins and passwords, and pass them back to the hackers.
On the very same day the media frenzy started, we noticed that a security firm OPSWAT revealed some very scary test results. When they planted a basic keylogger on one of their test computers, and ran scans with more than 40 of the most popular consumer and business antivirus products over two weeks, only one product caught the keylogger. Which probably means most consumers and even small businesses probably won’t be able to detect it either.
While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that’s the stuff that can do the most harm.
Keyloggers are typically in search of logins and passwords, but they don’t just log what you type. They can also capture screenshots of what’s on your computer, screenshots of the websites you visit and the folders you open, and even what you search for. And software isn’t the only variety. There’s a growing trend towards hardware keyloggers – keyloggers designed to look identical to a plug or connector you’d expect to find at the back of a computer or even a cash register. One such hardware keylogger was recently found plugged into the back of a cash register at a Nordstrom store in Florida.
If keyloggers make their way on to computers in your business, the hackers may be able to steal logins and passwords to your website or bank account. They might also be able to steal payroll and customer information. They might even be able to hop from your computers to your website, and from there infect visitors to your site. Which could end up with your business being blacklisted by the search engines until you solve the problem.
So what can you do to cripple this menace?
- Start by talking to your employees, explain what a keylogger is, how it can threaten your workplace, and how you can all work together to protect against them.
- Require all your employees to use anti-keylogger software, like KeyScrambler (a free edition is available). It won't protect your business against every type of keylogging, and it does nothing against a hardware keylogger plugged in behind the machine, but it is a good defense against the more common software-based keyloggers. Tools of this kind work by encrypting or scrambling keystrokes as they are typed, so that what a keylogger captures is unusable to hackers.
- Make sure you and your employees use one of the many safe surfing tools or plugins, like Web of Trust (WoT). As users become more wary of malware hidden in email attachments, hackers are turning to websites instead. Known as watering holes, hackers will find vulnerable websites, load them with keylogging malware, and simply lie in wait for visitors to those sites. SiteLock is finding as many as 5,000 small business web sites every single day already compromised and requiring malware removal. Safe surfing tools will help alert you of suspicious or dangerous websites before you click on them.
- Always have good antivirus software on every computer and device you use in your business and at home. And encourage your employees to do the same. Some of the best is free, including for your smartphone and tablet. And scan often — at least once a week is recommended.
- All employees should change their passwords often and think about passphrases instead.
- Be careful what you allow employees to download and install. Poor security habits and hygiene are a leading contributor to malware infections. Slow down, guard up, verify first, and only download if you’re really sure and you really need to.
As you may have noticed, we see the biggest shopping season of the year as the biggest risk season too — at least for online threats. Let’s face it – most of us shop (and many of us sell) online to avoid the long lines and hustle of the crowds, and to make it easy for our customers.
In sticking with the theme of online shopping (and keeping your business and customers safe while doing so), being protected from hackers, and even hearing the website’s story in its letter to Santa practically begging for some attention, we are introducing a fun and informative video about some very real risks that website owners face, and what they mean for their online business. At a time when they can least afford to be exposed.
The content in this custom rendition of “The Twelve Days of Christmas” video is created entirely for educational purposes, taking the approach that even in risky times, awareness is the best form of prevention. A little fun never hurt (so we use that too), but what you don’t know can hurt you, so please be safe!
Enjoy the video! And caring is sharing – so tell your friends!