Internet-connected devices can make our lives easier, from home assistants like Amazon Echo, to interactive toys like CloudPets. However, they’re also inherently insecure and easily hacked, a factor many overlook in favor of convenience. In our latest Decoding Security podcast, Website Security Research Analysts Jessica Ortega and Michael Veenstra discuss the risks of using internet-connected devices in our everyday lives, and the costs of security versus convenience.
In light of the recent Equifax breach, you may be wondering how you can secure your website and prevent a similar event from happening to you. Join Web Security Research Analysts Michael Veenstra and Jessica Ortega for a refresher course on the basic steps every website owner should take to protect their website from hackers and cybercriminals.
If you found this week’s episode helpful, visit Decoding Security on your preferred podcasting service, including iTunes and Google Play, to leave a review and subscribe so that you don’t miss future episodes!
“There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.” Those were the words of a highly successful venture capitalist behind some of the most successful cybersecurity companies. And while the chances of being a victim of a security breach are very high, it’s not a foregone conclusion. There are steps every business should take in order to avoid falling victim, or at the very least limit the damage.
Budget should never be a reason for ignoring security. Neither should worries that you’re technically challenged. Here is a list of ten things you can do to help defend against cyber risks.
- Look in the window. Most business owners look at their websites and security risks from the inside out, and never see what they look like from a hacker’s perspective. Even a cursory inspection, or better yet a basic website scan, can help you spot vulnerabilities quickly.
- Understand what the risks are. After all, you can’t fix them if you don’t know what they are. A little light reading on common business and website risks could tell you all you need to know. Focus on technical and procedural risks – from exploits of unpatched vulnerabilities to common errors by employees.
- Focus on passwords, and especially the one for your FTP account. Passwords can be the keys to the kingdom, and even the biggest security breaches at the biggest businesses have been traced to the smallest password mistakes.
- If your business has a lot of sensitive information to protect, consider having your website developers use a dedicated computer to access the website. This can significantly reduce the risks of things like keyloggers, which can steal website passwords and give hackers access. By using a dedicated computer that’s not used for anything else, you eliminate the risk of downloading a keylogger or other malware through drive-by downloads, email attachments, or infected files.
- Create a list of your Top 10 security rules that everyone has to follow, and make sure everyone knows what those rules are. Ten is a good number. You could easily have a hundred, but too many could cause more harm than good. Focus on the biggest risks and vulnerabilities and pursue them relentlessly.
- If you accept credit cards, make sure you’re PCI compliant. Achieving PCI compliance is not difficult or expensive, especially for smaller businesses. Not only is PCI a great place to start with security, you don’t have a choice. Failure could mean big fines and the inability to accept credit card payments.
- Don’t forget to get physical. Not all attacks or exploits have to be digital or virtual. Hackers can walk into an unprotected business or rummage through a dumpster. And many of the information-rich laptops and tablets stolen in burglaries end up in the hands of cybercrooks.
- Control who you give access to. That can range from access to buildings and rooms to access to computers, networks, and websites, to access to specific files and privileges. It’s not about people getting access to sensitive data, it’s about the wrong people getting access.
- Choose your web hosting provider carefully. There are thousands to choose from so pick yours thoughtfully and focus on what they say about security. If they don’t talk about it at all, that could be a warning sign. If they do mention security, present them with your list of top security worries and risks and see what their response is.
- Review your security regularly, with a comprehensive top-down review at least a couple of times annually. Nothing stands still, and new vulnerabilities are being discovered or created daily.
Of all the threats that could be stalking your business daily, it is most unpleasant to think about the fact that the biggest threat could already be inside your walls, maybe even on your payroll. Unfortunately there’s plenty of evidence to suggest that the biggest source and cause of security incidents is the humble employee.
The good news is that few of these incidents are deliberate attacks or frauds by your most trusted insiders. Instead they tend to be innocent mistakes which could easily be avoided but which are quickly taken advantage of by hackers.
Well, I’m not really sure where to begin. Not only was it the first time I’ve received a letter asking me for website security for Christmas, but also the very first letter I’ve ever received from a website. And trust me, I’ve been doing this for quite a while, long before that internet thingy I started for Al Gore.
I am very sorry to hear how worried you are about security, and especially hackers and malware. Not really for yourself, but for your owner. I know that most business owners are so busy building their dream, they sometimes forget that there are some very bad people out there who can too easily steal it all.
I have to admit, I wasn’t really sure where to start. If you’d asked me for a Kindle or an “i” something-or-other, or even just a toy or a scarf, that would be easy. But I feel a little like most business owners do, not really knowing how to protect you or even where to start.
But when I had some downtime on my sleigh (don’t worry – it has cruise control, so it was perfectly safe), I did some research and I hope you’ll be happy with what I came up with.
So here it goes:
You said you wanted someone to watch over you. Well, while I’d love to be able to do that, you understand I have my own full-time job, even in the off-season. So I sent your owner a very nice letter advising her that the best thing she could do for herself (and for you) was to sign up for SiteLock so that you aren’t so vulnerable to all those hackers and malware removal is automatic.
I love giving gifts like that. They’re not extravagant so there’s no need to feel guilty. They’re very simple to use, so your owner doesn’t have to spend her holidays pouring over an instruction manual or looking for batteries. And once you switch it on, SiteLock will guard you and your business around the clock, from the most advanced threats and determined hackers.
So what was next? Oh yes, better passwords. I hear that. It’s a nightmare for my toy business. Who knew so many employees, elves especially, are so careless with important passwords? Like FTP. I mean, why have a lock on the front door of your business if you insist on leaving the keys in it?
But I’ve got you covered. I sent every employee a password manager (don’t worry, some of the best are free). Now they can create and protect the most complex of passwords, and store them all in one safe place. So not being able to remember all those big and clumsy passwords is no excuse. And some of these programs will even remind you when it’s time to update your passwords, so forgetting is not an issue either.
Let me see, what else did you ask for? Sorry, my memory isn’t what it used to be. Oh yes, you wanted to get rid of all that outdated content and code on your website because you think it’s slowing you down. Tell me about it. Every year about this time, when the rush dies down, we promise to tidy up the place so that we can run more efficiently as we prepare for next year.
And every year that resolution goes out the door as quickly as Christmas itself. Not to worry. I created a special note just for your webmaster. In exchange for his list, I gave him a list, too. It’s pretty simple. I told him to go through every page of the site and remove any outdated content and images, and clean up or remove outdated code — we all know how dangerous that can be.
I also told him to get a patching and updating regimen in place so that all critical patches are installed as soon as they’re available, and outdated software and plugins don’t leave you vulnerable.
I think that’s it. Hope I’m not missing anything. When I think about it, I wish every website would send me a letter like this. I can easily find their owners and lean on them a little.
I mean, if this is the season of goodwill and joy, why shouldn’t it start with your website, the face of your business? For more information, just ask the experts at SiteLock. Give them a call at 855-378-6200. They’re available 24/7 to help.
When news broke last week that security researchers had found more than 2 million stolen passwords hidden on a hacker’s website, it didn’t take long for media around the world to get on the case. It appears the passwords were stolen over many months, and from users of Facebook, Twitter, Google, LinkedIn and many other sites.
The story that seemed to get the most attention from the media and from security experts was what these 2 million passwords told us about the password habits of users. That they were awful. Not that that’s really news, but still, once again we discovered that the most common passwords included in the haul were 123456, 111111, and perhaps worst of all, password.
However, we noticed something else, something that other security experts seemed to miss completely. The initial suspect in the heist was a keylogger, a tiny piece of malware that will infect computers, steal things like logins and passwords, and pass them back to the hackers.
On the very same day the media frenzy started, we noticed that the security firm OPSWAT revealed some very scary test results. When they planted a basic keylogger on one of their test computers and ran scans with more than 40 of the most popular consumer and business antivirus products over two weeks, only one product caught the keylogger. Which means most consumers and even small businesses probably won’t be able to detect it either.
While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that’s the stuff that can do the most harm.
Keyloggers are typically in search of logins and passwords, but they don’t just log what you type. They can also capture screenshots of what’s on your computer, screenshots of the websites you visit and the folders you open, and even what you search for. And software isn’t the only variety. There’s a growing trend towards hardware keyloggers – keyloggers designed to look identical to a plug or connector you’d expect to find at the back of a computer or even a cash register. One such hardware keylogger was recently found plugged into the back of a cash register at a Nordstrom store in Florida.
If keyloggers make their way on to computers in your business, the hackers may be able to steal logins and passwords to your website or bank account. They might also be able to steal payroll and customer information. They might even be able to hop from your computers to your website, and from there infect visitors to your site. Which could end up with your business being blacklisted by the search engines until you solve the problem.
So what can you do to cripple this menace?
- Start by talking to your employees: explain what a keylogger is, how it can threaten your workplace, and how you can all work together to protect against them.
- Require all your employees to use anti-keylogger software, like Key Scrambler (free). These tools won’t protect your business against every type of keylogging, but they are a good defense against the more common software-based ones. Some work by instantly encrypting or scrambling all your keystrokes so that they’re unusable to hackers.
- Make sure you and your employees use one of the many safe surfing tools or plugins, like Web of Trust (WoT). As users become more wary of malware hidden in email attachments, hackers are turning to websites instead. In what are known as watering hole attacks, hackers find vulnerable websites, load them with keylogging malware, and simply lie in wait for visitors to those sites. SiteLock is finding as many as 5,000 small business websites every single day that are already compromised and require malware removal. Safe surfing tools will help alert you to suspicious or dangerous websites before you click on them.
- Always have good antivirus software on every computer and device you use in your business and at home. And encourage your employees to do the same. Some of the best is free, including for your smartphone and tablet. And scan often — at least once a week is recommended.
- All employees should change their passwords often and think about passphrases instead.
- Be careful what you allow employees to download and install. Poor security habits and hygiene are a leading contributor to malware infections. Slow down, guard up, verify first, and only download if you’re really sure and you really need to.
For more information on protecting your business from cybersecurity threats call SiteLock at 855.378.6200.
If you’re using WordPress to host your website or your blog, I hope you’re aware of the growing security risks and what you need to do to avoid them. Not only is WordPress one of the most popular website platforms for businesses, it’s also one of the most popular amongst hackers. But for very different reasons.
There’s little doubt that WordPress has become one of the most popular website and blogging platforms of all time, with more than 60 million WordPress sites around the globe. But being the best comes with a price and, in the case of WordPress, that means sustaining attacks by hackers. WordPress has become such a big target for hackers that earlier this year a security firm decided to log the number of hack attacks over a period of a few months. The results were eye-opening.
Many years ago, a bar owner shared with me the tale of how he was losing so much money in one of his bars he had to hire a loss prevention specialist to pose as a customer and watch his staff for any signs of financial impropriety.
The undercover customer spent nearly a month visiting the bar (what a job!) and reported back that nothing was amiss. He said he watched all the cash registers for four weeks and didn’t see one suspicious transaction at any of the four registers.
Seems like every few months another blogger or security maven laments the passing of the password, a security tool that has outlived its usefulness and should now be replaced with something more of the times, more effective, more secure.
And while the password might be on life-support, it’s not quite gone. Which means you still have to take it very seriously, because in most cases it’s the only security you may have.
And you should also learn to accept that if the password is mortally wounded, it might be partly your fault. Because we know, we have hard evidence, that passwords have been weakened by their owners.