Tag: Password strength

10 Simple Steps to Keep Hackers Away

“There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.” Those were the words of a highly successful venture capitalist behind some of the most successful cybersecurity companies. And while the chances of being a victim of a security breach are very high, it’s not a foregone conclusion. There are steps every business should take in order to avoid falling victim, or at the very least limit the damage.

  1. Plug Your Holes. So many attacks on businesses are exploits of holes the hackers found before you did. And probably because they were looking for the holes while you weren’t. For most businesses, most of those holes are in their websites, and mainly caused by either poor security configuration or a failure to update programs and third-party plugins.
  2. Monitor Your Website. You can bet that even if you’re not monitoring your website, hackers are. And all the time just waiting for you or an employee to make a single simple mistake. Services like SiteLock monitor your site just like the hackers do, sniffing out vulnerabilities and weaknesses and helping you plug them before they can be used by hackers as a backdoor into your website.
  3. Guard Your Passwords. I know, that message is getting old. But for all the warnings about passwords, many businesses and their employees are still not getting the message. Even bigger companies may not be. The recent massive security breach at eBay that exposed more than 130 million customer accounts may have all started with the exploit of weak employee passwords. So to repeat: strong, random passwords everywhere, changed often, and guarded closely.
  4. Control Access. Hackers are never supposed to be in your networks, website, or data. But neither are some employees. Yet many businesses allow their employees to access all kinds of sensitive resources that they have no reason to access. By restricting access to key assets, like your website, you minimize the risk of a careless employee handing over the keys to a hacker.
  5. Mind Who You Hire. That’s not just a warning about how you screen your employees, but also making sure they’re the kind of people most likely to follow your security rules, understand their role in protecting their workplace, and not engage in behavior that can put your business at risk.
  6. Drill your employees. I’ve said it before but I’ll keep repeating. Your employees can be your best defense or your greatest vulnerability. It all comes down to how security aware and vigilant they are, and that all comes down to how seriously you take their role. Train, remind, test. Train, remind, test. Rinse and repeat.
  7. Be Selective With Plugins. One of the great things about developing a website today is that you don’t have to develop much. There are thousands of developers who offer great tools at affordable prices that can be plugged in and running in a matter of minutes. But that comes with a downside if those plugins are not free from major vulnerabilities, like the recent case of the SEO plugin for WordPress that is used by millions of businesses and was found to have a major security hole.
  8. Mind Your Mobile. Mobile devices have become the bane of many businesses, particularly as employees use them for both personal and business tasks. The theft of a smartphone or tablet, or an employee who downloads malware to one of those devices, can expose valuable business information or create a backdoor for hackers.
  9. Think like a hacker. Who would want to breach your business and what would they zero in on? Keep asking yourself that question. Look at your website like a hacker would. Look at your employees and their behavior, your email, the way you protect your information and what kind of information it is. The view from beyond the wall is always different than from your side.
  10. Be Paranoid About Malware. New malware is now appearing at the rate of 160,000 different varieties every single day. If that pace continues, by the end of this year there could be more than 50 million varieties of malware. To add to the hundreds of millions already out there. Most malware consists of smart and dangerous Trojans that get smarter every day. If you’re not paranoid about avoiding malware, chances are lots of it will slip past.
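
Step 3 above asks for strong, random passwords and step 4 for restricted access, but neither says what "strong" means in practice. The following is an added example, not code from the original post or from SiteLock: a small Python policy check that rejects passwords from a common-password list, enforces minimum length and character variety, estimates entropy, and generates replacement passwords with the operating system's CSPRNG (`secrets`) rather than `random`. The common-password set is a constructed placeholder; the thresholds (12 characters, 3 classes, 60 bits) are assumptions chosen for illustration, not values from the post.

```python
import math
import secrets
import string

# Constructed stand-in for a common-password list; a real deployment would load
# a breach-derived corpus instead (this set is illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin123"}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed policy thresholds, not values taken from the post.
MIN_LENGTH = 12
MIN_CLASSES = 3
MIN_ENTROPY_BITS = 60.0


def classes_present(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    chars = set(password)
    return sum(1 for cls in CHARACTER_CLASSES if chars & set(cls))


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the classes actually used).

    This assumes the password was chosen uniformly at random, so for a
    human-chosen password such as 'password' it overestimates strength; the
    common-password check in assess_password covers that case.
    """
    chars = set(password)
    alphabet_size = sum(len(cls) for cls in CHARACTER_CLASSES if chars & set(cls))
    if alphabet_size == 0:
        return 0.0
    return len(password) * math.log2(alphabet_size)


def assess_password(password: str) -> tuple[bool, list[str]]:
    """Return (accepted, problems), where problems lists every failed rule."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if classes_present(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return (not problems, problems)


def generate_password(length: int = 16) -> str:
    """Generate a random password with the `secrets` CSPRNG (never `random`).

    Rejection sampling guarantees every class is present while keeping the
    result uniform over all passwords that satisfy that constraint.
    """
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length must allow at least one character per class")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_present(candidate) == len(CHARACTER_CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3xample!", generate_password()):
        ok, why = assess_password(pw)
        print(f"{pw!r}: {'accepted' if ok else 'rejected'} {why}")
```

The entropy figure is only meaningful for machine-generated passwords; that is why the common-password lookup runs first, and why the generator, not the user, should be the source of passwords stored in a password manager.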

If tackling website security sometimes feels overwhelming, we get it. You already have a full-time job. Some things need to be done by you (password policies, hiring practices, etc). But much of the heavy security lifting (malware detection and removal, vulnerability scanning, and threat blocking) can be left to SiteLock. Because protecting your website is our full-time job.

Google Author: Neal O’Farrell

7 Security Assumptions Hackers Are Hoping You’ll Make


  1. You’re too small to be of interest to them. Let’s face it, it’s the most common excuse made by business owners. It seems preposterous to them that of the tens of millions of businesses around the world, many of them very lucrative, busy hackers would have time for them. What they don’t realize is that cybercrime has become automated and the hackers have sophisticated tools that will scour the internet looking for unprotected websites and poorly protected or unpatched computers and networks.
  2. You have nothing worth stealing. “I don’t take credit cards,” or “It’s all handled by a third-party processor” are common responses, and based on the belief that hackers are only after credit cards. All data, any data, is of value. That can include names, addresses, phone numbers, email addresses, buying habits, purchasing history, employee records, Social Security Numbers, intellectual property, passwords. And often the hackers don’t want to take, they want to give. Like using your unprotected websites to hide malware that will be spread to visitors to your site.
  3. If there is a breach, it won’t be a big deal. In reality, the smallest security breach can be a really big deal. There have been many cases of smaller firms being wiped out by a single piece of malware accidentally downloaded by an employee. And if the hackers don’t get you, the lawyers might. There is now an army of lawyers whose only focus is to sue businesses on behalf of customers whose data was exposed in data or security breaches. And of course there are all the regulators and the fines they can impose, not to mention the long-lasting damage to your brand and reputation if your customers think they can’t trust you.
  4. Antivirus software and a firewall are all you need to be safe. Don’t get me wrong, they’re essential, but there’s so much more to security. Businesses that have relied on just the basics have found out the hard way that hackers are way too determined to be deterred by the basics.
  5. A website is really just a flashy billboard to advertise your business. Your website is so much more. It’s often the only way customers can find your business, so if it’s compromised, blacklisted, or otherwise not available, your customers are going elsewhere and probably not returning.
  6. Your employees pose no risk. No one would ever accuse Irene in accounts of being a hacker’s best friend, right? But many security and data breaches are as a result of exploitations by hackers of mistakes by employees. If your employees are not trained to be sentries, they’ll be quickly turned into vulnerabilities.
  7. Your password is perfectly fine. How often do you think about your own passwords, let alone those of every other employee in your business? One weak password is all it takes. But in reality, most passwords are weak and exploitable. And if that includes FTP access, a complete stranger may end up owning your website.

Security is as much about avoidance and deterrence as it is about protection. You’re not just trying to keep the bad guys out of your website, you’re doing everything you can to not even come to their attention. Or just persuade them that you have so many layers of security in place, you’re not worth their time. The unlocked car with the purse on the back seat is almost certain to be robbed. The locked car with no visible valuables inside has a much better chance of being ignored. And when it comes to hackers, being ignored is just right.

Google Author: Neal O’Farrell

Santa’s Reply to a Letter from a Security-Concerned Website

Dear Website,

Well, I’m not really sure where to begin. Not only was it the first time I’ve received a letter asking me for security for Christmas, but also the very first letter I’ve ever received from a website. And trust me, I’ve been doing this for quite a while, long before that internet thingy I started for Al Gore.

I am very sorry to hear how worried you are about security, and especially hackers and malware. Not really for yourself, but for your owner. I know that most business owners are so busy building their dream, they sometimes forget that there are some very bad people out there who can too easily steal it all.

I have to admit, I wasn’t really sure where to start. If you’d asked me for a Kindle or an “i” something-or-other, or even just a toy or a scarf, that would be easy. But I feel a little like most business owners do, not really knowing how to protect you and even where to start.

But when I had some downtime on my sleigh (don’t worry – it has cruise control, so it was perfectly safe), I did some research and I hope you’ll be happy with what I came up with.

So here goes:

You said you wanted someone to watch over you. Well, while I’d love to be able to do that, you understand I have my own full-time job, even in the off-season. So I sent your owner a very nice letter advising her that the best thing she could do for herself (and for you) was to sign up for SiteLock, so that you aren’t so vulnerable to all those hackers and so that malware removal is automatic.

I love giving gifts like that. They’re not extravagant so there’s no need to feel guilty. They’re very simple to use, so your owner doesn’t have to spend her holidays poring over an instruction manual or looking for batteries. And once you switch it on, SiteLock will guard you and your business around the clock, from the most advanced threats and determined hackers.

So what was next? Oh yes, better passwords. I hear that. It’s a nightmare for my toy business. Who knew so many employees, elves especially, are so careless with important passwords? Like FTP. I mean, why have a lock on the front door of your business if you insist on leaving the keys in it?

But I’ve got you covered. I sent every employee a password manager (don’t worry, some of the best are free). Now they can create and protect the most complex of passwords, and store them all in one safe place. So not being able to remember all those big and clumsy passwords is no excuse. And some of these programs will even remind you when it’s time to update your passwords, so forgetting is not an issue either.

Let me see, what else did you ask for? Sorry, my memory isn’t what it used to be. Oh yes, you wanted to get rid of all that outdated content and code on your website because you think it’s slowing you down. Tell me about it. Every year about this time, when the rush dies down, we promise to tidy up the place so that we can run more efficiently as we prepare for next year.

And every year that resolution goes out the door as quick as Christmas itself. Not to worry. I created a special note just for your webmaster. In exchange for his list, I gave him a list, too. It’s pretty simple. I told him to go through every page of the site and remove any outdated content and images, and clean up or remove outdated code — we all know how dangerous that can be.

I also told him to get a patching and updating regimen in place so that all critical patches are installed as soon as they’re available, and outdated software and plugins don’t leave you vulnerable.

I think that’s it. Hope I’m not missing anything. When I think about it, I wish every website would send me a letter like this. I can easily find their owners and lean on them a little. I mean, if this is the season of goodwill and joy, why shouldn’t it start with your website, the face of your business?

Google Author: Neal O’Farrell

A Website’s Letter to Santa

Dear Santa,

This is my first ever Christmas letter to you. I don’t like to ask for much, but I’m desperate. I’ve been a website for, gosh, going on three years now. Don’t get me wrong, I love my job. My owner’s great, new people visit me every day from all around the world, and my graphics are to die for. There’s never a dull moment, even when my owner is sleeping. Which of course, I never do.

But there’s a problem. My owner is so busy building the business, managing cash flow, and getting orders out the door, that she has little time for things like security. Especially website security. Besides, she has a degree in fine arts with a minor in philosophy and says she has no clue about things like websites and cybersecurity.

And that has left me feeling, well, vulnerable. Even a little naked. Which is not a good thing on the Internet when I’m completely exposed to so many strangers. Sometimes I wish I was invisible, it would be less embarrassing. But my owner really needs the website to showcase her work and generate online orders. And being blacklisted by the search engines would make her very upset. But I worry about what might happen if she doesn’t put everything else aside, just for a moment, and think about security.

With that in mind, here are just a few things that I would absolutely love this year. Not really for me, but for my owner. I’m doing all this for her, which I think is a very unselfish act. So I hope you’ll do your best to get me as many things on my list as you can.

Here goes.

  • First, I’d love someone to watch over me. I know where my weaknesses are but my owner doesn’t, and she doesn’t have the time to guard me every second of the day. So a website security or monitoring service would be just great. Everyone can sleep easier and I’ll feel much less naked and vulnerable.
  • A new password would be great. Would it be asking too much to ask for a new website password say, every three months? Maybe one with a number or two, or heaven forbid a special character!? That could significantly reduce the chances that hackers will guess or crack my password and have access to who knows what. And a strong, random, and well-protected password would be ideal. I mean, what good is a password if it doesn’t do its job very well. Not complaining or criticizing, just saying.
  • This might be asking too much, but any chance you could help me get rid of this stuff I’m not using anymore. I feel so bogged down lately with all this old, outdated code and images that no one even uses. It takes every bit of my energy to just load a simple page. I know I could be so much faster and lighter with just a bit of a clean-up – I’ll be a whole new website, you’ll see!
  • I don’t want to sound selfish, but could I ask for a little something else for myself? Nothing fancy, but I’ve worked so hard all year I think it would help my spirits and confidence as we get ready for yet another year. Patches. I’d like some patches, or updates. I am up to my gills in all kinds of third-party programs that the web designer thought would be so very cool to burden me with. But he’s easily distracted and he’s forgotten about most of them. Now at least half of them have serious and known vulnerabilities that have never been patched or updated. And probably never will now because his latest “cool” thing is to make me mobile friendly, whatever that means. Another third-party app with a giant security hole, I’m betting. Oy.

Anyway, I hope I didn’t take up too much of your valuable time. And I hope you’ll see that what I’m asking for is not for me. It’s for my owner, her dreams, her employees, and all those customers who visit me. Please help.

Google author: Neal O’Farrell

Locking Down Your Computers

Many years ago, a bar owner shared with me the tale of how he was losing so much money in one of his bars he had to hire a loss prevention specialist to pose as a customer and watch his staff for any signs of financial impropriety.

The undercover customer spent nearly a month visiting the bar (what a job!) and reported back that he found nothing was amiss. He said he watched all the cash registers for four weeks and didn’t see one suspicious transaction at any one of the four registers.


Overcoming Common Passwords and Mistakes

Seems like every few months another blogger or security maven laments the passing of the password, a security tool that has outlived its usefulness and should now be replaced with something more of the times, more effective, more secure.

And while the password might be on life-support, it’s not quite gone. Which means you still have to take it very seriously, because in most cases it’s the only security you may have.

And you should also learn to accept that if the password is mortally wounded, it might be partly your fault. Because we know, we have hard evidence, that passwords have been weakened by their owners.

