Hacking and internet security are frightening subjects. Recently one of our customers had their email hacked and the results were bad, to say the least. So in light of recent events, we decided to make this week’s post about the most common security gaps we see so that you can beef up your defenses.
As mentioned above, one of our customers had their email service hacked and suffered severe repercussions: the hackers began emailing the customer's contacts a link to a "New Proposal" that opened what looked like a Google Drive login with an email and password box. Unfortunately, many of those contacts entered their details and, of course, nothing happened, except that those emails and passwords were now in the hackers' hands.
The hackers got into the email account by guessing the customer's password. Guessed and reused passwords are behind the vast majority of the break-ins we see, so we'll go over just how attackers guess them. There are also cases where a hacker gains full (root) access to a company's server and steals its database. Those are the hacks that make headlines, but if the company that was hacked has any competence, the passwords and other sensitive data in that database are salted and hashed.
What that means is that a random "salt" was added to each password before it was hashed: run through a one-way function that turns it into gibberish and cannot be run backwards. This is hashing, not encryption; there is no key that unscrambles it. If the company is smart it uses a different random salt for every user, so two users with the same password end up with different hashes and an attacker cannot crack them all with one precomputed table. When a table like this is stolen, what the attacker gets is rows of salts and hashes, not passwords.
When done properly there is nothing to "decrypt": a hash cannot be reversed, no matter how much computing power you have (even nations with extreme resources... glances at Russia and China). All an attacker can do is guess passwords, hash each guess with each user's salt, and look for a match. The salt and a slow hash make every guess expensive, but they do not save a weak password; "Password" still falls on the first try. Which brings us to the list.
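To make the salting and hashing discussion concrete, here is an added example (not code from the original post) that shows why an unsalted hash exposes every user who shares a password, how a per-user salt and a slow hash change that, and what the attacker is left doing with the stolen rows. It uses only the Python standard library; the user rows and the guess list are constructed sample data, and the 200,000 PBKDF2 iterations are an assumption of this example, not a recommendation from the post.

```python
# Added example, not code from the original post: what "salted and hashed"
# buys you once the password table is stolen. Standard library only.
# The user rows below are constructed sample data (an assumption of this
# example, not real accounts).
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Unsalted, fast hash: every user with the same password gets the same
# value, so one precomputed table (or one lucky guess) cracks all of them.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Salted and deliberately slow: a fresh random salt per row plus many
# PBKDF2 iterations. Stored as "pbkdf2_sha256$<iterations>$<salt>$<hash>".
ITERATIONS = 200_000  # assumed value for this example

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, different for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time compare so response timing does not leak partial matches.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def offline_guess(stolen_rows: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """The attacker's only move against a stolen salted table: hash each
    guess under each row's own salt. The salt forces this per-row work and
    the slow hash makes each try expensive; weak passwords still fall."""
    cracked: Dict[str, str] = {}
    for user, stored in stolen_rows.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked

if __name__ == "__main__":
    # Constructed sample rows: two users share a weak password.
    users = {"alice": "Wilson74", "bob": "Wilson74", "carol": "s3$Df29f^Fd4s"}
    print("unsalted:", {u: unsalted_hash(p)[:16] for u, p in users.items()})  # alice == bob
    stolen = {u: hash_password(p) for u, h in [(u, p) for u, p in users.items()] for p in [h]}
    print("salted:  ", {u: h[-16:] for u, h in stolen.items()})               # all differ
    print("cracked: ", offline_guess(stolen, ["password", "123456", "Wilson74"]))
```

Running it shows alice and bob with identical unsalted hashes but different salted ones, and the offline guess cracks both of them with a three-word list while carol's long random password survives. The point for the reader is the last line: the salt and the slow hash did not protect "Wilson74"; only a stronger password does.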
Enough nerd stuff; let’s go over how most businesses mess up:
1. Weak Passwords
Having a weak password is the biggest security risk your company faces. The reason is bots: software programs that try to log in to email accounts with these weak passwords. They run through common passwords, dictionary words, dates, and names, thousands of guesses per account, to see whether they can get in without any real effort. The same guess lists are used offline against stolen password hashes.
Some websites can tell when a bot is hammering the login page: they limit the number of attempts and then lock the account for a period in order to slow the bot down. This helps, but not every site does it, and a lockout only slows guessing; it does not stop it. If your password is weak enough, the login limits buy you days or weeks, not years.
A great resource to test password strength is How Secure Is My Password?. DO NOT PUT YOUR ACTUAL PASSWORD IN TO TEST IT. Instead, use something similar in length and pattern. You can see that "Password" will be guessed instantly, "Wilson74" in 2 hours, and "s3$Df29f^Fd4s" in 3 million years. These figures assume an attacker guessing at a fixed rate, so treat them as relative, not exact.
Some may say they could never remember "s3$Df29f^Fd4s". We offer two solutions. The first is a Google Spreadsheet holding the login credentials for each site your company uses. It is free and easy, but it violates #4 on our list (Permissions): everyone the sheet is shared with can read every password in plain text, and keeping it current becomes a hassle. If you go this route, be sure to enable 2-factor authentication on the Google account. The better option is a password manager such as LastPass, which generates random passwords for you, keeps them in a vault encrypted with a key derived from your master password, and lets you share individual entries with your team. It is not free, but it is far more secure than a spreadsheet; protect the master password and turn on 2-factor authentication there too.
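The lockout behaviour described above is easy to get wrong, so here is an added example (not code from the original post) of a per-account lockout with doubling lockout periods, run against a simulated bot firing one guess per second. It shows what the control buys (most guesses never reach the password check) and what it does not (a guess inside the first few attempts still lands). Assumptions of this example: state lives in memory, the clock is injectable so the run is offline and repeatable, and a plain string comparison stands in for the salted-hash check a real site would do. A real deployment keeps this state in a shared store and also limits attempts per source IP.

```python
# Added example, not code from the original post: a per-account lockout
# with doubling lockout periods, exercised against a simulated bot.
# Assumptions: in-memory state, injectable clock, plain string compare
# standing in for a real password-hash check.
import time
from typing import Callable, Dict, List, Tuple

class LoginGuard:
    """Lock an account after max_failures bad logins inside `window`
    seconds; each successive lockout doubles in length."""
    def __init__(self, max_failures: int = 5, window: float = 600.0,
                 base_lockout: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}
        self._lockout_count: Dict[str, int] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> None:
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            n = self._lockout_count.get(account, 0)
            self._lockout_count[account] = n + 1
            self._locked_until[account] = now + self.base_lockout * (2 ** n)
            recent = []  # start a fresh count once the lockout expires
        self._failures[account] = recent

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._lockout_count.pop(account, None)

def attempt_login(guard: LoginGuard, account: str, supplied: str, real: str) -> str:
    """Returns "locked", "bad" or "ok". The locked check runs first, so a
    locked account never reaches the (expensive) password comparison."""
    if guard.is_locked(account):
        return "locked"
    if supplied == real:  # stands in for verify_password(...) against a stored hash
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "bad"

class FakeClock:
    """Deterministic stand-in for time.monotonic()."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def simulate_bot(wordlist: List[str], real: str, clock: FakeClock,
                 guard: LoginGuard) -> Tuple[int, int, bool]:
    """A bot firing one guess per second. Returns (guesses actually checked,
    guesses bounced by the lockout, whether it got in)."""
    checked = bounced = 0
    for guess in wordlist:
        result = attempt_login(guard, "victim", guess, real)
        if result == "locked":
            bounced += 1
        else:
            checked += 1
        if result == "ok":
            return checked, bounced, True
        clock.advance(1.0)
    return checked, bounced, False

if __name__ == "__main__":
    clock = FakeClock()
    guesses = ["password", "123456", "Wilson74"] + [f"guess{i}" for i in range(97)]
    # 100 guesses over 100 seconds: only 10 ever reach the password check.
    print(simulate_bot(guesses, "s3$Df29f^Fd4s", clock, LoginGuard(clock=clock)))
    c2 = FakeClock()
    # ...but a weak password inside the first five guesses is still found.
    print(simulate_bot(["password", "Wilson74"], "Wilson74", c2, LoginGuard(clock=c2)))
```

The first run reports 10 guesses checked and 90 bounced with no break-in; the second reports that the weak password was found on the second guess. That is exactly the post's point: the lockout slows the bot, it does not fix the password.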
2. Repeated Passwords
The second issue on our list is reusing passwords. The problem is that not all sites are equal. Google limits login attempts and has a variety of safety measures; a smaller company may not have the knowledge or money to do the same. When the smaller company is breached, the attackers take the email and password pairs from it and try them on every other site, and they get into every account where you reused that password. This is what happened to our customer.
3. Social Engineering
Another issue is social engineering: manipulating people into doing what you want. Here it would be a hacker trying to get a password reset by calling a support line. The first time they call they might have only your name and email. But they'll try to pry out additional details, such as where you were born, your birthday, or your address, and any other Personally Identifiable Information (PII) they can use somewhere else.
The most common version of this attack targets sites that use security questions, such as "Where were you born?", in case you lose your password or email. Those answers are often public (social media, public records), so they are weak secrets. It is worse still when a password can be changed over the phone, because then the hacker does not need access to your email at all in order to reset your password.
4. Permissions
Permissions are a protection measure that limits information to the people who need it. Say your company has to store extremely sensitive information such as Social Security numbers. Should the receptionist have access to it? The janitor? Of course not. But in many cases companies overlook this step, which lets disgruntled employees, or employees whose accounts have been hacked, reach information they shouldn't.
5. Insecure Internet Connections (Wi-Fi, No SSL)
Finally, a lot of companies let their employees work from coffee shops, airports, and home. That puts you on a network where anyone with the right skill set can snoop on what you're doing. If you type your password into a site that does not use SSL/TLS (the address starts with http://, not https://), you are sending it as plain text that anyone watching the network can read. So always check two things before logging in: that the address starts with https://, and that the domain is the right one. The second check matters because a phishing page, like the fake Google Drive login sent to our customer's contacts, can use https:// too; encryption only protects the password on its way to whoever runs the page.
To wrap up, we leave you with our password rule that covers all of these issues.
The rule we give our customers is this:
Your password must:
- Be over 13 characters
- Contain capitals, lowercase, and special characters
- Not contain dictionary words, names, or dates
- Not be reused
- Not be used on unknown sites
- Not be used on sites without SSL/HTTPS