– Charles McColgan, CTO of TeleSign, says:
According to the Ponemon Institute, 55% of small businesses across the U.S. had some form of data breach and 53% had multiple data breaches. 50%+ is a scary number. But data breaches can impact all organizations, big and small. Just consider the recent examples from some very high-profile companies that made front-page news, including Skype, LivingSocial, and the Associated Press.
Though these hacks were very different, there are some common best practices that could have lessened the sting of these attacks, including the following:
1. Make sure your users never use the same password twice
Users should have a random and different password for each site they use. The problem with a stolen password is that frequently the user has reused the same password across several accounts. Users are lucky when they find out about a hack, because then they can change the password on the compromised account and on any other account that shares the same password. The more insidious and damaging hacks are the ones that go unnoticed for a period of time. Unless a site provides two-factor authentication, users should assume that any of their accounts could be compromised with a guessed or cracked password. Since users are generally resistant to creating and maintaining multiple passwords, recommend that they store them in a password manager such as LastPass or Password Safe.
2. Salt your passwords. In fact, double salt them
For password storage, passwords must be hashed and salted; in fact, double salting is better. Double salting passwords and storing the second salt somewhere other than the password database makes the stolen hashes nearly impossible to crack offline, as long as that second salt is not stolen along with them. The security folks at LivingSocial did salt their passwords, which makes any attack against the hashed passwords much harder. If a site has salted and hashed its passwords, an attacker has to build the big dictionary hash list separately for every single user. That takes a really long time, making the problem millions of times more complex if the site had millions of accounts. Salting and hashing protects your password store from being cracked wholesale, but individual accounts with weak passwords are still susceptible.
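Here is what that scheme looks like in code, as an added example rather than anything from LivingSocial or TeleSign. The "second salt" kept outside the database is usually called a pepper; this example mixes it in with HMAC and then runs PBKDF2 with a per-user salt, and it includes an attacker's-eye view of both the weak and the hardened scheme so you can see where the "millions of times more work" comes from. The pepper value, the iteration count and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed, hypothetical values for this example. The pepper stands in for the
# "second salt" the text describes: a site-wide secret kept outside the password
# database (for example in a KMS or HSM), so a dump of the table alone is not enough.
PEPPER = b"example-pepper-kept-outside-the-password-db"
ITERATIONS = 100_000  # PBKDF2 work factor; assumption, tune to your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no per-user salt, no pepper."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """Per-user salt plus site-wide pepper, run through a slow KDF.

    The pepper is mixed in with HMAC rather than by concatenation, so a guess at
    the password cannot be tested without also knowing the pepper.
    """
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def create_record(password: str) -> dict:
    """What the database stores: a fresh random salt and the resulting hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def crack_unsalted(stolen: dict, wordlist: list) -> tuple:
    """Attacker's view of the weak scheme: hash the wordlist ONCE, then look up
    every user in that table. Work = len(wordlist) regardless of user count."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stolen.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stolen: dict, wordlist: list, pepper_guess: bytes) -> tuple:
    """Attacker's view of the salted+peppered scheme: every (user, guess) pair
    needs its own slow hash, and without the real pepper nothing matches at all."""
    cracked, work = {}, 0
    for user, rec in stolen.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(hash_password(guess, rec["salt"], pepper_guess), rec["hash"]):
                cracked[user] = guess
                break
    return cracked, work
```

Two things the paragraph glosses over show up when you run this: the attacker's work against the salted store scales with users times guesses rather than guesses alone, and without the pepper the attacker recovers nothing, but with it (or if the pepper sits in the same database) a user who chose "password1" is still cracked on the second guess. The slow KDF, not the salt, is what makes each of those guesses expensive; bcrypt, scrypt or Argon2 are the usual production choices.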
3. Set-up two-step verification to prevent account compromise
If two-step verification is set up, it wouldn't matter if passwords were compromised, because the hacker would need to know the password and have physical possession of the authentication device, in most cases the end user's phone. For example, if all LivingSocial users had used 2FA, it wouldn't matter if user passwords were known by someone else; the accounts could not have been compromised unless the attacker had both the password (something the user knows) and the 2FA device (something the user has, such as a token or mobile phone). Two-step verification drastically reduces the chances that an account compromise will succeed, because the bad guys would have to not only get a user's password but also get hold of the user's phone.
4. Set-up risk-based authentication
In the battle between security and convenience, there are perils at both extremes: relying solely on passwords leaves users’ accounts vulnerable, while mandatory two-factor authentication for every login or transaction brings cost, complexity, and inconvenience. Risk-based authentication strikes a balance between the two, by selecting the appropriate authentication requirements for each session based on specific triggers that detect suspicious or unusual activity.
During sign-in, users can establish the device as a trusted device, and subsequent logins from that device don't require secondary authentication. However, if the user logs in from a new device, engages in atypical behavior, or behaves in a way that matches patterns of fraudulent activity, a secondary authentication event is triggered.
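Here is an added example of the trusted-device and trigger logic just described; it is not TeleSign's implementation, and the signal weights, thresholds and signing key are assumptions you would tune from your own fraud data. The device cookie is an HMAC over the user and a random device id, so a stolen cookie cannot be rebound to another account or forged, and the scoring adds up the triggers the text lists (new device, new location, a guessing pattern on the account, a sensitive action) to choose between letting the login through, stepping up to a second factor, or refusing outright.

```python
import hashlib
import hmac
import secrets

# Hypothetical values for this example: the server-side key that signs
# trusted-device cookies, and score thresholds you would tune from fraud data.
DEVICE_KEY = b"server-side-key-for-trusted-device-cookies"
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 60


def issue_device_token(user_id: str) -> str:
    """Mint a trusted-device cookie once this device has passed a step-up.
    Format user:random-device-id:HMAC, so it can't be forged or re-bound."""
    device_id = secrets.token_hex(16)
    payload = f"{user_id}:{device_id}"
    mac = hmac.new(DEVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def device_is_trusted(token: str, user_id: str) -> bool:
    """True only for an untampered token issued to this same user."""
    if not token or not token.isascii():
        return False
    parts = token.split(":")
    if len(parts) != 3:
        return False
    tok_user, device_id, mac = parts
    expected = hmac.new(DEVICE_KEY, f"{tok_user}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and tok_user == user_id


def score_login(event: dict, profile: dict) -> tuple:
    """Add up risk signals for one login or transaction attempt.
    `event` is what the login endpoint sees; `profile` is the user's history."""
    score, reasons = 0, []
    if not device_is_trusted(event.get("device_token", ""), event["user"]):
        score += 30
        reasons.append("untrusted device")
    if event["country"] not in profile["known_countries"]:
        score += 20
        reasons.append("login from new country")
    if event.get("failed_attempts_last_hour", 0) >= 5:
        score += 40
        reasons.append("password-guessing pattern on this account")
    if event.get("action") in profile.get("sensitive_actions", ()):
        score += 15
        reasons.append("sensitive action")
    return score, reasons


def decide(event: dict, profile: dict) -> tuple:
    """allow: password alone is enough; step_up: demand the second factor;
    deny: refuse even a correct second factor and route to account recovery."""
    score, reasons = score_login(event, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    return "allow", reasons
```

With these weights a trusted laptop used from a new country is still let through, but the same laptop performing a sensitive action from there is stepped up, and an unknown device hitting an account that has already absorbed a burst of failed logins is refused outright, which is the credential-stuffing case where a phished one-time code should not be enough. Set the cookie HttpOnly, Secure and SameSite and give it an expiry, since it partly substitutes for the second factor.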
5. Collect a phone number for important communication
Email is a good method of communication, but SMS is more appropriate for urgent matters such as, "Holy Heck, we were hacked, change your password!" Email comes with its own set of challenges because the mailbox itself can be compromised, and many users reuse the same credential across all their accounts. That's why it's imperative to capture and verify your users' phone numbers when they register for an account. Not only does this help ensure users are who they say they are, but it can serve as an effective deterrent for keeping out fraudsters and spammers. Attaching a verified phone number to an account enables downstream benefits like streamlining password resets and enabling secure communication with your user base if there is ever a system-wide data breach.
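The "capture and verify" step, as an added example that is not TeleSign's API: the user proves possession of the number by echoing back a short code sent to it. The server keeps only a keyed hash of the code, expires it, limits guesses (a six-digit code is trivial to brute-force without a limit) and throttles resends so the endpoint cannot be turned into an SMS cost or spam generator. The policy values are assumptions, and the `send_sms` callback stands in for the real SMS gateway.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumed policy values for this example; tune them to your abuse data.
CODE_TTL_SECONDS = 300          # a code dies after five minutes
MAX_ATTEMPTS = 5                # 10^6 codes / 5 guesses keeps brute force hopeless
RESEND_INTERVAL_SECONDS = 60    # throttle re-sends (cost abuse / SMS pumping)
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def normalize_phone(raw: str):
    """Canonical E.164 form, or None if the input is not a plausible number."""
    candidate = re.sub(r"[\s().-]", "", raw)
    return candidate if E164.match(candidate) else None


class PhoneVerifier:
    """Possession check for a phone number: send a one-time code, store only a
    keyed hash of it, and enforce expiry, attempt limits and resend throttling."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms  # transport callback; a stub in the example
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # phone -> challenge record

    def start(self, phone: str) -> bool:
        """Issue a code to `phone`; False if one was sent too recently."""
        rec = self.pending.get(phone)
        if rec and self.now() - rec["sent_at"] < RESEND_INTERVAL_SECONDS:
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        key = secrets.token_bytes(16)
        self.pending[phone] = {
            "key": key,
            "digest": hmac.new(key, code.encode(), hashlib.sha256).digest(),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
            "sent_at": self.now(),
        }
        self.send_sms(phone, f"Your verification code is {code}")
        return True

    def confirm(self, phone: str, code: str) -> bool:
        """True once, for the right code, inside its lifetime and guess budget."""
        rec = self.pending.get(phone)
        if rec is None:
            return False
        if self.now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[phone]  # expired or locked: force a fresh code
            return False
        rec["attempts"] += 1
        digest = hmac.new(rec["key"], code.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(digest, rec["digest"]):
            del self.pending[phone]  # single use
            return True
        return False
```

Treat a verified number as proof of possession at the time of enrollment, not as a permanent identity: numbers get recycled and ported, so re-verify before relying on it for a password reset, and keep the notification message itself useful without the user having to trust a link in it.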
6. Communicate early and often
Though I’m no PR wonk, I’ve seen enough of these hacks go down that I’ve picked up a few best practices (at least from the IT perspective).
Companies that have been hacked need to quickly tell users that a breach occurred, how it occurred, and what the user needs to do. Be transparent about what data was compromised and what you are doing to remediate any issues found. Be transparent about your security. If you have salted (or double-salted) your users' credentials, say that, and explain what this means in terms of how difficult it is for the bad guys to actually recover your users' passwords.
It’s a best practice to conduct a detailed post mortem. The way the Internet community gets better about security is by understanding what mistakes were made, embarrassing as they may be.
In this technology-driven business environment there is potential for enormous opportunities, as well as significant risks. Just as companies buy insurance to cover fire or flood loss related to their buildings, organizations have to insure their most valuable asset: their data. And the best way to protect data is to follow some commonsense best practices and to learn from the companies that have been put through the fire.