August 07, 2014

Security on the internet under constant attack

In recent years there have been countless successful hacking attempts on anything connected to the internet. Only recently have media outlets given these incidents the urgency of a front-page story, as the dangers of having your personal information exposed, such as financial theft or unwanted correspondence, become more apparent.  What I find scarier is the complacent attitude of users.  Comments such as "I don't use that site/service, so I have nothing to worry about" stick out in my mind.  My response has always been "If your car has never been stolen, do you leave your doors unlocked?"

This week, in a New York Times article titled "Russian Hackers Amass Over a Billion Internet Passwords", it is estimated that over 1.2 BILLION (yes, with a 'B') username and password combinations have been compromised across 420,000 websites.  With these numbers, quick math shows that 17% of the world's population has been compromised...and knowing that not all of the estimated 7 billion people on earth are connected, this number is even higher.  Further, this is only one single breach!

So what can you do to protect yourself?  Obviously we use sites for the convenient access they give us to information and/or services, so abstaining is simply not an option.  Some simple tips I often recommend can help strengthen your online security, but understand that nothing is 100% secure:
  1. Do NOT share your password with others
  2. Do NOT use the same password for more than one site
  3. Secure your password somewhere AWAY from your computer
  4. Change your password several times a year, no matter how inconvenient
  5. Combine capital letters, numbers, and symbols in your password
  6. When providing personal information via a web form, look at the web site address for a secure, SSL-encrypted connection.  The padlock and an address starting with httpS:// show that the connection is encrypted.

It should be common practice at every place of employment to provide users with unique credentials, and ZERO generic accounts.  As an employee you may be granted elevated security rights due to your job description/requirements, etc.  Think of what your account gives you access to on a daily basis.  Things like your email account, company financial systems, data on locked-down company network drives; the list is endless.  By sharing your password, you are exposing yourself to risk on a multitude of systems...which YOUR ID would be logged as accessing.

In the past, I have been witness to an incident where an employee went on vacation, and gave their password to someone else at work whom they thought they could trust.  The reason was that they approved company procurement requests, and they did not want their absence to become a bottleneck.  The "trusted" employee quickly realized what additional items they had access to, and proceeded to email the entire company, from the vacationing employee's account, their thoughts on the organization...none of which were positive.  Needless to say they were walked out for doing so, and upon further investigation it was discovered that the individual had been disgruntled for some time.  The proper solution would have been to obtain the necessary access for the back-filling employee prior to the vacation commencing.

There are other forms of securing yourself; however, they are only starting to gain momentum now and have a cost associated with them, and therefore are not as commonplace.  One such method, multi-factor authentication, validates identity using technology such as facial/iris recognition, voice identification, and even fingerprint scanning.  Two-factor authentication has become cheaper in recent years and combines user credentials with another form of identification.  An example is a site sending a security code to a personal mobile device for you to enter.

At the end of the day, if you do not feel good about entering some information online...DON'T.  It is your information.  Data integrity starts with you.

I'm Mike M.