I’m astonished that major data breach stories are still occurring and generating unnerving headlines. How many of these instances do we have to read about before we finally take at least basic action to protect our customer information?
As a result of an attack, adult dating and pornography website company FriendFinder Networks exposed the personal details of more than 412 million customer accounts. The hackers scooped up email addresses, passwords, browser information, IP addresses and membership statuses across multiple related websites.
The number of accounts compromised made this attack one of the most significant data breaches ever recorded.
What basic best practices are we failing to implement to address security vulnerabilities?
Password management
FriendFinder stored customer passwords either in plain text or hashed with SHA-1. Neither method is considered secure by any stretch of the imagination.
A better practice is to store your account passwords, and perhaps all your data, using AES-256 encryption. At the AES encryption website, you can experiment with the encryption and examine example source code that implements it.
AES encryption is not complicated or expensive to implement, so please take action.
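An added example, not from the column or from FriendFinder: the bare SHA-1 storage the column criticises beside a salted, iterated password hash using only Python's standard library. For the password field this swaps the column's AES-256 for a one-way function (PBKDF2-HMAC-SHA256), since a login check only needs to match the password, not recover it, and a hash leaves no decryption key to steal; AES-256 still fits the other customer data the column mentions. The iteration count is an assumption taken from OWASP guidance, and the sample password is constructed.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's published minimum for PBKDF2-HMAC-SHA256


def legacy_sha1(password: str) -> str:
    """What the column says FriendFinder used: a bare SHA-1 of the password.
    Equal passwords give equal digests, and digests of common passwords can be
    computed once and matched against every row of a leaked table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated one-way hash. The record is self-describing so the
    iteration count can be raised later without re-hashing everyone at once."""
    salt = salt if salt is not None else os.urandom(16)  # fresh 16 random bytes per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time.
    A row in any other format (plain text, legacy SHA-1, tampered hex) fails closed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True for legacy rows or a stale iteration count; re-hash on the next
    successful login, the only moment the plaintext is legitimately in hand."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != SCHEME
            or not parts[1].isdigit() or int(parts[1]) < PBKDF2_ITERATIONS)


if __name__ == "__main__":
    alice, bob = hash_password("hunter2"), hash_password("hunter2")  # constructed sample password
    print("legacy rows collide:", legacy_sha1("hunter2") == legacy_sha1("hunter2"))
    print("salted rows differ:", alice != bob, "| login ok:", verify_password("hunter2", alice))
    print("legacy row needs rehash:", needs_rehash(legacy_sha1("hunter2")))
```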
Account management
According to LeakedSource, the leaked FriendFinder database included the details of almost 16 million deleted and active accounts for Penthouse.com that had been sold to another company.
Your business processes must include deleting sold, terminated and inactive accounts after a defined period. This trivial and seemingly logical recommendation runs smack dab into our packrat tendencies and paranoia that a future event may occur where someone important asks about how many customers terminated their accounts over some prior period.
Thinking about the avoidable damage to your personal and company reputation that a data breach will cause should help you overcome these packrat tendencies and take action to only keep active data.
Not learning
Shockingly, FriendFinder management took no action after the first data breach. A year later, the personal details of almost four million FriendFinder accounts were leaked by hackers.
The dereliction of duty by the FriendFinder chief information officer (CIO) is astonishing. I hope the CIO was fired over this data breach. Sometimes the issue isn’t a lazy CIO, but that management turned down the CIO’s request for resources to reduce the risk of data breaches.
The lesson is that improving security and reducing risks to the company’s reputation due to a data breach is now everyone’s business. The CIO is likely the best person to lead the effort. The rest of the management team should be supportive.
Server patching
FriendFinder failed to patch or update its servers. This disregard makes any computing environment more susceptible to attack.
Neglecting to patch can become embarrassing if it facilitates a data breach. Best practices for server patching are not complicated and are well understood. Some organizations license patching software that helps manage the process.
Staff effort is required to monitor servers and perform the patching. This work should not be considered discretionary, even if the budget is under pressure.
Losing laptops
Some FriendFinder employees lost their laptops. Unfortunately, that loss or theft can happen to anyone. Laptops contain lots of information about your organization and your credentials. Most browsers include a Password Manager that stores user IDs and passwords for easy login. While this feature makes life simple for the rightful owner, it also makes unauthorized access a breeze for a hacker who has illicitly acquired your laptop.
Companies should issue a security cable for every laptop that may leave the company premises. Using the cable deters laptop theft because such theft becomes much more complicated.
Companies should install software that phones home on every laptop. The software checks if it’s been reported stolen shortly after every login. If so, the software wipes the hard drive. Absolute is one of several software packages that can perform this task.
If you act on these relatively simple points, you’ll significantly reduce the risk of data breaches. Click here for more elaborate and expensive best practices that will reduce the risk of data breaches even more.
Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.
The opinions expressed by our columnists and contributors are theirs alone and do not inherently or expressly reflect the views of our publication.
© Troy Media