by Don Jackson, a Director with Dell SecureWorks’ Counter Threat Unit (CTU) security team
Passwords are used everywhere, and they are important keys in protecting valuable assets. Unfortunately, research based on actual breaches has shown that users, when not physically prevented from doing so, will generally select weak passwords that are simple and easy to guess. This appears to have been the case in the recent breach of 200 point-of-sale terminals located at 150 Subway restaurants and 50 unnamed retailers. According to recent news reports, hackers stole credit card data belonging to more than 80,000 customers. They gained unauthorized access by guessing or “brute forcing” the system passwords, which indicates that default or commonly used passwords were in place.
We see time and time again that hackers will spend whatever effort the value of the targeted assets justifies in order to obtain someone’s password. Tactics include phishing, social engineering to get passwords revealed or reset, compromising systems or their users to install spyware and keylogging programs, and cracking stolen password hashes, either by looking them up in precomputed tables or by guessing candidates with optimized brute-force attacks.
It is critical that organizations of all sizes use best practices when it comes to passwords, not only for their financial accounts but for all of their critical information assets. Below are nine ways to help protect your organization’s data:
Password Security Tips:
- Use Passwords with 12 Characters or More. Enforce corporate policies prohibiting short, simple, common, and reused passwords. Research shows that effective passwords are generally twelve characters or longer, and each additional character multiplies the number of candidates a brute-force attacker must try, so the work required to guess a password grows exponentially with its length.
- Advise Employees to Use a Different Password for Each Site. People often reuse one password across multiple sites, including their social networking sites, so a breach of any one of those sites exposes the others. Users should use a different password for each site they interact with. While it is not possible to stop users from reusing passwords on sites the organization does not control, it is possible to educate them about the harm in doing so and to force their corporate passwords to expire every three months. Keeping a password history and forbidding the reuse of old passwords increases the chance that the corporate password is unique and therefore useless to an attacker who has obtained the user’s password for another website.
- Fortify your web site against attacks like SQL injection, and protect stored password hashes against reverse lookup by salting them and using a deliberately slow hashing algorithm.
- Use anti-virus and other security software to prevent passwords from being stolen by spyware and viruses.
- Use Software to Manage Online Passwords. Use software like KeePass (free, open source, multi-platform) or hardware security tools like IronKey to securely remember and manage online passwords. IronKey is portable and automatically logs users into their accounts on any computer to circumvent keyloggers and phishing attacks.
- Do Not Store Passwords in Databases. Databases should never store passwords in the clear. Instead, they should store password hashes: values derived from the characters of a password by a one-way function, ideally salted and computed with a deliberately slow algorithm. That way, if a hacker breaches the database, he finds only the hashes, not the passwords. A hash cannot be directly converted back into a password, but attackers can guess candidate passwords and compare their hashes against the stolen ones, so not storing passwords in the clear is one additional layer of protection rather than a complete one.
- Protect Corporate Financial Accounts. Employees working with the organization’s financial accounts should use a separate, dedicated computer to manage financial accounts online; don’t use that computer for normal web surfing, emailing, social networking, or anything else that uses the Internet.
- Use Tools to Protect Online Financial Sessions. Check whether your financial institution offers a software tool like Trusteer’s Rapport to help protect online sessions with money management services.
- Educate Your Employees. Educate your employees regarding computer security and social engineering scams like phishing.
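As an added example (not code from the article or from Dell SecureWorks), the following Python script implements the storage and policy points above in one place: it stores only salted, slow PBKDF2 hashes rather than passwords, rejects passwords shorter than twelve characters or found on a common-password list, keeps a history of old hashes so a user cannot return to a previous password, flags passwords older than three months, and uses parameterized SQL so the lookup cannot be subverted by injection. The iteration count, history size, common-password list, user names and passwords are all assumed or constructed values, not taken from the article.

```python
import hashlib
import hmac
import os
import sqlite3
import time
from typing import Optional

# Policy constants (assumed values for this example, not from the article).
MIN_LENGTH = 12                 # article: twelve characters or longer
HISTORY_SIZE = 5                # previous hashes kept per user to block reuse
MAX_AGE_SECONDS = 90 * 86400    # article: expire passwords every three months
PBKDF2_ITERATIONS = 600_000     # slow, salted hash; OWASP-level cost for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

# Constructed deny-list standing in for a real list of common/breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1234"}

# Fixed salt used only so an unknown username costs the same as a wrong password,
# which keeps the login form from leaking which usernames exist via timing.
_DUMMY_SALT = b"\x00" * SALT_BYTES


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the per-user salt defeats precomputed (rainbow) lookups."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class PasswordStore:
    """Stores salted hashes only, never the password itself, and enforces the policy."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self.iterations = iterations
        self.db = sqlite3.connect(":memory:")   # in-memory stand-in for the real database
        self.db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
                        "digest BLOB, iterations INTEGER, changed_at INTEGER)")
        self.db.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, username TEXT, "
                        "salt BLOB, digest BLOB, iterations INTEGER)")
        self._dummy_digest = hash_password("", _DUMMY_SALT, iterations)

    def policy_violation(self, username: str, password: str) -> Optional[str]:
        """Return the reason a password is rejected, or None if it passes the policy."""
        if len(password) < MIN_LENGTH:
            return f"shorter than {MIN_LENGTH} characters"
        if password.lower() in COMMON_PASSWORDS:
            return "on the common-password list"
        rows = self.db.execute(
            "SELECT salt, digest, iterations FROM history WHERE username = ?", (username,))
        for salt, digest, iterations in rows:       # only hashes are kept, so re-hash to compare
            if verify_password(password, salt, digest, iterations):
                return "reused from password history"
        return None

    def set_password(self, username: str, password: str, now: Optional[int] = None) -> None:
        reason = self.policy_violation(username, password)
        if reason is not None:
            raise ValueError(f"rejected: {reason}")
        salt = os.urandom(SALT_BYTES)
        digest = hash_password(password, salt, self.iterations)
        now = int(time.time()) if now is None else now
        # Parameterized statements: user input never becomes part of the SQL text.
        self.db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?, ?)",
                        (username, salt, digest, self.iterations, now))
        self.db.execute("INSERT INTO history (username, salt, digest, iterations) "
                        "VALUES (?, ?, ?, ?)", (username, salt, digest, self.iterations))
        self.db.execute("DELETE FROM history WHERE username = ? AND id NOT IN "
                        "(SELECT id FROM history WHERE username = ? ORDER BY id DESC LIMIT ?)",
                        (username, username, HISTORY_SIZE))

    def authenticate(self, username: str, password: str) -> bool:
        row = self.db.execute("SELECT salt, digest, iterations FROM users WHERE username = ?",
                              (username,)).fetchone()
        if row is None:
            # Burn the same hashing cost so unknown and known usernames look alike.
            verify_password(password, _DUMMY_SALT, self._dummy_digest, self.iterations)
            return False
        return verify_password(password, *row)

    def password_expired(self, username: str, now: Optional[int] = None) -> bool:
        row = self.db.execute("SELECT changed_at FROM users WHERE username = ?",
                              (username,)).fetchone()
        if row is None:
            return True
        now = int(time.time()) if now is None else now
        return now - row[0] > MAX_AGE_SECONDS


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse battery staple", now=0)
    print(store.authenticate("alice", "correct horse battery staple"))
    print(store.authenticate("alice", "Password1234"))
    for bad in ("short1", "Password1234", "correct horse battery staple"):
        print(bad, "->", store.policy_violation("alice", bad))
```

Two details matter beyond the policy itself: `hmac.compare_digest` avoids leaking hash bytes through comparison timing, and the dummy hash on an unknown username keeps a failed login from revealing which accounts exist. The iteration count is a deployment decision; raise it as hardware gets faster, and store it per record (as above) so old hashes can be upgraded at the user's next login.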