It’s not even the end of January and already we’ve seen some pretty big security humdingers. From the Facebook worm through to Zappos, it would appear the hackers are constantly one step ahead. But even though Zappos affected 24 million customers, the biggest security talking point of 2012 to date has to be the Stratfor database.
For hackers, it was simply the Christmas gift that kept on giving. Having hacked the Texan-based database over the festive break, those responsible saw a seemingly never-ending run of headlines dominate the national agenda. For the UK, the game-changer was when The Guardian revealed that 221 British defence staff had been exposed as part of the hack.
There were red faces all around. For whilst it is believed that staff would have different passwords to access more sensitive Whitehall information, it once again showed how easily static passwords can be snaffled, exposed and someone’s identity potentially stolen.
Yet passwords aren’t a new security ‘phenomenon.’ Indeed they’ve been around since the advent of the PC. The problem is that people don’t take them seriously enough. With headlines dominated by cyber crime, companies have invested in protecting their firewall.
Put simply they’ve locked their houses, but left the windows open. It doesn’t matter how sophisticated your antivirus is, if a hacker has passwords then they can assume an authorised identity to wreak untold damage.
You might be reading this, thinking really are passwords all that important? Well, let me ask you a few questions. How do you secure users access to corporate information? How do you secure your IT systems? How do you check who is authorised to access what information? How do remote workers access the network? Yes, you guessed it – passwords.
The reason that passwords are such a vulnerability is because human nature dictates that not only will the password not be selected at random and have a personal connection to the user (something that any hacker can deduce within seconds), but that for ‘ease’ they will use the same password and log-in for every application. Once you have one password, the entire corporate network opens up before you. And who is going to stop you? As far as the system is concerned you’ve been authenticated.
The advent of tablet PCs and smartphones is only exacerbating the situation. Most users store email and company sensitive information on mobile devices without giving it a second’s thought. Access to this data allows them to work on the move and keep pace with their colleagues during the working day.
But what many people don’t realise is that most smartphones will automatically log you on to free Wi-Fi. Brilliant, who doesn’t love free Wi-Fi? You might think it’s easy and convenient, but for hackers free Wi-Fi spots make accessing sensitive information like taking candy from a baby. They can set up a rogue spot and within seconds of you logging on have not only users corporate passwords, but also passwords for their mobile banking and Facebook account, amongst others.
In a world where hackers are scoring big-wins, companies cannot afford to secure access to their systems with static passwords. And neither can they afford to be exposed by third parties they work with that have less than robust security policies in place. At the time of the hack Stratfor defended itself and stated that the passwords had been encrypted but clearly this posed no obstacle for the hackers responsible. The only way to protect against such attacks is to implement one-time passwords and strong user authentication.
In the past many companies have dismissed two-factor authentication as too expensive to implement and manage or that it interferes with the user experience. Yet, that is no longer the case. The barriers of cost, complexity and management have been removed and now companies of any size can use it. For the price of a cup of coffee, businesses can now secure unlimited users, via multiple channels, whether that is through the cloud, smartphone apps or key fobs.
Stratfor once again demonstrates that despite all the hype of cyber security, passwords are a real threat to businesses around the world. How many more incidents must we read about before businesses move away from static passwords and start to better protect themselves and their customers against hackers?