Another year passed, another year’s worth of examples showing why proper security and precautionary measures are so crucial. ZDNet lists no fewer than 25 major hacks in 2017, and plenty of other outlets, from Wired to Entrepreneur, have their own rundowns of the greatest catastrophes to befall cyberspace over the past year. Though unfortunate, these examples can serve as learning experiences looking forward to 2018, and analyzing a few can provide some insights and advice on what to do and what not to do in order to avoid falling prey to hacks, data breaches, and the like heading into the new year. First, though, a look at a few key cases.
Running Down 2017’s Major Hacks
Of the many cyber attacks that occurred in 2017, a good number that resulted in deleterious consequences for consumers could have been mitigated, at least in part, by simple security precautions. One such example is the breach that affected Hyatt, the second such attack within a two-year period. The breach compromised customer credit card information:
“The hotel chain said the incident affected payment card information – cardholder name, card number, expiration date and internal verification code – from cards manually entered or swiped at the front desk of certain Hyatt-managed locations.”
Like many such attacks on the hospitality industry, this one used careful social engineering to coax the compromised information out of Hyatt employees, and it’s not the only breach of the year that took advantage of a company’s lax security measures. Perhaps the most infamous story of the year was news that Equifax suffered two data breaches within the span of a few months in 2017.
The first such breach took advantage of Equifax’s reliance on a PIN system for security:
“Equifax says crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.”
As noted in the report from Krebs On Security, Equifax “should have known better than to rely on a simple PIN for a password,” even if it was coupled with Knowledge-Based Authentication (KBA) questions. More advanced security measures may well have prevented this particular incident.
Then there was the later breach, wherein hackers used a flaw in the company’s web software to expose “personal and financial data on 143 million U.S. consumers.” As both Wired and Forbes reported, the breach would have been wholly preventable had Equifax bothered to patch their web-application software (which they had months to do), with Forbes also noting that Equifax had been serving up vulnerabilities on a silver platter by way of abysmal passwords:
“Smith can expect questions about a fresh vulnerability found by Hold Security: Equifax ran a customer portal in Argentina for which the username and password combination was admin/admin.”
They go on to explain exactly why this shortcoming was so abysmal, but the gist of it is already clear: strong passwords and hard-to-guess usernames are one of the first lines of defense against data intrusion.
The list of hacks in 2017 goes on and on. There was the rather unfortunate incident with Deloitte, the embarrassing Pizza Hut hack, and even the revelation that an earlier hack of Yahoo actually exposed “every single one of its 3 billion accounts” (as opposed to the previous estimate of “only” 1 billion accounts), a number greater than “every user on Facebook, Instagram and Twitter combined.”
All of these scenarios show that unscrupulous hackers aren’t letting up in their efforts, that any business or organization could be a target, and, more importantly, that proper security precautions are necessary to prevent such incidents from occurring.
Exercising Better Security In 2018
As mentioned above, proper password security is still critical. In both the Equifax and Deloitte hacks, lax passwords played a role in the hackers’ ability to cause harm. Urging employees to create complex passwords is a strong first step, one that should be coupled with changing said password on a regular basis and keeping that password closely guarded (e.g. not sending passwords through emails or falling victim to phishing scams).
Only using “trusted devices” for private logins is another key step in reducing the likelihood of hacks. Using public computers comes with an array of security concerns, and these are mitigated by keeping logins restricted to work computers, a personal phone, etc.
In examples like the Yahoo and Pizza Hut breaches, while there might not be a great deal consumers could have done to prevent the hackers from accessing some of their details, the use of additional security measures, such as Two-Factor Authentication (2FA), may have helped to keep their accounts from being compromised. As reported by CNET, the additional step might be the difference between feeling “smug instead of scared the next time there’s a data breach,” and, as Fortune notes, the use of 2FA stood to prevent some major recent incidents:
“The most famous example is John Podesta, Hillary Clinton’s presidential campaign manager, who was tricked by the Russians into supplying his Gmail password. If he had 2FA turned on, the hackers would likely not have broken in.”
Combining these efforts with additional measures such as well-maintained security software and keeping a close eye on who has access to certain accounts is all part and parcel of reducing the chances of potential hacks going into 2018.