How to shield a network from damaging hacks

In case you have not already heard about the HBGary hack and email leak, I recommend reading one of the articles or blog posts composed on the topic since the incident in early February. It serves as a powerful cautionary tale about what can transpire in cases where security corporations fail to protect their own networks properly. Even in the event your group does not deal in security issues, there is a whole lot to be learned about the best way to successfully shield a site and a network from similar harmful hacks. Let's walk through the significant points of failure from this instance step by step. Never skimp on website security The initial point of attack for the hacker group was the HBGary Federal site, where they were able to use a common SQL injection to gain access to the website database. This gave them access to usernames, emails and "hashed" passwords (passwords encrypted with a hash function to forestall unauthorized access). This may have been stopped by either utilizing a strong, up-to-date commercial content management system or by testing the custom CMS for SQL injection holes. This sort of exploit is frequently used in the hacker community and involves only minor talent to utilize, so any security professional ought to be aware of it. Create complex passwords Even though the passwords had been encrypted inside the database, there are popular tools around to help hackers attempt to work out the right passwords based on the hashed data. These types of tools pre-compute thousands and thousands of possible passwords and then can be searched for the resulting hash sequence. There are, of course, limitations to what these tools are capable of. For pragmatic reasons they will only store data about a limited subgroup of prospective passwords, for instance just passwords from 1-8 characters that have lower case characters in addition to numbers or just passwords from one to twelve letters in upper case. Two employees at HBGary (the CEO and COO) chose passwords that were only 8 characters long with 6 lower case letters and 2 numbers, making them vulnerable to this specific attack. Using difficult passwords with a combination of upper and lower case letters, numbers, and characters such as # and $ more or less takes away the threat of these types of tools being employed to work out your password. Create different passwords Getting user passwords for access to a site is bad, but not catastrophic for a security firm. Unfortunately for HBGary, both of the uncovered passwords had been reused in lots of places, including social networking websites and email management. It might be awfully tempting to reuse passwords - especially complex ones - however the simple fact is that reusing passwords has turned out to be among the most prevalent security challenges today. In the event you use the same password for your email and a low-profile opinion website, and that website's database is compromised, it might be possible for someone to use this password to get access to your email and quite possibly a lot more. Keep software programs updated A lot of problems with the safety of these sites could have been solved by staying on top of appropriate security updates. Whenever vulnerabilities are found in programs, developers work to shut the loopholes and then send out updates to solve the issue. Users that run these types of patches as they are released are considerably less likely to have their systems broken into, as hopeful attackers have a considerably shorter window of opportunity to act on a new exploit. Odds are relatively good that if you've at any time studied effective security practices, you already know the bulk of this. In cases where even security companies fail to comply with this fundamental advice, though, it's good to double check your own security for potentially embarrassing vulnerabilities.

I work at an IT support company helping small businesses with their IT outsourcing. I love keeping up with the latest news and sharing what I know with my clients to keep their networks safe.