Hacking Epidemic: How to Fight Back
If you're an Evernote user you likely know the note-taking service was hacked and this past weekend the company had to reset the passwords for all of its 50 million users.
The breach seems part of an epidemic--in recent weeks, stories of companies falling prey to hackers have filled the news. But it's not just big-name brands that have to worry; the little guys make good targets, too.
Here's what you need to know.
The Back Story
A slew of media outlets have been hacked. Twitter was breached, and attackers made off with the usernames, email addresses, session tokens, and encrypted or salted versions of passwords of about 250,000 users. Hackers also infiltrated customer-service SaaS provider Zendesk, which had to announce that three of its prominent customers--Twitter, Pinterest, and Tumblr--were all compromised.
Facebook, Apple, Microsoft and Twitter also recently fell victim to hackers, whether Chinese, Eastern European or otherwise, who rely on vulnerabilities in Java: if an employee running an outdated version of the browser plug-in visits a site loaded with malware and is unknowingly infected, the attackers can follow that employee back to the company network, snoop around, and cause all sorts of trouble.
And then there are always hacked Twitter accounts to consider. Hijackers recently took over Burger King's and Jeep's accounts, along with those of media outlets MTV and BET. Malefactors are able to cause a ruckus by posting on behalf of companies once they figure out the Twitter passwords employees are using. They do this by luring employees to sites that look legitimate and tricking them into handing over log-in credentials that companies may reuse on more than one site (a no-no in the realm of security).
A CTO Gives Advice
One company, Cinchcast, says it avoids these pitfalls because its platform eschews Java, doesn't rely on any browser plug-ins, uses HTML5 instead of Flash, and employs two-factor authentication when adaptive authentication calls for it.
The large-scale conference call company, which can handle thousands of people on a call at a time, says keeping bad guys out of calls is of the utmost importance, considering some of these meetings involve discussing sensitive and proprietary financial information.
But just what are two-factor and adaptive authentication?
"Two-factor authentication is a type of authentication that consists of two factors--something that you know, like a password and something that you have, which can be an object like a phone or a physical token," says Cinchcast CTO Dr. Aleksandr Yampolskiy. An example would be how Google's two-factor authentication will text a code to your phone that you need to enter along with a password to access your account. Another is the Yubikey, a little thing resembling a USB stick that you plug into your PC to prove your identity when you try to access online accounts.
The problem when it comes to SMBs deploying two-factor authentication on their consumer-facing websites, Yampolskiy says, is they worry doing so will add friction that will alienate users. On e-commerce sites, for example, adding an extra step might reduce conversion rates, or on Twitter it might discourage people from tweeting.
Speaking of Twitter, the micro-blogging site is rumored to be looking at offering two-factor authentication because of all the security snafus it's seen lately. But even if it does, some experts believe nobody will use the added security because any little bit of extra work turns people off.
Not only that: while two-factor authentication would help users keep hijackers out of their accounts, it's not going to prevent Twitter's own servers from being broken into unless the company puts its internal servers inside a secure zone, protected by a virtual private network (VPN) with two-factor authentication. Doing so would make break-ins much more difficult, but not impossible, Yampolskiy says.
Nonetheless, Yampolskiy says two-factor authentication doesn't have to wreck a user's experience. The reason: adaptive authentication.
The latter is what banks have been using for years--it's the technology that suspects your bank card might be stolen because it is suddenly being used in Florida when you live in Oregon and don't travel much. Adaptive authentication is responsible for those calls you'll sometimes get from your credit card company asking if it was really you who bought a $5,000 watch when you usually shop at Walmart.
Yampolskiy says two-factor authentication can be invoked only when adaptive authentication calls for it, and the approach is no longer limited to banks. More and more companies are using adaptive authentication before employing two-factor authentication.
Google is a great example of a company using adaptive authentication. Google's security systems analyze more than 120 different signals to determine if someone logging into one of its products is a legitimate account holder, and if it suspects something is awry, it puts up a roadblock. For example, if those systems see that you've logged in from California and within an hour you're logging in from Russia, you'll probably be given an interstitial page that asks you to verify information you've previously given to Google, such as your phone number.
As for how your business can use adaptive authentication, Yampolskiy says that while online retailers can buy products such as RSA Adaptive Authentication for Ecommerce, many companies just build their own adaptive authentication capabilities themselves.
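A toy version of the decision described above, added here as an illustration and not code from Google, Cinchcast or RSA: it evaluates two signals, an unrecognized device and "impossible travel" between consecutive logins, and only steps up to a second factor when they fire. The signals, the haversine distance check and the 1,000 km/h travel threshold are my own assumptions.

```python
"""Toy adaptive-authentication policy (added example, not a vendor's system).
Decides whether a login can proceed on the password alone or must be
stepped up to a second factor."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set


@dataclass
class Login:
    user: str
    ts: float        # seconds since epoch
    lat: float       # geolocated latitude of the client
    lon: float       # geolocated longitude of the client
    device_id: str   # cookie or fingerprint identifying the browser/device


def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner means "impossible travel"


def risk_signals(prev: Optional[Login], cur: Login, known_devices: Set[str]) -> List[str]:
    """Return the names of the risk signals that fire for this login."""
    signals = []
    if cur.device_id not in known_devices:
        signals.append("unknown_device")
    if prev is not None:
        hours = max((cur.ts - prev.ts) / 3600.0, 1e-6)  # avoid division by zero
        if distance_km(prev, cur) / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")
    return signals


def decide(prev: Optional[Login], cur: Login, known_devices: Set[str]) -> str:
    """'allow' when no signal fires; 'step_up' when a second factor is required."""
    return "step_up" if risk_signals(prev, cur, known_devices) else "allow"


# Constructed sample: California login followed an hour later by one from Moscow.
sf = Login("alice", 0.0, 37.77, -122.42, "dev-1")
moscow = Login("alice", 3600.0, 55.76, 37.62, "dev-1")
la = Login("alice", 6 * 3600.0, 34.05, -118.24, "dev-1")
```

`decide(sf, moscow, {"dev-1"})` steps up because the implied speed is roughly 9,400 km/h, while `decide(sf, la, {"dev-1"})` six hours later is allowed.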
Does Any of This Matter for Small Businesses?
You might be thinking all of this hacking business doesn't apply to your company, or that the security precautions you have in place are plenty good.
But know this: according to security firm Symantec, in the first half of last year 36 percent of all targeted attacks were aimed at companies with fewer than 250 employees--that figure was up from 18 percent at the end of 2011.
And learn from the cautionary tale of family-owned Solid Oak Inc.
Chinese hackers tormented the eight-person California software company for three years, first quietly stealing its parental-filtering software and later waging an all-out war. After founder Brian Milburn says he discovered the theft, "Hackers broke into the company's system, shut down its email and Web servers, spied on employees using their own webcams, and gained access to sensitive company files, according to court records," reports FoxNews.
According to Yampolskiy, just like in Twitter's case, employing two-factor authentication along with systems and servers in a secure zone using VPN would make such an attack more difficult.
And while some prominent media outlets have recently touted Cyber Insurance--which can reimburse a company for damages resulting from a hack or help pay for help from a PR firm--Yampolskiy says it's not a good investment.
"The only advantage of insurance policies is that they require an assessment of current security conditions for the company, which a company may not have paid attention to before," he says. "But overall, it's wasted money. My best advice for SMB owners would be to focus more on security awareness and training their employees about potential risks of the Internet."