Top Hacker Disasters of 2011: Five Critical Lessons for Businesses

This year is already being called “The Year of the Hack,” due to the unprecedented number of damaging attacks against major companies like Sony, RSA Security, Google (NASDAQ:GOOG) and even the U.S. government. It’s hard to remember a time when businesses faced as many online threats as they do today.

From hacktivist groups like Anonymous to corporate and state-sponsored cyber espionage, organized crime and rogue hackers, every business, regardless of its size, is finding itself in the cross hairs of cyber attacks.

Why is so much hacking happening now? The answer is simple: More valuable information is stored online now than ever before, and at the same time, many companies have been lax about IT security.

Most of this year’s high-profile attacks should have been prevented. It’s the job of every business owner to learn valuable lessons about why these companies were hacked and how they could have prevented it.

Here is a recap of 2011’s significant hacks with important tips for businesses:

RSA Security, hacked in March 2011

RSA, best known for its SecurID tokens, was severely compromised by a clever cyber attack earlier this year. The attackers used social engineering (just another term for a “con”) to trick RSA employees into opening a spoofed, or fake, email and downloading an infected Excel spreadsheet. This attack gave the hackers access to the computer network, and from there they stole SecurID tokens and used them to hack military contractors.

Key Lesson No.1: Protect Critical Data. RSA should not have had its SecurID token secrets online. What valuable information does your business store in online databases? Many executives don’t know, and classifying business data should be near the top of their chief information security officer’s (CISO) to-do list. Business owners should thoroughly examine the information they store online and store critical data offline or behind strict network segmentation.

Key Lesson No.2: Segment Your Network. The attack on RSA used employees to get inside the company. Employee training isn’t reliable, so it is more important for businesses to safeguard their network by segmenting it, so that if one employee’s PC is infected the compromise can’t spread laterally through the entire system.

Sony, hacked April to June 2011

The attack on Sony made news for weeks as the company was attacked by LulzSec and the PlayStation Network was shut down. All told, the damage to Sony from these attacks was reportedly more than $170 million.

Key Lesson No.3: Security Leadership. The biggest reason for Sony’s security failure was that it didn’t have a chief information security officer (CISO). Businesses must have an executive who is directly responsible for managing IT security. Customers are entrusting their information to the company, so when that information is lost, they don’t blame the hackers, they blame the company.

Citigroup, hacked in June 2011

A basic and well-known website vulnerability is what hackers used to pry open Citigroup’s (NYSE:C) confidential data and steal the account details for 200,000 customers. This was another example of a basic security lapse resulting in major damage.

Key Lesson No.4: Audit Your Periphery. Any business that maintains sensitive information online should have its website professionally audited. Had Citigroup’s website been tested for basic web application flaws on a regular basis, it could have avoided this attack.

FBI Partner InfraGard Atlanta, hacked in June 2011

Hackers stole 180 usernames and passwords from InfraGard’s Atlanta chapter, and then used them to hack the personal and corporate email accounts of this organization’s members. Most of these passwords were encrypted, so the hackers could only use the ones that were easy to guess – but password reuse was common.

Key Lesson No.5: Don’t Share Passwords. Choosing a strong password is one of the easiest things a person can do, and yet so many fail to take it seriously. Basic password advice: make it 10 characters long, don’t use a word found in the dictionary, combine letters with numbers and symbols. But none of this will help if you use the same password for multiple accounts. Use two-factor authentication (even Gmail offers it) to further secure an email or Facebook account.
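The password rules above (10 characters, no dictionary word, a mix of letters, numbers and symbols) and the reuse problem that made the InfraGard leak so damaging can both be enforced at the point where a password is chosen. The following checker is an added illustration written for this article, not code from the author or from any of the companies mentioned; the small word list, the salt and the account names are constructed stand-ins, and the salted SHA-256 fingerprint is used only so the reuse check never keeps plaintext passwords around (a real credential store would use a slow password hash such as bcrypt, scrypt or Argon2).

```python
from __future__ import annotations

import hashlib
import hmac
import string

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "dragon", "atlanta", "infragard"}

MIN_LENGTH = 10  # the article's rule: at least 10 characters


def _alpha_core(password: str) -> str:
    """Keep only the letters, lowercased, so 'Dragon2011!' still matches the word 'dragon'."""
    return "".join(ch for ch in password if ch.isalpha()).lower()


def check_policy(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no digits")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no symbols")
    # Dictionary check on both the raw password and its letters-only core,
    # so tacking a year and a '!' onto a word does not get past the rule.
    if password.lower() in COMMON_WORDS or _alpha_core(password) in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


class CredentialVault:
    """Remembers a salted fingerprint of each password a person already uses elsewhere.

    Only fingerprints are stored, so the vault can refuse a reused password without
    ever holding the plaintext of the other accounts' passwords.
    """

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._fingerprints: dict[str, str] = {}  # account name -> fingerprint

    def _fingerprint(self, password: str) -> str:
        # Keyed SHA-256 (HMAC) over the password; demonstration only, see lead-in.
        return hmac.new(self._salt, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, account: str, password: str) -> None:
        self._fingerprints[account] = self._fingerprint(password)

    def reused_on(self, password: str) -> list[str]:
        """Names of the accounts that already use this exact password."""
        candidate = self._fingerprint(password)
        return sorted(
            account
            for account, stored in self._fingerprints.items()
            if hmac.compare_digest(stored, candidate)
        )


def evaluate(password: str, vault: CredentialVault) -> list[str]:
    """Policy violations plus a reuse violation if the password is already in use."""
    problems = check_policy(password)
    shared = vault.reused_on(password)
    if shared:
        problems.append("already used on: " + ", ".join(shared))
    return problems


if __name__ == "__main__":
    # Constructed demo: a user who already uses one password for corporate mail.
    vault = CredentialVault(salt=b"constructed-demo-salt")
    vault.register("corporate-mail", "Tr0ub4dor&3-xyz")
    for candidate in ("Dragon2011!", "Ab1!", "Tr0ub4dor&3-xyz", "Vq7#mLp2!zRk"):
        verdict = evaluate(candidate, vault)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The dictionary check deliberately strips digits and symbols before comparing, because a word with a year appended is the most common way people satisfy a "numbers and symbols" rule without actually leaving the dictionary. The reuse check only matches an exact repeat; it is a seed for the per-user policy, not a substitute for the two-factor authentication the article recommends.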

Cyber attacks will only get worse, so companies need to start preparing their systems now. The good news is that many of these attacks can be thwarted with basic security measures. As they say in the industry: “Making it impossible for hackers is just doing it right.”

Dave Aitel, president of Immunity Inc., is a former computer scientist for the National Security Agency and listed as one of the “15 Most Influential People in Security Today” by eWeek. He has co-authored several books, including “The Hacker’s Handbook,” and develops new tools to make companies safe. Dave’s company provides security assessments and penetration testing to companies in a wide range of industries, including financial services, industrial and manufacturing.