You may be aware that hackers recently exposed security weaknesses and false business practices by publishing sensitive personal data of an estimated 36 million accounts from the Ashley Madison website. Email addresses, credit card accounts and transactions and more were leaked on August 18.
Tens of millions of hashed passwords were also exposed and a number of those were easily cracked. Most were easily guessed, as they are considered ‘weak’ passwords like 123456, password, qwerty, ashley, 111111, etc. Even if your password is encrypted, like these were, weak passwords can be easily exposed using the right tools.
With your login ID (oftentimes your email address) and password, all your personally identifiable information is available to be easily accessed, stolen and used without your immediate knowledge. Even worse, company data, to which you’ve been granted access, is also available to the hacker to use for personal gain.
Lessons learned from this particular hack include:
- Require the use of ‘strong’ passwords in all circumstances and change them regularly.
- As a security administrator, establish a ‘need to know’ data access list. Limit data exposure to your company data through ‘security access profiles’.
- Understand that hackers are not just motivated by profit. In the case of the Ashley Madison hack, the hackers had a grievance against the company.
- Question the security posture of all your applications. Ashley Madison’s parent company collected money from subscribers to ‘erase all footprints’ when in reality only some data was deleted from the site.
- Build in multiple levels of security, audit your security practices and consider doing regular penetration testing to find and correct weaknesses in your network.
Don’t wait until you’re hacked. Take information security seriously.
Orion Group Managed Services offers Security Management consulting support and assists our customers in its design and implementation.