I just finished reading a very good article in the ABA Journal (The Hacktivists) about computer security and the pitfalls that catch many companies which fall prey to hacking groups. This is probably the hundredth company to be hacked by Anonymous, but it was a particularly devastating attack because it ruined not only the company but the lives of several employees.
Security holes hackers use
- Outdated servers (Running old service packs, not updating critical updates, etc…)
- Custom-made content management system (If you spent more than 30k on a website you probably have one of these, and they never or rarely get updated security-wise.)
- Simplistic Passwords (Have your employees use uppercase, lowercase, special characters, and numbers. Example: Mumble+7320 or Mumble 7320 or Mumble_7320)
- Phishing Emails (Emails that direct you to a website to enter information. They imitate Facebook, Twitter, the New York Times, etc… they look like the official website but aren’t)
- Relaxed IT Departments (A hacker sent an email to the company IT department stating he forgot his user ID and password, and they gave it to him in an email…FAIL!)
- Universal Passwords (Using the same password everywhere)
Some of these pitfalls are unavoidable, but acknowledging them and being aware is extremely important. The last thing you want is to give your boss a false sense of security. Here is a detailed overview of each point above to make sure you aren’t a target for these hacking groups.
Make sure you are approving your server updates in WSUS and scheduling time to install updates each week. I always like to do them Saturday night, so if anything goes wrong, I’ll have Sunday to work on the issue. It is very common for businesses to have out of date servers due to a lack of IT support, or lazy IT departments. This is huge because amateur hacking groups can use known vulnerabilities to hack into your company.
Custom Made Content Management System
This is almost unavoidable in a larger company, and it’s a security risk. The cost savings from having a CMS are big, but try to get a proven CMS platform (check the list of PHP CMSs here). Check the dates on the platform you are using and make sure you are running the most recent version.
Do not use anything that identifies you. Don’t use your children’s names, pet names, your wife’s name, or favorite sports teams/players. If someone wants to hack your password and knows you, these will be the first things they try. Don’t use an overly simplistic password either: ab1234 isn’t good because of its sequential letters and numbers, and it would take a couple of seconds to minutes to crack by brute force. Check this list for your password as well; if it’s on there, you = fail: Worst passwords of 2011.
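To turn the password rules from the list above and this section into something you can actually run against your users’ passwords before rolling out a policy, here is an added example checker (my own code, not from the ABA article). The minimum length of 10, the small common-password set, and the personal terms are assumptions; plug in the real worst-passwords list and each employee’s own names in practice.

```python
import re

# Constructed stand-in for the "worst passwords" list; replace with the real one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123", "monkey"}

MIN_LENGTH = 10  # assumed policy minimum; the post's examples are 11 characters


def has_sequential_run(pw, length=3):
    """True if pw contains `length` consecutive ascending letters or digits (abc, 123)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue  # only flag runs within one class, e.g. 'abc' or '123', not 'ab1'
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
    return False


def check_password(pw, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: names that identify the user (children, pets, spouse, teams)
    which must not appear anywhere in the password.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", pw):
        problems.append("missing uppercase")
    if not re.search(r"[a-z]", pw):
        problems.append("missing lowercase")
    if not re.search(r"[0-9]", pw):
        problems.append("missing digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("missing special character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    if has_sequential_run(pw):
        problems.append("contains sequential run")
    for term in personal_terms:
        if term.lower() in pw.lower():
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Mumble+7320", "ab1234", "Rover-Fido2019"):
        print(candidate, "->", check_password(candidate, personal_terms=["Fido"]) or "OK")
```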
A good spam filter will block most of these, but hackers can easily circumvent those filters. Always check the address bar at the top, or the link address, before entering any personal information. They can easily design a site to look like the original Facebook and steal your information. As a good rule of thumb, don’t click on any links in emails, regardless of who they are from.
Relaxed IT Departments
Ok, we all do this and like to have one password for everything. It’s just not safe, and I’d recommend using LastPass to store all those different passwords. If you’re going to use the same password for various things, make sure your email and work logins are UNIQUE and never reused. As a good rule of thumb, I make passwords that are memorable for people but do not identify with them in any way. People are more likely to reuse a password when their family, sports team, favorite thing, etc… is used in it.
There are many ways hacking groups can gain access to your systems, but follow these rules and you will deter them. Most hacking incidents have been crimes of opportunity and not malicious targeting. Only the most elite and skilled hackers can target specific businesses, and if you do get targeted, I’d recommend an external security company to test your systems. No one knows every exploit or trick to access systems, and you need someone who does those things on a daily basis to be secure. As an IT Manager myself, if my company did come into the spotlight, I’d certainly seek outside help to make sure everything is locked down tight as a drum. Even then, you can’t prevent the human error of a high-level employee giving out information, but you can make it much harder.
Leave any Questions and Comments below and I will get back to you. I regularly publish on YouTube, Steemit, and christitus.com so if you’d like to see more videos and articles click the subscribe button in the top right.