Accept it; cyber-attacks are happening to your company too.
You may have seen in the news that LivingSocial recently experienced a cyber-attack in which 50 million customers’ names, email addresses and passwords were exposed. While that kind of news typically makes the headlines, what is not being emphasized is everything that LivingSocial did right to safeguard their customers’ personal data.
Accept it; cyber-attacks are happening to your company too. The hacker’s strategy is to prey on the psychology of employees. Spear phishing, watering hole attacks, social media and poisoned SEO sites are just some of the weapons of choice. According to Symantec, businesses in 2012 with 2,500 or fewer employees were the targets of 50 percent of the attacks, and those businesses with fewer than 250 employees accounted for 31 percent of the attacks. Here are some other 2012 statistics to confirm the saying that “there are two types of businesses, those that have been hacked and those that don’t know it yet:”
- Organizations witness, on average, 643 malicious URL events each week.
- 280 million malicious programs detected in 2012.
- 80,000+ new malware variants daily.
- Approx. 30 billion global spam emails sent per day in 2012.
- Manufacturing won first place for targeted industry attacks in 2012; beating out the financial industry.
- The healthcare industry is responsible for the largest percentage of disclosed data breaches, followed by education and government.
What I often tell a customer when they first ask about network security is to stop thinking of hackers as “evil spies or burglars” but rather as “business competitors” who are trying to get the highest financial reward for the least amount of effort. I do this because business owners will implement long-term defenses against a competitor, but often view a thief as a short-term, one-off event. Your job, as the business owner, is to make network security a core business pillar. That means making the data not only as difficult as possible to get at, but equally difficult to read once it has been taken.
Here’s what LivingSocial did right to protect passwords:
- Passwords were “hashed” and “salted,” meaning that even if numerous people used the exact same password, the stored hashed data would not be identical.
- Credit card information was stored in a separate file.
- Expiring all existing customer passwords and making customers come up with new ones.
- Informing all their customers of the breach with an email explaining what happened, what LivingSocial is doing to protect their customers and what the customers can do to help themselves.
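As an added illustration of the first bullet above, the following Python contrasts an unsalted hash with a salted, iterated one. This is example code written for this page, not LivingSocial’s or Access Smart’s implementation; PBKDF2-HMAC-SHA256, the iteration count and the stored record format are assumptions, since the post does not say which scheme LivingSocial used. The two user accounts and their shared password are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters for PBKDF2-HMAC-SHA256 (assumed for this example; the post does
# not say which hash or work factor LivingSocial used).
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 with no salt: identical passwords give identical hashes,
    so one cracked hash exposes every account that shares the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The stored record carries the algorithm, the
    iteration count and the per-user salt so it can be verified later."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Two constructed users (alice, bob) choose the same password.
    Returns a summary of what each storage scheme reveals."""
    shared = "Summer2013!"  # constructed sample password
    alice = hash_password(shared)
    bob = hash_password(shared)
    return {
        # Unsalted: both users' records would be byte-for-byte identical.
        "unsalted_identical": unsalted_hash(shared) == unsalted_hash(shared),
        # Salted: different salts, so the records differ even for one password.
        "salted_identical": alice == bob,
        "alice_verifies": verify_password(shared, alice),
        "bob_verifies": verify_password(shared, bob),
        "wrong_password_accepted": verify_password("summer2013!", alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does nothing to slow down a guess against a single account; that is the job of the iteration count. What it does is make the attacker start over for every user instead of cracking one hash and matching it against the whole table.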
No company will ever be 100% secure from a data breach. Attacks are getting more sophisticated, and any defensive or anti-whatever software can only block the known attacks. But here are some other valuable things that companies can also do to protect data:
- Employee education. Don’t make it just about safeguarding the company data but also about their personal protection from identity theft.
- Size doesn’t matter. Every business, company, institution and agency no matter the size needs to put up protective barriers.
- The usual anti-whatever software.
- Offer password manager solutions to your customers.
- Web site monitoring (don’t be a cyber mule like I was).
- Segment the value of data to determine the security procedures to wrap around it.
- Don’t put confidential or sensitive data on the cloud.
- Encrypt all data.
- Have employees use multifactor authentication tokens to access the network.
- Action plans: Accept now that you are going to get hacked. With that knowledge, start working now on your plan of action for when an attack is discovered. How will the data be made useless if it is stolen? How are you going to inform customers? How are you going to inform authorities?
Network security starts at the employee’s fingertips and goes all the way back to the data itself. IT has probably spent a very large amount of money securing the network’s backend, but a hole that is often overlooked is the employee password. It doesn’t matter whether employees manage their own passwords or are assigned a complex password by IT; if they have to remember or type it, then you have a chink in the security armor. Any strong password manager solution must first authenticate the user before access is ever allowed past the firewall, and it should hide the actual logon information so employees don’t have to remember, type or even know it.
After reviewing the information about LivingSocial’s hack, I have to commend them for all they did right. They are a great model to emulate. But if I were to make a suggestion to LivingSocial’s security team, it would be to add a multifactor password manager for employee authentication.
About Access Smart:
Founded in 2005 and headquartered in Ladera Ranch, California, Access Smart, LLC (a certified CA Small Business) offers information security through reliable user authentication prior to network access. Authentication, authorization and non-repudiation do not have to be cumbersome to be effective. That’s why our products are designed using state-of-the-art security technologies while focusing on ease-of-use and low-cost-of-ownership.
Data security begins with cyber access control, and cyber access control begins with Power LogOn.