It seems that everywhere you look, there are stories about opportunists hacking into computer networks to steal consumer information, sensitive data, emails or anything else that may seem important. The most notable of late are the accusations against Russian hackers for infiltrating the Democratic National Committee trying to influence the United States presidential elections. We have also seen a relatively innocuous hack on an Amazon page to advertise an anti-Trump book, also blamed on Russian hackers.
Hackers utilize various methods to try and gain access to servers thought to be secure, but one of the most common is a brute force password attack whereby a continuous guessing game is played until the credentials are obtained. Another scenario that has been reported is employees selling their passwords, sometimes for as low as $100, to allow hackers to gain access for any number of reasons. Often, the employee will change the password shortly after the transaction, but the damage may already be done.
Therefore, the question becomes, how can an organization protect itself when attacks are coming from both inside and outside threats? There are many readily available solutions that increase the security around user credentials and reduce the chance of being hacked, regardless of whether it is coming from “Russia” or from an insider threat.
The most common addition to the standard username and password credentials is two-factor authentication (2FA). This can take on many forms from biometrics relying on fingerprint, iris scanning or facial recognition to much easier-to-deploy methodologies, such as authenticator programs that deliver onetime use PINs via SMS, email or smartphone apps. Secure tokens and the use of smart cards or USB sticks are other techniques for 2FA that have been around for quite some time. The theory behind using 2FA, in addition to passwords, is that a user needs to have something physically in their possession to complete the login sequence. Selling a password to a hacker is useless unless they also have the 2FA technique readily in their hands.
Another technique to thwart hacking threats, and one that can be used in conjunction with 2FA, is to establish a secure portal and establish the sole point of entry to all applications via the portal. By using proxy servers to anonymize the URL of the application, end users can no longer directly access the websites, or allow others to do the same. The secure portal can also be utilized to restrict access to applications based on other criteria, such as time of day, IP range, device or browser type and physical location. This would make specific applications, or even the portal itself, unavailable to a Chrome browser running on and Android tablet in Minsk at 2 a.m. Eastern time.
While not directly related to password hacking, but still extremely critical in the realm of data and application protection, is to ensure that users have the correct access – nothing more and nothing less – to perform their jobs. Imagine the havoc that could be wreaked if a disgruntled accounts payable employee was inadvertently given access to the entire finance system and decided to sell his or her password. This also rings true for terminated employees. Ensuring that all of their access to every system and every data share is revoked immediately upon their departure is paramount for the company’s protection.
While the threat from hackers, regardless of their nationality, and discontented employees will continue into the foreseeable future, organizations need to take definitive steps to safeguard their systems before they are in the headlines, or before they’re subject to the “Russian” connection.