A federal judge this week sentenced the hacker behind the largest compromise of credit and debit card data in U.S. history to 20 years in prison. While the exploits used to swipe data from more than 130 million accounts went well beyond cracking passwords, there are basic precautions businesses should take to protect data from similar breaches and to minimize the impact if a breach does occur.
Albert Gonzalez, the attacker behind the notorious data breaches at TJ Maxx and Heartland Systems, among others, caused nearly $200 million in damages for the companies, banks, and insurers affected by his attacks. That figure doesn't include the money, time, and mental anguish of the individual customers affected by the data breaches.
Kevin Haley, director of Symantec Security Response, said via e-mail: "Organizations and consumers alike can take precautions to lower their security risk. A first step can be effective passwords."
"People choose passwords based on different factors: how easy they are to remember, how strong or complex they are, the sentimental value they have, etc. Symantec developed a survey to see how users are doing today creating and updating their passwords," added Haley.
The Symantec survey yields some interesting results. Here are some of the key findings:
• 44 percent have more than 20 accounts that require passwords
• 45 percent have just a few passwords that are alternated for all accounts
• 10 percent used their pet's name when creating a password (a big no-no)
• 63 percent do not change their passwords very often
Sadly, these results are not all that shocking. This survey is just the most recent in a long line of surveys illustrating why the password is, in most cases, the weakest link in the security chain. Businesses that implement cutting-edge security tools and lock data down tightly, and then "protect" it all with an administrator account whose password is "12345", have essentially protected nothing. Other surveys have found similar patterns:
• About 30 percent of users chose passwords of six characters or fewer.
• Almost 60 percent of users chose passwords from a limited set of alphanumeric characters.
• Nearly 50 percent of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
The bottom line is that passwords are the primary security control standing between your sensitive and confidential data and a breach of that data. Complex passwords are difficult to remember, and constantly changing passwords makes committing them to memory even harder, but not using complex passwords and not changing them periodically greatly increases the risk of a breach.
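The weak patterns the surveys above call out (six characters or fewer, a narrow character set, dictionary words and pet names, consecutive digits, adjacent keyboard keys, and one password alternated across many accounts) can be checked mechanically before a password is accepted. The following is an added example, not code from the article or from Symantec; the `WEAK_WORDS` list is a constructed stand-in for a real wordlist, and the account map in the usage call is constructed as well.

```python
import re
import string

# Constructed, tiny stand-in for a real dictionary/name list; a production check
# would load a large wordlist (assumption: this set is illustrative only).
WEAK_WORDS = {"password", "welcome", "letmein", "admin", "qwerty", "fluffy", "rex"}

# Physical keyboard rows used to spot "adjacent keyboard keys" patterns.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keys from one keyboard row, in either direction."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seg = row[i:i + n]
            if seg in p or seg[::-1] in p:
                return True
    return False


def has_digit_sequence(pw, n=4):
    """True if pw contains n consecutive ascending or descending digits (1234, 4321)."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def character_classes(pw):
    """Count how many of the lower/upper/digit/punctuation classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def assess_password(pw):
    """Return the list of weak patterns found; an empty list means none were flagged."""
    findings = []
    if len(pw) <= 6:
        findings.append("short")
    if character_classes(pw) < 3:
        findings.append("limited-charset")
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)  # "Fluffy2009" -> "fluffy"
    if lowered in WEAK_WORDS or (letters_only and letters_only in WEAK_WORDS):
        findings.append("dictionary-word")
    if has_digit_sequence(pw):
        findings.append("consecutive-digits")
    if has_keyboard_run(pw):
        findings.append("keyboard-pattern")
    return findings


def find_reused(passwords_by_account):
    """Group accounts that share one password; returns sorted groups of account names."""
    groups = {}
    for account, pw in passwords_by_account.items():
        groups.setdefault(pw, []).append(account)
    return sorted(sorted(accts) for accts in groups.values() if len(accts) > 1)


if __name__ == "__main__":
    for candidate in ["12345", "qwerty", "Fluffy2009", "Tr!ck3d-Blu3-Lant3rn"]:
        print(f"{candidate!r}: {assess_password(candidate) or 'no weak pattern found'}")
    # Constructed account/password map (assumption) illustrating the survey's
    # "a few passwords alternated for all accounts" finding.
    print(find_reused({"mail": "Fluffy2009", "bank": "Fluffy2009",
                       "vpn": "Tr!ck3d-Blu3-Lant3rn"}))
```

A check like this is only a floor: a password that trips none of these rules can still be weak, so the wordlist and the keyboard and digit heuristics should be treated as the minimum a policy enforces, not as proof of strength.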
Passwords are only part of the equation, though. Businesses must also follow other security best practices to prevent unauthorized access and protect data from breaches--especially confidential and sensitive data like account numbers, Social Security numbers, credit card numbers, and other information. For most businesses, protecting these types of data is governed by one or more compliance mandates requiring at least a minimum level of security measures be in place.
Businesses should also have logging and monitoring tools in place. The security controls in place will hopefully be sufficient to prevent any breach or compromise, but if an attack does occur, logging and monitoring tools can alert IT staff that something suspicious is going on. Logs also provide forensic evidence to help identify when and how an attack occurred and which servers or data may have been affected.
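The simplest monitoring rule that catches password guessing is a count of failed logins per source inside a short time window, with a note of whether a successful login from the same source followed the burst. The following is an added example, not code from the article or any monitoring product; the log layout, hostnames and addresses in `SAMPLE_LOG` are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a syslog-like layout (assumption: the
# format, hostname and addresses are invented for the example, not from any real product).
SAMPLE_LOG = """\
2010-03-26T02:14:01 authsrv login failed user=admin src=203.0.113.7
2010-03-26T02:14:03 authsrv login failed user=admin src=203.0.113.7
2010-03-26T02:14:05 authsrv login failed user=root src=203.0.113.7
2010-03-26T02:14:08 authsrv login failed user=admin src=203.0.113.7
2010-03-26T02:14:10 authsrv login failed user=sa src=203.0.113.7
2010-03-26T02:14:12 authsrv login ok user=admin src=203.0.113.7
2010-03-26T02:20:44 authsrv login failed user=jsmith src=198.51.100.20
2010-03-26T02:31:09 authsrv login ok user=jsmith src=198.51.100.20
2010-03-26T03:02:17 authsrv login ok user=mlee src=192.0.2.5
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "src": m.group("src")}


def detect_suspicious_sources(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert on any source with >= threshold failed logins inside a sliding time window.

    Each alert records the users tried and whether a successful login from the same
    source followed the burst, which is what a responder wants to know first.
    """
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "failed"]
        start = 0
        for end in range(len(failures)):
            # Advance the left edge until the window spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                alerts.append({
                    "src": src,
                    "failures": end - start + 1,
                    "window_start": failures[start]["ts"].isoformat(),
                    "users": sorted({e["user"] for e in failures[start:end + 1]}),
                    "success_after_burst": any(
                        e["result"] == "ok" and e["ts"] >= burst_end for e in events
                    ),
                })
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_sources(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are the tuning knobs: too low and a user who mistypes a new password becomes an alert, too high and a slow guessing campaign never trips it. Whatever the rule, the raw lines must be retained, because the alert only says that something happened; the log is what shows when, from where, and against which accounts.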
Businesses won't have to worry about Albert Gonzalez for another twenty years, but Gonzalez is a dime a dozen, and there is no shortage of hackers seeking out businesses with weak security measures and sensitive data to breach.
Make sure your business isn't the next one making headlines for a data breach by taking basic security precautions and ensuring that the password--the key to the front door--is not easily guessed or cracked.