written by Chris Griesemer

Is your company vulnerable to attacks? Do you know what security questions to ask your vendors? How do you keep your computers up to date? Over the next few months, we will answer these questions and more with a series of articles on how to keep your company and yourself safe and secure.

This month we give an overview of the recent breaches at well-known large companies, discuss password management, and offer tips on how to improve the security of your information. Next month we will review a case study on the Target breach and also discuss vendor management. Then, in January, we will examine The Onion breach and the importance of using unique passwords.

A productive year for hackers
The past year has been a very productive year for hackers, with Target, Home Depot, JPMorgan Chase, P.F. Chang’s, Dairy Queen and Jimmy John’s being some of the latest victims. According to a USA Today article, officials warn that 500 million financial records have been hacked (view the full article by Erin Kelly here: http://ow.ly/DAmwX). Consider these sobering facts:

  1. 439 million records have been stolen in the past six months
  2. Almost 519 million records were stolen in the past 12 months
  3. About 110 million Americans have had their personal data exposed in some form in the past year
  4. 80% of hacking victims in the business community didn’t even realize they’d been hacked until they had been notified by the government

While these statistics are bad enough, consider the Russian hacking group who stole roughly 4.5 billion login credentials from 420,000 Web and FTP sites. According to Hold Security, after filtering out duplicate usernames (mostly e-mail addresses) and passwords, the group still had over 500 million unique usernames and passwords. That number is made up of usernames and passwords people may have used at an old job, fake email addresses or email addresses that people don’t use anymore.

Some analysts speculate that after all invalid credentials are omitted from the list, there are still over 10 million valid usernames and passwords. Compounding this issue further is the fact that many people use the same password for multiple sites. The Twitter account of the satirical website The Onion was hacked in 2013 because an employee’s Gmail username and password were stolen, and those credentials were the same credentials used to log in to The Onion’s corporate Twitter account.

How hackers determine vulnerabilities
These hackers have multiple ways to find vulnerabilities in a company. They can use phishing techniques (phishing = stealing information from a user by posing as a legitimate company, usually done through email), they can attack a third-party vendor of a specific company, or they can try to guess the passwords of the people they are targeting. Guessing passwords seems like a waste of time, right? On September 9, 2014, 5 million Gmail login credentials were leaked. LastPass, a password management company, analyzed the data (http://blog.lastpass.com/2014/09/the-scary-truth-about-your-passwords.html) and exposed just how insecure many of the Gmail passwords were. Below are two lists that show the top 10 most-used passwords and the top 10 most-used words in passwords.

Top 10 Most-Used Passwords:

  1. 123456
  2. password
  3. 123456789
  4. 12345
  5. qwerty
  6. 12345678
  7. 111111
  8. abc123
  9. 123123
  10. 1234567

Top 10 Most-Used Words in Passwords:

  1. password
  2. qwerty
  3. love
  4. monkey
  5. dragon
  6. hello
  7. iloveyou
  8. abcd
  9. welcome
  10. july

One strategy used by hackers is the brute-force attack. This attack consists of trying different passwords until the correct password is guessed. It is helpful that LastPass posted this list, but the truth is that hackers have known the most popular passwords for a long time. In fact, there are sites on the web that offer password lists you can download for free. Hackers take these lists, import them into their brute-force software and let the software do all the work.
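The defensive counterpart to those downloadable lists is to reject any password that appears on them before it is ever set. The following is an added example (not code from the article or from The Whitlock Company) that checks a candidate password against the two LastPass top-10 lists above; the minimum length, the character-substitution table and the extra digits-only and repeated-character checks are assumptions of this example, not rules stated in the article.

```python
# Top 10 most-used passwords and top 10 most-used words from the LastPass
# analysis quoted in the article, embedded here as the blocklist.
TOP_PASSWORDS = ["123456", "password", "123456789", "12345", "qwerty",
                 "12345678", "111111", "abc123", "123123", "1234567"]
TOP_WORDS = ["password", "qwerty", "love", "monkey", "dragon",
             "hello", "iloveyou", "abcd", "welcome", "july"]

# Assumed substitution table: undone before matching so that "P@ssw0rd"
# is compared as "password". Guessing tools apply the same substitutions,
# so a blocklist that ignores them would be easy to slip past.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo common substitutions."""
    return pw.lower().translate(LEET)


# Normalize the blocklist once, the same way candidate passwords are.
BLOCKED = {normalize(p) for p in TOP_PASSWORDS}


def check_password(pw: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password should be rejected; [] means accepted.

    min_length is an assumed policy value, not one the article specifies.
    """
    reasons = []
    norm = normalize(pw)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if norm in BLOCKED:
        reasons.append("is one of the most-used passwords")
    for word in TOP_WORDS:
        if word in norm:
            reasons.append(f"contains common word '{word}'")
            break
    # Two cheap extra checks: all-digit PINs and one repeated character
    # are among the first guesses any wordlist-driven tool will try.
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2014!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Wiring this check into account creation and password resets stops the passwords that a downloaded list will guess first, while the substitution table catches the "p@ssw0rd" variants that a plain string comparison misses.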

Tactics to implement
In conclusion, it is important to understand how these breaches are occurring and what you can do to help prevent them. Each tactic will be further explained in future articles:

  1. Know your third-party vendors and make sure they do not have unlimited access to your business.
  2. Make sure all passwords are unique, and make sure all employees follow suit.
  3. Train your employees on the phishing techniques currently being used.

For the past 13 years, The Whitlock Company has been providing security reviews to community banks. The security review looks for vulnerabilities hackers could use to steal customer information. It covers everything from password complexity to patch management to social engineering. The same review can be performed for any business. If you have any questions about the security of your information technology system, please feel free to email or call Chris Griesemer at 417-881-0145.