When you call your business Hacking Team, a few chuckles when you are the victim of a hack are understandable. Unfortunately, so are the pained expressions when people find out why you got breached.
News went from bad to worse in early July for the Italian company Hacking Team after it confirmed that it had indeed been hacked. The company that makes malware and spyware for law enforcement and intelligence agencies around the globe had most of its corporate data stolen after its network was breached. That’s the bad part. The worse? The hackers got in because Hacking Team used some very bad passwords. How bad? Allegedly, “P4SSWORD” was one of them.
The right mindsets should drive security decisions
Network security isn’t easy, and it is never finished. New vulnerabilities are discovered every day, and attackers keep refining their methods for compromising a network. Still, we have to do everything we can to make it difficult for others to get into our networks.
That’s why we shouldn’t think of security as a bunch of rules to follow. Instead, we need to think of security in terms of mindsets that will then guide decisions. Start thinking in terms of rules and you’ll soon find your list obsolete because the world of data security changes too fast. Mindsets, though, can survive these quick evolutions. The first mindset that we like to use: “I will make it harder to exploit my network through legitimate means.”
Strong passwords are a first line of network protection
Most security breaches don’t occur because someone has discovered a way to take advantage of a network vulnerability. Most unwelcome visitors enter the network through legitimate methods. Typically, they have come across login credentials of some kind and are walking through an open door. Or they have enough information on a specific employee to guess that person’s password. Or they bully their way in with a brute-force attack, made easier by bad passwords and by login endpoints that allow unlimited guesses.
That’s why it’s critical to keep reinforcing three things about passwords, with your employees and with the teams that run your login systems:
- Preach rock-solid login credentials with really good passwords. Passphrases are all the rage these days, in part because of this classic xkcd comic: a long phrase of ordinary words is both easier to remember and far harder to guess than a short word dressed up with digit and symbol substitutions.
- Lock down your application logins as much as possible to prevent brute-force attacks: throttle or lock accounts after repeated failures, and don’t let the login page reveal which usernames exist.
- Reinforce the importance of not being casual with login information. Training is crucial here. Here’s one great resource from SANS on user training.
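The first two items above can be checked and enforced in code. The block below is an added example written for this post, not code from the original page or from any product it mentions. Part one rejects passwords built on a common word even after the usual leet substitutions (so “P4SSWORD” is caught) and otherwise judges mainly by length, which is what favours passphrases. Part two throttles online guessing at the login endpoint and returns the same answer for unknown users and wrong passwords. The word list, the single `admin` account, the lockout thresholds and the helper names are all assumptions made for the example; PBKDF2 is used only because it ships with Python, and a memory-hard hash such as argon2 or bcrypt is the better choice in production.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict

# --- Part 1: reject passwords an attacker would guess first ------------------

# Constructed, deliberately tiny list of base words for illustration; a real
# deployment would check against a breached-password corpus instead.
COMMON_BASES = {"password", "welcome", "admin", "letmein", "qwerty", "hackingteam"}

# Undo the substitutions people use to dress up a dictionary word (P4SSWORD -> password).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(pw: str) -> str:
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)   # drop bolted-on digits/punctuation
    return core.translate(LEET_MAP)

def reject_reason(pw: str, min_len: int = 14):
    """Return why a password is rejected, or None if it passes. Length is the
    main criterion, which is what favours passphrases over short 'complex' strings."""
    core = normalize(pw)
    if core in COMMON_BASES:
        return f"built on the common word '{core}'"
    if len(pw) < min_len:
        return f"shorter than {min_len} characters"
    return None

# --- Part 2: throttle online guessing against the login endpoint -------------

class LoginThrottle:
    """Counts failed attempts per account inside a sliding window and locks the
    account for `lockout` seconds once `max_failures` is reached. The clock is
    injectable so the behaviour can be exercised without sleeping."""
    def __init__(self, max_failures=5, window=300.0, lockout=900.0, clock=time.monotonic):
        self.max_failures, self.window, self.lockout, self.clock = max_failures, window, lockout, clock
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: forget the old failures
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def record_failure(self, user):
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout

    def record_success(self, user):
        self.failures[user].clear()

def hash_password(pw: str, salt: bytes) -> bytes:
    # PBKDF2 only because it is in the standard library; prefer argon2/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed credential store: one account, salted hash, no plaintext kept.
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, hash_password("correct horse battery staple", _SALT))}

def attempt_login(throttle, user, pw):
    """Returns 'locked', 'denied' or 'ok'. An unknown user gets the same 'denied'
    as a wrong password, so the endpoint does not confirm which accounts exist."""
    if throttle.is_locked(user):
        return "locked"
    record = USERS.get(user)
    if record is None:
        hash_password(pw, b"\x00" * 16)     # burn the same cost so timing stays flat
        throttle.record_failure(user)
        return "denied"
    salt, stored = record
    if hmac.compare_digest(hash_password(pw, salt), stored):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"

def simulate_guessing(guesses, user="admin"):
    """Runs a constructed guess list against one account on a fake clock and
    returns the outcomes, showing the lock engage after the fifth failure."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    outcomes = []
    for g in guesses:
        outcomes.append(attempt_login(throttle, user, g))
        fake_now[0] += 1.0                  # one guess per second
    return outcomes

if __name__ == "__main__":
    for pw in ["P4SSWORD", "Password1!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {reject_reason(pw) or 'accepted'}")
    wordlist = ["P4SSWORD", "password", "admin", "welcome1", "letmein",
                "hackingteam", "correct horse battery staple"]
    print(simulate_guessing(wordlist))      # five 'denied', then 'locked' even for the right password
```

Note the trade-off the lockout introduces: once an attacker can trigger it, they can keep a legitimate user out of their own account. Per-source rate limiting, progressively longer delays, or CAPTCHA-style challenges soften that, and a second factor removes most of the value of a guessed password in the first place.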
Yes, it’s worth the time and money to educate your employees on social engineering. Just because they aren’t keeping their passwords posted on the front of their computer doesn’t mean they won’t make it almost as easy for a potential threat to get their login information. Phishing emails, phone calls, whatever social engineering looks like: being able to spot and avoid these scams means fewer unwanted visitors and more time that the security team can spend on bigger issues.
Download our ebook for more
Making it harder to exploit your network through legitimate means is just one of the security mindsets we think all organizations should adopt. There are six others. To see the rest of the list, download our ebook “7 Security Mindsets to Adopt Today.”