Monday, August 13, 2012

Do You Think Your Passwords Are Safe?


While reading a recent article, "Why It Pays to Submit to Hackers", I was reminded how many cyber break-ins we simply forget about. The stories hit the news, live for a few days and then get pushed to the far depths of our minds. A short stroll down memory lane: Gawker Media lost 1.3 million user names and passwords in December 2010; Sony's PlayStation Network exposed 77 million accounts in April 2011; the Epsilon breach that same spring leaked the email addresses of some 60 million customers, who were then targeted with phishing; in June of this year LinkedIn had roughly 6 million password hashes taken; and on August 4th Blizzard Entertainment suffered a security breach of its own. Have you noticed that despite the password complexity rules forced on us as a way to protect our accounts, data is still being lost?

I have been part of many security audits and delivered my fair share of training, and what always drove me crazy was that password complexity and forced rotation ended up undermining physical security. Not sure what I mean? Do you have sticky notes with logins at your desk? Do you keep a file on your PC with all your logins (probably named Passwords so you can find it easily)? Or do you change your password by bumping the trailing number, say from !Password01 to !Password02, which is very common when you have to change it every 90 days and still remember what you changed it to? An attacker who has one of those passwords can guess the next one. And in the end, what is the point if the data is stolen by hackers anyway?
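As an added example (not code from the original post), here is what a password-change check that catches the !Password01 to !Password02 habit looks like. The comparison can only happen at change time, when the user has just typed both the current and the new password; after that the system keeps only a salted hash. The threshold of two edits, the helper names and the sample passwords are my assumptions for the example.

```python
"""Hypothetical password-change check (added example, not from the original post).

Rejects a new password that is a trivial edit of the current one, such as
!Password01 -> !Password02.  The comparison is possible only at change time,
when the user supplies both passwords; afterwards only a salted hash of the
new password is stored (see hash_password).
"""

import hashlib
import os
import re
from typing import Optional, Tuple

TRAILING_DIGITS = re.compile(r"\d+$")


def _core(password: str) -> str:
    """Case-fold and strip trailing digits so !Password02 and !password03 compare equal."""
    return TRAILING_DIGITS.sub("", password).casefold()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming, O(len(a) * len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True if the new password differs from the current one only trivially.

    Catches: identical passwords, changes limited to case or trailing digits,
    and anything within `max_distance` single-character edits (assumed threshold).
    """
    if old == new:
        return True
    if _core(old) == _core(new):
        return True
    return edit_distance(old.casefold(), new.casefold()) <= max_distance


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256: what is actually stored once a change is accepted."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for old, new in [("!Password01", "!Password02"),
                     ("!Password01", "!PASSWORD2"),
                     ("!Password01", "correct horse battery staple")]:
        verdict = "rejected" if is_trivial_change(old, new) else "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The point of the check is that an attacker who has last quarter's password from a breach dump only needs a handful of guesses to recover this quarter's; forcing a genuinely different password at each rotation removes that shortcut, while the stored hash stays as opaque as before.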

The question we need to ask is how we enhance security without making the service so difficult that users stop using it. I cannot tell you how many sites I have gone to and had to reset my password because I had no idea what I originally set it to. It is time consuming, and unless I absolutely have to access the site I simply abandon the attempt. Some people use password managers, like RoboForm, and they are pretty good, but even those have a weak spot: if the password file becomes corrupt or the hard drive fails, every login goes with it. Frequent backups are still required, and let's face it, we get lazy about backing up data on a consistent basis.

Perhaps it is time to demand two-factor authentication from service providers. The reality is that we become complacent because breaches only seem to happen occasionally and only the big ones make the news, so we never see the full impact of data leakage. Until consumers and enterprises start demanding better protection, we will continue to read about theft in cyberspace. Two-factor authentication does not stop a hacker from stealing a password database, but it makes the stolen passwords far less useful: without the second factor, the attacker cannot log in with them. The caveat is that it protects the account, not the rest of the record; email addresses and other personal data taken in the same breach are still exposed, as the Epsilon phishing shows.

Frank Toscano is a 15+ year specialist in cloud based services focusing on Product Management, Marketing and Security within the Cloud. He has worked for EasyLink Services and Premiere Global Services in a global role providing hosted services to Fortune 1000 clients. He is currently seeking employment with a cloud based provider in a senior level Product/Marketing role.
