You know the old saying…”It takes a thief to catch one.” Well, there’s nowhere in the business world where that applies more than in cybersecurity. As hacking and cybercrime rise in frequency and sophistication, security teams are starting to turn to reformed hackers to give them special insight into how these criminals exploit weaknesses and find loopholes in even the staunchest of firewalls and security measures. It’s important to realize that most cracks in the security armor appear after a website has been developed and launched…and it’s not always the technology that is to blame. We here at Koombea take security very seriously on the back end of development, but we know that supporting a website throughout its lifetime involves a different sort of commitment. Let’s take a look at what one of these reformed hackers says about the subject of human error in cybersecurity.
Mitnick on Hacking
Kevin Mitnick had quite a career on the wrong side of the law. He successfully hacked into and copied proprietary software from over 40 of the largest and most well-guarded telecommunications and computer companies in the world, and landed on the FBI’s Most Wanted list as a result. Now, having famously redubbed hacking as “social engineering”, he works as a professional cybersecurity expert, and shares a few tips, as seen in this article.
- Mitnick says in his groundbreaking book, The Art of Deception, “Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn’t, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.”
- He elaborates on the weakness of the human element here: “All of the firewalls and encryption in the world can’t stop a gifted social engineer from rifling through a corporate database. If an attacker wants to break into a system, the most effective approach is to try to exploit the weakest link—not operating systems, firewalls or encryption algorithms—but people. You can’t go and download a Windows update for stupidity… or gullibility.”
- Mitnick goes on to point out several ways that careless or uninformed employees can compromise a company’s security, including using public WiFi networks, opening unscanned PDF files or other attachments, or failing to warn anyone working with or for your company to avoid the same mistakes.
Mitnick has the right idea. While many attackers have the tools and computing power to probe firewalls and attack encryption at length, many now go after the individual instead and try to deceive and manipulate their way into an internal system the easy way.
Best Practices to Protect Your Website
Now, as we mentioned, Koombea has long been a leader in the industry by implementing the latest and strongest security measures, as we talk about here. Clearly, writing solid code within the development phase is paramount to its success. Yet, how the website administrators proceed from there is largely based on how you guide and advise them.
While it may seem incredibly simple, passwords are still one of the best ways to protect and secure your website. Any large operating site has multiple points of access, from the domain provider all the way down to the social media assistant. These are all potential entries into administrative controls, and hackers could do immeasurable damage from this point.
Traditionally, passwords were something any given individual could remember. Anniversaries, birthdays, favorite teams or even the classic “1234”…people just wanted to make it something easy and simple. Now, there’s absolutely no reason someone should be creating their own password. There are great tools like 1Password or LastPass that randomly generate super strong passwords, remember them, and let you share them over a secure, encrypted channel. A service like this pays for itself in peace of mind, as the alternative is disastrous.
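To show why a generated password beats a memorable one, here is an added example (not Koombea’s code, and not how 1Password or LastPass are implemented) that generates a password the way a password manager does, from the operating system’s cryptographic random source, and computes the entropy in bits of a few password schemes. The function names, the 94-character alphabet and the guess rate used for the worst-case estimate are assumptions made for the illustration.

```python
import math
import secrets
import string

# Assumed alphabet: upper/lower letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    `secrets` draws from the OS cryptographic RNG; `random.random()` must not
    be used for passwords because its output is predictable.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at an assumed offline guess
    rate (1e10/s is a constructed figure for illustration only)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes() -> dict:
    """Entropy in bits for a few password schemes, human-chosen and generated.

    Human-chosen values such as birthdays are far less random than these
    uniform upper bounds suggest, so the gap is really even larger.
    """
    return {
        "4-digit PIN": entropy_bits(4, 10),
        "8 lowercase letters": entropy_bits(8, 26),
        f"generated 20 chars from {len(ALPHABET)} symbols": entropy_bits(20, len(ALPHABET)),
    }


if __name__ == "__main__":
    print("example generated password:", generate_password())
    for name, bits in compare_schemes().items():
        print(f"{name:45s} {bits:7.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

Running it prints a fresh random password each time, and the table shows that a 4-digit PIN has about 13 bits of entropy, eight lowercase letters about 38 bits, and a 20-character generated password about 131 bits, which is why the manager-generated password is the one to use and share securely.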
Next, you need to have extensive training and strict guidelines for every single employee or contractor that will have any sort of access to your website. Here are a few issues to make sure everyone knows about.
- Email: As the sophistication level grows, so does the appearance of malicious phishing emails. One click on a link can bring down a whole network. In addition to having email authentication security software for your company, your employees need to know not to share any personal or company data, and to immediately notify IT or a member of security if they think they have been targeted.
- Firewalls: These are standard for companies, but if you have personnel that may work remotely or log in from home, they’ll need to install firewalls as well.
- Networks: Unsecured networks are a big problem. Even if the WiFi in your office is hidden and secure, your employees need to be very careful outside of the office. One quick check-in over a public or shared network can compromise everything. Look into investing in a virtual private network (VPN) for your employees to use remotely.
- Devices: Employees need to know that their personal devices, like phones or smartwatches, are potential leaks as well. Make sure to have firm guidelines, so employees know what’s acceptable or not.
In summary, it’s not enough to have the best possible security installed on your website. Your employees are your greatest asset…but can also be your worst security risk. Proper training and education, clear and enforceable guidelines, and an accessible IT/security team are all essential parts of a comprehensive security strategy. Now, go change those passwords!