To make it more difficult for hackers to gain unauthorized access to computer networks, prudent companies follow the “start with security” advice and require strong authentication measures.
We looked at FTC settlements, closed investigations, and questions we’ve heard from businesses about implementing good credential “hygiene.” Here are some tips for using effective authentication procedures to help secure your network.
Stick to long, complex, and unique passwords.
The whole point of a password is to be easy for the user to remember but hard for a fraudster to crack. Obvious choices like ABCABC, 121212 or qwerty are the digital equivalent of a “hack me” sign. In addition, experts have found that passphrases or longer passwords are generally harder to crack. The smarter strategy is for companies to think carefully about their standards, set minimum requirements, and educate users on how to create stronger passwords. Also, change the default password immediately when you install software, applications or hardware on your network, computer or device. If you design a product that requires consumers to use a password, configure the initial settings so that they must change the default password.
example: An employee tries to choose “Payslip” as the password for the database containing employee salary information. The company has built its system to reject such obvious choices.
example: To access the corporate network, a company lets employees enter their username and a single password shared by everyone who works there. Employees can also use the shared password to reach other services on the system, some of which contain sensitive personal information. A more prudent policy would be to require each employee to use a strong, unique password, and to insist that they use different passwords for different applications.
example: During a staff meeting, the company’s IT manager gives employees advice on good password hygiene. She explains that passphrases or longer passwords are better than shorter passwords based on standard dictionary words or well-known information (for example, a child’s name, a pet, a birthday, or a favorite sports team). By establishing a more secure corporate password standard and educating employees to follow it, the IT manager is taking steps to help her company reduce the risk of unauthorized access.
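A policy check of the kind the salary-database example describes, written here as an added illustration rather than taken from the article or any company’s system; the denylist and the context words are constructed, and a real deployment would also check against a full list of breached passwords.

```python
# Constructed denylist standing in for the obvious choices the article names;
# a production system would load a much larger list of breached passwords.
DENYLIST = {"abcabc", "121212", "qwerty", "password", "payslip", "letmein"}
MIN_LENGTH = 12
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _is_repeated_block(p: str) -> bool:
    """True when the whole password is one short block repeated (ABCABC, 121212)."""
    for size in range(1, len(p) // 2 + 1):
        if len(p) % size == 0 and p[:size] * (len(p) // size) == p:
            return True
    return False


def _has_keyboard_run(p: str, run: int = 5) -> bool:
    """True when the password contains a left-to-right keyboard run such as qwert."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in p:
                return True
    return False


def check_password(candidate: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    context_words are account-specific terms to refuse (hypothetical examples:
    the name of the database, the user's own name, the company name).
    """
    low = candidate.lower()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in DENYLIST:
        problems.append("on the denylist of obvious choices")
    if _is_repeated_block(low):
        problems.append("a short block repeated")
    if _has_keyboard_run(low):
        problems.append("contains a keyboard run")
    for word in context_words:
        if word.lower() in low:
            problems.append(f"contains context word {word!r}")
    return problems
```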
Store passwords securely.
A company’s first line of defense against data thieves is a team of employees trained to keep passwords confidential. But even the strongest password is useless if employees write it on a sticky note on their desk or share it with others. Train your employees not to reveal passwords in response to phone calls or emails, including requests that appear to come from co-workers. Scammers have been known to impersonate company officials by spoofing phone numbers or email addresses.
A compromised password poses a particular risk if it can be used to open the door to more sensitive information (for example, by keeping a database of other users’ credentials on the network in plain, readable text). By implementing policies and procedures for storing credentials securely, you make it hard for data thieves to turn a lucky password guess into a catastrophic breach of your company’s most sensitive data.
example: A new employee receives a call from someone claiming to be the company’s system administrator. The caller asks him to verify his network password. Because the new employee learned about impersonation scams during internal security training, he refuses to reveal his password and instead reports the incident to the appropriate company personnel.
example: A company keeps user credentials and other passwords in plain text in word processing files on its network. If hackers gained access to the file, they could use the credentials to open other sensitive files on the network, including password-protected databases of customer financial information. The company could reduce the impact of a breach by storing the credentials in a more secure form.
Protect against brute force attacks.
In a brute force attack, hackers use automated programs to guess possible passwords systematically. (In a simple example, they would try aaaa1, aaaa2, aaaa3, and so on until they get a hit.) One defense against brute force attacks is to set up a system that suspends or disables user credentials after a certain number of failed login attempts.
example: A company sets up its system to lock out users after a certain number of incorrect login attempts. This policy accommodates employees who enter an incorrect password on the first try but get it right the second time, while thwarting malicious brute force attacks.
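A lockout counter of the kind this example describes, written as an added illustration rather than the company’s own code; the thresholds are constructed, and the clock is injectable so the “wrong on the first try, right on the second” case can be exercised deterministically.

```python
import time


class LoginThrottle:
    """Count failed logins per account and lock the account after too many."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds      # failures older than this no longer count
        self.lockout = lockout_seconds    # how long a locked account stays locked
        self.clock = clock                # injectable so tests can advance time
        self._failures = {}               # username -> timestamps of recent failures
        self._locked_until = {}           # username -> time the lock expires

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, 0)

    def record_failure(self, user: str) -> bool:
        """Record a failed attempt; return True if this attempt triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        """A correct login wipes the count, so one typo never accumulates into a lock."""
        self._failures.pop(user, None)


def attempt_login(throttle: LoginThrottle, verify, user: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied'. verify(user, password) is the credential check
    (hypothetical callback); while locked, the password is not evaluated at all."""
    if throttle.is_locked(user):
        return "locked"
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"
```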
Use more than just passwords to protect sensitive accounts.
You require strong, unique passwords, store them securely, and lock people out after multiple failed login attempts. But to prevent unauthorized access to sensitive information, that may not be enough. Consumers and employees often reuse usernames and passwords across different online accounts, which makes those credentials extremely valuable to remote attackers. The credentials are sold on the dark web and used in credential stuffing attacks, in which hackers automatically feed stolen usernames and passwords into popular Internet sites at scale to see which ones are valid. Some attackers time their login attempts to sidestep lockouts on unsuccessful logins. To combat credential stuffing and other online attacks, companies should combine multiple authentication techniques for accounts that access sensitive data.
example: A mortgage company requires customers to use strong passwords to access their online accounts. But given the highly sensitive nature of the information it holds, it decides to implement an additional layer of security. The company uses a secret verification code generated by an authentication app on customers’ smartphones and requires customers to enter both the code and a strong password to gain access. By implementing this additional protection, the mortgage company enhances the security of its website.
example: An online email service provider requires strong passwords. But it also gives consumers the choice of implementing two-factor authentication in a variety of ways. For example, the provider can send a code via text message or voice call. It also allows users to insert a security key into a USB port. By offering two-factor authentication, the email service provider gives users an additional layer of security.
example: A debt collection agency allows debt collectors to work from home. To access the company network, which contains spreadsheets of debtors’ financial information, the company requires employees to log into a virtual private network protected by a strong password and a key fob that generates a random number every six seconds. The company has improved its authentication procedures by using multi-factor authentication to protect remote access to its network.
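The code-verification half of the mortgage-company example above, added here as an illustration (not the company’s or the article’s code): an RFC 6238 time-based one-time password check that tolerates one step of clock drift and refuses replayed codes. The secret in the test is the RFC’s published test vector, not any real account’s; the per-user `used` set and the `password_ok` flag are assumptions of this example.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: float, used: set,
                step: int = 30, skew_steps: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step or one step either side (clock drift), but
    refuse any counter already consumed, so an intercepted code cannot be replayed.
    `used` is the caller's per-user set of accepted counters (persisted in practice)."""
    for delta in range(-skew_steps, skew_steps + 1):
        t = now + delta * step
        counter = int(t) // step
        if hmac.compare_digest(totp(secret, t, step, digits), submitted):
            if counter in used:
                return False
            used.add(counter)
            return True
    return False


def second_factor_login(password_ok: bool, secret: bytes, code: str, now: float,
                        used: set) -> bool:
    """Both factors must pass. The password is checked first so a wrong password never
    consumes a one-time code; the user-facing error should not say which factor failed."""
    if not password_ok:
        return False
    return verify_totp(secret, code, now, used)
```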
Prevent authentication bypass.
Hackers are a persistent bunch. If they can’t get in through the front door, they try other virtual doors and windows to see if another access point has been left ajar. For example, they might simply skip the login page and go directly to a network resource or web application that should be reachable only after the user has satisfied the network’s other authentication procedures. A sensible approach is to protect against authentication bypass vulnerabilities by allowing access only through the authentication points, which also lets your company keep tabs on who is trying to gain entry.
example: A weight loss clinic has a public web page describing its services. The page also features a login button that lets existing members enter a username and password to reach a special “members only” portal. Once they have logged into the “Members Only” portal, members can navigate to other restricted pages, including a personalized “Track My Progress” page where they enter their weight, body fat, pulse, favorite running routes, and so on. However, if someone knows the URL of a member’s “Track My Progress” page, that person can skip the login page and simply type the URL into the address bar. This lets that person view the information on the member’s page without entering a username or password. A safer option for the clinic would be to ensure that people enter their login credentials before accessing any part of the “members only” portal.
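The clinic’s bug and its fix side by side, as an added example (not the clinic’s or the article’s code): the vulnerable dispatcher checks the session only on the portal’s front page, while the corrected one refuses every path under the “members only” prefix before any page handler runs. The routes and the session store are constructed for this example.

```python
import posixpath

# Constructed session store (token -> member id); a real app uses server-side sessions.
SESSIONS = {"tok-constructed-1": "member-42"}


def is_protected(path: str) -> bool:
    """Everything in the Members Only portal, not just its front page, needs a login."""
    return path == "/members" or path.startswith("/members/")


def public_home(request, member):
    return 200, "Welcome to the clinic"


def members_home(request, member):
    return 200, f"Members Only portal for {member}"


def track_my_progress(request, member):
    return 200, f"Track My Progress for {member}: weight, body fat, pulse, running routes"


ROUTES = {"/": public_home, "/members": members_home,
          "/members/track-my-progress": track_my_progress}


def dispatch_vulnerable(path: str, session: str = None):
    """BEFORE: only the portal's front page checks the session, so anyone who knows a
    deeper URL can request it directly and the handler runs with member=None."""
    member = SESSIONS.get(session)
    if path == "/members" and member is None:
        return 302, "/login"
    handler = ROUTES.get(path)
    return handler({"path": path}, member) if handler else (404, "not found")


def dispatch(path: str, session: str = None):
    """AFTER: normalise the path, then refuse every protected path without a valid
    session before any handler runs, so a page that forgets its own check is still safe."""
    path = posixpath.normpath(path)  # collapses dot-segments and trailing slashes
    member = SESSIONS.get(session)
    if is_protected(path) and member is None:
        return 302, "/login"
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler({"path": path}, member)
```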
Message to businesses: Carefully consider your authentication procedures to help protect sensitive information online.
Next article in the series: Securely store sensitive personal information and protect it during transmission.