August 26, 2020
For the last week, the internet has been ablaze with stories about an issue with Cloudflare, the content delivery network and reverse proxy that sits in front of a large share of the web (it is not an Internet Service Provider; traffic for its customers' sites passes through its edge servers). At the heart of the issue is a memory-disclosure bug: a buffer overrun in the HTML parser on those edge servers leaked fragments of uninitialized memory, including other customers' session cookies, API keys and authentication tokens, into responses that search engines and other caches then stored publicly. Here is a handy comic from XKCD.com on how it works:
While there is plenty of advice on what individuals and affected websites should be doing to protect themselves and their data (change your passwords, use two-factor authentication such as Google Authenticator or Microsoft Authenticator wherever possible, change your username or sign-in information, etc.), there is very little guidance on what small and midsize businesses should be doing, if anything, in light of this.
Here is the issue that we often ignore or downright forget about: human beings are creatures of habit. That means the password someone uses to log in to their OKCupid™ account is probably the same as, or at least very similar to, their banking password, their Uber™ password, and their corporate login. Add to that the propensity of small and midsize businesses to derive usernames predictably from the employee's name and the company domain, so that for someone named Jane Doe the corporate login is something like jdoe@company.com, jane.doe@company.com or janedoe@company.com (or the same forms under company.local instead of company.com).
A leaked consumer password plus a guessable corporate username is a working corporate credential, so the company network, along with its sensitive data, is now exposed to external access through credential stuffing, not just the individual's personal accounts. The difference between an organization and an individual is that while individuals are responsible only for themselves, the organization is responsible for the sensitive information of itself, its owners, its employees, its clients, and sometimes the clients of its clients.
So how does one mitigate the risk? The answer is a phased approach. The initial step should be to force all users to change their passwords immediately, and to invalidate existing sessions and tokens at the same time, since what leaked included live session cookies and not only passwords. The next step is planning and implementing the following:
1. Ensure there is a policy forcing password changes at least every 90 days. One caveat: NIST SP 800-63B (2017) advises against forced periodic rotation in the absence of evidence of compromise, because it pushes users toward predictable increments such as January2017 becoming February2017; if you keep a rotation interval, pair it with the screening in item 3.
2. Change all usernames to something other than the patterns outlined above, for example initials plus a random 7-digit number. This does not make the username a secret; it only removes the attacker's free first guess, so it complements rather than replaces items 3 and 4.
3. Use a third-party tool to enforce password complexity that rejects common dictionary words and names (Active Directory's built-in complexity rules only require a mix of character classes and do not check for dictionary words). This will safeguard against passwords like January2017 or Michelle18.
4. Implement a two-factor authentication scheme on the local network, covering VPN, remote desktop and workstation logon, not only web applications.
5. Implement a Privileged Account Management (PAM) solution to safeguard super-user type accounts (domain admins, local administrators and service accounts).
The last step is ensuring that items 1-5 are implemented and are being maintained by including them in your information security policy and your periodic audit policy. And if you do not have an information security policy? Now is probably a very good time to get one created, and you can still pat yourself on the back for being proactive about it.
As always, feel free to contact us with any questions, comments, or requests.
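As an added worked example (not code from the original post or from Aegis IT Solutions), here is a Python password screen and username generator implementing items 2 and 3 of the plan above. It goes slightly beyond the text: besides dictionary words and month-plus-year patterns it rejects passwords containing the user's own name, username or company, and it checks a breached-password corpus stored as SHA-1 hashes the way the Pwned Passwords dataset is. Assumptions, all mine rather than the post's: a 12-character minimum, tiny inline word and breach lists as constructed stand-ins for real ones, and the `user_context` tuple format.

```python
"""Password screening and username generation for the phased plan above.

Constructed example: the word lists and the breach corpus are tiny inline
stand-ins; in production load a real dictionary and a breached-password
hash set (e.g. the Pwned Passwords SHA-1 list) from disk.
"""
import hashlib
import re
import secrets
import unicodedata

MIN_LENGTH = 12  # assumed policy value; the post does not state a minimum

MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
MONTH_ABBR = {m[:3] for m in MONTHS}

# Constructed stand-in for a dictionary plus a common-first-name list.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "letmein",
                "qwerty", "michelle", "jessica", "dragon", "monkey"} | MONTHS

# Constructed breach corpus, stored as SHA-1 hex like the Pwned Passwords
# dataset so the plaintexts never sit in the policy tool's configuration.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("123456", "password1", "Welcome2017!", "Summer2016")}

# Substitutions every cracking rule set already undoes, so they add no strength.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def core_word(password):
    """Reduce a password to the word an attacker's rules would start from.

    'J@nuary2017!' -> 'january', 'Michelle18' -> 'michelle', 'P@ssw0rd' -> 'password'.
    """
    s = unicodedata.normalize("NFKD", password).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", s)  # drop appended digits/punctuation
    s = s.translate(LEET_MAP)                    # undo leetspeak inside the word
    return re.sub(r"[^a-z]", "", s)


def check_password(password, user_context=()):
    """Return (accepted, reason). user_context holds the username, first/last
    name and company name so that 'Doe-Company-2019' is rejected for Jane Doe."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"

    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        return False, "appears in breach corpus"

    core = core_word(password)
    for item in user_context:
        item = item.lower()
        if len(item) >= 3 and item in core:
            return False, f"contains your name, username or company: {item}"

    tail = re.sub(r"[^a-z0-9]", "", password.lower())
    ends_with_year = re.search(r"\d{2,4}$", tail) is not None
    if ends_with_year and (core in MONTHS or (core[:3] in MONTH_ABBR and len(core) <= 9)):
        # the prefix rule also catches typos such as 'Janury2017';
        # 'marathon2019' is a tolerated false positive
        return False, "month + year pattern"

    for word in COMMON_WORDS:
        if len(word) >= 5 and word in core:
            return False, f"based on a dictionary word or common name: {word}"

    return True, "ok"


def generate_username(first_name, last_name):
    """Initials plus a random 7-digit number, per item 2 of the plan.
    Uses secrets (not random) so the suffix is unpredictable; the username
    is still not a secret, only a speed bump against credential stuffing."""
    suffix = secrets.randbelow(10**7)
    return f"{first_name[0]}{last_name[0]}{suffix:07d}".lower()


if __name__ == "__main__":
    ctx = ("jdoe", "jane", "doe", "company")
    for pw in ("Janury2017", "January2017!", "Michelle2018!", "P@ssw0rd2017",
               "Welcome2017!", "Doe-Company-2019", "Tangerine-Lamppost-47-Otter"):
        print(f"{pw!r:32} -> {check_password(pw, ctx)}")
    print("new username:", generate_username("Jane", "Doe"))
```

The order of checks matters: length and the breach corpus are cheap and decisive, the user-context check runs before the month rule so that a name such as Jane is reported as a name rather than as a false "jan" month match, and the dictionary scan comes last. With a real wordlist the substring loop should become a set lookup on the normalized core rather than a scan over every word.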
"As a medical data company, compliance and data security are extremely important to our organization. The team at Aegis IT Solutions was instrumental in ensuring that our clients’ data is properly safeguarded while providing strategic advice and helping us navigate through complicated compliance challenges associated with an international enterprise providing and managing access to personal confidential data."
"We do data analytics for many large corporate clients, both in the cloud and on premises. Security was a sore topic for us until we retained the services of Aegis IT Solutions. Ilya was very responsive, professional and knowledgeable. With his help and leadership, we improved our processes, planned properly for security-related activities and communicated professionally with clients to reach the best mutually acceptable security approach."
"Client service is the ethos of Aegis IT Solutions. Ilya and his team never fail to provide the most up-to-date insight on technology and system upgrades. They always take time to meet our law firm’s never-ending IT needs. We consider Aegis IT Solutions one of the most essential assets to the function of our busy practice. I am grateful for having formed this lasting relationship."
© 2021. Aegis IT Solutions. All rights reserved.