It’s no longer a question of “if”, but “when” you will face an online attack
Convinced your data is secure because you’re using a phrase password from your favorite book or movie, something like “Call me Ishmael”? Think again! Ars Technica’s Dan Goodin reports:
For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It’s an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets.
That’s right, a free program that’s able to crack passwords far more complex than all but the most hardcore among us are using. It’s enough to give any IT department nightmares, and the crisis management implications are massive. Organizations everywhere are still struggling to move employees away from easy-to-guess passwords like “1234,” birthdays, last names, and yes, “password” (still ranked among the top 10 most commonly used passwords), and suggesting that users make their password an easy-to-remember phrase has become commonplace for many.
Of course, hackers are still miles ahead of the average user, and they’ve quickly learned to adapt, as this quote from the same Ars Technica article explains:
As leaked lists of real-world passwords proliferate, many people have turned to passwords and passphrases dozens of characters long in hopes of staying ahead of the latest cracking techniques. Crackers have responded by expanding the dictionaries they maintain to include phrases and word combinations found in the Bible, common literature, and in online discussions. For instance, independent password researcher Kevin Young recently decoded one particularly stubborn hash as the cryptographic representation of “thereisnofatebutwhatwemake.”
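The practical lesson from the quote above is that a passphrase is only as strong as its unpredictability: a long phrase from a book is a single dictionary entry once crackers add literature to their wordlists. The following Python snippet is an added example, not code from the Ars Technica article or from this blog, showing the kind of check a defender can run at password-set time: it normalizes a candidate the way a cracking dictionary would (lowercase, punctuation and spaces removed, common character substitutions undone, trailing digits dropped) and rejects it if the result matches a known phrase. The blocklist entries are constructed for illustration; a real deployment would load phrases from breach corpora and the same literature sources the article mentions.

```python
import re
import unicodedata

# Constructed sample blocklist of normalized phrases. In production this
# would be loaded from breach-derived wordlists; these four entries exist
# only to illustrate the check (two are the phrases named in the post).
PHRASE_BLOCKLIST = {
    "callmeishmael",
    "thereisnofatebutwhatwemake",
    "tobeornottobe",
    "inthebeginningwastheword",
}

# Common "leet" substitutions mapped back to letters, so that
# "C@ll me Ishm43l" collapses to the same entry as "Call me Ishmael".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

DIGITS = "0123456789"


def normalize(candidate: str) -> str:
    """Reduce a passphrase to the canonical form a phrase dictionary stores:
    Unicode-compatible folding, lowercase, and all non-alphanumerics removed."""
    folded = unicodedata.normalize("NFKC", candidate).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def variants(candidate: str) -> set[str]:
    """All normalized forms a cracker would try for this candidate:
    plain, leet-decoded, and each of those with leading/trailing digits stripped."""
    folded = unicodedata.normalize("NFKC", candidate).casefold()
    forms = set()
    for base in (folded, folded.translate(LEET)):
        stripped = re.sub(r"[^a-z0-9]", "", base)
        forms.add(stripped)
        forms.add(stripped.rstrip(DIGITS))   # "callmeishmael2024"
        forms.add(stripped.lstrip(DIGITS))   # "2024callmeishmael"
    forms.discard("")
    return forms


def check_passphrase(candidate: str, blocklist=PHRASE_BLOCKLIST,
                     min_len: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason). Length is a floor, not a guarantee:
    a long candidate is still rejected if any normalized variant is a
    known phrase. min_len is an assumed policy value, not from the post."""
    if len(candidate) < min_len:
        return False, "too short"
    for form in variants(candidate):
        if form in blocklist:
            return False, f"matches known phrase '{form}'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: length alone does not save the first four.
    for pw in ("Call me Ishmael", "thereisnofatebutwhatwemake!",
               "C@ll me Ishm43l!", "Call me Ishmael 2024",
               "quartz-lantern-44-meadow-vole"):
        print(f"{pw!r:38} -> {check_passphrase(pw)}")
```

The check runs on the plaintext at enrollment or change time, before the credential is hashed with a slow, salted KDF; it never needs to see stored hashes. The variant set is deliberately small and cheap, which is the right trade-off for a policy check, since the goal is to refuse the obvious dictionary entries, not to reproduce a cracker's full rule engine.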
We said the crisis management implications are massive, but what are they exactly? Basically, you must assume that, at some point, your systems WILL be compromised. Whether it’s a CEO allowing a trojan through by clicking a bad link, an intern being duped via social engineering over the phone, or an advanced password cracking program forcing a way in, odds are that if you have data someone wants, you’re going to face a hacking scare at some point within the next few years.
You can, and certainly should, put up strong defenses, but it’s critical that you also design and implement a crisis management plan for hack attacks that includes these three key items:
- Prevention training for employees.
- Messaging to deliver to concerned stakeholders.
- Methods and resources to repel the attackers and resecure your systems.
It’s becoming more and more evident that we simply cannot stop every cyber attack, but what we can do is bounce back as quickly as possible. The better you plan, and the more you train, the faster you’ll be able to return to business as usual.
The BCM Blogging Team