The past few weeks and months have seen a shock-and-awe campaign launched by a series of hacker groups such as Anonymous and LulzSec.
And the pattern was started earlier by WikiLeaks. It seems that as long as Assange is a captive this will go on... No, this is not a conspiracy theory, but it looks like one.
The most serious of the recent events is the breach of RSA's SecurID. Whew. If the guardians of security cannot protect their own, who can?
As these hackers merrily go about defacing websites and downloading the personal information of online users, the cybercops seem to be absent from the scene.
They are busy sewing up the carpet, or shoving things under it, after something nasty has happened, and in most cases they fail miserably, as seen with Sony's servers being hacked over and over again.
This prompted me to think about what this business is really about, and I could see two things: one, a WikiLeaks connection, and two, weak security.
Of course, so-called security experts are trying to blame weak code, weak systems, the Chinese and others, among many things, to take attention away from their own failings.
So, what can be done about this? How do we demolish the efforts of hackers?
Let us start with defacement. If you have a weak administrator password, defacement is like free beer. And if your host is some cheap, run-of-the-mill hosting provider with little or no back-end security, then you are fair game for even rookie hackers.
So, the first thing any serious organization has to do to prevent defacement of its websites is to go with a hosting provider that is serious about security.
And test them before you use them. There are a lot of online tools that do just that; you are not required to hire an expensive white hat.
Next, use a strong password to control your administrator account. Use an automated password generator that produces a really long and complex password.
If you have databases powering your websites, make sure the database access passwords are also complex: something that cannot be easily guessed.
If you run an online service, do not give users the opportunity to define simple or similar passwords. Every password has to be unique, if not complex, and should combine numbers, special characters and letters in upper and lower case. If this is a stumbling block, offer alternative passwordless authentication solutions.
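As an added example that is not part of the original post, the following Python enforces the composition rule above (upper and lower case, digits, special characters) and generates passwords from the operating system's CSPRNG; the minimum length, the special-character set and the username check are my own assumptions.

```python
import secrets
import string

# Character classes the policy requires (the special-character set is an assumed choice)
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "special character": "!@#$%^&*()-_=+[]{};:,.<>?",
}
MIN_LENGTH = 16  # assumed minimum; the post only says "really long"
ALL_CHARS = "".join(CLASSES.values())


def policy_violations(password, username=None, min_length=MIN_LENGTH):
    """Return the list of unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, alphabet in CLASSES.items():
        if not any(c in alphabet for c in password):
            problems.append(f"no {name}")
    # Reject passwords trivially derived from the account name (assumed extra rule)
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def generate_password(length=24):
    """Build a random password guaranteed to pass policy_violations() at the default length."""
    if length < len(CLASSES):
        raise ValueError("length too small to include every character class")
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, unlike random.Random
    # One character from each class, so every composition requirement is met ...
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    # ... then fill the rest from the full alphabet and shuffle so class positions are unpredictable
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, policy_violations(pw))
    print(policy_violations("password1", username="admin"))
```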
Encrypt your code on your server. Though there is no way to encrypt all of your code, make it difficult for hackers to get to your code and algorithms.
Encrypt your user data before storing it on your server. Use a proprietary algorithm that is not commonly available. Make sure the algorithm used to encrypt your data is unique and not available to anyone else. Use unique seed keys before encrypting the data. Make sure only the owner/user can decrypt the data. Thus, even if the data is downloaded, hackers will not be able to decrypt it.
Strengthen your own in-house security at all critical facilities. Protect your corporate email accounts and intranet, have employees sign watertight NDAs, etc. Use in-house monitoring (continuous audio/video) so that if a breach occurs you know who did it.
If organizations do all of this, then even the most expert hacker can be thwarted from doing what they do all the time.
Implementing these measures does not cost a whale of a lot of money. It only requires foresight and determination to keep hackers from stealing your data, defacing your websites and making fun of your organization.