One of the hot topics discussed at HOSTING’s headquarters today was eBay’s recent data breach. According to eBay’s press release:
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information.
eBay reported there was “no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted format.” But still . . . the data stolen is enough for the hackers to go on a serious identity theft spree.
If you are one of eBay’s 145 million customers, change your password ASAP, especially if you have the same password for your eBay and PayPal accounts (you did know that eBay owns PayPal, right?). And if you manage security for your company, now is a good time to check the safeguards you have in place for protecting your critical data assets. Here is a quick checklist to get you started.
Have Your Employees Create Dedicated Login Credentials for Their Company-issued Devices
Hackers have many ways to steal employee credentials. A common one is to harvest them when an employee reuses the same user name and password on a website that has been compromised. Have your employees establish a dedicated user name and password for their company-issued devices. The key word is “dedicated” – these credentials shouldn’t be used for any personal devices or accounts they may own. Require your employees to change their passwords at least once per quarter.
Implement a Two-factor Authentication System
Every employee and contractor at HOSTING who uses a company-issued laptop also gets an RSA key fob. This device generates a one-time Personal Identification Number (PIN) that they enter in combination with their dedicated password to log in. This is one of the easiest and most effective means of protection. Even if hackers steal an employee’s password, they still need the unique code from the RSA device.
Limit Access to the Company Network
While Bring-Your-Own-Device (BYOD) policies are popular within many organizations, you might as well call them Bring-Your-Own-Data-Breach. One way hackers can steal corporate credentials is by planting malware on an employee’s personal laptop, which is then used to log into the corporate network. While it may be convenient for employees to check their company email on their personal laptop while voting for their favorite American Idol, accessing it via their company-issued device is much safer.
Monitor Your Employees’ Activity on Their Company-Issued Devices
We’re not talking Big Brother here. However, we would be remiss if we didn’t point out that it took eBay approximately two months to notice that their database had been hacked. So set up a system for monitoring your employees’ activity on your network. And keep an eye out for red flags such as an employee’s credentials being used to access areas that they don’t normally visit. For example, as Senior Writer at HOSTING, it would be highly unusual for me to access log files for our Network Operating Center (NOC).
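As an added illustration (not part of the original post), here is a small Python detector over a constructed access log: it learns which areas each user normally visits during a baseline period and flags any later access outside that set, the same red flag described above. The user names, resource names and log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log, one event per line: "<ISO timestamp> <user> <resource>".
# jsmith normally works in the wiki and CMS; noc_eng normally reads NOC logs.
LOG_LINES = """\
2014-05-20T08:01:12 jsmith wiki
2014-05-20T08:05:40 jsmith cms
2014-05-21T09:10:03 jsmith wiki
2014-05-21T09:45:51 jsmith cms
2014-05-22T10:00:00 jsmith cms
2014-05-20T07:55:00 noc_eng noc-logs
2014-05-21T07:58:10 noc_eng noc-logs
2014-05-22T08:02:33 noc_eng noc-logs
2014-05-23T02:14:09 jsmith noc-logs
2014-05-23T03:30:00 ghost noc-logs
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse(lines):
    """Turn raw log lines into (timestamp, user, resource) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def build_baseline(events, learning_cutoff):
    """Map each user to the set of resources they touched before the cutoff.
    ISO-8601 timestamps compare correctly as plain strings."""
    baseline = defaultdict(set)
    for ts, user, resource in events:
        if ts < learning_cutoff:
            baseline[user].add(resource)
    return baseline


def find_red_flags(events, baseline, learning_cutoff):
    """Events at or after the cutoff where a user touches a resource outside their
    baseline. A user with no baseline at all (never seen before) is also flagged."""
    return [(ts, user, resource) for ts, user, resource in events
            if ts >= learning_cutoff and resource not in baseline.get(user, set())]


def detect(lines, learning_cutoff="2014-05-23"):
    """Convenience wrapper: learn from everything before the cutoff, flag the rest."""
    events = parse(lines)
    return find_red_flags(events, build_baseline(events, learning_cutoff), learning_cutoff)
```

In practice the baseline would be refreshed on a rolling window and the flagged events routed to whoever reviews access alerts, rather than printed.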
So check these action items off your list, and sleep easier tonight. And if you want to raise your Security IQ in the cloud, check out HOSTING’s latest webinar on 2014 Cloud Security Trends.