Authentication Can Stop Hackers (or 2015 Hacks in Review)

By William Houry, VP of Sales, Versasec

The year 2015 was rather illustrious for cyberattacks, with hacks both famous and even infamous. Among the most notable attacks – some for the sheer numbers of victims, some for who was hacked, and some for both – were the following:

  • Anthem Health. With nearly 33 percent of Americans having some tie to Anthem, this was probably the year's most egregious attack. While the number of records was far smaller, another healthcare group whose patient data was at risk was UCLA Health, which (certainly unbeknownst to its customers) did not encrypt patient records, essentially handing over patient information on a silver platter to would-be hackers. Another example of healthcare records being exposed was via Excellus BlueCross BlueShield, where approximately 10 million records were released.

  • The Internal Revenue Service (IRS). No one likes paying taxes, but at the very least we expect those tax documents to be secure. Not so, this time. The exposure was approximately 100,000 taxpayers. When you think of the information on tax forms, from Social Security numbers to date of birth, address, income and even signatures, the potential for harm from this exposure is tremendous.

  • OPM. This agency conducts background checks for government workers. With more than 20 million records exposed in this breach, the scariness factor is very high on this one.

  • FBI portal. We don't know the exact numbers exposed, but apparently what got hacked was arrest records tracked by the FBI.

  • Other notable hacks included credit card breaches that affected millions of cardholders for companies like CVS, Walgreens, Costco and Rite Aid; the Experian breach that impacted some 15 million customers of T-Mobile; the 4.6 million Scottrade customers who had their contact details breached; and the potentially thousands of Trump Hotel chain customers who had their credit card data stolen, including their security codes and card numbers.

In the year's most infamous data breach, hackers stole information on approximately 37 million customers of the cheating web site Ashley Madison and served up the potential for lots of scandalous data leaks to come.

More recent was VTech's late November announcement that hackers had made off with nearly 5 million customer records, which included some personal information on more than 200,000 children, including their dates of birth, genders and first names. This was an external attack that came through a customer web portal using SQL injection.

For those who don't know, VTech supplies electronic learning products to kids ranging in age from infancy to preschool. It also makes cordless phones. In fact, the Hong Kong-based company is one of the top 50 electronic manufacturing services providers in the world.

But unlike many large, global enterprises, VTech employs a relatively small number of employees – just hundreds. So when VTech got hacked, it fit into the trend we've observed where more and more cyberattacks are being targeted at small- and medium-sized companies. Why would that be? Well, many of the larger companies, and particularly those larger companies who have already been victims of big hacks, are better protected these days. In contrast, small- and medium-sized companies are easy.

It's important to note that few cyber criminals start off with a list of companies they want to breach. More often, the bad guys employ robots so they can attack massively, everywhere. They can essentially just poke around and see what results look interesting. And guess what? Poorly protected companies look very interesting to hackers.

While it is less relevant to the VTech example, for many of the others cited here, one of the central areas of weakness in companies is the user authentication process, particularly easily cracked user passwords.

The thing is, many of these hacks could be avoided by securing the authentication process: simply ensuring that all employees who have access to any important data on customers or other sensitive information have to use two forms of authentication (two-factor authentication).

For an SMB with, say, 300 employees, implementing two-factor authentication might cost about $15,000. That's a pretty small price to pay when you consider the damage inflicted both in terms of very real customer exposure as well as the potential damage to the company's brand.

Two-factor authentication solutions that include deployment and management of the security devices and the user identities go a long way to helping customers feel safe again. With Versasec's solutions, for instance, companies that deploy secure PKI devices can then use those devices for any application that supports secure authentication, such as a domain, web site, and Wi-Fi, as well as for mail encryption, secure signatures, disk encryption and more. The network is safe.

A solution like vSEC:CMS means the users are protected on any device; they don't have to remember a password, and they don't have to change passwords every other week. It simplifies the user experience while making it infinitely safer.
