Beyond the Password: Education, Technology Can Send Hackers Packing

Think profiling. It’s how we catch criminals, right? But what happens when criminals start profiling you?

A few days ago, luxury retailer Neiman Marcus notified some online customers of a security breach that compromised an estimated 5,200 accounts. Hackers were able to obtain customers’ contact information, purchase histories, and the last four digits of credit card numbers. They made fraudulent purchases from 70 of those accounts.

This attack was small. Neiman Marcus will likely only have to overcome short-term financial and reputational harm. The incident pales in comparison to a 2013 attack on the company that exposed about 1.1 million payment cards.

But what’s interesting from the perspective of the store’s 5,200 affected users—and every consumer and businessperson who is concerned to ensure his or her security online—is the theory being explored in the investigation: that the hackers stole online users’ login and password combinations in earlier attacks on other, unrelated websites.

By compiling data on users—that is, by profiling them—the hackers were able to mount an automated attack against Neiman Marcus based on the assumption that some customers use the same credentials across multiple sites.

They were right. Neiman Marcus reported that 1% of the fraudulent login attempts were successful. That’s enough to make their guessing game worthwhile.
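As an added illustration (not from the original post), the following Python sketch shows how a defender might spot that guessing game in web login logs: credential stuffing looks like many distinct accounts each tried once, from many sources, with a low success rate, whereas a brute-force run hammers one account. The log format, sample lines and thresholds are assumptions.

```python
"""Flag credential-stuffing windows in constructed web login logs."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)"
)

# Constructed sample (assumed format); one burst of distinct accounts, then normal logins.
SAMPLE_LOG = """\
2016-01-10T03:00:01Z login user=alice src=203.0.113.5 result=FAIL
2016-01-10T03:00:02Z login user=bob src=198.51.100.7 result=FAIL
2016-01-10T03:00:02Z login user=carol src=203.0.113.9 result=FAIL
2016-01-10T03:00:03Z login user=dave src=192.0.2.44 result=OK
2016-01-10T03:00:04Z login user=erin src=198.51.100.8 result=FAIL
2016-01-10T03:00:05Z login user=frank src=203.0.113.5 result=FAIL
2016-01-10T03:00:05Z login user=grace src=192.0.2.45 result=FAIL
2016-01-10T03:00:06Z login user=heidi src=198.51.100.9 result=FAIL
2016-01-10T09:15:00Z login user=alice src=192.0.2.10 result=OK
2016-01-10T09:20:00Z login user=bob src=192.0.2.11 result=OK
"""

def parse_log(text):
    """Return (timestamp, user, source, succeeded) tuples; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m["user"], m["src"], m["result"] == "OK"))
    return events

def detect_stuffing(events, window_s=60, min_attempts=5, min_user_ratio=0.8, min_fail_ratio=0.7):
    """Fixed time windows where nearly every attempt is a different account and most fail."""
    buckets = defaultdict(list)
    for ts, user, src, ok in events:
        buckets[int(ts.timestamp()) // window_s].append((user, src, ok))
    alerts = []
    for key in sorted(buckets):
        attempts = buckets[key]
        n = len(attempts)
        users = {u for u, _, _ in attempts}
        fails = sum(1 for _, _, ok in attempts if not ok)
        # Brute force: one user, many tries. Stuffing: many users, ~one try each.
        if n >= min_attempts and len(users) / n >= min_user_ratio and fails / n >= min_fail_ratio:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_s, timezone.utc),
                "attempts": n,
                "distinct_users": len(users),
                "distinct_sources": len({s for _, s, _ in attempts}),
                # Successful logins inside the burst are the reused-credential victims to reset.
                "compromised_candidates": sorted(u for u, _, ok in attempts if ok),
            })
    return alerts
```

The successful logins inside a flagged window are the accounts whose owners most likely reused a password leaked elsewhere; those are the ones to force-reset and review for fraudulent orders.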

Living Online: Playing in the Grey Area

This type of online security breach is becoming common. Cyber-criminals are capitalizing on consumers’ propensity to use the same username and password for multiple accounts—and to share personal information on social media, including on unsecured personal devices like mobile phones and home wireless networks.

Such practices make it easier for criminals to compile personally identifiable information (PII) and login credentials, to replicate identities and use them for illicit purposes.

From a business IT perspective, this is more than a story about an online retailer. It’s a strategy by cyber-criminals to exploit the grey area between a secure private life and the far less secure—and dangerously public—life that takes place online. The intersection of e-commerce and social media, where people buying online can simultaneously be logged into multiple social media accounts, means that all of us need to be savvy about the amount of information put online about who we are.

More critical? That grey area can extend to employees handling data that belongs to your enterprise. Meanwhile, the growing use by businesses of third-party providers for digital services is increasing the volume, velocity, and variety of enterprise data at risk. This blurs the line between business IT and consumer IT.

UnPasswording: Your Strategy to Respond

Fortunately, businesses can influence culture and systems to mitigate their risk of a data compromise brought about by employee behavior. Education and technology working hand-in-hand is the most effective way to manage risk. I recommend these steps for creating a complete closed loop of security:

  1. Know your users: Do a complete identity analysis to understand who they are, what systems and information they have access to, and what they are doing with that access.
  2. Identify your most valuable data assets: Give your most sensitive data the highest level of protection by focusing your resources there.
  3. Promote smart rules: Bring structure and control to IT, cloud, and in-house applications through certified entitlements in addition to the standard certified identities.
  4. Trust but verify: Enforce access governance and validate that employees are using digital assets effectively. Give users the least privilege that they need to do their jobs and manage high privileged access.
  5. Automate: Address consistent processes, not individual transactions.
  6. Continuously monitor and learn: Continually monitor and assess your environment, solutions and strategies. Learn from your mistakes and adapt to change proactively.

Preventing unauthorized access to enterprise data is a journey, not a destination. There will always be bad guys, but you can protect your weakest points of entry and send them looking for vulnerabilities elsewhere.


Valmiki Mukherjee


Valmiki is a multi-faceted technology management professional, leading the delivery of information security solutions to the industry. He has been the lead...