Information security is key in nearly any industry, but it becomes crucial in finance. Sometimes security checkpoints and precautions are not enough to protect your data. That’s where experts come in to recommend the best strategic approach to fight attackers proactively. In addition to exploring emerging security technology and using threat modeling to pinpoint weaknesses, there are several important preventative measures people and organizations can and should take to safeguard their systems, cloud environments included, from hackers.
Update Your Password Frequently – Passwords are the weakest link in security because they rely on ordinary people (not security professionals) to come up with something “strong enough” that they can also remember. Password strength is a crucial element of personal information security. Even if a password strength meter rates your password as excellent, cracking tools keep getting faster, and human-chosen passwords are usually rooted in some personal aspect of your life that can still be guessed, even if the choice was unconscious. Change a password promptly whenever there is any sign it may have been exposed, and be aware that forced rotation on a fixed schedule tends to produce predictable variations (a changed digit or suffix); current guidance such as NIST SP 800-63B therefore puts length, uniqueness and checking against known breaches ahead of calendar-based changes.
Changing a password limits the damage: even if an attacker pieces it together from personal details or finds it in a leaked database, it is only useful for the period it remains in use. A password manager such as LastPass can generate a strong, random password for every site you log into, keep them in an encrypted vault, and fill them in for you, so you never have to remember them.
Other password tips:
· Try to avoid using names and numbers related to your life. Kids, family, pets, birthdays, anniversaries, etc. are all easy for a hacker to find out and use against you.
· Always use 2-factor authentication when you can. A real second factor is something you have, not something else you know: a one-time code from an authenticator app, a hardware security key, or, as a weaker fallback, a code sent by SMS (SMS can be intercepted through SIM swapping). A “security question” is just another password and does not count. A second factor adds a layer of security without making you remember yet another login.
· Don’t use the same password between sites. It can be tempting to create one password that is “strong enough” and reuse it everywhere so you have less to remember. That puts you at much greater risk: when one site is breached, attackers try the leaked username and password against every other popular service (credential stuffing), so a single leak gives them access to everything. A unique password for each site confines the damage to that one account.
Be Mindful of Insecure APIs
Application Programming Interfaces (APIs) have to balance security and accessibility to be useful to an organization, but the greater the access, the greater the potential threat. Many APIs have to be reachable over the internet to serve their function, but there should still be measures in place to control that access.
For instance, you can require accounts to be pre-authorized before they may call the API, or issue API keys that the client presents on each request. Keys are secrets in their own right, though, and pose a secondary risk: they end up in source code, logs and shared spreadsheets. Treat them as you would a password: store only a hash server-side, accept them only over TLS, scope each key to the minimum operations it needs, give it an expiry, and make revocation and rate limiting part of the design from the start.
Ultimately, each API is built to suit a particular set of parameters or deliverables and will therefore have different security needs. At the end of the day it comes down to implementing secure practices and protocols for use, which is why threat modeling is essential: it can reveal potential threats before an API goes live and allow the owner to address those concerns and implement solutions beforehand.
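As an added example of the controls described above (my own illustration in Python, not code from the article or from ThreatModeler), here is a minimal API-key service that keeps only a keyed hash of each secret, compares it in constant time, and enforces expiry, revocation, per-key scopes and a per-key rate limit. The `ApiKeyStore` class, the `key_id.secret` token format, the pepper value and the one-minute rate window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: bytes          # HMAC of the secret; the secret itself is never stored
    scopes: FrozenSet[str]   # operations this key may perform
    expires_at: int          # unix time
    revoked: bool = False


class ApiKeyStore:
    """In-memory key store (assumed design). `pepper` is a server-side secret so a
    leaked table of hashes cannot be brute-forced offline without it."""

    def __init__(self, pepper: bytes, rate_limit: int = 100):
        self._pepper = pepper
        self._records: Dict[str, ApiKeyRecord] = {}
        self._rate_limit = rate_limit                     # requests per key per minute
        self._hits: Dict[Tuple[str, int], int] = {}       # (key_id, minute) -> count

    def _digest(self, secret: str) -> bytes:
        return hmac.new(self._pepper, secret.encode(), hashlib.sha256).digest()

    def issue(self, scopes: Iterable[str], ttl_seconds: int, now: int) -> str:
        """Create a key; the full token is returned once and never recoverable afterwards."""
        key_id = secrets.token_hex(8)                     # public lookup handle
        secret = secrets.token_urlsafe(32)                # 256 bits of randomness
        self._records[key_id] = ApiKeyRecord(
            key_id, self._digest(secret), frozenset(scopes), now + ttl_seconds)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        if key_id in self._records:
            self._records[key_id].revoked = True

    def authorize(self, presented: str, required_scope: str, now: int) -> Tuple[bool, str]:
        """Check a presented token for one operation. Every failure path returns a reason
        for the server log; a real API would report only a generic 401/403 to the client."""
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        if record is None:
            self._digest(secret)      # do the same work so timing does not reveal valid ids
            return False, "unknown key"
        if not hmac.compare_digest(self._digest(secret), record.key_hash):
            return False, "bad secret"
        if record.revoked:
            return False, "revoked"
        if now >= record.expires_at:
            return False, "expired"
        if required_scope not in record.scopes:
            return False, "insufficient scope"
        bucket = (key_id, now // 60)
        self._hits[bucket] = self._hits.get(bucket, 0) + 1
        if self._hits[bucket] > self._rate_limit:
            return False, "rate limited"
        return True, "ok"


if __name__ == "__main__":
    store = ApiKeyStore(pepper=b"example-server-side-pepper", rate_limit=3)
    token = store.issue(["read"], ttl_seconds=3600, now=1000)
    print("read  ->", store.authorize(token, "read", now=1000))
    print("write ->", store.authorize(token, "write", now=1000))
```

Scoping and expiry are what limit the blast radius when a key does leak from a repository or a log line: a read-only key that expires in an hour is a far smaller prize than a permanent admin key.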
Beware of Insider Threats – Insider threats aren’t just employees trying to access secure or sensitive information; the broader issue is that the human element is one of the most difficult factors to predict and secure entirely. It’s essentially impossible to eliminate the insider threat because people are fallible in ways that machines and algorithms are not. It’s usually not malicious; more often it’s a simple error (a misdirected email, a shared credential, a misconfigured permission) that ripples across the entire organization’s security.
Some ways to mitigate insider security risks:
- Limit the people who have access to accounts – The fewer humans with access, the lower the risk of human error, and the smaller the blast radius when a mistake happens. Grant access on a least-privilege basis, and keep broadly shared collaboration platforms for non-sensitive information and documents that genuinely need wide access.
- Training and education – Have security experts speak to your entire team. They should explain why security matters and give actionable advice the team can apply in their daily work.
- Have published security protocols and make them easy to find and reference.
Know Your Enemy – There are two main types of attack: automated and targeted. Automated attacks trawl broadly for any kind of usable information, like mass phishing emails. They cast a wide net and hope to catch a tidbit of information that can be used to break further into secure accounts.
Targeted attacks focus on a specific company or organization. They are harder to prevent than automated ones because it is difficult to know in advance which organizations are prime targets, and then to guard against an attack tailored to that organization and to whatever specific information or asset is being sought.
Don’t Underestimate the Threat of the Future – What is the threat of the future? It’s encryption breaking. One of the biggest hindrances for attackers is that recovering a key by brute force takes an infeasible amount of time, and a sufficiently large quantum computer would remove that barrier for most of today’s public-key cryptography: Shor’s algorithm factors integers and computes discrete logarithms in polynomial time, which breaks RSA, Diffie-Hellman and elliptic-curve schemes outright. No machine of that scale exists yet, but traffic recorded today can be stored and decrypted later, so the threat is already relevant for anything that must stay secret for years. Symmetric ciphers fare better: Grover’s algorithm only halves the effective key length, so AES-256 remains comfortably strong.
So how do we stop these attacks? There is still no easy answer to that million-dollar question, but there are plenty of security experts and threat modelers working to identify potential weak points and resolve them before the threat becomes real, and NIST’s post-quantum standards (FIPS 203, 204 and 205, published in 2024) give organizations concrete replacement algorithms to plan a migration around. Until then, organizations need to follow the same model: understand their security architecture, build threat models to determine where they need shoring up, and continue to pursue ways to improve their security.
About Archie Agarwal
Archie Agarwal is the founder and CEO of ThreatModeler. With more than 20 years of real-world experience in threat and risk analysis, Archie has been instrumental in successfully implementing secure software development processes at a number of Fortune 1000 companies to minimize their exposure to cyber threats and mitigate risks. Prior to founding ThreatModeler, he was the Director of Education Services at WhiteHat Security.