For the last week, the internet has been ablaze with stories about an issue with Cloudflare, an Internet Service Provider (ISP). At the heart of the issue is an overflow vulnerability that caused authorization information to become publicly available. Here is a handy comic from XKCD.com on how it works:
While there is plenty of advice on what individuals and affected websites should be doing to protect themselves and their data (change your passwords, use two-factor authentication methods such as Google Authenticator or Microsoft Authenticator wherever possible, change your username/sign-in information, etc.), there is very little guidance on what small and midsize businesses should be doing, if anything, in light of this.
Here is the issue that we often ignore or downright forget about – human beings are creatures of habit. That means that the password someone uses to log in to their OKCupid™ account is probably the same as, or at least very similar to, their banking password, their Uber™ password, and their corporate login. Then there is the propensity of small and midsize businesses to use a username built on one of the following patterns, for example for someone named Jane Doe: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org. Alternatively, company.com can be company.local.
This means that the company network, along with its sensitive data, is now vulnerable to external access. The difference between an organization and an individual is that while individuals are responsible only for themselves, the organization is responsible for the sensitive information of itself, its owners, its employees, its clients, and sometimes the clients of its clients.
So how does one mitigate the risk? The answer is a phased approach. The initial step should be to force all users to change their passwords immediately. The next step is planning and implementing the following:
1. Ensure there is a policy forcing password changes at least every 90 days
2. Change all usernames to something other than the patterns outlined above. For example, initials + random 7-digit number
3. Use a third-party tool to force password complexity that protects against usage of common dictionary words. This will safeguard against passwords like January2017 or Michelle18
4. Implement a two-factor authentication scheme on the local network
5. Implement a Privileged Account Management (PAM) solution to safeguard super-user type accounts
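As an added illustration of items 2 and 3 (this is example code written for this post, not the author's tooling or any particular third-party product), the following Python shows the two checks such a tool performs: generating the "initials + random 7-digit number" username, and rejecting passwords that are really just a dictionary word dressed up with a capital letter, a year, or a couple of digits. The word list is a constructed handful of entries; a real deployment would load a full dictionary or breached-password list in its place.

```python
import re
import secrets
import string

# Constructed sample dictionary for this example only. A real policy tool
# would load a complete word list or breached-password list here.
COMMON_WORDS = {
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december", "michelle", "password",
    "welcome", "summer", "winter", "spring", "autumn", "company", "admin",
}

# Character substitutions that attacker wordlists already undo, so we undo
# them too before comparing against the dictionary.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy minimum; adjust to your own standard


def candidate_roots(password: str) -> set:
    """Return the dictionary 'roots' a password could have been built from.

    Janury2017 -> janury, Michelle18 -> michelle, P@ssw0rd2017! -> password.
    """
    lowered = password.lower()
    roots = {lowered, lowered.translate(LEET_MAP)}
    # Strip leading/trailing digits and punctuation (the "2017" in January2017).
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    roots.update({stripped, stripped.translate(LEET_MAP)})
    # Also split on digit/punctuation runs so "michelle18june" yields both words.
    for part in re.split(r"[\d\W_]+", lowered):
        if part:
            roots.update({part, part.translate(LEET_MAP)})
    return roots


def check_password(password: str, username: str = "") -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")

    # The dictionary check is what catches January2017 and Michelle18: both
    # satisfy a naive "upper + lower + digit" rule yet are trivially guessable.
    hits = sorted(r for r in candidate_roots(password) if r in COMMON_WORDS)
    if hits:
        problems.append("built on dictionary word(s): " + ", ".join(hits))

    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def generate_username(first: str, last: str) -> str:
    """Item 2: initials followed by a random 7-digit number, e.g. jd0482913.

    secrets (not random) is used so the number is not predictable from a seed.
    """
    initials = (first[0] + last[0]).lower()
    number = secrets.randbelow(10_000_000)
    return f"{initials}{number:07d}"


if __name__ == "__main__":
    print(generate_username("Jane", "Doe"))
    for candidate in ["January2017", "Michelle18", "P@ssw0rd2017!", "Tr0ub4dor&3-Staple!"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:22s} -> {'; '.join(verdict)}")
```

The point of `candidate_roots` is that the dictionary comparison happens after normalization: a tool that only compares the literal password to the word list passes `January2017` and `P@ssw0rd2017!` every time, which is exactly the class of password the post's item 3 is meant to stop.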
The last step is ensuring that items 1-5 are implemented and are being maintained by including them in your information security policy and your periodic audit policy. And if you do not have an Information Security Policy? Now is probably a very good time to get one created... and you can still pat yourself on the back for being proactive about it.
As always, feel free to contact us with any questions, comments, or requests.