How Hackers Break In

Computer and network security is multi-layered: firewalls, email scanners, malware detectors, and so on. However, at the end of the chain is a human being. Whether it is a highly trained system administrator or a naive end-user, the first and last line of defense is an invaluable human being.

No defense is 100% perfect. This has long been recognized in physical security. No safe vendor is going to say, "It is impossible to break into my safe." What they will tell you is how long it will take someone to break in and whether or not they will leave evidence of the compromise.

Technological solutions are valuable and they are a key element of a multi-layered defence. However, at the end of the day, it comes down to human beings being knowledgeable about data security and attentive to their own actions.

From the IT World article "Not so startling revelations of how a hacker broke in": of the 10 common ways hackers break in, 7 are directly associated with end-users or are simply basic common sense.

  • Substandard passwords
  • Password reuse / sharing
  • Phishing / Client side attacks
  • USB drops
  • Social engineering
  • Unpatched systems
  • Using default credentials

Whether you are a private individual or a business, the actions are the same:

  • Use a good password - a good password does not necessarily mean a complex password. A short complex password is not as secure as a long "simple" password. For example, "H0telCA1" is not as mathematically secure as "mix blue shake characteristic".
  • Use unique passwords - the simple solution is not to use the same password on more than one website or online account. However, the downside is that trying to remember a dozen or more passwords is difficult. There are several tools and services which solve that issue and provide additional resources for securing your passwords. We use Lastpass internally and recommend Lastpass Enterprise for our business clients.
  • Learn how to identify phishing emails, and implement a training program for your employees if you are a company.
  • Implement a 3rd party spam and malware filter on your email server. We recommend EveryCloud.
  • Don't insert an unknown USB drive into your computer.
  • Similar to phishing and client side attacks, the best defence against social engineering attacks is education and training. Check out this article from our partner company Webroot for a basic primer on this subject.
  • Check that your computers and network devices are updated with the latest patches on a regular basis. For businesses, look into implementing a patch management solution or a managed service solution.
  • When setting up a new computer or device, change the default password.
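To put a number on the "short complex vs. long simple" claim in the first point above, here is an added example (not from the original article) that estimates the search space an attacker faces for each password. It assumes a 7776-entry word list (the classic Diceware size) for the passphrase model; that figure is an assumption, not one the article gives.

```python
import math
import string

# Assumed word-list size for the passphrase model (classic Diceware list).
DICEWARE_WORDS = 7776


def charset_size(secret: str) -> int:
    """Size of the union of standard character classes that covers the secret."""
    size = 0
    if any(c in string.ascii_lowercase for c in secret):
        size += 26
    if any(c in string.ascii_uppercase for c in secret):
        size += 26
    if any(c in string.digits for c in secret):
        size += 10
    if any(c in string.punctuation or c == " " for c in secret):
        size += len(string.punctuation) + 1  # punctuation plus space
    return size


def brute_force_bits(secret: str) -> float:
    """Bits of work if the attacker must try every string over the covering charset."""
    return len(secret) * math.log2(charset_size(secret))


def dictionary_bits(passphrase: str, words: int = DICEWARE_WORDS) -> float:
    """Bits of work if the attacker knows it is N words drawn from a list of `words` entries."""
    return len(passphrase.split()) * math.log2(words)


def effective_bits(secret: str) -> float:
    """Strength under the attacker's cheapest applicable model.

    A multi-word passphrase is scored by the weaker of the two models, since a
    smart attacker will use a word list rather than a character brute force.
    """
    brute = brute_force_bits(secret)
    if len(secret.split()) > 1:
        return min(brute, dictionary_bits(secret))
    return brute


def compare(short_complex: str, long_simple: str) -> dict:
    """Return both estimates so the two examples from the article can be compared."""
    return {
        short_complex: round(effective_bits(short_complex), 1),  # 47.6 bits
        long_simple: round(effective_bits(long_simple), 1),      # 51.7 bits
    }


if __name__ == "__main__":
    print(compare("H0telCA1", "mix blue shake characteristic"))
```

Even when the attacker is given the word list, the four-word passphrase still costs more work than the 8-character mixed-case password, and it grows by about 13 bits per added word.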