When Twitter announced on Thursday that all of its 330 million plus users should change their passwords immediately, the company was also quick to acknowledge – unlike Equifax – that the problem was one created by humans. A bug had caused passwords to be written to an internal log in plain text rather than hashed and, thankfully, at least according to Twitter, there was no breach, no exfiltration, and no master password list for sale on the Dark Web.
For those who don’t remember, the Equifax breach exposed the personal information of some 143 million Americans. The breach occurred because a web application vulnerability was exploited in May 2017, some two months after a patch became available.
While it’s definitely concerning that a bug of this kind presumably passed through multiple layers of checks and balances in Twitter’s software development lifecycle and was present for several months before its discovery, what intrigues me most is that, once again, the security of millions has been compromised by what I and many others like to call “The Human Factor”. Humans are imperfect creatures. We make mistakes. We install major updates on a Friday afternoon and then expect all to run smoothly on Monday morning. We – well, maybe not all of us – click on zip file attachments and launch malware. We – again, maybe not all of us – use sticky notes on our monitors to make it easier to remember our new passwords.
In short, we are our own worst enemies and, on a daily basis, we threaten the security of our systems and data. If that weren’t the case, we wouldn’t have lists, updated every year, of the 100 most common and therefore least secure passwords. Passwords like “password”, “12345”, “qwerty”, “letmein” and, just to add some variation, “passw0rd”. We wouldn’t turn off our firewalls, think we don’t need antivirus or Internet security software, or dare to think that using a “free” WiFi hotspot just once won’t have potential, long-term consequences.
The Twitter and Equifax examples illustrate that spending millions to secure data is only part of the solution. We shouldn’t be fooled into thinking that corporations are the only ones affected by “The Human Factor”. While consumers don’t have millions to spend securing their smartphones and laptops, the saying that hackers only have to get it right once still rings true.
Bottom line – we need to remember that sometimes it’s the simple things that leave us most vulnerable. Remember the sticky note example above? Well, I know for a fact that those who are a little more security conscious put the password sticky notes under their keyboards or in the top drawers of filing cabinets, underneath the pen trays.
How can we get better at security? For starters, it’s spring in the northern hemisphere. With warm weather and daffodils comes spring cleaning. To reduce the likelihood that you will be your own worst enemy, you might want to consider not just washing your windows and cleaning out the garage, but also:
1. Making sure that your battery backups (UPS units) are in good working order. That doesn’t mean that you just look at the indicator light to check that it is on or that the battery light isn’t blinking. Pull the serial number and go to the manufacturer’s website to check warranty status or manufacture date, or check your purchase date to make sure the unit isn’t too old. Test the UPS to make sure that it will operate under load and that any automatic shutdowns you have configured work as expected. Lastly, if you find something amiss, repair or replace the hardware.
2. Implementing and/or verifying your data backup solutions. If you are still using the same external drive you’ve been using for the last three years, it’s time to check the backup and verify the drive’s integrity: actually restore a few files and compare them against the originals rather than trusting that the copy job finished. It’s also time to think about adding a cloud backup. Of course, do your due diligence and ensure that your data is encrypted in transit and at rest to keep it from prying eyes, and keep in mind that encryption alone does not tell you whether a backup is still intact; integrity needs its own check.
3. Getting rid of data that you don’t need and aren’t obligated to retain. I always tell my clients and students that hard drive space is like closet space. The more you have, the more likely you are to fill it. When everything had to fit on a 3.5″ floppy with a whopping 1.44 MB of available space, we were far better at data management. Maybe we didn’t have all the options we have today, but we had to choose wisely because we didn’t want to have to sort through dozens of floppies to find an important document. With that in mind, clean out your temporary and download folders, clear your cache and downsize your inbox. Make sure you keep any files that you must retain to remain compliant with policy or regulation.
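The “verify the backup” step in item 2 is the one most people skip because it is tedious by hand. Below is an added example, written for this article rather than taken from it or from any backup product, of the simplest mechanical version of that check: build a SHA-256 manifest of every file on the backup at the time the copy is known good, keep the manifest somewhere other than the backup drive, and later re-hash the drive and diff it against the manifest. The directory layout, file names and contents are constructed inline for the demonstration, and the run_demo function simulates both a flipped byte (bit rot) and a deleted file so you can see what the report looks like when something is wrong.

```python
"""Checksum manifest for verifying a backup copy (added example, Python stdlib only)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so large files never need to fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON. Keep this file off the backup drive itself."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def verify_backup(root, manifest):
    """Re-hash the backup and report what is missing, changed or new since the manifest."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    added = sorted(set(current) - set(manifest))
    modified = sorted(
        name for name in manifest if name in current and current[name] != manifest[name]
    )
    # New files are only reported; lost or altered data fails the check.
    return {"ok": not (missing or modified), "missing": missing,
            "modified": modified, "added": added}


def run_demo():
    """Constructed scenario: a small backup, a good manifest, then silent damage."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "photos").mkdir()
        (backup / "docs" / "report.txt").write_text("quarterly numbers\n")
        (backup / "photos" / "vacation.bin").write_bytes(bytes(range(256)) * 64)

        manifest_path = Path(tmp) / "manifest.json"  # outside the backup tree
        save_manifest(build_manifest(backup), manifest_path)
        clean = verify_backup(backup, load_manifest(manifest_path))

        # Simulate bit rot (one flipped bit) and an accidentally deleted file.
        damaged_file = backup / "photos" / "vacation.bin"
        data = bytearray(damaged_file.read_bytes())
        data[100] ^= 0x01
        damaged_file.write_bytes(data)
        (backup / "docs" / "report.txt").unlink()

        damaged = verify_backup(backup, load_manifest(manifest_path))
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("fresh backup ok:", clean["ok"])
    print("after damage:", damaged)
```

A plain manifest like this catches the failures that actually hit home backups most often: silent corruption on an ageing drive and files that quietly went missing from the copy. It does not protect against someone who can rewrite both the drive and the manifest, which is why the manifest belongs on separate media (or signed), and why it complements rather than replaces the encryption at rest mentioned in item 2.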
Last, but certainly not least, if you are looking for one more bit of housekeeping you can do to reduce the human factor, do what I’m going to do, since Twitter recommends it: change your password before your next tweet.