POSTED: 1:30 a.m. HST, Jul 19, 2011
The recent “hacking” of a Fox News Twitter feed set the world abuzz with its false reports of serious injury to President Barack Obama. The Secret Service continues to investigate the exact methods by which the hacking was conducted. The fact of the matter, however, is that the hacking was probably facilitated by exploiting people as opposed to technology.
Specifically, we believe that the so-called hacking was aided by a compromised password. Typically, large companies that employ social networking have multiple folks responsible for monitoring the various accounts, such as those on Twitter or Facebook. This often leads to sharing of passwords amongst the responsible parties.
Take that shared password, combine it with a disgruntled employee (or more like, ex-employee) and voilà! The account is available to a host of nefarious characters. This is actually much easier and more prevalent than what most folks envision as “traditional” hacking.
So what can businesses and government organizations do to combat such issues? First, develop and publish a password policy. Such a policy defines more than just “eight letters or longer, use special characters, numbers, and both upper- and lower-case letters.”
A good password policy defines how often passwords must be changed in both normal circumstances (for example, monthly or quarterly) and unusual situations (such as termination of an employee). Also included in the policy is whether the same password can be used for multiple accounts and, if so, which type of accounts. Confidentiality rules, of course, need to be defined. This includes sharing of passwords, whether directly or indirectly, or even mentioning a password in conversation.
A password policy also should include penalties for violation of rules. We have seen such penalties run the gamut from fines, suspensions, to terminations. While this might seem harsh — and we are in no way suggesting termination for the more manini violations — it is necessary. It is no different from many other forbidden activities for which penalties are a given.
In addition to a substantive password policy, folks might plan for the worst. What happens if we get hacked? In the case of the Fox News example, rumor has it that it took more than five hours to rectify the problem.
Organizations need to understand how to report problems, whom to report them to and, most important, how long it might take to resolve issues. Make sure your ducks are in a row so that if you do run into a problem, you’re not wasting valuable time doing things that could have been done earlier, such as establishing an authoritative figure in both your organization as well as the provider.