How to avoid an Epsilon style leak
After speaking with quite a few people, and being somewhat experienced in the security of websites, I thought I should throw in on the recent Epsilon hack. Usually a hack of this size is caused by a human, as yes unfortunately, you are the weakest link.
The reason is simple: phishing emails are sent to individuals that if the user clicks, may end up installing a kind of key logger on their machine. Once that user logs in to their Epsilon account the hacker now has a valid username and password to dive into all the PII (Personal Identifiable Information) stored that the user would have access to.
So on top of the OTA’s top ten I’d add the following recommendations:
|1.||Evaluate who has access to PII within your organisation (and your vendor’s)|
-Does Jane Doe need access to the actual email list of your entire 3MM list?
-Does your account handler at xyz vendor need to see actual PII?
|2.||Do not use file transfer – use real time API’s over SSL|
-Don’t use manual methods for transferring data to vendors
–Don’t use FTP for PII data transfer (or anything for that matter!)
|3.||Don’t store unencrypted passwords anywhere|
-Not with your vendor and not in your own systems
-Reset password Vs Forgotten password
|4.||Limit number of actions by user and IP|
-Look for odd behavior, e.g. users unusually downloading all of their data
|5.||Don’t include username and passwords in the same message|
|6.||Rotate passwords (however annoying it is)|
|7.||Frequently validate who has access to your PII (employees, and vendors)|
|8.||Create a PII data map, who has access, who is storing, what is being stored (and by which vendors)|
|9.||Make sure employees aren’t saving PII in external files|
|10.||Make sure you don’t have an open wifi on your network, and look for foreign clients on the network|
As CEO of Sailthru, a service provider storing PII, we take the Epsilon leak as a serious hit to the industry in general. I hope that the above will help both our clients, other esp’s and any company that stores pertinent information about individuals. It’s our responsibility to look after the data entrusted to us by the consumer and our customers.