If you haven't yet heard about the HBGary hack and email leak, I suggest browsing one of the many articles put out on the subject since the incident in early February. It serves as a strong cautionary tale of what can occur in cases where security firms fail to secure their own networks well. Even in the event your company doesn't deal in security issues, there is a great deal to be learned about how to successfully protect a site or network from similar dangerous attacks. Let's walk through the key points of failure in this example step by step.

Don't skimp on website security

The first target of the hacker group was the HBGary Federal site, where they were able to use a simple SQL injection to secure access to the site database. This granted them access to usernames, email addresses and "hashed" passwords (passwords encrypted with a hash function to stop unauthorized access). This would have been stopped by either running a solid, up-to-date commercial CMS or by testing the custom content management system for SQL injection vulnerability. This type of exploit is frequently utilized in the hacker community and involves almost no ability to utilize, consequently each and every security specialist must be aware of it.

Create difficult passwords

Despite the fact that the passwords had been encrypted in the database, there are popular methods out there to help hackers attempt to work out the right passwords based on the hashed data. These kinds of tools pre-compute thousands and thousands of possible passwords and then can be cross referenced for the resulting hash sequence. There are, naturally, limitations to what these tools can do. For pragmatic reasons they will only store information about a limited subset of potential passwords, for example just passwords from 1-8 characters with lower case letters in addition to numbers or just passwords from 1-12 letters in upper case. Two people at HBGary (the CEO and COO) used passwords that were only eight characters long with 6 lower case letters and 2 numbers, meaning that they were vulnerable to this specific attack. Choosing to use complex passwords with a mix of upper and lower case letters, numbers, and characters such as and % effectively removes the danger of these types of tools being utilized to guess at your password.

Create different passwords

Taking user passwords for editing a website is bad, but not life-ending for a security firm. Unfortunately for HBGary, both of those compromised passwords were reused in lots of places, including social networking sites and email administration. It may be awfully tempting to reuse passwords - particularly complicated ones - however the simple fact is that reusing passwords has become among the most prevalent security issues right now. If you choose the exact same password on your email and a small humor site, and that website's database is compromised, it may be possible for someone to use that password to get access to your email account and most likely much more.

Keep software programs up-to-date

Several issues with the security of these websites would have been resolved by using proper security updates. Whenever vulnerabilities are identified in software, developers work to shut the loopholes and then send out patches to correct the issue. Users that install these kinds of patches promptly are far less liable to see their systems compromised, as would-be attackers have a significantly shorter window of opportunity to act on a new exploit.

Chances are fairly good that if you've ever studied appropriate security practices, you already knew most of this. When even security businesses fail to comply with this very elementary advice, though, it is good to take a moment to double check your own security for potentially mistakes mistakes.