Opinion and Analysis
Firms need strong security systems
Posted Wednesday, August 15 2012 at 20:06
In Summary
- As hackers become bolder, more creative, and technically savvy, local organisations need to rethink how they secure and authenticate users who access their critical enterprise systems.
- Studies have shown that many employees use the same password to access multiple applications including corporate systems and online service provider accounts like Gmail, LinkedIn or Yahoo.
- Kenyan organisations are increasingly relying on computer systems and networks for progressively sensitive tasks, such as facilitating e-banking, improving customer service and satisfaction, and lowering support and distribution costs.
- There is therefore a need to deploy stronger authentication methods to provide greater assurance that only authorised users are gaining access to these resources.
In the past couple of months a number of online service providers, including Yahoo, LinkedIn and Dropbox, have been breached, exposing the login credentials of their users.
Perpetrators of these breaches exploited weaknesses in the service providers' systems and published sensitive user information, including usernames and passwords, on the internet.
In the case of Dropbox, the hackers reused credentials published after an earlier breach of another site to identify and log into an employee's Dropbox corporate account.
In another case, a reporter with Wired magazine had all his computing devices, including his mobile phone and iPad, remotely erased by hackers.
The attackers chained weaknesses in account-recovery procedures rather than guessing any password: his Amazon account gave up the last four digits of a credit card number, Apple accepted those digits as proof of identity and reset his AppleID, the AppleID controlled the recovery address for his Google account, which was then taken over and deleted, and the Google account in turn gave the attackers his Twitter account.
The hackers used the AppleID to remotely erase all of the data on his iPhone, iPad and MacBook.
Locally, a leading broadcaster’s website was compromised exposing over 2,900 email addresses, usernames and passwords belonging to users who had registered with the broadcaster’s online membership service.
The hackers used a common hacking technique known as SQL injection to gain access to the broadcaster's sensitive information. SQL injection is a relatively common but potentially devastating technique in which input supplied by the attacker, typically through a web form or URL, is pasted directly into a database query by the application, so that the input changes the meaning of the query itself and lets the attacker read or modify the corporate database supporting the web application.
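To make the mechanism concrete, the following is an added example written for this page; it is not code from the article or from the broadcaster's site. It uses Python's built-in sqlite3 with a constructed, hypothetical members table (the table name, column names and sample rows are invented) and shows a login check built by string concatenation next to the same check written as a parameterised query.

```python
import sqlite3

# Constructed sample data standing in for a membership table. The table layout
# and these rows are hypothetical; nothing here comes from the real site.
SAMPLE_MEMBERS = [
    ("alice", "alice@example.com", "Summer2012"),
    ("bob", "bob@example.com", "letmein"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is concatenated into the SQL text, so quote
    characters and comment markers in the input become part of the query."""
    sql = (
        "SELECT username, email, password FROM members WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened: the query text is fixed and the driver binds the values, so
    input can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT username, email, password FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology payload: the WHERE clause becomes
    #   username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, dumping the whole table.
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    # Comment payload: everything after -- is ignored, so the password
    # check disappears and alice's row is returned without her password.
    print(login_vulnerable(db, "alice' --", "anything"))
    # The same payloads against the parameterised query match nothing.
    print(login_safe(db, "' OR '1'='1", "' OR '1'='1"))
    print(login_safe(db, "alice", "Summer2012"))
```

The sample table stores passwords in clear text only to mirror what the breach exposed; that is a second defect in its own right, and a real membership database should hold only salted password hashes so that an injection, if one still occurs, does not hand the attacker reusable credentials.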
As hackers become bolder, more creative, and technically savvy, local organisations need to rethink how they secure and authenticate users who access their critical enterprise systems.
Studies have shown that many employees use the same password to access multiple applications including corporate systems and online service provider accounts like Gmail, LinkedIn or Yahoo.
As such, if an online service provider is compromised and an employee's username and password are exposed, a hacker can simply try the same credentials against the employer's systems and gain access.
This might require the hacker to employ some basic social engineering techniques, such as collecting information from social networks to identify the victim's employer and using other publicly available information, like Requests for Proposals (RFPs), to identify the employer's critical systems.
Kenyan organisations are increasingly relying on computer systems and networks for progressively sensitive tasks, such as facilitating e-banking, improving customer service and satisfaction, and lowering support and distribution costs.
The incidents highlighted above are a clear indication that traditional username/password usage is not adequate to protect critical applications and information resources.
There is therefore a need to deploy stronger authentication methods to provide greater assurance that only authorised users are gaining access to these resources.
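One concrete form such stronger authentication can take is a second factor that a password leaked from another site does not reveal. The example below is added here and is not from the article; it implements a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) together with salted password hashing, and checks both factors at login. The user record layout and the function names are this example's own choices, and the enrolment secret used in the demonstration is the RFC test-vector secret, not a real key.

```python
import hashlib
import hmac
import os

# Added example; names and record layout are assumptions made for illustration.
PBKDF2_ROUNDS = 100_000   # work factor for password hashing
TOTP_STEP = 30            # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest). A random per-user salt means a
    leaked hash table cannot be attacked with one precomputed dictionary."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def enroll_user(password, totp_secret):
    """Store only the salt, the password hash and the shared TOTP secret.
    last_counter records the newest time step already accepted for this user."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret, "last_counter": -1}


def authenticate(user, password, code, now, window=1):
    """Two-factor login: the password and a fresh TOTP code must both match.
    `window` tolerates clock drift of +/- one step; any step at or below
    last_counter is refused so a captured code cannot be replayed."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    current = now // TOTP_STEP
    for counter in range(current - window, current + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret, used here only for demonstration.
    secret = b"12345678901234567890"
    user = enroll_user("Summer2012", secret)
    print("password alone:", authenticate(user, "Summer2012", "000000", 59))   # False
    print("password + code:", authenticate(user, "Summer2012", totp(secret, 59), 59))  # True
    print("replayed code:", authenticate(user, "Summer2012", totp(secret, 59), 59))    # False
```

The password check runs first so that a wrong password never leaks whether a code was valid, and a code is accepted only once: the time step that produced it is recorded and refused thereafter, which is the failure mode a plain "compare against the current code" check misses. The TOTP secret is a shared secret, so the server-side store holding it needs the same protection as the password hashes.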