Understanding Security Basics

The story of how Wired Magazine's Mat Honan was hacked (link to his article on Wired.com) has become quite a scary story. There is credit to the notion that security measures in place across various cloud-based services should be better aligned and standardized, but that is not the topic for this post. The underlying issue that everyone needs to be aware of, is that security is not necesarily about stopping an attack from being able to occur, but about mitigating the damage that can occur as the result of an attack.

Using a strong password, and a different password for each system or site you access, is the standard "best practices" approach that should be explained by anyone with an IT background. The part that is often glossed over, though, is that a strong password is only one piece of the puzzle. Most successful attacks are not the result of cracked passwords, but of the ability for a person to socially engineer the information they need to gain access to some piece of information that proves vital. As in the case of Mr. Honan's unfortunate experience, social engineering was successful again.

How could this have been avoided, then? Certainly better security practices would have assisted in this case, but that comes with the reliance on the vendor of the product or service in question. Is there anything an individual could do on their own to help mitigate such a disaster? Yes.

Mr. Honan mentions the key piece of information that IT professionals have been preaching for years: back up your data. While this would not have stopped the attck from occuring, nor would it have alleviated the stress and headache of dealing with such a nightmare, it would have at least provided a way for Mr. Honan to restore everything that was lost during the attack.

This is the one piece of information I want to emphasize: if you feel it is important, back it up.

In the above case, I do feel as though Mr. Honan has a very legitimate point that everyone should also be aware of:

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.