Following the news about the fall out of the Dropbox data breach, IT security experts from KCS Group Europe and Kaspersky Lab commented below.
Tony Sweeney, Cyber Security Director at KCS Group Europe:
“The news of 68 million Dropbox passwords being leaked online is not a shock; after all, the breach occurred in 2012 when LinkedIn and MySpace were also hacked. It is safe to assume any online accounts held since 2012 are at risk and ALL passwords should be changed. Realistically, no accounts are safe from being compromised.
One way to make accounts more secure is by enabling two-factor authentication, such as a code being sent via text to your mobile device in addition to entering your password. However, the secret here is not to wait until you are told your details have been breached but instead be prepared that a beach could happen at any time. It needs to be recognised that normal cyber defences are not enough; it’s about being proactive, rather than simply reactive. Testing the security of the whole business – from the perimeter all the way through to employee awareness training – coupled with the advanced warning provided by constant monitoring, saves crucial time, protects reputation and gives the CISO a better nights sleep.”
David Emm, Principal Security Researcher at Kaspersky Lab:
“In today’s digital world, breaches are becoming an unfortunate common occurrence. In fact, the news of the Drobox security breach is reminiscent of the recent Tumblr hack in that the leak, or the scale of it, weren’t apparent for some time.
Customers that entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner; and all companies that handle private data have a duty to secure it properly. However, it’s also important for consumers to understand that security can’t be taken for granted, as you never know when your details could be at risk, as demonstrated by this breach. In this way, we would advise consumers use complex passwords, supported by a password manager, as well as multifactor authentication to guard against threat.
Organisations should prepare on the basis that hackers will get in, it’s therefore positive that we’re starting to see a shift from organisations using defensive strategies, towards being better prepared. For example, Dropbox hashed and salted passwords, and immediately gave advice to consumers, recommending that they change their passwords as a precaution. We know that many people use the same password across multiple online accounts, so it’s important that those affected take steps to change their password for other online accounts where they have used the same password.
Four years is a long time for personal details to have been exposed. This is a good illustration of the positive impact that is likely to accompany the new EU GDPR (General Data Protection Regulation) in 2018, as it will force the hand of companies and hopefully will result in less breaches identified retrospectively. After all, one might question the value of closing the stable door four years after the horse bolted.
Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection. These include running fully updated software, performing regular security audits on website code and running penetration tests on corporate infrastructure. It’s also vital that companies implement an education programme, to raise security awareness among employees. Prevention is better than cure and the best way for organisations to combat cyber-attacks is from the beginning; by having an effective cyber-security strategy in place before the company becomes a target.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.