The home improvement site Houzz announced a data breach this week in which an unauthorized third party gained access to a file containing both publicly visible user data and private account information. In an email sent to affected users, Houzz stated that the file held publicly available profile information as well as internal account information such as user IDs, email addresses, "one-way encrypted" passwords, IP addresses, city and zip codes derived from those IP addresses, and Facebook account information.
Expert comments below:
Eoin Keary, CEO and Co-founder at EdgeScan:
“In order to mitigate the effects of the attack, Houzz should require users to reset their password and ask them to enable multi-factor authentication. This way, if the password is known by an attacker, a second factor of authentication is required before access is granted. Multi-factor authentication is becoming more mainstream and should be recognised as an essential security practice. Houzz has rightly informed users of the breach and hopefully will monitor access attempts to account data where applicable.
My best advice to users is: don’t reuse passwords across multiple sites. If you are, reset all your passwords now. Use a password manager and choose complex passwords or a passphrase. And if there is the option to activate multi-factor authentication, enable it!”
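The two controls recommended above, a forced password reset for every account in the breached file and a second factor that is checked even when the password is correct, as a worked example. This is added code, not Houzz's implementation and not the commenter's. It assumes that the notice's "one-way encrypted" passwords are salted PBKDF2-HMAC-SHA256 hashes (the notice does not say which algorithm Houzz used) and that the second factor is RFC 6238 TOTP (SHA-1, 6 digits, 30-second step); `Account`, `login` and `force_reset` are hypothetical names.

```python
"""Added example (not Houzz's code): forced reset plus a TOTP second factor.

Assumptions: stored passwords are salted PBKDF2-HMAC-SHA256 hashes, and the
second factor is RFC 6238 TOTP (SHA-1, 6 digits, 30-second step).
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000  # tune upwards on production hardware


def hash_password(password, salt):
    """One-way: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30):
    """RFC 6238 TOTP: HOTP over the current time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step)


def verify_totp(secret, code, at=None, window=1):
    """Accept the current step and +/- `window` neighbours to tolerate clock skew."""
    now = time.time() if at is None else at
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), code):
            return True
    return False


class Account:
    def __init__(self, user_id, password, totp_secret=None):
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret      # None = MFA not enrolled
        self.reset_required = False

    def enrol_totp(self):
        """Generate a fresh secret; return it base32-encoded for an authenticator app."""
        self.totp_secret = secrets.token_bytes(20)
        return base64.b32encode(self.totp_secret).decode()

    def set_password(self, new_password):
        """New salt and hash; clears the reset flag set after the breach."""
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new_password, self.salt)
        self.reset_required = False


def force_reset(accounts, affected_ids):
    """Flag every account whose ID appeared in the leaked file. Returns the count."""
    n = 0
    for uid in affected_ids:
        if uid in accounts:
            accounts[uid].reset_required = True
            n += 1
    return n


def login(acct, password, code=None, at=None):
    # Refuse before touching the password: a cracked hash must never log anyone in.
    if acct.reset_required:
        return "RESET_REQUIRED"
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return "DENIED"
    # Correct password alone is not enough once a second factor is enrolled.
    if acct.totp_secret is not None:
        if code is None or not verify_totp(acct.totp_secret, code, at):
            return "SECOND_FACTOR_REQUIRED"
    return "OK"
```

The TOTP routine is checked against the RFC 6238 reference secret `12345678901234567890`, which yields code 287082 at t=59. Note that the reset flag is tested before the password so the expensive hash is never computed for a locked account, and that an attacker holding a cracked password still stops at `SECOND_FACTOR_REQUIRED`.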
Todd Peterson, IAM Evangelist at One Identity:
“There are some basic privileged access management practices that can significantly mitigate the risk:
Never share the passwords – set up a system and practice of only issuing privileged credentials on an as-needed basis and only for the duration of time and the specific activities for which they are required. This applies to internal staff as well as third parties.
Audit and monitor all activities performed with these credentials – ensure that you know what the people (including third parties) are doing with the elevated permissions they are issued.
Follow the principle of least privilege – while natively most systems require the full administrative credential to perform even the most basic task, there are technologies available (for example sudo for Unix/Linux systems) that allow you to delegate just the permissions necessary to do the job. For ongoing access where a third party is consistently required to perform specific IT tasks, try to delegate just those permissions, nothing more, nothing less.
Use analytics – implement technologies that can detect and notify you of permissions that fall outside the norm for what is required of the third party and that can detect when a third party’s behaviour deviates from established patterns.
Use multi-factor authentication – perhaps the simplest way to ensure appropriate access is to shore up authentication by requiring a second factor (beyond the administrative password). Modern multi-factor authentication solutions are now easy to implement, painless to use, and provide the extra level of assurance necessary when trusting your crown jewels to outsiders.”
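The sudo delegation mentioned above, together with the audit point, as an added configuration example; it is not Houzz's or One Identity's configuration. It assumes a hypothetical contractor account `vendor-ops` whose only job is to restart nginx and read its error log; the broad rule is shown commented out beside the scoped one.

```sudoers
# Added example, not from the article or any vendor. Hypothetical account
# "vendor-ops" that only needs to restart nginx and read its error log.

# Too broad: any command, as any user, with full root. Nothing limits what
# the third party can do or leaves a record of what they did.
# vendor-ops ALL=(ALL:ALL) ALL

# Least privilege: an alias listing only the commands the task needs,
# with their exact arguments, so the contractor cannot run anything else.
Cmnd_Alias NGINX_OPS = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl status nginx, \
                       /usr/bin/tail -n 200 /var/log/nginx/error.log
vendor-ops ALL=(root) NGINX_OPS

# Audit: record the terminal output of every delegated command for this
# account, so you know what was done with the elevated permission,
# not merely that sudo was invoked.
Defaults:vendor-ops log_output
Defaults:vendor-ops iolog_dir=/var/log/sudo-io/%{user}

# Do not cache the credential between commands: every sudo call
# re-authenticates, which also gives a PAM second factor a chance to run.
Defaults:vendor-ops timestamp_timeout=0
```

Check the fragment with `visudo -cf <file>` before installing it, and put it in a file under `/etc/sudoers.d/` rather than editing the main file. The sudoers rule constrains what the account can do once it exists; the "as-needed issuance" and "only for the duration required" points above still need the credential itself to be issued and revoked by whatever privileged access process you run.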
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.