TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/895084
14 | THE M REPORT | COVER STORY

Threat 1: Brute Force Access

Who do you picture when you think of a hacker? If it's a mysterious figure half a world away furiously typing on a keyboard to find weak points in your network, you: a) watch too much network TV and b) are thinking of a hacking style that most closely aligns with brute force techniques to gain crucial financial information.

While hackers who employ brute force methods use a trial-and-error approach to decode encrypted data (such as logins), they do so using software that can try a variety of combinations light years faster than any human. These approaches are so fast that when PC Magazine tested one brute force code cracker, L0phtcrack, it found the program was able to access 85 percent of an office's passwords within 20 minutes.

"With a login credential, thieves can gain access to all the data that is displayed on the website. They may also be able to access additional websites, as many consumers use the same login name (the most common is an email address) and password for multiple sites," said Craig Bechtle, EVP/COO at MortgageFlex.

Educating your employees on how to create strong passwords is one way to protect against brute force attacks. A strong password is one that is site-specific, lacks identifying information that can be easily guessed, and contains a combination of uppercase and lowercase characters and numerals. Another step toward ensuring secure passwords is to require passwords to be changed frequently, though this protocol creates a delicate balance.

"A common security mistake that companies make is that they implement rigorous password requirements, but do not guard against the 'yellow sticky' with a password on a user's monitor," said Eric Patrick, CTO at Quandis, Inc. If you require passwords to be changed too often, human nature, and the 'yellow sticky' tendency, soon takes over.
To help ensure the passwords themselves aren't in plain sight, consider obtaining a company subscription to a program such as LastPass, which not only stores passwords but also helps auto-generate new ones.

To protect passwords on a larger scale, companies that take data security seriously should also ensure password hashing. Password hashing is a method by which each password is transformed into a fixed-length string (the hash), and that string, rather than the password, is what gets stored. Hashing a password ensures that even if unauthorized parties access a company's password database, they do not receive plain-text versions of the passwords.

Threat 2: Malware

"Modern malware is very adept at stealing data," said Jeremy Boyd, IT Director at DocMagic, Inc. Malware is a type of software that damages or disables computers and computer systems. It was connected to the recent Equifax hack: a flaw in the Apache Struts software the company used allowed hackers to install malware on the site that downloaded information when consumers visited Equifax's website. Though malware is insidious these days, the particular flaw in Equifax's system could have been addressed by installing a patch that Apache Struts released in March. "The Equifax data compromise was due to their failure to install the security updates provided in a timely manner," said the Apache Software Foundation in a statement.

"Security vulnerabilities in commonly used insecure or unpatched operating systems are another way attackers can gain access to sensitive data," said Boyd. Patrick agreed, adding that updating browsers is also an important aspect of system security. "Corporate IT departments that don't keep up with browser updates are essentially ignoring the security fixes constantly being put into browser software by Microsoft, Google, Apple, and Mozilla," he noted.

A specific type of malware is ransomware: as the name implies, hackers leverage the data they stole for a ransom against the companies it belongs to.
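As an added illustration of the password hashing described under Threat 1 (example code written for this page, not code from TheMReport or from any company quoted in it), the following Python stores a salted PBKDF2-HMAC-SHA256 record in place of the password, verifies a login attempt against that record in constant time, and checks a candidate password against the article's mixed-case, numeral and no-identifying-information criteria. The iteration count, the record format and the sample passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Sequence

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is the figure OWASP's
# password-storage guidance gives for this algorithm; treat it as an assumption
# to be tuned on your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<digest>'.

    The salt is random per password, so two users who chose the same password
    get different records, and a stolen table cannot be attacked with one
    precomputed list that covers everyone at once.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare it in
    constant time, so response timing does not reveal how many bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record: never authenticate against it
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def policy_violations(password: str, identifying_info: Sequence[str] = ()) -> List[str]:
    """Check the article's strong-password criteria: upper and lower case,
    numerals, and no easily guessed identifying information (user name,
    company name, parts of the email address). Returns a list of problems;
    an empty list means the password passes."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    lowered = password.lower()
    for item in identifying_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains identifying info: %r" % item)
    return problems


if __name__ == "__main__":
    # Constructed demonstration values, not real credentials.
    record = hash_password("Correct-Horse-42")
    print("stored record:", record)  # the plaintext appears nowhere in it
    print("verify right :", verify_password("Correct-Horse-42", record))
    print("verify wrong :", verify_password("correct-horse-42", record))
    print("policy check :", policy_violations("jsmith2017", ["jsmith", "MortgageCo"]))
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records re-hashed at the user's next successful login without a schema change.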
According to Verizon's study, 27 percent of breaches were discovered by third parties, and in part this is because the hackers themselves reached out to the company to brag about the theft or to attempt to secure a ransom.

Threat 3: Phishing

"The phishing environment is extraordinary," said Chuck Bloodgood, CIO at FirstClose. "Data thieves can copy something as innocuous as a Facebook friend notice where the minute you click on that button they take you to a page that has been completely replicated to look exactly like what you would expect. However, as soon as you enter any data, they follow every single click you make."

In addition to the type of phishing that Bloodgood describes, mimicking reputable websites, phishing may also include creating emails that look like they are from a known sender so the receiver reveals personal information such as passwords, credit card numbers, and Social Security numbers.

"As more and more of the origination process is digitized, borrowers and originators are becoming bigger targets of email phishing scams as a means for gaining access to sensitive data," added Boyd.

"The additional problem with sending sensitive data via email is that you won't lose that message right away—it gets copied to many different devices and places that will live on forever," said Jon Debonis, Head of Information Security at Blend. "I think education to borrowers is a big key—it doesn't just take

Brute Force/Brute Force Code Cracking: Trial-and-error method application programs used to decode encrypted data, such as passwords or Data Encryption Standard keys.

Cryptography: Cryptography ensures secure VPNs by providing both encryption and authentication. In symmetric cryptography, a key must be shared. In asymmetric cryptography, a public key is used.

Denial of Service (DoS/DDoS): This hacking technique floods a site or server with so much traffic that the site or server crashes.
Fake WAP: A fake wireless access point designed by outside parties to gain sensitive information.

Keylogger: Software that records keyboard strokes made on your computer to a log file. Designed to capture logins, passwords, and other sensitive information.

Malware: Shorthand for malicious software; malware damages or disables computers and computer systems.

Password Hashing: A method in which passwords are transformed into a cryptic, fixed-length password. Hashing a password ensures that even if unauthorized parties access a company's password database, they do not receive the plain-text versions of the passwords.

Phishing: The practice of creating emails or web links that look like they are from a reputable source, so the receiver reveals personal information such as passwords, credit card numbers, Social Security numbers, and more.

Ransomware: A type of malware that specifically blocks access to a computer system until a ransom is paid.

Trojan: Malicious software programs that, once installed, provide the victim's data to the hacker.
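The two phishing patterns described under Threat 3, a link whose visible text names a trusted site while it leads to a replicated page elsewhere, and an email whose sender claims to be someone it is not, can both be checked mechanically before a borrower or employee clicks. The following Python is an added example written for this page, not code from TheMReport or from any of the quoted companies; the message body, the From: header and every domain in it are constructed, and `registrable_domain` is a deliberately crude stand-in for a Public Suffix List lookup.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude 'owner' domain: the last two labels, lower-cased. Adequate for the
    demonstration; a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host name (optionally with scheme) appearing in the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def deceptive_links(html: str) -> List[Dict[str, str]]:
    """Flag anchors whose visible text names one domain while the href points
    at another: the tell-tale of a link to a cloned login page."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        if target.scheme not in ("http", "https") or not target.hostname:
            continue
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue  # plain words like "help pages" make no domain claim
        shown = registrable_domain(match.group(1))
        actual = registrable_domain(target.hostname)
        if shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def sender_domain_mismatch(from_header: str, claimed_domain: str) -> bool:
    """True when the From: address is not under the domain the display name
    or message body claims to represent."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return True  # no usable address at all is itself a red flag
    return registrable_domain(addr.split("@", 1)[1]) != registrable_domain(claimed_domain)


# Constructed sample message (not a real email) for demonstration.
SAMPLE_HTML = """
<p>Your closing documents are ready.</p>
<p>Sign in at <a href="https://docs.examplebank-secure.test/login">https://www.examplebank.test/login</a>
to review them, or read our <a href="https://www.examplebank.test/help">help pages</a>.</p>
"""
SAMPLE_FROM = '"Example Bank Closing Team" <closing@examplebank-secure.test>'

if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_HTML):
        print("link text shows %(shown)s but goes to %(actual)s (%(href)s)" % finding)
    print("sender mismatch:", sender_domain_mismatch(SAMPLE_FROM, "examplebank.test"))
```

Run against the constructed message, the first link is flagged because its text shows examplebank.test while the href goes to examplebank-secure.test, the "help pages" link is not (its text claims no domain), and the From: header fails the sender check for the same reason. Checks like these belong in mail filtering and in user training: the article's point that borrowers need educating is exactly the "does the link go where it says?" habit this code automates.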