Eight Things to Learn from the Gawker Fiasco

1
2
3
4
5
6
7
8
9
1 of 9

Eight Things to Learn from the Gawker Fiasco

by P. J. Connolly

2 of 9

Understand the Threat

Some organizations have more to fear from inside attacks than from the outside ones. Others can trust users implicitly, but have a public profile—whether deserved or not—which makes them targets with a very high value.

3 of 9

Dont Think Youre All That

If you're calling yourself a technology company, you have to protect your core technology; in the case of Gawker and its founder Nick Denton, this was the Ganja framework, which Gnosis captured from poorly secured servers and made available as a torrent.

4 of 9

Assume You Are a Target

If you dare people to hack into your systems, you'd better have an intrusion detection system in place and security policies that correctly identify the probable attackers and their possible approaches.

5 of 9

Keep Patches Current

Patching public-facing systems is not only necessary, it's vital. It's one thing to be a week or two behind to allow for testing before a general rollout, but some Gawker systems were reported to be up to a year behind on kernel patches.

6 of 9

Dont Use Obsolete Crypto

Gawker's authentication database, which linked user IDs, e-mail addresses and passwords, was encrypted using the obsolete DES algorithm; it can be assumed that every account's password would be decrypted before the end of December.

7 of 9

Clarify and Enforce Password Policies

Gawker's IT policy for employee accounts broke rules that were commonplace by the mid-1990s: no dictionary words, no repeated numeric strings, change passwords on a regular basis.

8 of 9

Dont Reuse Passwords on Critical Systems

Using the same password on multiple mission-critical systems isn't a valid approach to single sign-on; key Gawker employees it seems have used the same credentials for everything they touched, making the break-in that much easier.

9 of 9

Dont Reinvent the Wheel

If your site already has a relationship with an OAuth provider such as Facebook or Twitter, you might want to take advantage of the provider's authentication architecture, instead of trying to duplicate it.

Top White Papers and Webcasts