I read with some fascination about how researchers from the University of California gained access to the command-and-control network of the Torpig botnet. The researchers monitored the botnet over a period of 10 days, and saw how the hackers in control of it plundered some 70 GB of personal and financial data from the 180,000 bots - or infected computers.
The Torpig malware packs some chilling capabilities. According to the article:
[Torpig] can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers.
Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank.
I'll refrain from going into the details and leave the security-centric stuff to Ralph DeFrangesco over at his wonderful security blog. The reason I brought this story up is that I think small and medium-sized businesses can glean a couple of lessons from how Torpig works, especially pertaining to the topic of passwords.
Here are three simple recommendations for better password management for the SMB.
Enforce regular changing of passwords
The reason is straightforward: a password that was captured without anyone noticing stays useful to the attacker until it is changed, so a regular change puts an upper bound on that window. A password kept for years also gives an attacker who has stolen the password hash unlimited time to crack it. One caveat follows directly from Torpig: rotation does nothing while the stealer is still on the machine, because the new password is captured the moment it is typed. Rotation limits the damage from a compromise that has since been cleaned up; it is not a substitute for removing the malware.
Enforcement is usually easy, because many applications and operating systems, Windows Server among them, have a maximum password age and a password history built in. You can also use the Sample Password Policy in the Knowledge Network.
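For an application that has to enforce the policy itself, the two checks that matter are a maximum password age and a history that stops the user from rotating straight back to the old password, which would make the rotation pointless. The following is an added example, not code from the original post or from any product it mentions; the policy values (90-day maximum age, five remembered passwords), the account layout and the use of PBKDF2-HMAC-SHA256 are assumptions chosen for illustration.

```python
# Password-age and password-history enforcement for an application that
# has to do it itself. Added example; not code from the original post.
# The policy constants below are assumptions: adjust them to your own policy.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_PASSWORD_AGE = 90 * 86400   # seconds; assumed policy value
HISTORY_DEPTH = 5               # assumed: the previous five passwords stay blocked
PBKDF2_ROUNDS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: float                               # epoch seconds of the last change
    history: list = field(default_factory=list)     # older (salt, digest) pairs, no plaintext


def create_account(username: str, password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, derive(password, salt), now)


def verify(account: Account, password: str) -> bool:
    """Constant-time comparison against the current digest."""
    return hmac.compare_digest(account.digest, derive(password, account.salt))


def is_expired(account: Account, now: float) -> bool:
    """True once the password is at least MAX_PASSWORD_AGE old."""
    return now - account.changed_at >= MAX_PASSWORD_AGE


def previously_used(account: Account, password: str) -> bool:
    """Re-derive the candidate under each remembered salt; the history holds no plaintext."""
    if verify(account, password):
        return True
    return any(hmac.compare_digest(digest, derive(password, salt))
               for salt, digest in account.history)


def change_password(account: Account, new_password: str, now: float) -> str:
    """Rotate the password, refusing the current one and the last HISTORY_DEPTH values."""
    if previously_used(account, new_password):
        return "rejected: password was used recently"
    account.history.append((account.salt, account.digest))
    del account.history[:-HISTORY_DEPTH]        # forget anything older than the last N
    account.salt = os.urandom(16)               # fresh salt for every change
    account.digest = derive(new_password, account.salt)
    account.changed_at = now
    return "ok"


def login(account: Account, password: str, now: float) -> str:
    """What a login path should do: deny, force a change, or accept."""
    if not verify(account, password):
        return "denied"
    if is_expired(account, now):
        return "password change required"
    return "accepted"


if __name__ == "__main__":
    t0 = time.time()
    acct = create_account("alice", "Spring2009!", t0)
    print(login(acct, "Spring2009!", t0))                          # accepted
    print(login(acct, "Spring2009!", t0 + 91 * 86400))             # password change required
    print(change_password(acct, "Spring2009!", t0 + 91 * 86400))   # rejected: password was used recently
    print(change_password(acct, "Summer2009!", t0 + 91 * 86400))   # ok
    print(login(acct, "Spring2009!", t0 + 91 * 86400))             # denied
```

Every change gets a fresh salt, so the history can only be checked by re-deriving the candidate under each old salt; that is the cost of never keeping plaintext, and it is also why an attacker who steals the database still has to crack each entry separately.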
Discourage staff from using the same password everywhere
Most people memorize one or two passwords and use them anywhere and everywhere. All it then takes is one stolen password, say a Gmail password captured by a stealer like Torpig, plus a little data mining or guesswork about usernames, and the attacker can log into your CMS or ERP system with it. Unique passwords for different systems contain the damage: one compromised account stays one compromised account. For more help, see Protecting Your Passwords in the Knowledge Network.
The fact is, this tip is the hardest to enforce, yet the cheapest to implement - it costs nothing.
Where possible, implement two-factor authentication
Two-factor authentication requires something the user physically has, in addition to the password they know. It typically takes the form of a hardware token that generates a short-lived one-time code, good for a single login and worthless afterwards. That blunts the password sniffing of Torpig-style malware: a password and code captured by a keylogger cannot be reused later. It is not a complete answer, since malware sitting inside the browser can still act during the session the user has just opened, but it closes the door on later reuse of stolen credentials. Such a solution can also be expensive or beyond the expertise of some SMBs.
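The "constantly updated secondary password" of a hardware token is, in today's tokens, a time-based one-time password (TOTP, RFC 6238), which is itself HOTP (RFC 4226) with the counter taken from the clock. The following is an added example of the server-side verifier, not code from the original post or from any token vendor; the 30-second step, six digits, one step of allowed clock drift and the shared secret are assumptions (the secret is the RFC 6238 test value, used here only so the output can be checked against the published vectors). The part that matters against a keylogger is the last-accepted counter: a code the malware captured is refused once it has been used, and refused again once its window has passed.

```python
# Minimal RFC 6238 TOTP verifier with replay protection.
# Added example; not code from the original post or from any token product.
# Step size, digit count, drift tolerance and the secret are assumptions.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30        # assumed token period
DIGITS = 6               # assumed code length
DRIFT_STEPS = 1          # assumed: accept the previous and next window too


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Server side of the second factor: checks a code and refuses any replay of it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1          # highest counter value already accepted

    def verify(self, code: str, at: float) -> bool:
        counter = int(at) // STEP_SECONDS
        for candidate in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            if candidate <= self.last_counter:
                continue                # window already consumed: a captured code is dead
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def two_factor_login(password_ok: bool, verifier: TotpVerifier, code: str, at: float) -> str:
    """Both factors must pass; the order keeps a bad password from burning a valid code."""
    if not password_ok:
        return "denied: password"
    if not verifier.verify(code, at):
        return "denied: token"
    return "accepted"


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 6238 test secret; never hard-code a real one
    v = TotpVerifier(secret)
    now = time.time()
    code = totp(secret, now)            # what the user's token displays right now
    print(two_factor_login(True, v, code, now))        # accepted
    print(two_factor_login(True, v, code, now + 5))    # denied: token (replay of the same code)
    later = now + 2 * STEP_SECONDS
    print(two_factor_login(True, v, totp(secret, later), later))  # accepted: fresh window
```

A keylogger on the user's machine sees the password and the six digits, but by the time the attacker types them in, the verifier has already consumed that counter, so the stolen pair buys nothing. What it does not stop is malware that acts inside the browser during the session the user just opened; that needs transaction-level controls, which are outside the scope of this post.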
Absolute security is but an ideal. Obviously, I am certainly not saying that being infected with malware is even remotely acceptable. However, observing the simple password tips above would certainly help to minimize the impact of security breaches for the SMB.