Today's young people are becoming tomorrow's hackers
by Andy Kemshall
Online security is woefully inadequate and the young generation have hacking skills way beyond the skill sets of most adults
Some 42 per cent of information technology professionals believe that the average young person could crack most end users' passwords, using social networking tools. That is just one of the findings of a survey, conducted by SecurEnvoy, of 300 IT professionals. It found evidence that the average young person can now use social networking tools so proficiently that adults simply do not stand a chance. Perhaps an even greater concern is that, with social networking sites, a virtual Aladdin's cave of personal information is now available. The security industry concurs that just relying on a security question such as a mother's maiden name, first school or pet is woefully inadequate to fend off hackers.
You just have to look at the various status updates and veritable goldmine of information on social networking sites, such as LinkedIn and Facebook, to see how freely personal information is given away and, in fact, how actively that is encouraged. For example, on Facebook by labelling relatives it would not take a genius to work out that Mrs Jane Brooks' daughter Susan, whose uncle is Peter Jones, probably has a maiden name of Jones. Susan's LinkedIn account will then tell us where she works, and probably include her email address. While many will not be able to do any more with this information, someone wanting to attack Susan's employer could log in, answer the 'secret' question and reset her password to potentially get control of her credentials.
The study found that only 16 per cent of security professionals believe using just a 'secret question' for securing passwords was enough protection. Given this figure, what is concerning is that 21 per cent confessed this was the practice within their organisation to reset passwords. That translates to 5 per cent who know it is a risk but do it anyway, while the other 16 per cent are just naively playing with fire.
The IT professionals spoken to obviously have very real security concerns. But if we have got a problem today, then what's going to happen tomorrow when our technology-proficient children also join in the games and enter the workforce? We need to start getting serious about security today. To do that, there are two things that need to happen. First, we need to educate everyone to make sure they realise exactly how much their online social habits are exposing.
Second, organisations need to wake up to the very real threat of inadequate security protection, such as password resets. Just like 'chip and pin' has helped prevent credit card fraud, apps and soft tokens as part of a two-factor authentication process are a very effective security measure. If we do not wake up to the risks and start taking security seriously, then rather than our being shocked that some organisation or other has been breached, it will become the norm and accepted as part of everyday life. I do not think I am happy for that to happen and certainly do not think the rest of the population should be either.
Andy Kemshall is co-founder of IT firm SecurEnvoy