A security expert has warned that people need to improve their ‘password hygiene’, following revelations that the Syrian Electronic Army hacked CNN’s social media accounts yesterday.
Along with a number of the news agency’s social media accounts, blogs were also said to have been compromised.
Thomas Pedersen, CEO of identity management firm OneLogin, said that password security for public-facing apps such as these is an issue that is often overlooked.
It is only when high-profile accounts get hit that the bigger problem around management and control of cloud applications gets looked at, he added.
"The recent attack on CNN’s Twitter Account and Blogs by the Syrian Electronic Army is another high-profile reminder that bad password hygiene coupled with a lack of access control can create weak points in any company’s ability to securely manage their marketing applications," Pedersen explained.
"Marketing and social media apps have proliferated, and it’s critical that any organisation – especially larger organisations with distributed internal and external users – lock down access to any and all applications."
"Hacks that you hear about, like this one on CNN, can often be avoided with proper Password Vaulting or cloud-based Identity and Access Management solutions. Cloud-based IAM makes cloud apps less vulnerable because end users never log directly into the application. Rather, they go through the IAM system first, which can include a second factor of authentication."
Content from our partners
Password Vaulting is often combined with an IAM system and is a way of adding an additional layer of protection to web apps like Twitter or in- house content management systems. By storing the passwords securely server-side and injecting them into an application’s login page during sign-on, there is no reason why a communications staff should ever know his or her password for an app or be able to share it with colleagues, according to Pedersen.
"Since users log into the IAM system, they are much less like to be susceptible to phishing attacks for three reasons," he added. "Firstly, they’re not in the habit of logging in directly so a hacker’s email asking them to do so doesn’t match the normal work process. Second, even if they do click through, they can’t enter their details into a phishing page as they don’t know them. Third, companies can add a second factor of authentication to the IAM system like a mobile one time password app."
