Key Lessons from the Avast Hack

May 29, 2014
Kevin Lam

Last week eBay reported they were hacked in February, and this week Avast the anti-virus company also reported that they were hacked. Yes, even security companies themselves are exposed to malicious attack.

While everyone is busy laughing at Avast, I think this is a great opportunity to point out key lessons that might just save you from getting hacked yourself. If that sounds interesting to you, here they are …

Lesson #1: Patch Third-Party Software

The Avast hack was possible because of a security vulnerability in third-party software they were using to support their user forums.

The key lesson: Inventory and patch all the software your organization relies on. Just remember, you have to defend all possible ways into your network and systems; hackers just have to find the one you forgot.

Lesson #2: Always Use Unique Passwords

The Avast attack led to 400,000 user account credentials being stolen. Yes, they were hashed (a way of minimally protecting passwords), but they can and will be cracked. It’s really just a matter of time before hackers can break the hashing protection and retrieve user passwords.

The key lesson: Re-using passwords is a bad idea. If you’re using the same password across multiple sites, all it takes is for one site to get hacked and then you’re hosed on the other sites. Use different passwords; it’s probably the easiest thing you can do to protect yourself today.
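To make the "minimally protecting" point concrete, here is an added Python example (not code from the original post or from Avast) that stores a password with a per-user salt and a deliberately slow PBKDF2 hash, then measures how many guesses per second an offline attacker holding a leaked hash could test against it versus a bare SHA-256 hash. The iteration count, demo salt and sample passwords are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed work factor for the demo; stored with each record so it can be raised later.
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a password as a per-user random salt plus a slow, salted PBKDF2 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def fast_hash(password: str) -> bytes:
    """An unsalted single SHA-256: the kind of 'minimal protection' that falls quickly."""
    return hashlib.sha256(password.encode()).digest()

def slow_hash(password: str) -> bytes:
    """PBKDF2 with a fixed demo salt, so guessing rates are comparable to fast_hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", ITERATIONS)

def guesses_per_second(hash_fn, rounds: int, sample: str = "password123") -> float:
    """Rough single-core rate at which a leaked hash of this type could be tested."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn(sample)
    return rounds / (time.perf_counter() - start)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    # Same password for two users: different salts give different digests, so one
    # precomputed list cannot be checked against the whole leaked table at once.
    print("same password, same digest?",
          hash_password("hunter2")["digest"] == hash_password("hunter2")["digest"])
    print(f"SHA-256 guesses/s: {guesses_per_second(fast_hash, 50_000):,.0f}")
    print(f"PBKDF2 guesses/s:  {guesses_per_second(slow_hash, 5):,.1f}")
```

The gap between the two rates is the "matter of time" in the lesson above: a slow, salted hash buys the site's users time to change passwords, and unique passwords mean a cracked hash only ever unlocks that one site.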

Lesson #3: Keep Your Systems Separated

One really good thing that Avast did, which I think got lost in the report below, is that they kept their systems separated from one another. That is, the forum software that was hacked was kept separate from all the other systems in Avast’s more critical networks.

The key lesson: Instead of keeping everything together on a single server or network, split them up by importance or business criticality. That way you make the job of hackers significantly harder: instead of hacking into just a single system and getting the keys to the kingdom, they need to hack into 2 or more systems. That greatly decreases their chances of success, and increases their chances of getting caught.

Whenever security companies get hacked, reporters love to jump all over those companies. Sure, it’s embarrassing, but also a great opportunity to learn from mistakes so that you don’t get hacked either. Happy Friday and thanks for reading.
