Is your password putting you at risk?

One major cause of data breaches is the stolen password. Once hackers have an email address and password, a world of possibilities are open to them. The dangers are not just limited to the account they have access to. Their hacker’s next steps usually include not only selling the details to other criminals but also “credential stuffing”; taking the login details for one account and trying it on others. Imagine if your ISP account was hacked – your work email, online shopping and other accounts most people possess would be targeted.

Companies would do well to introduce Two Factor or Multi-Factor Authentication to protect their employee and customer digital identities. Put simply, this requires another authentication criteria to be satisfied before granting access to a site or account. Many large corporates are turning to 2FA to help derisk their customer’s exposure to a data theft. Sony Playstation, Apple, Instagram, and Gmail all offer this additional security measure.

Simply put Two Factor Authentication, requires two out of three regulatory-approved authentication variables such as:

  • Something you know (such an email password).
  • Something you have (the physical bank card or an authenticator token, which can be hardware or digital).
  • Something you are (biometrics like your finger print or iris pattern).

The majority of attacks come from remote connections and 2FA can make distance attacks much less of a threat because accessing passwords is not sufficient for access and it is unlikely that the attacker would also possess the physical device associated with the user account. Take the Dropbox account holder hack for example. Hackers are unlikely to take your credentials and use them successfully on a second website if they are asked to provide a unique one-off code. It’s just too much work for them unless the gains are incredibly high. Each additional authentication factor makes a system more secure. Because the factors are independent, compromise of one account should not lead to the breach of others.

If your employer has a significant online presence, I would urge them to explore the potentials gains of 2FA. Of course KeyIdentity offers multiple solutions here, but irrespective of vendor the key principle is passwords alone are insufficient to provide adequate safeguards in the face of threats are expanding in scope and volume. Authentication should be able to perform whether you are online or offline, and in way that minimises user disruption. One of my favorite examples is Blizzard, the company who create games such as World of War Craft and Diablo, have a free authenticator, and it seems to work very effectively.

To sum up, if you want to avoid data about yourself, your company or organization and your customers being accessed:

  • Make your password non predictable and use unique passwords for each and every application
  • Check the privacy settings on any social media accounts, and turn them on if you haven’t already
  • Don’t use real birthdays and other identifiable data unless you really need to. Receiving a “Happy Birthday” email from a loyalty card provider a few days early or late is preferable to sharing a major personal identifier.
  • Do not enter easy answers to password forgetten questions. Best case choose something as answer that has nothing to do with the question at all. An example: What is the name of your dog? Answer:”I love companies that makes it so easy to attackers to steal my identity”.
  • Explore the benefits for 2FA or MFA inside your organization and look for it when you sign up for a new online service or similar.

Lastly, stay alert to any news of data breaches and immediately change your password or create a new account if you believe you have been affected. Don’t forget to also consider where else you may have used the same password and personal details. Hackers are constantly trying to get the better of us, so don’t give them any extra chances to succeed.

 

Five typical enterprise security fails

At FOXMOLE, we have met with many large organisations and whilst they are all different in terms of their particular security challenges, there have been a number of commonalities observed:

Lack of mitigations

One example of this is the absence of a patch process, which is surprisingly frequent. Once a vulnerability with an internal or external application has been identified, how is a patch issued, and how quickly is the fix implemented? The issue is that the processes are not reoccurring as frequently as they should, leaving a window of opportunity for an attacker to compromise the system with known vulnerabilities. FOXMOLE has also observed that the patch process does not address all layers, for example only the server patches are applied, but not the service-layer, the used frameworks or the applications are part of it.

Too often we see either a piecemeal approach that only addresses part of the network, or a reinvention of the wheel each time – as if a patch has never occurred before. With attacks more than likely to succeed at some point (however small), it is time to factor in how these would be remediated so minimize the chance of reoccurrence.

Insider threat often underestimated

In modern company culture that often stress (rightly) collaboration, assumption of best intent and HR/privacy guideline adherence, it can be hard to stress the need to factor in actions by a disgruntled employee. A Forrester Research report, “Understand the State of Data Security and Privacy,” showed that 25% of survey respondents the most common breach occurred in the past year at their company derived from abuse by a malicious insider. If that insider has privileged account access, the risk is particularly significant.

One failure FOXMOLE sees in this respect is a focus on policies and the main solution. Companies tend to protect against external threats;  they patch every external server-system (available from the internet) and do not do that for internal systems (same applies to hardening…). In the end, the important systems (which often are not available from the internet such as SAP, HR-Systems, Customer Analytics,…) are in a weak security state (default passwords on the databases, old patch levels…). This means that anyone with access to the local network (an insider, subcontractor) has a very soft target which enables them to steal the data. In addition, if employees can bring their own devices (subcontractors with own laptops) they normaly have administrative rights with them and can bring their own attack tools and have all the time to exploit systems and extricate data – since no corporate compliance tool will typically check these BYOD devices.

Poor password practices

This seems like an old “classic”, but these present issues in multiple ways. A recent study in Luxembourg revealed that over 40% of respondents would share their passwords in return for chocolate. The significance of handing over a password still seems not resonate. Sharing password for admin accounts may be convenient and time-saving but presents major risks. Another challenge is laziness in creating passwords themselves, with “123456” or “welcome” remaining popular and of course easily hackable choices. Whilst it is hard to remember a wealth of complex passwords in work and personal life, using “password” for example, is not the smartest idea.

Linked to this is the fact that few companies seem to enforce strong passwords, or do not store the passwords in a secure manner (bcypt, scrypt with salts). It is essential to combine strong password policies with frequent password change requirements that will decrease the selected passwords to avoid predictability! Recent research showed that 63% of confirmed data breaches involved weak, default or stolen passwords.

General awareness of security

This may seem like a catch-all topic, but it’s really just a simple mindset issue. It’s about taking care of the basics such as locking the desktop, vetting sub-contractors, challenging non-familiar faces, not allowing visitors to walk around the building unescorted and not leaving valuables in the office. One service FOXMOLE offers is the “evil cleaner”; which involves consultants spending five minutes in an employee’s office to see how much could be taken by regular office presence with bad intentions.

Adherence to manual approaches

In a app-driven world, it is still a shock to witness the lack of automating of security and the modeling of this all into all processes. Addressing human weaknesses such as errors, laziness, absence of a repeated and consistent approach through automation is essential as the type, volume and complexity of security threats increase. FOXMOLE has observed on multiple occasions an absence of a defined, transparent and robust security framework.

There are no doubt many other common failings – look out for some more observations in a future blog!