Is your password putting you at risk?

One major cause of data breaches is the stolen password. Once hackers have an email address and password, a world of possibilities are open to them. The dangers are not just limited to the account they have access to. Their hacker’s next steps usually include not only selling the details to other criminals but also “credential stuffing”; taking the login details for one account and trying it on others. Imagine if your ISP account was hacked – your work email, online shopping and other accounts most people possess would be targeted.

Companies would do well to introduce Two Factor or Multi-Factor Authentication to protect their employee and customer digital identities. Put simply, this requires another authentication criteria to be satisfied before granting access to a site or account. Many large corporates are turning to 2FA to help derisk their customer’s exposure to a data theft. Sony Playstation, Apple, Instagram, and Gmail all offer this additional security measure.

Simply put Two Factor Authentication, requires two out of three regulatory-approved authentication variables such as:

  • Something you know (such an email password).
  • Something you have (the physical bank card or an authenticator token, which can be hardware or digital).
  • Something you are (biometrics like your finger print or iris pattern).

The majority of attacks come from remote connections and 2FA can make distance attacks much less of a threat because accessing passwords is not sufficient for access and it is unlikely that the attacker would also possess the physical device associated with the user account. Take the Dropbox account holder hack for example. Hackers are unlikely to take your credentials and use them successfully on a second website if they are asked to provide a unique one-off code. It’s just too much work for them unless the gains are incredibly high. Each additional authentication factor makes a system more secure. Because the factors are independent, compromise of one account should not lead to the breach of others.

If your employer has a significant online presence, I would urge them to explore the potentials gains of 2FA. Of course KeyIdentity offers multiple solutions here, but irrespective of vendor the key principle is passwords alone are insufficient to provide adequate safeguards in the face of threats are expanding in scope and volume. Authentication should be able to perform whether you are online or offline, and in way that minimises user disruption. One of my favorite examples is Blizzard, the company who create games such as World of War Craft and Diablo, have a free authenticator, and it seems to work very effectively.

To sum up, if you want to avoid data about yourself, your company or organization and your customers being accessed:

  • Make your password non predictable and use unique passwords for each and every application
  • Check the privacy settings on any social media accounts, and turn them on if you haven’t already
  • Don’t use real birthdays and other identifiable data unless you really need to. Receiving a “Happy Birthday” email from a loyalty card provider a few days early or late is preferable to sharing a major personal identifier.
  • Do not enter easy answers to password forgetten questions. Best case choose something as answer that has nothing to do with the question at all. An example: What is the name of your dog? Answer:”I love companies that makes it so easy to attackers to steal my identity”.
  • Explore the benefits for 2FA or MFA inside your organization and look for it when you sign up for a new online service or similar.

Lastly, stay alert to any news of data breaches and immediately change your password or create a new account if you believe you have been affected. Don’t forget to also consider where else you may have used the same password and personal details. Hackers are constantly trying to get the better of us, so don’t give them any extra chances to succeed.

 

Why it’s time to revisit your red and blue team approach

Anyone who has read the recent news of Yahoo’s data breach which affected around 500 million accounts will probably have questioned their own organization’s ability to defend itself against external attacks of all sorts.

The task of maintaining defences in the face of constant threats is often partly owned by two IT security groups, the “red”and “blue” team.:

Red: focused on testing the effectiveness of the organization by acting as hackers, using penetration testing techniques to identify and expose vulnerabilities. They will use offensive tools and use SQL injection, scan the network and be familiar with firewall and router commands.

Blue: take the role of defending the organisation, being constantly vigilant and ready to respond to any attacks. They will be expected to recognize unusual patterns, behaviours or outliers, and establish how and where attacks are about to take place. The blue team monitors the systems such as the central log file management system and  scans this for signs of attempted entry.

Whilst this role playing is a familiar exercise, there are potentially dangers if the approach is not regularly reviewed:

  • The mindset and culture developed in an organisation over time can inhibit fresh thinking both in terms of where and how to typically attack, and equally defend against these attacks. It does not prepare teams for a concerted attack by strangers who have no respect for the system.
  • Teams can become stuck in their ways and “go through the motions”, repeating similar attacks to the last role play.
  • As Einstein once said, “We can’t solve problems by using the same kind of thinking we used when we created them”. Unless exceptional, over time, many employees become conditioned by their surroundings and view situations based on their perception of established norms, and the prevailing culture. This can restrict fresh thinking and lead to a narrow testing focus.

    There a number of activities which can help keep the red/blue team sharp and effective:

  • Regular rotation: it is recommened to switch parts of each group g. 50% change sides on a frequent basis. This improves cross-team skills and also creates a view on how „the other half think“.
  • Full debriefs: after each game play has taken place, each team should explain and document how they were successful (either in attacking or defending), so learnings are formalised and captured.
  • Continuous learning: funds and time permitting, create an education budget for each team member where they can choose to attend a conference, external course or online learning and increase their knowledge base. It demonstrates investment in talent and also assists team morale.
  • Incentivise: introduce a trophy that is passed between teams (e.g. for not being hacked this quarter/half year etc), with the red and blue team exchanging ownership based on which was successful in the last role play.
  • Review the team composition: typically in a team of 10 people, three would be responsible for IT Sec Engineering, 5-7 would take a SecOps/Incident response (usually outsourced) role, and two would act as pen testers. How does your team’s make-up look?
  • Explore 3rd party participation: a real attacker doesn’t play by the rules or follow established thinking, and is going to overlook any rule, etiquette, company guidelines and ethical issues. Sometimes a genuine outsider approach is needed that does the unexpected, not permitted, daring or simply blindsides the blue team.

FOXMOLE’s penetration testing team has extensive experience in responsibly attacking client sites to identify weaknesses, whether based on an open brief or a speciifc area of concern.

The greatest opportunity offered by commissioning an external group is the discovery of pervasive, underlying vulnerabilities that have not been addressed as these were simply not on the radar. Remedial action plans can be developed in conjunction with clients, with scheduled progress review points.