In the recent news, ransomware attacks struck Pitney Bowes, a huge mailroom and shipping technology company with more than 1.5 million customers.
Just before that, the FBI issued an alert on Oct. 2, 2019 to warn that, while broad-scale, untargeted ransomware attacks are decreasing, losses from ransomware continue to increase significantly.
Some people may see the big names of recent victims (Pitney Bowes, Arizona Beverages, Norsk Hydro, etc.), and relax their security posture, thinking that the hackers are only going after big corporations.
However, Silviu Stahie of SecurityBoulevard.com noted that this is one of the 10 Cybersecurity Myths That Criminals Love:
- This can’t happen to me
- I have a strong password; I’m safe
- I never browse online in unsafe locations, so I can’t get infected
- Security costs too much
- My data is not all that important; it doesn’t matter if I’m hacked
- I have an antivirus; I don’t need anything else.
- I would know if my computer or phone is infected
- Securing the networks and computers is enough
- Phishing is not dangerous, and I can spot it from a mile away
- I don’t even have a computer; I can’t be hacked.
This list is the IT equivalent of hiding under the bed; it’s time for a more mature security stance.
Recently, we covered micro-segmentation, and hinted at defense-in-depth.
Last week, we covered some basic phishing issues. This week, let’s return to an even more fundamental topic, which happens to be number 2 on the cybersecurity myths list: passwords.
The 2019 Verizon Data Breach Investigations Report revealed that 29% of all breaches, and 80% of hacking-related breaches, involve compromised, weak and reused passwords. This shocking statistic has only dropped by 1% since the 2017 Verizon DBIR report, which shows that we have a long way to go for improvement.
Losing & Reusing Passwords
LastPass, a password management company, cited the portion of the report that says “static credentials are the keys … password managers and two-factor authentication are the spool pins in the lock.”
However, it’s alarming to note that a recent survey showed 91% of users understand it is risky to reuse passwords, yet 61% of them do it anyway!
Why? Because passwords are hard to remember.
In fact, only 29% of respondents change their password for security reasons. Instead, the most common reason to change a password is because the user forgot it.
Sound familiar?
Hundreds of millions of users have had their passwords and usernames stolen in attacks on Yahoo, LinkedIn, and countless smaller data breaches.
HaveIBeenPwned.com provides an easy-to-use web-based service, for both individuals and companies, to check whether passwords, email addresses, or usernames have appeared in a breach. Effective IT managers and conscientious users periodically check whether their organization’s domain, or individual usernames or passwords, were compromised.
So, why should an organization care if MarySmith@companyabc.com had her email and password exposed in the LinkedIn breach? Because, very often, people use the same passwords for multiple accounts.
In fact, at least 27% of Americans use the same password for most or all of their accounts. That percentage increases to 40% for Americans between the ages of 18 and 34.
If MarySmith@companyabc.com reused her company password on LinkedIn, then hackers now have her username and password for CompanyABC.
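As an added illustration (not the article's own code), here is how an IT manager could check a candidate password against the Pwned Passwords data behind HaveIBeenPwned.com without ever sending the password itself: only the first five hex characters of its SHA-1 hash go to the public `range` API, and the match against the returned suffixes is made locally. The `fetch_range` URL is the real endpoint; the sample response body, its counts and the `offline_fetch` helper are constructed so the block runs offline.

```python
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint; only a 5-char hash prefix is sent to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple:
    """Return (first 5, remaining 35) upper-case hex chars of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix; 0 = not found."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (needs network access)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How often the password appears in the breach corpus; the full hash never leaves."""
    prefix, suffix = sha1_split(password)
    return breach_count_from_range(suffix, fetch(prefix))


# Constructed stand-in for a range response so the example runs offline.
# Both lines and their counts are made up; only the second suffix comes from a real hash.
_SAMPLE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",
    sha1_split("password")[1] + ":12345",
])


def offline_fetch(prefix: str) -> str:
    """Returns the constructed body regardless of prefix (offline demo only)."""
    return _SAMPLE_RANGE


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch))
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count means the password has already been exposed and should be rejected.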
Best Practices For Password Protection
While a typical employee will complain that he or she does not have access to enough important data for a weak or exposed password to matter, IT professionals know better.
Recently, we illustrated how email phishing becomes far more effective when sent from an internal address, and how just one compromised user account provides an opening for hackers to attack an organization.
So, what can you do to improve user passwords?
1) Upgrade your password requirements
The traditional password standard requires a minimum of 8 characters mixing lower case, upper case, numbers and special characters, and the policy typically recommends changing passwords every 90 days.
However, Lorrie Cranor, chief technologist of the FTC, recommends changes to these classic rules. She cites researchers at UNC Chapel Hill who found that, for 17% of the student accounts, knowing the previous password allowed an attacker to guess the subsequent password in fewer than 5 guesses.
When people have to change their passwords regularly, they rely upon patterns to help them remember their passwords. This reliance, in turn, leads to a proliferation of easy-to-break passwords such as sPr!ng2020.
Cranor favors changing passwords infrequently: changes should primarily be made when there is reason to believe a password may have been stolen.
Additionally, by using passphrases instead of passwords, users can increase the quality of their passwords, and improve their ability to memorize the passwords without relying upon patterns.
While a long stream of random numbers and letters remains more secure than a passphrase, it only makes sense to use one in conjunction with a password manager. If memorizing the password is required, then a passphrase of four or five words may be a more practical solution.
However, it’s recommended that users avoid quotations, personal information, and incorporating common words into the passphrase.
While it may be difficult to enforce unique passwords in the organization through policy alone, it is possible to run a password cracker on employee passwords to check them for obvious issues. This can either be done as a specific project, or incorporated as part of a larger Red Teaming exercise that tests the organization’s full security program.
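An added example (not from the article) that turns the guidance above into a check a help desk or onboarding script could run: space-separated input is judged as a passphrase and must have four words, anything else must meet the classic 8-character minimum, and the check flags the season-plus-year pattern (sPr!ng2020), common password words, supplied personal information, and a new password merely derived from the previous one (the UNC finding). The thresholds, the leet mapping and the tiny blocklist are assumptions; a real deployment would use a full breached-password list.

```python
import re

MIN_LENGTH = 8      # the classic minimum the article cites (assumed default)
MIN_WORDS = 4       # "a passphrase of four or five words"
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
# Tiny constructed blocklist; a real deployment would use a full breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "login"}
# Undo the usual symbol/digit-for-letter swaps so sPr!ng and P@ssw0rd read as words.
LEET = str.maketrans({"!": "i", "1": "i", "0": "o", "@": "a", "$": "s", "3": "e", "4": "a"})


def normalize(text: str) -> str:
    return text.lower().translate(LEET)


def letter_core(text: str) -> str:
    """Letters only, after dropping the trailing digits/symbols people like to increment."""
    return re.sub(r"[^a-z]", "", normalize(re.sub(r"[\W\d_]+$", "", text)))


def is_season_year(password: str) -> bool:
    """Detects the sPr!ng2020 family: a (possibly leet-spelled) season followed by a year."""
    m = re.fullmatch(r"(.+?)\W*(\d{2,4})\W*", password)
    return bool(m) and normalize(m.group(1)) in SEASONS


def derived_from(new: str, old: str) -> bool:
    """True when the new password is the old one with only a changed suffix or an added affix."""
    a, b = letter_core(new), letter_core(old)
    return bool(b) and (a == b or (len(b) >= 4 and b in a))


def evaluate(password: str, previous: str = "", personal: tuple = ()) -> list:
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    words = password.split()
    if len(words) > 1:                       # spaces present: judge it as a passphrase
        if len(words) < MIN_WORDS:
            problems.append(f"passphrase has fewer than {MIN_WORDS} words")
    elif len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_season_year(password):
        problems.append("season+year pattern")
    norm = normalize(password)
    if any(word in norm for word in COMMON_WORDS):
        problems.append("contains a common password word")
    for item in personal:                    # e.g. the user's name or employer
        if len(item) >= 3 and normalize(item) in norm:
            problems.append(f"contains personal information ({item})")
    if previous and derived_from(password, previous):
        problems.append("derived from the previous password")
    return problems
```

Running `evaluate("sPr!ng2020")` reports the seasonal pattern, while the article's own bad passphrase "password1PASSWORD!passwordpassword" is caught by the common-word check despite its length.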
2) Improve your security to protect passwords
Users must be reminded not to reuse, share, or write down their passwords, and not to enter them where other people can watch.
Furthermore, using a reliable password management tool makes managing passwords easier and more reliable. Password managers allow users to store complex and lengthy passwords without committing them to memory.
You can then require frequent password changes without worrying that users will reuse passwords or rely on patterns.
Another related technology is single-sign-on, or SSO.
SSO tools allow users to cut down on the number of passwords they need to create because they share authentication information (e.g., when a user ‘signs in’ using Google or Facebook IDs to access other websites).
While SSO tools do not improve password strength directly, they limit the number of passwords required, thus simplifying the log-in process for supported websites and applications.
3) Use multi-factor authentication
Many major breaches could have been prevented by using multi-factor authentication.
In fact, no matter how robust your organization’s policy, bad things happen.
Perhaps someone uses “password1PASSWORD!passwordpassword” as his passphrase. Or, maybe someone steals an executive’s laptop while she’s traveling, and her password file was open in Microsoft Word.
Multi-factor authentication mitigates the impact of the nearly inevitable leak. It requires the use of security tokens, text messages, or biometrics, in addition to the user’s ID and password in order to provide access.
Without these additional factors, the leaked password won’t provide a hacker with much value.
The Right Support
No matter which methods you use to support your network’s protection, you should always have a great support team by your side.
The Ideal Integrations team provides network design options to fit a wide spectrum of needs and budgets. We work with your team to identify your needs and adjust the functionality & performance of your network.
Also, our cybersecurity division, Blue Bastion, provides Red Teaming, which gives you external validation of your security program – including password strength tests, vulnerability assessments, and breach simulation.
Be confident in your network, and in your cybersecurity.
For a risk-free consultation, contact us today by completing the form below, or by calling us at (412) 349-6680.
Building Networks & Partnerships. We are on Your Side.