To hack or not to hack?

Asking companies for their password policy on a regular basis, I find that many organizations have no strict policy on passwords, which results in an immediate risk to the organization. Microsoft’s security best practice advice is to let passwords expire every 30 to 90 days, to enforce a password history of 12-24, to require a minimum length of 7 characters, and to apply the five password complexity categories. However, users often have upwards of 7 sets of credentials, which leads them to write down these complex passwords in order to remember them. Research by PwC shows that employees and business partners are responsible for 60% of data breaches. Other studies indicate that this percentage is much higher. The password is still the weakest link and, therefore, passwords are the greatest risk of data leaks.
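The thresholds quoted above (and the Server 2012 baseline recommended under the second level below) can be checked against a live domain. The following script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module and a domain-joined account permitted to read the default domain policy.

```powershell
# Added example, not from the original article: audit the Active Directory default
# domain password policy against the thresholds quoted in the text (expiry 30-90 days,
# history 12-24, minimum length 7, complexity enabled). Assumes the ActiveDirectory
# RSAT module and a domain-joined account allowed to read the domain policy.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        # Output object of Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] $Policy,
        [int]$MinExpiryDays   = 30,
        [int]$MaxExpiryDays   = 90,
        [int]$MinHistoryCount = 12,
        [int]$MinLength       = 7
    )
    $findings = @()

    # MaxPasswordAge is a TimeSpan; a zero TimeSpan means passwords never expire.
    $ageDays = [int]$Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0) {
        $findings += "Passwords never expire; expected $MinExpiryDays-$MaxExpiryDays days"
    } elseif ($ageDays -lt $MinExpiryDays -or $ageDays -gt $MaxExpiryDays) {
        $findings += "MaxPasswordAge is $ageDays days; expected $MinExpiryDays-$MaxExpiryDays"
    }
    if ($Policy.PasswordHistoryCount -lt $MinHistoryCount) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); expected at least $MinHistoryCount"
    }
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); expected at least $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is false; complexity rules should be enforced"
    }
    return $findings
}

# Read the effective default domain policy and report every deviation from the baseline.
$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @(Test-DomainPasswordPolicy -Policy $policy)
if ($findings.Count -eq 0) {
    Write-Output "Default domain password policy meets the stated baseline."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override this default for specific users or groups and should be audited the same way.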

Robert S. Mueller (Director of the Federal Bureau of Investigation) recognizes the threats companies in this era are facing: “We must continue to build our collective capabilities to fight the cyber threat…we must share information…we must work together to safeguard our property, our privacy, our ideas, and our innovation.”

Most users have multiple accounts on the Internet, each protected with a password. To avoid the headache of remembering a long list of different passwords, users often simply reuse the same password for multiple accounts. The predominant HTTP basic authentication protocol makes this common practice dangerous. An attacker can easily steal users’ passwords and gain access to personal and business data, as well as to high-security servers, as seen with the Sony hack in 2014.

The methods most used to steal passwords are:

– Man in the middle: stealing the password during an HTTP post (which also covers fake websites and phishing emails),
– Physically “watching over the shoulder”, which can also be done via smartphones or other recording devices, and abuse after a password has been lent out,
– Cracking databases (incidents such as NASA, Citibank, New York Times, US Military, Sony),
– Keyloggers (often on public computers),
– Most common of all, guessing the password or utilizing the default password (this includes voicemail systems and ICS, as in an incident with the British Royal Family).

The reason for the lack of attention to password issues is that the design and implementation of these policies are often in the hands of system administrators. This group is capable but lacks the time to map out a complete overview of passwords and policies. A strict password policy is key to a robust information security policy. Therefore, password policies deserve the CIO’s attention.

CIOs and IT managers can resolve these issues on several levels:

– First level: Stop using (one) default password
o The worst thing a company can do is use a default password that includes the company’s name. Secondly, not changing the password at first logon is lethal.

– Second level: Increasing the network’s password complexity
o At minimum, adopt the Microsoft Windows Server 2012 default password policy
o Use a password complexity tool to manage the complexity rules in all systems.

– Third level: Password unity
o Having one password for different systems is not the best solution; however, synchronizing them prevents the password from being stolen and makes impersonation directly visible. Password synchronization tools synchronize the password between the various systems securely.

– Fourth level: Eliminate impersonation
o Adopt a self-service reset password portal which challenges the end user while changing their password. Most tools offer a two-factor challenge which is one of the most secure methods available these days.

– Fifth level: Single Sign-On
o There are many tools available for Single Sign On: Enterprise Single Sign-On (E-SSOM), Authentication Management (Two-factor authentication), Automated Logon (a password vault for the different systems), and IDaaS (Identity as a Service). These solutions increase the security and ensure a safe way to access and distribute identity in the local (on premise) network as well as in the cloud.