IT Governance recently reported that 1.34 billion personal records were breached in November 2019 alone, across 87 separate security incidents. Throughout the year, some of the biggest and most well-known brands, including Facebook, Adidas, British Airways and Ticketmaster, have been subjected to cyber-attacks. More recently, the UK Labour Party experienced what a spokesperson for the party described as a “sophisticated and large-scale” cyber-attack. Whether it is an airline, a political party or a university, no organisation is immune, and every one of them should consider itself fair game for the cybercriminals behind the relentless stream of security incidents that floods media outlets globally. But is there method in the breach madness? What can we learn from recent breaches that would let organisations be more proactive and comprehensive in defending against attack? Authentication is a good place to start.
As the number of data breaches rises and incidents are reported more frequently, we should be looking at who is being targeted. The high-profile breaches are the ones we hear about regularly, but smaller organisations shouldn’t rest on their laurels: SMEs are being targeted by cybercriminals too. Certain sectors, including government and healthcare, seem to be hit more often than others. And although it is almost impossible to predict a cyber-attack, arguably most businesses are not doing enough to prepare themselves. For example, according to the FireEye M-Trends annual report, 56% of organisations that experienced a significant cyber-attack in the last year and a half were targeted a second time in that period. That is a significant rise from the 38% reported in 2013, and it suggests that businesses aren’t taking action even after they have been targeted. So what are they currently doing?
At SecureData, we recently undertook an audit of the significant data breaches of 2018, and it revealed some interesting trends in their causes. One of the most surprising figures was that 20% of the breaches were accidental, including incidents in which IT staff inadvertently disclosed sensitive or confidential information to unauthorised parties.
The audit showed that the top two factors behind these significant breaches were weak authentication and insecurely built in-house applications. Weak authentication alone accounted for 42% of the breaches and was the root cause of attacks on a number of well-known companies, including FedEx, Tesla and Swisscom.
With this in mind, the SensePost team conducted a security assessment, penetration testing our own networks under a variety of attack scenarios. The team imitated the moves of an attacker, starting with open sources such as LinkedIn to build a list of likely employees, and therefore likely usernames, on the company system. It then ran a horizontal brute-force attack (often called password spraying: a handful of likely passwords tried against many accounts, rather than many passwords against one account, which keeps every account below its lockout threshold) to find a user whose password could be guessed or predicted. It is worth noting that the compromised user had followed the rules: the password complied with the policy in both length and complexity.
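The horizontal attack described above has a recognisable footprint in authentication logs: one source failing against many different usernames, with only a few attempts per user, which is the opposite shape from a classic brute force against a single account. The detector below is an added example, not SensePost's tooling or code from the original article. The log line format, the sample lines, the 30-minute window and the thresholds of five distinct users or eight attempts are all constructed assumptions; adapt the regex to your own authentication events.

```python
"""Flag horizontal brute force (password spraying) in authentication logs.

Added example, not SensePost's tooling or code from the original article.
The log format, the sample lines and the thresholds are all constructed
assumptions; adapt the regex to your own auth events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth.fail user=<name> src=<ip>"
FAIL_LINE = re.compile(r"^(?P<ts>\S+) auth\.fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(lines):
    """Return (timestamp, user, source) for every failed login; other lines are ignored."""
    events = []
    for line in lines:
        m = FAIL_LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=30), min_users=5, min_attempts=8):
    """Classify each source by its worst sliding window of failures.

    A spray shows as many distinct usernames from one source with few attempts
    per user; a vertical brute force shows as many attempts against one user.
    Returns {src: (kind, distinct_users, attempts)} for flagged sources only.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        peak_users = peak_attempts = 0
        j = 0
        for i in range(len(evs)):
            # Extend j to cover every event within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            in_window = evs[i:j]
            peak_users = max(peak_users, len({u for _, u in in_window}))
            peak_attempts = max(peak_attempts, len(in_window))
        if peak_users >= min_users:
            findings[src] = ("password_spray", peak_users, peak_attempts)
        elif peak_attempts >= min_attempts:
            findings[src] = ("vertical_brute_force", peak_users, peak_attempts)
    return findings


# Constructed sample: one spraying source, one vertical brute force, one user
# who simply mistyped a password twice (and one successful login to be ignored).
SAMPLE_LOG = [
    "2019-11-12T09:00:01 auth.fail user=a.adams src=10.0.0.5",
    "2019-11-12T09:03:10 auth.fail user=b.brown src=10.0.0.5",
    "2019-11-12T09:06:22 auth.fail user=c.clark src=10.0.0.5",
    "2019-11-12T09:09:40 auth.fail user=d.davis src=10.0.0.5",
    "2019-11-12T09:12:55 auth.fail user=e.evans src=10.0.0.5",
    "2019-11-12T09:16:03 auth.fail user=f.frost src=10.0.0.5",
    "2019-11-12T09:01:00 auth.ok user=g.green src=10.0.0.7",
    "2019-11-12T09:02:00 auth.fail user=g.green src=10.0.0.7",
    "2019-11-12T09:02:30 auth.fail user=g.green src=10.0.0.7",
] + [f"2019-11-12T09:30:{5 * i:02d} auth.fail user=j.smith src=10.0.0.9" for i in range(8)]


if __name__ == "__main__":
    for src, (kind, users, attempts) in detect(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {kind} ({users} users, {attempts} failures in 30 min)")
```

Note the caveat a spraying attacker relies on: paced at one guess per account every few minutes, the source never trips a per-account lockout, which is why the detection has to key on the source (or, against an attacker rotating source addresses, on the number of distinct accounts failing with the same cadence) rather than on any single user's failure count.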
However, the team found that password length on its own seemed to have a negligible impact on security: 88% of the passwords cracked were 8-12 characters long, at or above the minimum most policies require. So why were so many passwords so easy to crack? For one thing, it was not just the user mentioned above whose password could be easily guessed. Of the nearly 650,000 passwords cracked in the audit, over 60,000 used some variation of the word ‘password’. Similarly, over 40,000 contained a month of the year, and perhaps most shockingly, 52% of all the passwords ended with one, two or three digits.
So why do we keep creating passwords that are so easy to crack? The most obvious answer is that they are quicker and easier to create and simpler for the user to remember. Another is that, because we are forced to meet a set of password parameters, for example numbers, special characters and upper- and lower-case letters, we automatically produce structured passwords: a capitalised dictionary word, a digit or two and a symbol at the end. Cracking tools model exactly that structure with word lists and mangling rules, so the parameters themselves may open the door to attackers. Organisations and businesses therefore need to rethink their password requirements in a way that satisfies both the convenience of the user and the security requirements of the company. Obviously, authentication is just one small piece of an ever-growing security puzzle, but by starting with the basics, the things you absolutely can control, organisations can avoid ending up in the headlines for the simplest of security mistakes.
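The figures quoted for the cracked list (variations of ‘password’, month names, a one-to-three-digit suffix, the 8-12 character range) and the observation that the compromised account's password was policy-compliant can both be reproduced from a plaintext list with a short script. The one below is an added example, not SensePost's tooling or code from the original article; the sample passwords are constructed, and the policy it checks against (8 characters, three of four character classes) is an assumption about a typical corporate rule rather than the policy from the assessment. Its "compliant but predictable" count is the point of the paragraph above in numbers: passwords that pass the rules and still fall to a word list plus a rule.

```python
"""Audit a cracked-password list for the patterns described above.

Added example, not SensePost's tooling or code from the original article.
The sample passwords are constructed for illustration, and the policy
thresholds (8 characters, three of four character classes) are an assumption
about a typical corporate rule, not the policy from the assessment.
"""
import re
from collections import Counter

# Full month names anywhere, or a common abbreviation at the start followed by
# a non-letter, so "January1!" and "Sept2019" count but "Marcus1" and "Mayhem!" do not.
MONTH = re.compile(
    r"january|february|march|april|june|july|august|september|october|november|december"
    r"|^(?:jan|feb|mar|apr|may|jun|jul|aug|sept?|oct|nov|dec)(?![a-z])"
)
# Exactly one to three trailing digits ("Password1", "Welcome123"); a four-digit
# year suffix such as "Summer2019" is a different habit and is not counted here.
TRAILING_DIGITS = re.compile(r"(?<!\d)\d{1,3}$")
# Undo the substitutions people use to satisfy complexity rules (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def is_policy_compliant(pw, min_len=8, min_classes=3):
    """Typical corporate rule: min_len characters using min_classes of
    lower, upper, digit and symbol."""
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and classes >= min_classes


def weak_patterns(pw):
    """Return the set of weak-pattern labels that apply to one password."""
    low = pw.lower()
    tags = set()
    if "password" in low.translate(LEET):
        tags.add("password_variant")
    if MONTH.search(low):
        tags.add("month")
    if TRAILING_DIGITS.search(pw):
        tags.add("trailing_1_to_3_digits")
    return tags


def audit(passwords):
    """Tally the patterns across a cracked list (a Counter, plus the total)."""
    counts = Counter()
    for pw in passwords:
        tags = weak_patterns(pw)
        counts.update(tags)
        if 8 <= len(pw) <= 12:
            counts["length_8_to_12"] += 1
        if is_policy_compliant(pw):
            counts["policy_compliant"] += 1
            if tags:
                counts["compliant_but_predictable"] += 1
    counts["total"] = len(passwords)
    return counts


def report(counts):
    """Render the tally as percentages of the list, like the figures in the text."""
    total = counts["total"]
    return "\n".join(f"{key:26s} {n:6d}  ({100 * n / total:5.1f}%)"
                     for key, n in sorted(counts.items()) if key != "total")


# Constructed sample standing in for a cracked list (one password per entry).
SAMPLE = [
    "Password1", "P@ssw0rd!", "Pa55w0rd", "Welcome123", "Summer2019", "January1!",
    "Qwerty12", "Liverpool1", "letmein", "Sept2019", "Tr0ub4dor&3", "correcthorsebatterystaple",
]

if __name__ == "__main__":
    print(report(audit(SAMPLE)))
```

Feed it the recovered plaintexts from your own cracking run, one per entry, to get the equivalent percentages for your organisation; on the constructed sample, ten of the twelve passwords pass the assumed policy and nine of those ten still match at least one of the predictable patterns.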
For more information on corporate passwords and how to fortify your authentication defences, check out our blog here. And don’t hesitate to get in touch if you would like to talk about how we can help your organisation shut out attackers before they get a foot in the door, as part of a more comprehensive offensive and defensive security strategy for 2020.