As a sector that is constantly evolving, cybersecurity has all too often been characterised as a complex and technical subject that requires mystical tools and magical potions to solve businesses' security issues. As a result, infosecurity vendors have generated a lot of white noise, all convincingly promising to solve these issues with a slightly different approach, albeit in the same convincing tone. However, most of the time these security experts forget that today's breaches are usually caused by the simplest of things. There is a clear demand from businesses for straightforward, no-nonsense guidance on how best to protect their users, customers and clients.
With this in mind, let’s explore the real issues that organisations really need to focus on in order to make a difference to their cybersecurity practices.
Capital One’s recent data breach was disclosed in late July. Customers of the bank were hit by one of the largest data breaches in banking history, with an estimated 100 million individuals affected in America alone. This is one of many data privacy violations that have cropped up in recent months.
We decided to do some research on what the main contributing factors were to hacks on the enterprise in 2018. To summarise, about 30% of the breaches we examined could be categorised as accidental. Insecure endpoints played a major role within these breaches, but what failed to feature were typical exploit kits, phishing and social engineering. Vendors are telling businesses to assess endpoint security problems; however, they don’t have a solution to offer. Systems are fundamentally vulnerable at the endpoint, so organisations need to implement tools and approaches to strengthen security here, and address the threats targeting them. Endpoint monitoring is one such avenue, but it may be different for your enterprise – there is no one-size-fits-all in cybersecurity.
Cracking the password
At SecureData, we also conducted an investigation into password complexity and policy effectiveness across our customer base. We explored which passwords were used most frequently by users within an organisation, as well as password uniqueness, length, and how company policies (or lack thereof) are compromising password security. From our data of 1,642,697 unique passwords, about 80% could be cracked. This is despite the majority of users choosing alphanumeric passwords typically between 8 and 12 characters long.
Why were they still crackable? Although passwords were longer, we found many were still following predictable formats. A portion of passwords contained month names, for example. The reason for this is that users are often forced to change passwords on a monthly basis, so they simply keep part of the password the same and tag on the name of the month in which they updated it. Additionally, almost half of all passwords ended in digits: ‘123’ and ‘789’ were the most common endings.
Businesses clearly need better enforcement practices, such as password complexity. However, employee education surrounding security threats and best practices for online behaviour and privacy is key in reducing the likelihood of a breach caused by poor password hygiene.
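The patterns above (month names appended after forced rotation, digits tacked on the end, alphanumeric-only choices) can be checked for in a password audit. The following is an added example, not SecureData's own tooling; the sample passwords and the 12-character policy minimum are constructed for illustration.

```python
import re
from collections import Counter

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Full names listed first so "july" is reported rather than "jul"; case-insensitive.
MONTH_RE = re.compile("|".join(MONTHS + [m[:3] for m in MONTHS]), re.IGNORECASE)
TRAILING_DIGITS_RE = re.compile(r"\d+$")
MIN_LENGTH = 12  # assumed policy minimum for this audit

# Constructed sample, not data from any real audit.
SAMPLE_PASSWORDS = [
    "Welcome1", "CompanyJuly2019", "Summer123", "Tr0ub4dor&3",
    "correct-horse-battery-staple", "P@ssw0rdAug", "Password789",
]

def audit_password(pw):
    """Return the weak-pattern findings for one password (empty list = none)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("short")
    m = MONTH_RE.search(pw)  # rotation artefact: users append the month of the change
    if m:  # a 3-letter hit such as "mar" inside "Marco" is a false positive to review
        findings.append("month:" + m.group(0).lower())
    d = TRAILING_DIGITS_RE.search(pw)  # "123" and "789" were the most common endings
    if d:
        findings.append("trailing-digits:" + d.group(0))
    if re.fullmatch(r"[A-Za-z0-9]+", pw):
        findings.append("alphanumeric-only")
    return findings

def audit_corpus(passwords):
    """Count how many passwords show each pattern and which digit suffixes recur."""
    pattern_counts = Counter()
    suffixes = Counter()
    for pw in passwords:
        for finding in audit_password(pw):
            kind, _, value = finding.partition(":")
            pattern_counts[kind] += 1
            if kind == "trailing-digits":
                suffixes[value] += 1
    return pattern_counts, suffixes
```

Run this over cracked or policy-test passwords (never over plaintext production credentials you are not authorised to hold) to see which rotation and suffix habits a policy change or training should target.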
As passwords overall can be a relatively weak means of protection, password policy should be complemented by other controls such as MFA. Rather than just asking for a username and password, MFA requires multiple credentials to verify a user’s identity. Nowadays you cannot responsibly secure data, protect your business or your employees on the internet without using some form of MFA.
Hacking the basics – typosquatting
Along with cracking passwords, typosquatting is big business for hackers. It targets internet users who incorrectly type a web address into their browser, e.g. ‘Googlle.com’ instead of ‘Google.com’. When users mistype domains, they may be led to an alternative website owned by a hacker. All the hacker needs to do is buy a DNS domain associated with a brand and use an algorithm to predict how humans mistype things, such as doubled or transposed letters and missing dots. From this, they can predict what those mistakes will be and then register the corresponding DNS domains. UK domains can be bought for less than a pound, meaning it is possible for anyone to become a hacker with the right knowledge.
As an example, SecureData set up an experiment with a number of enterprise customers to see how effective typosquatting actually is, and was able to extract important data ranging from banking information, copies of HR contracts, transaction details from buyer to seller etc. This illustrates typosquatting as a cheap and simple hack to implement.
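From the defender's side, the same mistyping patterns (doubled or swapped letters, a dropped dot) can be matched against outbound proxy logs to spot staff reaching lookalikes of the company's own domain. This is an added example, not part of the experiment described above; the brand domain `example.com` and the log lines are constructed.

```python
import re

# Assumed brand domain and constructed proxy log lines (not real traffic).
BRAND_DOMAIN = "example.com"
PROXY_LOG = [
    "2019-08-01T09:12:03Z src=10.0.0.5 host=www.example.com path=/login",
    "2019-08-01T09:12:41Z src=10.0.0.7 host=www.exampel.com path=/login",
    "2019-08-01T09:13:10Z src=10.0.0.9 host=wwwexample.com path=/",
    "2019-08-01T09:14:22Z src=10.0.0.5 host=mail.google.com path=/",
    "2019-08-01T09:15:05Z src=10.0.0.11 host=examplle.com path=/hr/contracts",
]

def levenshtein(a, b):
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Naive: last two labels. Production code should use the Public Suffix List
    # so that names under co.uk and similar are handled correctly.
    return ".".join(host.split(".")[-2:])

def lookalike_reason(host, brand=BRAND_DOMAIN):
    """Return why host resembles a typosquat of brand, or None if it does not."""
    host = host.lower().rstrip(".")
    if host == brand or host.endswith("." + brand):
        return None  # the brand itself or one of its own subdomains
    label = registrable(host).split(".")[0]
    brand_label = brand.split(".")[0]
    dist = levenshtein(label, brand_label)
    if dist <= 2:  # doubled, dropped or swapped letters
        return "edit-distance:%d" % dist
    if brand_label in label:  # e.g. a dropped dot: wwwexample.com
        return "embedded-brand"
    return None

def scan_proxy_log(lines, brand=BRAND_DOMAIN):
    """Return (host, reason) for every log line whose host looks like a typosquat."""
    hits = []
    for line in lines:
        m = re.search(r"\bhost=(\S+)", line)
        if m:
            reason = lookalike_reason(m.group(1), brand)
            if reason:
                hits.append((m.group(1).lower(), reason))
    return hits
```

Hits from this scan are a starting point for blocking the lookalike at the proxy and for deciding which variants of your own domain are worth registering defensively.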
Add to this workstation hacking, and attacks incorporating offensive AI and machine learning (on which we have also conducted independent research), and it seems no organisation is immune to cyberattacks.
Fail to prepare, prepare to fail
Although these issues may not be as well-known as the zero-day exploits we read about in the papers, the potential of these basic attacks is vast. Gartner estimates that worldwide cyber defence spending could hit $114 billion (about €102 billion) in 2019, as organisations try to combat cybercrime alongside the compliance requirements of GDPR. However, before companies open the chequebook, it is clear the basics of cybersecurity need to be understood.
At SecureData we understand the fundamentals of infosecurity. We know that getting those essentials right could spell the difference between safety and catastrophe. We know which ‘essentials’ work for different companies, and how best they can implement policies and approaches into their organisation. We also know that showing the effectiveness of simple cyberattacks through original, proprietary research is often the best way to demonstrate the potential for damage should these basics not be addressed.
However, organisations need to recognise that cybersecurity doesn’t have to be as complex and difficult to implement or manage as some vendors have had businesses believe. For more information on how SecureData can help protect your business, why not contact us today?