If I were a betting man, I’d place a wager that some of you reading this article re-use the same password for multiple online services: online banking, enterprise email, your personal Gmail account, Twitter, Facebook, Google+, and Skype (to name but a few).
Don’t worry, you’re not alone: you share an affliction with many millions of people around the world – and even as a security professional, I’ll admit that until a few years ago, I was guilty of the same. Why do we do it? Well, that’s simple: it makes it easy to remember. Unfortunately, it also makes the job of the hacker much easier than if we had different passwords for each account.
And while many online services recommend (and many enterprise authentication policies mandate) that users establish passwords that are not “dictionary based” – using a combination of seemingly-random letters, numbers, and special characters – I’m also going to have a guess that many of you utilize either text fragments or entire passwords that are readily available in a dictionary. Again, you’re not alone, and probably did this to make it easy to remember when either online services or your enterprise IT team kept increasing the minimum size of your passwords.
You’re probably wondering what the point of all this is – other than to make you very nervous about your choice of password. Some of you might already be changing them as you read the rest of this post, which is good. The point I’m making is that many high-profile cyber attacks succeed by cracking weak passwords and exploiting insecure (though unintentional) user behavior. All too often, user credentials – coupled with poorly enforced authentication – become the weak link in the cyber attack chain.
One of the most recent glaring examples of this is the voicemail hacking that a number of News Corporation journalists, as well as private detectives in the UK, are alleged to have carried out. Why were the voicemail boxes of celebrities and politicians so easy to access? While some of these voicemail systems were exploited through a call routing vulnerability within carriers’ phone systems, in many cases it was because voicemail PINs had not been changed from their default (and publicly known) value.
Of course, the fact is that good authentication and complex passwords are not going to stop every attack; as I’ve long said, there is no such thing as 100% security, and those that claim there is should be treated with caution. It’s also not realistic to expect that these life-long habits will change overnight. There is, however, a good case to be made for better user education and security awareness. Encouraging users to be vigilant when choosing their access passwords – especially those with privileged access to mission critical systems – can dramatically slow down an attack and provide security analysts with telltale signs that an attack is being attempted.
In an environment where more applications are accessed on an increasing number of devices – many of them mobile – improving on-boarding and off-boarding processes such as closing down unused accounts and removing all access privileges associated with them as employees change roles or leave the organization is crucial. Adopting a policy (with enforcement) where dictionary-based passwords are banned, as Hotmail has recently done, can also reduce the risk of unauthorized access. And of course, it goes without saying that providing multifactor authentication and access to multiple systems through a single complex authentication process (such as via SSO) can also reduce the risks considerably.
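To make the "ban dictionary-based passwords" policy concrete, here is an added example of the kind of check an enrollment or password-change endpoint can run. It is not code from the original post or from any product mentioned in it. The tiny word list and the leetspeak substitution table are constructed for illustration; a real deployment would load a full dictionary or breached-password list, and the length and character-class thresholds are assumptions, not a recommendation drawn from the post. The check goes slightly beyond the text by normalizing common substitutions (0 for o, @ for a, and so on) so that "Summer2012!" is still rejected as dictionary-based.

```python
import re

# Constructed mini word list for the example; a real check loads a full
# dictionary or breached-password list (one lowercase word per line).
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "letmein", "company"}

# Common letter-for-symbol substitutions undone before the dictionary check.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12      # assumed policy value
MIN_FRAGMENT = 4     # ignore very short words such as "a" or "the"


def normalize(password):
    """Lowercase the password and undo leetspeak substitutions."""
    return password.lower().translate(LEET_MAP)


def dictionary_fragments(password, dictionary=DICTIONARY, min_len=MIN_FRAGMENT):
    """Return the dictionary words (at least min_len chars) that appear as a
    substring of the normalized password, so 'Summer2012!' still fails."""
    norm = normalize(password)
    return sorted(w for w in dictionary if len(w) >= min_len and w in norm)


def check_password(password, dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 character classes")
    frags = dictionary_fragments(password, dictionary)
    if frags:
        problems.append("contains dictionary word(s): " + ", ".join(frags))
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2012!", "P@55w0rd-2019", "Tr0ub4dor&3-xq9L"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Rejecting on substring matches rather than whole-word equality is what catches the "dictionary word plus a year and a symbol" pattern the post describes; the trade-off is a higher false-positive rate on long passphrases, which is why the fragment length floor exists.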
As I said earlier, there is no such thing as 100% secure; that means credentials will be compromised, and bad things will happen within the context of trusted users. One final suggestion to mitigate this risk: implement continuous monitoring to identify when unusual activity is occurring, especially within the context of highly privileged users.
For example, correlating authentication logs with other, non-event based data – such as system configuration changes, network traffic and performance metrics – can make the difference between identifying when a user has simply “fat-fingered” their password on Tuesday morning after a long holiday weekend, or their credentials have been compromised and are being used to egress critical, confidential data out of your network.
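As an added example of the correlation described above (not code from the original post), the script below reads three constructed log feeds, SSH authentication events, a configuration-audit record and per-user outbound flow records, and assesses every successful login. Failed attempts followed by a success are treated as the benign "fat-fingered" case; a success from an unfamiliar network, outside working hours, followed within a window by a configuration change and a large outbound transfer is what raises it to an alert. The log formats, the per-user "known networks" table, the 30-minute window, the working-hours range and the 100 MiB egress threshold are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events for illustration only (not real log data).
AUTH_LOG = """\
2012-03-06T08:01:10 sshd bastion: Failed password for jsmith from 10.0.5.23 port 51022
2012-03-06T08:01:25 sshd bastion: Failed password for jsmith from 10.0.5.23 port 51023
2012-03-06T08:01:40 sshd bastion: Accepted password for jsmith from 10.0.5.23 port 51024
2012-03-06T02:14:02 sshd bastion: Failed password for dbadmin from 203.0.113.77 port 40001
2012-03-06T02:14:05 sshd bastion: Failed password for dbadmin from 203.0.113.77 port 40002
2012-03-06T02:14:09 sshd bastion: Accepted password for dbadmin from 203.0.113.77 port 40003
""".splitlines()
CONFIG_LOG = """\
2012-03-06T02:20:30 auditd dbserver: user=dbadmin changed /etc/ssh/sshd_config
""".splitlines()
NETFLOW = """\
2012-03-06T02:25:00 flow dbserver: user=dbadmin dst=198.51.100.9 bytes_out=734003200
2012-03-06T08:30:00 flow bastion: user=jsmith dst=10.0.9.14 bytes_out=120000
""".splitlines()

AUTH_RE = re.compile(r"^(\S+) sshd \S+: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")
CONFIG_RE = re.compile(r"^(\S+) auditd \S+: user=(\S+) changed (\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow \S+: user=(\S+) dst=(\S+) bytes_out=(\d+)$")

# Assumption: each user's normal source networks come from an asset inventory.
KNOWN_NETWORKS = {
    "jsmith": [ipaddress.ip_network("10.0.5.0/24")],
    "dbadmin": [ipaddress.ip_network("10.0.0.0/8")],
}
WORK_HOURS = (6, 20)                    # assumed local working hours
EGRESS_THRESHOLD = 100 * 1024 * 1024    # assumed: 100 MiB outbound is unusual
WINDOW = timedelta(minutes=30)          # assumed correlation window


def parse(lines, regex):
    """Turn matching lines into tuples (timestamp, field, field, ...)."""
    out = []
    for line in lines:
        m = regex.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return out


def assess(auth_lines, config_lines, flow_lines):
    """Return {user: (verdict, reasons)} for each successful login."""
    auth = parse(auth_lines, AUTH_RE)        # (ts, result, user, ip)
    config = parse(config_lines, CONFIG_RE)  # (ts, user, path)
    flows = parse(flow_lines, FLOW_RE)       # (ts, user, dst, bytes)
    findings = {}
    for ts, result, user, ip in auth:
        if result != "Accepted":
            continue
        reasons = []
        fails = [a for a in auth if a[2] == user and a[1] == "Failed"
                 and ts - WINDOW <= a[0] < ts]
        if fails:
            reasons.append(f"{len(fails)} failed logins before success")
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in KNOWN_NETWORKS.get(user, [])):
            reasons.append(f"login from unfamiliar source {ip}")
        if not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
            reasons.append("login outside working hours")
        changes = [c for c in config if c[1] == user and ts <= c[0] <= ts + WINDOW]
        if changes:
            reasons.append("configuration change shortly after login: "
                           + ", ".join(c[2] for c in changes))
        egress = sum(int(f[3]) for f in flows
                     if f[1] == user and ts <= f[0] <= ts + WINDOW)
        if egress > EGRESS_THRESHOLD:
            reasons.append(f"{egress} bytes sent outbound within {WINDOW}")
        # Failed attempts alone are the fat-finger case; it takes at least two of
        # the other indicators to call it a likely credential compromise.
        serious = len(reasons) - (1 if fails else 0)
        findings[user] = ("ALERT" if serious >= 2 else "INFO", reasons)
    return findings


if __name__ == "__main__":
    for user, (verdict, reasons) in assess(AUTH_LOG, CONFIG_LOG, NETFLOW).items():
        print(f"{verdict:5} {user}: " + "; ".join(reasons))
```

The point of the example is the join: each feed on its own produces the noisy signal the post warns about (a couple of failed logins, one config edit, one large transfer), and only by correlating them per user and per time window does the early-morning dbadmin session stand out from jsmith's Tuesday-morning typo.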