October is National Cyber Security Awareness Month. Cyber Security Awareness is something that should not be limited to just the month of October. But, this month’s “national designation” gives me an excuse to turn the knob to “eleven” and get up on an even taller soapbox!
Today, I’m talking passwords. Specifically, “Age and Re-use.”
IMHO two of the biggest contributors to a systems breach are passwords that don’t change, and those that are re-used between systems. Even though vendors, service providers, and your employee/users know the risks and consequences, they continue to re-use and leave passwords unchanged. Years of experience assessing systems shows that their “convenience” can put us all at risk.
Let’s face it, managing multiple identities and credentials can be hard. People don’t want to remember passwords, so they find something they think is clever (and perceived to be uncrackable) and use it everywhere. What many don’t realize is even the most seemingly complex passwords have probably been harvested somewhere in some breach and published, allowing for password spraying attacks to be more successful.
Default passwords such as, Username = “admin” Password = “password”, are still something that we need to be concerned with. However, many systems no longer approve simple passwords, and/or are forcing the user to change the default at first login. Thus, we now must also be worried about well-known substitutions for the popular defaults, like Username = ”Admin” Password = “@Dm1n!123”
The COVID-19 pandemic has made working remote the norm, which means there is more remote access to systems and data than ever before. Many organizations have simply added remote access without properly segregating their internal systems and data from VPN users. Additionally, the move to cloud-based office apps like Google Suite, or MSOffice365 makes online passwords even more of a brass ring for attackers. More than 90% of all companies using 0365, use the domain credentials to connect to 0365, and something as simple as one set of harvested credentials from a single user who fell for a phishing email can allow attackers to compromise 0365 and enumerate domain memberships quickly. (Domain Enumeration – it’s not a bug, it’s a feature).
So now that I’ve got you thinking about passwords that you’ve re-used, now what?
Two simple words: Change it! I mean literally change it right now!
Now, read-on for more useful tips on how to protect your organization.
- Change Passwords Often
Force users to change their password every 45-60 days – 90 days max if you don’t want to inconvenience your users but still want to improve security. If using Microsoft Active Directory, set a domain policy that forces frequent password changes, password complexity, and limits password re-use by remembering at least 24 previous passwords.
- Implement MFA (Multi Factor Authentication)
There is no such thing as a “silver bullet” when it comes to cyber security. But, if there was one thing that comes close, MFA is it. Even if a user’s credentials are compromised, MFA adds a second layer challenge, and without access to the second layer, the login fails. Microsoft and Google will soon require MFA for all administrative activity in their respective cloud platforms. (Google Cloud Platform (GCP), Microsoft Azure).
- Protect Application and Service Accounts
Application and service accounts usually run with a higher set of privileges, making them a prime target for the bad guys. (Both internal and external threats – a topic for another blog post).- Review your service accounts and make sure you give the accounts only the permission they need (Principle of Least Privilege (POLP)).
- For service accounts that can’t be changed, choose very complex, long passwords and do not re-use across systems.
- Use a password vault to keep track of service account credentials.
- Security Awareness Training for Employees
The goal isn’t simply to raise your employee’s security awareness. Increased employee awareness changes behaviors that could put your organization at risk.- Don’t bore your teams annually with long drawn out trainings
- Awareness and behavioral change best happen through reinforcement of a common theme using quick simple messages, media, and lots of repetition.
- Shake it up!
- Offer prizes for completing tasks – taking a training, performing system updates etc.
- Involve them in your campaign.
- The goal isn’t to scare people into compliance. It’s to educate them of the risks and the critical role they play in protecting systems and data.
For more information about Cyber Awareness and what Netgain can do to assist you in putting these protections in place, contact us today.