If GCHQ says it then it must be right, right?

What happens if GCHQ advice is questionable or goes directly against the direction the majority of industry is heading?

When GCHQ gives advice on cybersecurity everybody sits up to listen. But what happens if that advice is questionable or goes directly against the direction the majority of industry is heading? Many businesses won’t prioritise cybersecurity investment above the other competing demands on their resources, but clearly it is an important issue and one that should be on the radar of every C-Suite executive.  

The GCHQ argument on passwords was that attackers mostly use breached data sooner rather than later, so the benefit of regular password changes is limited. So are they right? Well, first let’s explore how passwords have developed. Originally, we only had one or two passwords we had to worry about so people would come up with all kinds of things. Eventually, we needed to make them a bit more complex (harder to guess), but that created a culture where people would write down their password and keep it somewhere near their computer. 

How are they getting in?

Realising this was bad (and watching the movie "Ferris Bueller's Day Off" where he used that to log in to the school computer), people started using slightly more complex passwords; but they were still fairly short. The advent of Rainbow Tables (large databases of encrypted passwords that you could compare to the stored encrypted passwords on computers) meant all an attacker needed to do was to get access to the system and get the database. 

No decryption or brute force password guessing required: just compare the password database against the Rainbow Table and voila - you now have everyone's passwords. Finally, we moved to a culture where I think everyone just kind of gave up, as well as being overwhelmed with all the sites and all the passwords you had to remember. People now either have very simple passwords or very complex passwords, but there is a lot of password reuse. 
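The comparison described above, and the storage scheme that defeats it, as an added example that is not part of the original article. It uses a plain precomputed lookup table as a simplified stand-in for a real rainbow table (which compresses the same idea with hash chains); the user names, passwords and candidate list are constructed, and per-user salting with PBKDF2 is a mitigation the article itself does not discuss.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for the huge
# wordlists a real precomputed table is built from.
CANDIDATES = ["password", "letmein", "Summer2016!", "qwerty123"]
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted_hash(password):
    """Fast, unsalted digest: the storage scheme that precomputation defeats."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}

def recover_unsalted(stored, table):
    """Compare stored digests with the table; no guessing at lookup time."""
    return {user: table[h] for user, h in stored.items() if h in table}

def salted_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)

def demo():
    # Constructed user store: alice and bob chose the same weak password.
    users = {"alice": "letmein", "bob": "letmein", "carol": "x9$Lq!vT2#rW"}
    table = build_lookup_table(CANDIDATES)

    unsalted_store = {u: unsalted_hash(p) for u, p in users.items()}
    recovered = recover_unsalted(unsalted_store, table)

    salted_store = {u: salted_hash(p) for u, p in users.items()}
    # The same table finds nothing: every digest depends on a random salt.
    hits = [u for u, (_, d) in salted_store.items() if d.hex() in table]
    same = salted_store["alice"][1] == salted_store["bob"][1]
    return recovered, hits, same

if __name__ == "__main__":
    print(demo())
```

With unsalted digests, both weak passwords fall to a single dictionary lookup and the two identical passwords are visibly identical in the store; with salted digests the precomputed table is useless and identical passwords no longer share a stored value.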

You tend to find a "good" password that meets all the rules and restrictions that websites put on you and you use it over and over again so you can easily remember it. I have even heard talk of changing policy to allow people, once again, to write down their password so they make it more secure but can remember it: our physical security is more trusted than our ability to generate good passwords for all the various sites of which we are members. This brings us to the GCHQ guidance. 

When you look at how attackers are getting in, I think GCHQ's guidance makes sense...for the most part. They *should* have gone into more instruction around password reuse and why it is bad: an attacker gets one set of credentials (recent Yahoo! breach), and they now have access to multiple accounts. They just have to try the most popular websites with your credentials. Additionally, there is the use of password storage software, like LastPass. GCHQ should have recommended and provided more guidance on the use and protection of these systems.   

Cybersecurity under spotlight

It will be interesting to see the effect the guidance has on the security of passwords. I think it will drive the industry to utilise capabilities like LastPass even more, but that, in turn, will drive even more targeting of secure password storage software. 

LastPass and companies like it will become the targets of attackers looking for large databases of user credentials (as LastPass was in mid-2015). The key point for most businesses to take away from all the publicity around cybersecurity hacks is that it is an issue that must be focused on by senior decision makers within every organisation. 

Utilising the best technology and making sure common sense security principles are followed throughout the organisation will ensure that security is maintained. A lack of attention, investment or knowledge can have a devastating impact upon an organisation. Cybersecurity is under the spotlight like never before because of major breaches, so make sure your organisation is secure against all the threats out there.  

Jonathan Couch, SVP of Strategy, ThreatQuotient
