The UK’s National Cyber Security Centre recently released a list of the 100,000 most common passwords. To say I cringed would be an understatement. 23.2 million accounts are still using ‘123456’ as a password, with people’s names, favourite football teams and favourite bands also among the most common choices.
Perhaps there’s still a perception amongst us that we’re anonymous – there’s no way a hacker (who is otherwise a stranger) could find that information out. Sadly, that’s just not true. And we know this because we put that theory to the test at a cybersecurity event hosted by Probrand, where we saw just how willing people were to give sensitive data away.
The ‘data for donuts’ test
To set the scene, the event was predominantly made up of UK security professionals. To start with, we asked people questions which were conversational on the surface, but which ended with people inadvertently sharing sensitive information.
‘How long have you been in the cybersecurity industry?’ led on to, ‘Oh, that’s a while. When were you born? What’s your date of birth?’
Or, ‘How are you finding the day? Got any plans afterwards?’ If someone mentioned they had to pick up the kids from school, we’d ask them what their children’s names were and how old they were, with one person even showing photos of their children.
We also asked people more direct questions as part of a formal survey, offering them a donut in exchange for answering questions such as ‘what football team do you support?’
Whether asking questions transparently as part of a survey, or trying to adopt more hacker-type methods, it was alarming to see how easy it was to get people’s data. If this is the response we’re getting from IT security professionals, then what chance does the average business or employee have?
Getting past the password
While there was an element of ‘set-up’ at our expo, this is nothing compared to the methods hackers will adopt to access sensitive information. And it’s only getting worse. Part of the reason for this is that we’re now using different types of IT and devices. It’s not just Windows PCs; we have Macs, iPads, iPhones, Android devices, Chromebooks… The way we use these devices means they are permanently online – and that’s also influencing the way we access our software and data.
For example, most businesses now use the cloud to store their data, and this is a fantastic opportunity for cybercriminals to access sensitive files all in one spot. Often, all that stands between an attacker and that data is a password.
You might think that guessing passwords is fiddly and time-consuming. But it’s so much easier than trying to get past something like a Microsoft Firewall, which has much stronger defences.
The worrying part, of course, is what hackers do once they get that password. One tactic we’re seeing more of is the set-up of an ‘email rule’ which sends them a copy of the email at the same time you receive it. This means they’re getting real-time access to things like business processes and invoices. The instantaneous aspect means hackers can replace an invoice with a duplicate that’s identical in look and feel – but which has the hacker’s bank details instead of the targeted business’s.
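As an added example (not part of the original article), the following audit flags the kind of mailbox rule described above: an enabled rule that copies or redirects mail to an address outside the company domain, with an extra warning when the rule also hides the original. The rule record layout, the company domain `example.com` and the sample rules are all constructed for illustration.

```python
# Added example: audit exported inbox rules for the auto-forwarding tactic.
# Record layout, company domain and sample data are constructed assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

COMPANY_DOMAIN = "example.com"  # assumed tenant domain


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None


def is_external(address: str, domain: str = COMPANY_DOMAIN) -> bool:
    """True if the address belongs to a domain other than the company's."""
    return address.lower().rsplit("@", 1)[-1] != domain.lower()


def audit_rules(rules, domain: str = COMPANY_DOMAIN):
    """Return (mailbox, rule name, reasons) for each enabled rule that sends
    mail outside the organisation; note when it also hides the trail."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        targets = [a for a in r.forward_to + r.redirect_to if is_external(a, domain)]
        if not targets:
            continue
        reasons = [f"sends copies to external address {a}" for a in targets]
        if r.delete_message:
            reasons.append("deletes the original, hiding the copy from the user")
        if r.move_to_folder and r.move_to_folder.lower() in {"rss feeds", "archive", "deleted items"}:
            reasons.append(f"moves the original to rarely read folder '{r.move_to_folder}'")
        findings.append((r.mailbox, r.name, reasons))
    return findings


# Constructed sample export: one legitimate internal copy, one attacker-style
# rule with a single-character name, one disabled leftover.
SAMPLE_RULES = [
    InboxRule("finance@example.com", "Team copy", True, forward_to=["ap-team@example.com"]),
    InboxRule("finance@example.com", ".", True,
              forward_to=["invoices.backup@mail.example.net"], move_to_folder="RSS Feeds"),
    InboxRule("ceo@example.com", "Old forward", False, redirect_to=["me@mail.example.net"]),
]

if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

In practice the same check would run over a periodic export of every mailbox's rules, so a rule created with a stolen password is caught without waiting for a user to notice missing invoices.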
Employing a zero-trust policy
Enough of the bad stuff. What can businesses – and employees – do to protect themselves? The first step is to understand that, even if you take the best precautions, you can’t say the same for everyone else. In the past, you were relatively safe in thinking that the inside of your network was safe and lovely and that no-one could touch it. But with our data now stored in different locations, that’s simply no longer the case.
Field workers and sales teams use personal smartphones to log in to the company CRM, while BYOD and flexible working mean guests and employees are very likely to bring devices in and out of a business. It could be something as innocent as a USB stick, but we don’t always know the status of those devices. The ‘safe zone’ of the company network, as it used to be thought of, no longer applies.
This is where the concept of zero trust starts to creep in – one where we look at it from the perspective of assuming breach. A core aspect here is managing the risk profile and different elements of our IT – including the way users think and behave, as well as the devices they’re using.
Users and applications
When we talk about users, we’re not really talking about people using their phone or tablet. What they’re really using is software. Employees need to log on to that software every morning to do their job and this is where the subject of weak passwords raises its ugly head again.
Single sign-on solutions are great because they allow users to unlock multiple applications with a single username and password. But putting more of our data into well-known cloud applications like Office 365 also comes with risk, because these apps have become established locations for hackers to target (which is where those sneaky tactics, like email forwarding, can happen).
One simple way to secure the login process to a higher standard is to deploy two-step authentication which many business tools have built in for free. For example, using a password to log on to Dropbox, followed by a prompt to enter a six-digit security code that’s been sent to your phone.
While weak passwords are certainly attractive to hackers, they’re not the only way in, and organisations should also be considering the status of their devices. A good starting point is to establish a baseline against which to measure devices. Are they up to date? Is the antivirus and anti-malware running on that machine? Is the firewall active? Is encryption enabled?
This base profile can be refined for different devices in different scenarios: corporate-owned devices, BYOD, devices that are on or off the network, overseas, and so on.
If devices don’t measure up to that set of standards, businesses need to ensure they have a way of responding, one that is preferably automated. If, for example, the anti-virus software on a machine stops functioning properly, you don’t want a gap where the risk profile of that device is elevated and the device is left sitting there, vulnerable, waiting for an administrator to attend to it when they can.
Ask yourself if you’re happy to accept that higher level of risk or whether you want to do something to mitigate it – whether that’s introducing a system where the device has a lower level of access to company data during that time, or even cutting off access altogether.
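The baseline, per-scenario refinement and automated response described in the last few paragraphs can be expressed as a small policy evaluation. This is an added example, not code from the article or from Probrand; the posture fields, the two profiles (corporate and BYOD), the choice of encryption as the critical check and the sample devices are all assumptions for illustration.

```python
# Added example: evaluate device posture against a baseline and choose an
# automated response. Fields, profiles and thresholds are assumptions.
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Posture:
    device_id: str
    owner: str             # "corporate" or "byod" (assumed profile names)
    os_patched: bool
    antivirus_running: bool
    firewall_on: bool
    disk_encrypted: bool
    on_corporate_network: bool


# Baseline per scenario: the checks a device must pass for full access.
# BYOD devices cannot be held to the corporate AV product, so that check is
# dropped, but patching, a firewall and encryption are still required.
BASELINES = {
    "corporate": {"os_patched", "antivirus_running", "firewall_on", "disk_encrypted"},
    "byod": {"os_patched", "firewall_on", "disk_encrypted"},
}

# Checks whose failure cuts access entirely rather than merely reducing it.
CRITICAL = {"disk_encrypted"}


def failed_checks(p: Posture) -> Set[str]:
    """Return the baseline checks this device currently fails."""
    return {check for check in BASELINES[p.owner] if not getattr(p, check)}


def decide_access(p: Posture) -> Tuple[str, Set[str]]:
    """Map posture to (access level, failed checks) with no human in the loop.
    full: compliant. restricted: a non-critical gap such as AV having stopped,
    on the managed network. blocked: a critical gap, or any gap while the
    device is off the network where it cannot be remediated quickly."""
    failed = failed_checks(p)
    if not failed:
        return "full", failed
    if failed & CRITICAL or not p.on_corporate_network:
        return "blocked", failed
    return "restricted", failed


# Constructed sample fleet covering the scenarios mentioned in the article.
SAMPLE_DEVICES = [
    Posture("LAP-001", "corporate", True, True, True, True, True),     # compliant
    Posture("LAP-002", "corporate", True, False, True, True, True),    # AV stopped, on-site
    Posture("PHONE-07", "byod", True, False, True, False, False),      # unencrypted, remote
    Posture("LAP-003", "corporate", False, True, True, True, False),   # unpatched, overseas
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        level, failed = decide_access(device)
        print(f"{device.device_id}: {level} (failed: {sorted(failed) or 'none'})")
```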
It would be impossible to squeeze everything into one article, but the tactics I’ve talked about here are what every business should be doing as a minimum. The chat about passwords and cybersecurity may not be the sexiest, but the only way we’re going to end it is by taking better measures, sooner.
Mark Lomas, technical architect lead, Probrand