Over the last two months, four businesses have approached me for support in managing their security breaches. In each case, common themes have prevailed:
- Each company had a Chief Information Security Officer (CISO) or other individuals with ownership of information security.
- Each security breach was not spotted until clients reported suspicious activity.
- Compromised passwords lay at the root of each breach.
- Each business had a limited understanding of the risks associated with inappropriate password controls.
My concern and frustration rose because each breach was easily preventable. This blog post aims to identify each mistake and outline the framework and security processes (https://freshsec.com/security-frameworks) that could have prevented them.
It is common for a business to have a person or group of people responsible for cybersecurity. However, merely having a CISO or Data Protection Officer is not enough to make a company more secure on its own.
In all the recent cases, I asked the business and person responsible for cybersecurity these questions:
- What is your scope for cybersecurity?
- What do you see as your critical assets, and how are you protecting them?
- What are the top security risks your business is facing?
- How do you group and organize cyber risk?
Each business failed to answer these questions or to understand how or why it might be targeted. As a result, they did not know what made them vulnerable or how a successful attack might impact them.
Therefore, it is clear that having a person responsible for cybersecurity does not automatically mean a business is protected. Nor does it imply they have understood the risks and taken appropriate action to prevent them. Cybersecurity requires a team effort, not just a CISO or Data Protection Officer. To be successful, a cybersecurity team must draw on all levels of the business and have the ability to reduce risk in every area.
As a side note, a trend I have seen in the industry is the number of people joining cybersecurity and taking leadership roles with limited knowledge of the field. As a result, they are unable to present and explain the cyber risks associated with the business.
The Security Breach Went Unidentified
The attack methods common to all of my previous engagements were credential reuse and password spraying, both of which target usernames and passwords. In credential reuse, an attacker takes credentials that were exposed elsewhere and uses them to access systems and applications owned by the business. Because the attacker logs in with valid credentials, they look like a genuine user, and the breach stays invisible for as long as those credentials remain valid.
A standard way of obtaining such credentials is password harvesting: collecting credentials exposed in earlier breaches and traded on the web.
The second method, password spraying, tries a short list of common passwords against many accounts. It often succeeds because many people use the same common passwords across their personal and business accounts. It is also hard to trace, particularly where protective monitoring focuses on each account separately: every account sees only one or two failed logins, which looks like nothing more than a mistyped password.
Three of the four businesses had enabled password complexity in Active Directory, but this did not protect them from these attacks. It did make passwords harder for users to remember, which encouraged password reuse rather than defending against it.
None of the four businesses required multi-factor authentication, two-factor authentication, or one-time passwords (OTPs) for remote access.
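The monitoring gap described above (a per-account view sees one failed login per account and nothing else) can be shown in a few lines. The following is an added example, not code from the original post or from Fresh Security; it runs over a constructed authentication log whose line format (`<timestamp> AUTH_OK|AUTH_FAIL user=<name> src=<ip>`) is an assumption made for the example. It contrasts a lockout-style per-account check with a per-source check that counts distinct accounts attacked inside a time window, and lists successful logins from a flagged source as the accounts to investigate first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). The line format is an
# assumption chosen for this example: "<ISO timestamp> <RESULT> user=<name> src=<ip>".
# 203.0.113.5 sprays one password across five accounts and lands on "frank";
# 198.51.100.7 is a real user who mistyped twice and then logged in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z AUTH_FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02Z AUTH_FAIL user=bob src=203.0.113.5
2024-03-01T09:00:03Z AUTH_FAIL user=carol src=203.0.113.5
2024-03-01T09:00:04Z AUTH_FAIL user=dave src=203.0.113.5
2024-03-01T09:00:05Z AUTH_FAIL user=erin src=203.0.113.5
2024-03-01T09:00:06Z AUTH_OK user=frank src=203.0.113.5
2024-03-01T09:05:00Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T09:05:30Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T09:06:00Z AUTH_OK user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def per_account_alerts(events, max_failures=5):
    """Lockout-style check: accounts whose failed logins reach max_failures.
    A spray of one password across many accounts never trips this."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "AUTH_FAIL":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= max_failures)


def spray_alerts(events, window=timedelta(minutes=10), min_accounts=5):
    """Spray check: a source whose failed logins touch min_accounts or more
    distinct accounts inside a sliding time window. Successful logins from a
    flagged source are returned as the accounts to investigate first."""
    fails_by_src = defaultdict(list)
    ok_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "AUTH_FAIL":
            fails_by_src[e["src"]].append(e)
        else:
            ok_by_src[e["src"]].add(e["user"])

    alerts = {}
    for src, evs in fails_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[src] = {
                    "accounts_tried": sorted(users),
                    "logins_to_investigate": sorted(ok_by_src[src]),
                }
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-account alerts:", per_account_alerts(events))
    print("spray alerts:", spray_alerts(events))
```

With the default thresholds the per-account check reports nothing, because no single account fails more than three times, while the per-source check flags 203.0.113.5 and points at "frank" as the login to examine. In practice the same grouping can be done on other pivots (user-agent, ASN, target application) since sprays are often spread across many source addresses.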
Limited Visibility Of Password Risks
Today, it is common for businesses to have several breakout points for data access, applications, and systems. These may be internal systems or third-party services consumed from the cloud.
I was surprised that none of the businesses had considered the relationship between these breakout points and the attacks. Nor had they mapped their suppliers, service providers, partners, cloud services, critical data feeds, staff, and customers. This meant nobody had reflected on what data was being stored or consumed at each breakout point, who was accessing it, and from where.
Building this understanding, and ensuring its maintenance, is critical to securing appropriate responses.
In each case, data access, systems, and applications were protected only by a simple username and static password. Even when changed every 30, 60, or 90 days, passwords of this kind present a low barrier to attackers, allowing them to quickly dismantle a business.
What Would A Hacker See About Your Company?
I will be following up with more blogs providing a blueprint for managing cyber risks. In the meantime, I highly recommend that all businesses consider the risks of having weak password controls and the impact of password spraying.
This can seem complicated — that's why Fresh Security like to keep things simple. We offer a security service that will help you see your business and its vulnerabilities through the eyes of a hacker, and then give you real-time insights in a language you can understand. Sound good? Take a deep breath and check out how much you're exposing.