Triple-I Blog | Despite warnings, weak password policies still invite cybercrime



Max Dorfman, Research Writer, Triple-I

This is Cyber Security 101: multifactor authentication and strong passwords are table stakes for preventing intrusions.

Yet “password,” “12345” and “Qwerty123” remain among the most common passwords leaked on the dark web by hackers, according to mobile security firm Lookout. And no matter how much attention the issue gets, the situation doesn’t seem to be improving.

A study by EY, the U.K.-headquartered consulting firm, found that only 48 percent of government and public-sector respondents said they were “most confident in their ability to use strong passwords at work.” The problem is illustrated by a recent study by the Office of the Inspector General of the U.S. Department of the Interior (DOI), the agency responsible for managing federal lands and natural resources.

Hacking DOI was relatively easy

In less than two hours, and at a cost of only $15,000, the Office of the Inspector General recovered “clear text” (unencrypted) passwords for 16 percent of user accounts. In total, 18,174 of 85,944 active user passwords (21 percent) were cracked, including 288 accounts with elevated privileges and 362 accounts belonging to senior U.S. government employees.

Much of this problem, according to the report, stems from a lack of multifactor authentication, combined with password complexity requirements so weak that unrelated employees ended up using the same easily guessed passwords. The Office of the Inspector General found that:

  • DOI does not consistently implement multifactor authentication;
  • Password complexity requirements are outdated and ineffective; and
  • The department did not disable inactive accounts in a timely manner or enforce password age limits, leaving more than 6,000 additional active accounts vulnerable to attack.

The most commonly reused password was in use on 478 unique active accounts. The investigators found that five of the 10 most-used passwords at DOI were a variation of “password” combined with “1234.”
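To make the Inspector General’s method concrete, here is an added example (not code from the Triple-I post or the OIG report) of the kind of offline password audit a security team can run against its own directory before an attacker does. It takes a list of accounts with password digests, tries a small wordlist with mangling rules built around the “password” + “1234” pattern the OIG found, and then reports the share of accounts cracked, which privileged accounts fell, how often one cleartext is shared by unrelated accounts, and how many of the cracked passwords would still have satisfied a typical legacy complexity rule. The account list is constructed sample data, the unsalted SHA-256 digest stands in for whatever hash format the real directory used (the post does not name it), and the wordlist and rules are an illustrative subset of what a tool such as hashcat would apply.

```python
"""Offline password audit, modelled on what the DOI Inspector General did.

Added example; not code from the Triple-I post or the OIG report. Assumptions:
  * the directory stores unsalted SHA-256 digests (a stand-in for the real hash
    format, which the post does not name),
  * the account list below is constructed sample data,
  * the wordlist and mangling rules are a small illustrative subset.
"""
import hashlib
import itertools
import re
from collections import Counter


def sha256_hex(password: str) -> str:
    """Unsalted digest: one hash per guess can be checked against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample: (username, has_elevated_privileges, password digest).
SAMPLE_ACCOUNTS = [
    ("alice", True,  sha256_hex("Password-1234")),
    ("bob",   False, sha256_hex("Password-1234")),   # same weak password as alice
    ("carol", False, sha256_hex("password1234")),
    ("dave",  True,  sha256_hex("Qwerty123")),
    ("erin",  False, sha256_hex("Winter2023!")),
    ("frank", False, sha256_hex("c7Rt!x9#pQ2mLw")),  # long random password, should survive
]

# Tiny wordlist plus mangling rules: the DOI top 10 were "password" + "1234" variants.
BASE_WORDS = ["password", "qwerty", "welcome", "winter", "summer"]
SEPARATORS = ["", "-", "_", "@"]
SUFFIXES = ["", "1", "123", "1234", "12345", "!", "1234!", "2023", "2023!"]

# A typical legacy complexity rule: at least 8 characters with upper, lower and a digit.
LEGACY_COMPLEXITY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$")


def candidates():
    """Yield cleartext guesses: case variant x separator x suffix for each base word."""
    for word in BASE_WORDS:
        for cased in (word, word.capitalize(), word.upper()):
            for sep, suffix in itertools.product(SEPARATORS, SUFFIXES):
                if sep and not suffix:
                    continue  # a trailing separator alone is not a realistic guess
                yield f"{cased}{sep}{suffix}"


def crack(accounts, guesses):
    """Dictionary attack against unsalted digests: hash each guess once, then do a
    single dictionary lookup per account. Returns {username: cleartext}."""
    lookup = {sha256_hex(guess): guess for guess in guesses}
    return {user: lookup[digest] for user, _priv, digest in accounts if digest in lookup}


def passes_legacy_complexity(password: str) -> bool:
    """True if the password would have satisfied the outdated complexity rule above."""
    return LEGACY_COMPLEXITY.match(password) is not None


def audit(accounts=SAMPLE_ACCOUNTS):
    """Summarise the crack the way the OIG did: share cracked, privileged accounts
    cracked, the most-reused cleartext, and which cracked passwords were still
    'compliant' with the legacy complexity rule."""
    cracked = crack(accounts, candidates())
    privileged = {user for user, priv, _digest in accounts if priv}
    reuse = Counter(cracked.values())
    return {
        "total": len(accounts),
        "cracked": len(cracked),
        "cracked_pct": round(100 * len(cracked) / len(accounts)),
        "privileged_cracked": sorted(user for user in cracked if user in privileged),
        "most_reused": reuse.most_common(1)[0] if reuse else None,
        "cracked_but_compliant": sorted(
            user for user, pw in cracked.items() if passes_legacy_complexity(pw)
        ),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Two points the output makes that the numbers in the post only imply: because the digests are unsalted, every guess is hashed once and tested against all accounts at the same time, which is why a large directory can fall in hours rather than weeks; and most of the cracked passwords here (“Password-1234”, “Qwerty123”, “Winter2023!”) pass the legacy upper/lower/digit rule, so a complexity requirement alone tells you nothing about how guessable a password is. A blocklist of common patterns and a minimum length, plus MFA, are the controls that would actually have changed these results.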

Simple passwords make hacking easier

With the average person holding more than 100 different password-protected online accounts, it’s understandable that people reuse passwords. But simple, reused passwords make it far easier for hackers to access personal data and accounts.

“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the risk issues for most organizations,” said Gaurav Banga, CEO and founder of cybersecurity firm Balbix. In 2020, Balbix found that 99 percent of enterprise users recycle passwords, either between work accounts or between work and personal accounts.

A growing risk

“The cost of ransomware attacks has increased as criminals target large enterprises, supply chains and critical infrastructure,” global insurer Allianz said in its 2023 Risk Barometer report. “In April 2022, an attack affected about 30 institutions of the Costa Rican government, paralyzing the country for two months.”

The global insurer continues, “Double and triple extortion attacks are now the norm…. Sensitive data is increasingly being stolen and used as leverage to extort money from business partners, suppliers or customers.”

Part of this growth is due to the rise of “ransomware as a service,” a subscription-based business model that lets affiliates use existing ransomware tooling to carry out attacks. Modeled on “software as a service,” it enables bad actors to hit their targets without knowing how to code or having to hire unscrupulous programmers themselves.

Changing targets

Michael Menapace, an insurance attorney with Wiggin and Dana LLP and a Triple-I Non-Resident Scholar, told participants at Triple-I’s 2022 Joint Industry Forum, “Ransomware is alive and well as a business model.”

What has changed in recent years, he said, is that “where bad actors would encrypt your computers and extract a ransom to return your data, now they will exfiltrate your data and threaten to make it public.”

The types of targets have also changed, Menapace said, with an increased focus on “soft targets—especially municipalities,” which often don’t have the staff or funds to maintain the same cyber hygiene as large corporations.

Organizations and individuals must take the threat of cyber attacks seriously and do as much as possible to reduce their risk. Improved cyber hygiene policies and practices, starting with multifactor authentication and passwords that are long, unique and screened against common patterns, are a necessary first step.

