During the past two months, I have been approached by four different businesses to help and support them through security breaches that have occurred. In each case, there have been common themes:
- Each company had a CISO or a person that had ownership of information security
- Each security breach went unidentified until clients reported suspicious activity
- Password compromise was the root cause of each security breach
- Each business had limited visibility of the risks of not using appropriate password controls
My concern and frustration arise from the fact that each breach could have easily been prevented by doing the basics.
My objective for this blog post is to identify each of the common mistakes, and outline controls and processes that could have been put in place to prevent each breach.
Cybersecurity Ownership
It is now becoming common for a business to have a person(s) responsible for cybersecurity. However, this does not mean a business is more secure because they have a person with a job title of CISO or data protection officer.
In each of the recent cases I asked the business and person responsible for cybersecurity the following questions:
- What is your scope for cybersecurity?
- What are the key assets that you are protecting?
- What are the top 10 security risks in your business?
- How do you categorize risk?
In every case, each business failed to answer any of the above questions and, more importantly, to understand how they might be targeted or why someone would want to target them. Moreover, they did not know what makes them vulnerable, and how a successful attack might impact them.
So, my point is having a person responsible for cybersecurity does not imply the business is secure, or that the risks have been understood and the appropriate actions taken. Cybersecurity requires a team effort across all levels of a business. Having a person who has a title of CISO or data protection officer with limited support and buy-in across the business will have limited to no effect on reducing the cyber-risk across the business.
On a final note, I am also noticing a trend of people moving into cybersecurity and data protection roles with limited knowledge of cybersecurity, and without the ability to clearly present and explain what risk is relative to the business.
The Breach Went Unidentified
During my engagements, the common attack methods used were credential reuse and password spraying, both of which target usernames and passwords. In a credential reuse attack, the attacker obtains valid credentials and then uses them to access systems and applications owned by the business. Once an attacker holds a valid credential they are effectively invisible to the business, because they are masquerading as a genuine user, and the breach stays hidden until it is noticed at a later date.
A common way for the attacker to obtain a user’s credentials is a phishing attack, or the use of exposed credentials that are openly available or traded on the web.
The second method is known as password spraying, whereby a short list of common passwords is tried against a large number of accounts. These attacks succeed because, in any large set of users, some will be using very common passwords, and because each account sees only one or two failed attempts, the activity slips under the radar of protective monitoring that only looks at each account in isolation.
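The monitoring gap described above is easiest to see with two rules run over the same authentication log. This is an added example, not code from the original post: the log format (`timestamp,source_ip,username,result`) and the sample entries are constructed, and the thresholds (five failures per account, five distinct accounts per source, ten-minute window) are assumed values, not recommendations from the post.

```python
"""
Password-spray detection over constructed authentication log lines.

Added example (not from the original post). It contrasts a per-account
failure threshold (the lockout-style monitoring that looks at each account
in isolation) with a cross-account rule keyed on the source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp,source_ip,username,result"
# format. 203.0.113.7 tries one password against many accounts (a spray) and
# succeeds on "grace"; 198.51.100.20 is a genuine user mistyping a password.
SAMPLE_LOG = """\
2024-01-15T09:00:01,203.0.113.7,alice,FAIL
2024-01-15T09:00:03,203.0.113.7,bob,FAIL
2024-01-15T09:00:05,203.0.113.7,carol,FAIL
2024-01-15T09:00:07,203.0.113.7,dave,FAIL
2024-01-15T09:00:09,203.0.113.7,erin,FAIL
2024-01-15T09:00:11,203.0.113.7,frank,FAIL
2024-01-15T09:00:13,203.0.113.7,grace,OK
2024-01-15T09:00:15,203.0.113.7,heidi,FAIL
2024-01-15T09:02:00,198.51.100.20,dave,FAIL
2024-01-15T09:02:10,198.51.100.20,dave,FAIL
2024-01-15T09:02:25,198.51.100.20,dave,OK
"""


def parse_log(text):
    """Parse the constructed log into event dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def per_account_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Lockout-style rule: flag a user with >= threshold failures in the window.
    Each account is judged on its own, so a spray (one or two failures per
    account) never reaches the threshold."""
    flagged = set()
    recent = defaultdict(list)  # user -> timestamps of recent failures
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(e["user"])
    return flagged


def spray_alerts(events, min_accounts=5, window=timedelta(minutes=10)):
    """Cross-account rule: flag a source that fails against >= min_accounts
    distinct usernames within the window. Returns {ip: sorted usernames}."""
    flagged = defaultdict(set)
    recent = defaultdict(list)  # ip -> [(timestamp, user)] of recent failures
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.pop(0)
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged[e["ip"]] |= users
    return {ip: sorted(users) for ip, users in flagged.items()}


def compromised_after_spray(events, spray):
    """Accounts that authenticated successfully from a flagged spraying source:
    the credentials an incident responder should treat as compromised."""
    return {e["user"] for e in events if e["ok"] and e["ip"] in spray}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account alerts:", per_account_alerts(evs))      # set()
    spray = spray_alerts(evs)
    print("spray sources:", spray)                             # {'203.0.113.7': [...]}
    print("compromised:", compromised_after_spray(evs, spray))  # {'grace'}
```

On this sample the per-account rule raises nothing, while the source-keyed rule flags 203.0.113.7 after its fifth distinct account and points at the one account it then logged into. In a real environment the same aggregation is usually done on a SIEM over Windows logon failure events, keyed on source address or workstation name rather than a trusted field in the log line.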
Three of the four businesses had enabled password complexity within their Active Directory password policies. This did not make passwords harder for attackers to break, but it did make them harder for users to remember, which in turn drove weaker passwords and password reuse across the business and provided very limited defense against password spraying attacks.
Not one of the four businesses was using multi-factor authentication, two-factor authentication or one-time passwords in place of static passwords for remote access to the business.
Limited Visibility of Password Risks
In today’s landscape, it is common practice for a business to have multiple breakout points in order for business users to gain access to data, applications and systems. These breakout points come in the form of systems that are located within the business, hosted by a third party or services and applications that are consumed from the cloud.
I was very surprised to see that in all four breaches, each business had failed to consider and map the relationships between each of the breakout points and had not considered what could make them a target, or what could make them vulnerable by way of suppliers, service providers, partners, cloud services, critical data feeds, staff and customers. It highlighted that at no point had the businesses considered or reflected on what data was being stored, consumed or used within each of the breakout points and who was accessing what, and from where.
Building this understanding, and ensuring it stays current, is critical to ensuring that the response to the risk is adequate.
In each case, the only level of security that was in place protecting access to data, systems and applications was a username and static password (a password that may change every 30, 60 or 90 days, however, it is static for a period of time). This, in turn, creates a low barrier for an attacker to compromise a business.
Actions That Can Be Taken
I will be following up with an additional blog in due course providing a clear and proven blueprint for managing cyber-risks. In the meantime, I would highly recommend that all businesses consider the risks of having weak password controls and the effects of password spraying. To make password auditing a simple task, I recently came across a free password auditing tool from Specops. The tool scans Active Directory and produces multiple interactive reports containing user and password policy information, including vulnerable passwords. The tool can be downloaded for free.