Is Your Password Policy A Security Risk?
With every successful intrusion and theft of data, the images of hackers as criminal masterminds and unstoppable forces of technology gone awry grow. In fact, there’s an increasing narrative that hackers are everywhere, just waiting to use their mad ‘skillz’ to steal your credit card information and buy their limited edition dolls, sorry, “action figures.” Worse, they’re just waiting to hold your data hostage and extort ransom from your business.
Yes, cybercriminals can, and often will, do an incredible amount of damage. In fact, according to Forbes, it is estimated that cybercrime will cost the U.S. an average of $6 trillion a year. Yes, trillion with a “T.” Moreover, that is not just direct costs, but also indirect costs such as the damage to consumer trust, the reduction in value of the business brand and ultimately even corporate survival as shareholders lose confidence and begin a sell-off. Any forward-thinking organization would be well advised to take cybersecurity seriously and develop a plan.
However, as we have noted several times, security isn’t just the responsibility of the tech department. It’s the responsibility of the team as a whole to develop, share and embrace best practices, and to ensure the entire team is keeping up and staying secure.
Real-world example time: we recently worked with an organization that had their website hacked. The result was that their website redirected visitors to an unsavory, predatory site, which exposed those visitors to risk. Ultimately their host suspended their account, as the site started consuming bandwidth and storage resources far beyond what was normal, causing it to be flagged as malicious and shut down.
When they were unable to figure out how it happened, they reached out to us for assistance. We found two examples of poor password security. One, their admin username was, wait for it, admin. The hacker’s job was halfway done for them; all they had to do was acquire the password. It doesn’t take an evil genius to ‘hack’ an account by using the default username/password combo. As we noted back in 2012, a weak password makes it easy for hackers to get access to your critical information.
We’ve all seen people who have their passwords on a post-it stuck to their monitors or under their keyboards/mouse pads. The high performers tape theirs to the inside of their desk drawers, you know, to keep it safe. In cases like this, no security solution will prevent even a child from acquiring access to your system. You don’t have to be a master criminal to rob a museum when the security codes are taped to the wall.
So it is very likely someone left their credentials unguarded, and this hack was merely a crime of opportunity. However, the results of this crime have had far-reaching consequences for the business, which goes beyond regaining access to their website. This is why it is critical that your whole team be invested in understanding what password security is and making it a top priority to embrace best practices.
Secondly, their organization allowed scores of people access to their site, including the critical area which should have been locked down. Moreover, they could not track or verify who logged in, when they logged in or from where they logged in. Now, their business model requires them to grant access to a considerable number of users. However, if you are unable to control who has access to your network, then by definition you have an unsecured network.
There are best practices available to monitor and control who can access your network. A great way to solve the problems of unsecured/weak passwords and unauthorized access to the networks is by implementing a proper password solution. Features of a well-implemented credential system include:
- Mandatory changing of passwords every 30 days.
- Specific requirements for creating strong passwords, such as requiring a capital letter, a number, a symbol and a minimum character length, and not reusing the same password across multiple accounts.
- Two-step verification, requiring a second password generated by their mobile device. This second password verifies that they are allowed to have access. They have their phones with them anyway (BYOD), so why not enlist them as part of the security solution?
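The three features above can be expressed as enforceable checks rather than a written policy. The following is an added example, not code from the original post or from any product it mentions: it validates a candidate password against the stated complexity rules, refuses a password already in use on another account (compared through salted hashes, never plaintext), verifies a phone-generated second password using the standard RFC 6238 TOTP algorithm, and rejects a login once the password is older than the 30-day interval the post recommends. The minimum length of 12, the PBKDF2 work factor, and the account layout are assumptions for the demo; the post gives none of them.

```python
import hashlib
import hmac
import os
import re
import secrets
import struct
from dataclasses import dataclass

MAX_PASSWORD_AGE_DAYS = 30     # rotation interval the post recommends
MIN_LENGTH = 12                # assumed minimum; the post gives no number
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
PBKDF2_ROUNDS = 100_000        # assumed work factor for the demo


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    set_at: float          # Unix time the current password was set
    totp_secret: bytes     # shared secret for the phone-generated second password


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library; plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def policy_violations(password: str, username: str, known_hashes) -> list:
    """Return every rule the candidate breaks (an empty list means it is acceptable).

    known_hashes holds (salt, hash) pairs for this user's earlier passwords and
    for other accounts, so one password cannot be shared across accounts.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not any(ch in SYMBOLS for ch in password):
        problems.append("no symbol")
    if username.lower() in password.lower():
        problems.append("contains the username")
    for salt, old_hash in known_hashes:
        if hmac.compare_digest(hash_password(password, salt), old_hash):
            problems.append("already in use or previously used")
            break
    return problems


def create_account(username, password, set_at, totp_secret=None, known_hashes=()):
    """Enrol a user, refusing any password that fails the policy."""
    problems = policy_violations(password, username, known_hashes)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), set_at,
                   totp_secret or secrets.token_bytes(20))


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    code %= 10 ** digits
    return f"{code:0{digits}d}"


def login(account: Account, password: str, code: str, now: float) -> tuple:
    """Check the password, then the phone-generated code, then the 30-day age limit."""
    if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        return False, "bad password"
    if not hmac.compare_digest(totp(account.totp_secret, now), code):
        return False, "bad second factor"
    if (now - account.set_at) / 86400 > MAX_PASSWORD_AGE_DAYS:
        return False, "password expired; rotation required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: a compliant password, and the "admin" case from the post.
    acct = create_account("alice", "Correct-Horse-Battery-9", set_at=0.0)
    print(policy_violations("admin", "admin", []))
    print(login(acct, "Correct-Horse-Battery-9", totp(acct.totp_secret, 60.0), now=60.0))
```

The order of checks in `login` matters: the second factor is verified before the age check, so an expired password on its own never tells an attacker whether the password was right. One caveat on the rotation rule, which follows the post as written: NIST SP 800-63B advises against forcing periodic changes unless there is evidence of compromise, because forced rotation tends to produce predictable variations of the old password.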
Need to provide access to a variety of users?
- Segregate access between private and public data
- Randomly generate passwords which expire
- Verify users are people and not ‘bots.’
- Create and maintain a ‘blacklist’ of sites and content which can’t be accessed.
- Create passwords based on the access level of the user.
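Most of the items in this second list come down to three mechanisms: map each access level to the data it may reach, issue randomly generated credentials that stop working after a fixed time, and keep a blocklist that is matched correctly. The following added example, not code from the original post, sketches those three; the three access levels, the per-level password lengths, the one-day lifetime and the blocklist entries are all constructed for the demo (the post names only "public" and "private" data). The bot check from the list is left out, since a CAPTCHA cannot be usefully shown offline.

```python
import secrets
import string
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed access levels; the post names only "public" and "private" data.
ACCESS_LEVELS = {
    "visitor":     {"public"},
    "contributor": {"public", "private"},
    "admin":       {"public", "private", "settings"},
}
# Assumed: the more a level can reach, the longer its generated password.
PASSWORD_LENGTH = {"visitor": 12, "contributor": 16, "admin": 24}
GRANT_TTL_SECONDS = 24 * 3600          # assumed lifetime of a generated password
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"
# Constructed blocklist of hosts whose content must not be reached.
BLOCKED_HOSTS = {"evil.example", "malware.test"}


@dataclass
class Grant:
    username: str
    level: str
    password: str
    issued_at: float
    expires_at: float


def _has_all_classes(pw: str) -> bool:
    """Upper, lower, digit and symbol must each appear at least once."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def generate_password(level: str) -> str:
    """CSPRNG password sized for the level; retry until every class appears."""
    length = PASSWORD_LENGTH[level]
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if _has_all_classes(candidate):
            return candidate


def issue_grant(username: str, level: str, now: float) -> Grant:
    """Create a credential tied to one access level that expires after the TTL."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level: {level}")
    return Grant(username, level, generate_password(level), now, now + GRANT_TTL_SECONDS)


def can_access(grant: Grant, data_class: str, now: float) -> bool:
    """Deny once the grant has expired or the data class lies outside the level."""
    if now >= grant.expires_at:
        return False
    return data_class in ACCESS_LEVELS[grant.level]


def is_blocked(url: str) -> bool:
    """Match a blocked host and its subdomains exactly; fail closed on unparsable URLs."""
    host = urlparse(url).hostname      # lower-cased by urlparse
    if not host:
        return True
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


if __name__ == "__main__":
    g = issue_grant("visitor-1", "visitor", now=0.0)
    print(g.level, len(g.password), can_access(g, "public", 1.0), can_access(g, "private", 1.0))
    print(is_blocked("https://cdn.evil.example/x"), is_blocked("https://notevil.example/"))
```

The blocklist match is deliberately exact-or-subdomain rather than a substring test: a naive `"evil.example" in url` check would also block `notevil.example` and could be bypassed by putting the blocked name in the path or query string, which is why the hostname is parsed out first.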
Finally, and whenever we discuss security we leave this for last: educate your team. Treat them as your partners, not as subordinates who only do what they are told to do. They need to understand what a strong password, and ultimately effective network security, require and look like in practice.
Without every team member being invested in security, there are going to be opportunities for a hacker to find and exploit a ‘hole.’ This hole will always be due to human error, and it is one that could have been patched if your team members understood how to achieve the goals of the security best practices.
Have any tips about password security or stories to share? Let us know in the comments.