Attacks/Breaches | News
4/3/2017 11:00 AM
Dawn Kawamoto

More than Half of Security Pros Rarely Change their Social Network Passwords

Survey finds IT security professionals don't practice what they preach at work when it comes to their social network passwords.

Some security professionals apparently find it tough to maintain safe password practices outside of work, with 53% acknowledging that they either haven't changed their social network passwords in more than a year or have never changed them at all, according to a report released today by security firm Thycotic.

According to the survey of nearly 300 security professionals conducted at the RSA Conference in San Francisco in February, 33% of security pros say they have not changed their social network passwords in more than one year, and 20% have never changed their passwords. On top of that, nearly 30% of survey participants rely on birthdays, addresses, pet names, and children's names for their social network passwords, the survey found.

These practices run counter to the industry's often-touted mantra of the need to change passwords frequently and make them as complex as possible. Needless to say, failure to follow these practices can potentially lead to cybercriminals not only infiltrating the social networks of security pros but also social-engineering or phishing their way into their work accounts.

Although 45% of survey respondents believe that at least half of company-related cyberattacks involve privileged passwords, Joseph Carson, Thycotic's chief security scientist, tells Dark Reading he personally believes the figure is closer to 63% based on his digital forensics research and ethical hacking.

And of that 63% figure of all breaches involving privileged passwords, Carson estimates 30% come from IT administrators' passwords and 10% from someone with some responsibility in security.

"Although 10% may not seem like a high figure, the biggest cost to a company financially will be from this 10% because of the privileges they hold," Carson says. "The difference between a security breach and a security catastrophe comes down to the level of authorization that the person had."

Do What I Say, Not as I Do

To understand why security professionals don't always practice what they preach when it comes to protecting passwords outside of work requires some insight into the particular challenges they face.

Typically, security pros are aware of the potential dangers of single sign-on passwords and will have a separate password for each account they hold, both work-related and personal. In Carson's case, he has over 400 personal and work-related accounts where he uses a separate password.

To help him manage the hundreds of passwords, Carson says he uses password management tools such as password vaults. But the vast majority of his fellow IT security professionals do not use such tools. He noted that in a benchmark survey of more than 1,000 security professionals taken over a year ago, only 10% to 20% of participants indicated they used a password vault or other password management tools.

As a result, in some ways, it may not be so surprising that security professionals find it hard to maintain the same level of vigilance with their personal accounts as they perform with work-related accounts, he says.

"There are many known cases of data breaches from compromised credentials and passwords from security professionals resulting from malware and phishing scams delivered via social networks," Carson says.

Morey Haber, vice president of technology at security firm BeyondTrust, says he is not surprised by the findings in Thycotic's RSA survey.

"Most social media accounts require best practices for password complexity but falter when it comes to other security disciplines. For example, they fail to expire passwords after 90 days, require a reset, and allow browsers to ‘Remember Me’ for cached authentications for an infinite duration," Haber says. "Since these additional security controls are what most people rely on to reset passwords on a periodic basis, I can only assume the transparent approach makes even the best security professionals lax for social media account password changes. I can only hope they follow at least best practices for password reuse, and each social media account has a different password in case one is compromised."

He says while it’s rare for a breach of a security professional's account to be attributed as the primary attack vector, the likelihood of their account being compromised due to Pass-the-Hash or other hacking techniques is higher if they log into a compromised system, access from an unsecured remote location, or have legacy accounts that have never had their passwords changed. "The longer a password goes stale, the more likely it will be compromised," Haber says.

Ironically, 25% of the Thycotic survey respondents say that they will change their password at work only when the system alerts them. Such an attitude may contribute to the more than 3 billion user credentials and passwords that were stolen in 2016, according to the Thycotic and Cybersecurity Ventures' Password report.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
Joe Stanganelli, User Rank: Ninja, 4/7/2017 | 1:23:49 PM
Red Herring
This is a red herring issue, I strongly suspect.

Talk to most die-hard security pros -- the really good ones, and the ones who do nothing OTHER than cybersecurity for a living -- and their use of social networks is minimal (if not non-existent).  Moreover, they put minimal -- if any -- true PII on those social networks.  So their risk is already quite small.

Moreover, it is becoming increasingly the viewpoint of the top InfoSec pros and punditry that changing passwords frequently is NOT a best practice -- and can actually be detrimental.

The study may be headline grabbing, but I am unconcerned.
AndrewfOP, User Rank: Strategist, 4/4/2017 | 1:13:36 PM
Problematic Password Practice Advice
Clearly, if security pros can't follow their own advice, it just means the advice itself was problematic. Secure IT policy should be clear and easy to follow; otherwise the IT/Security team is obviously not doing, or not able to do, its job. One account with periodic password change is difficult enough. Keeping good track of multiple accounts, as in most office working environments, is practically impossible.

Single sign-on/password vaults, or one single password for all accounts, essentially present the same security weak point. The only way to maintain good security should be user behavior tracking and analysis: any excessive access entries outside of users' normal work environment, excessive access outside normal work hours, or an excessive number of access entries are potential breaches to look out for.

Continued reliance on difficult to follow password practices would only weaken IT security in the long run regardless of any potential technology that could replace passwords.
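The three behavioral heuristics the comment above lists (access from outside the user's normal environment, access outside normal hours, and an excessive number of access entries) can be checked with a small detection script. This is an added example, not code from the article or from Thycotic; the log format, per-user baseline, and threshold are all assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample auth log (not from the article). Format assumed: "timestamp user src_ip result"
SAMPLE_LOG = """\
2017-04-03T09:12:05 alice 10.1.4.22 success
2017-04-03T09:40:11 alice 10.1.4.22 success
2017-04-03T23:15:42 alice 10.1.4.22 success
2017-04-03T10:02:30 bob 10.1.7.9 success
2017-04-03T10:05:01 bob 203.0.113.45 success
2017-04-03T10:05:02 bob 203.0.113.45 success
2017-04-03T10:05:03 bob 203.0.113.45 success
2017-04-03T10:05:04 bob 203.0.113.45 success
2017-04-03T10:05:05 bob 203.0.113.45 success
"""

# Assumed per-user baseline: corporate network prefixes and normal working hours (hypothetical values).
BASELINE = {
    "alice": {"networks": ("10.1.",), "hours": (8, 18)},
    "bob":   {"networks": ("10.1.",), "hours": (8, 18)},
}
MAX_EVENTS_PER_USER = 4  # more events than this in the log window counts as "excessive" (assumed threshold)

def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result}

def analyze(log_text, baseline=BASELINE, max_events=MAX_EVENTS_PER_USER):
    """Return a list of (user, reason) findings for the three heuristics from the comment."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for e in events:
        base = baseline.get(e["user"])
        if base is None:
            findings.append((e["user"], "no baseline for user"))
            continue
        start, end = base["hours"]
        if not (start <= e["ts"].hour < end):           # outside normal work hours
            findings.append((e["user"], f"off-hours login at {e['ts'].isoformat()}"))
        if not e["ip"].startswith(base["networks"]):     # outside normal work environment
            findings.append((e["user"], f"login from outside normal network: {e['ip']}"))
    counts = Counter(e["user"] for e in events)
    for user, n in counts.items():                       # excessive number of access entries
        if n > max_events:
            findings.append((user, f"excessive access volume: {n} events"))
    return findings

if __name__ == "__main__":
    for user, reason in analyze(SAMPLE_LOG):
        print(f"{user}: {reason}")
```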
lakers85, User Rank: Strategist, 4/3/2017 | 12:42:39 PM
Password Vaults
Any recommendations on Password Vaults? What if they are breached? Who watches the watchers?
Breezcar, User Rank: Apprentice, 4/3/2017 | 11:14:58 AM
I agree
I should change more often also