Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches | News
4/3/2017 11:00 AM
Dawn Kawamoto

More than Half of Security Pros Rarely Change their Social Network Passwords

Survey finds IT security professionals don't practice what they preach at work when it comes to their social network passwords.

Some security professionals apparently find it tough to maintain safe password practices outside of work: 53% acknowledge that they either haven't changed their social network passwords in more than a year or have never changed them at all, according to a report released today by security firm Thycotic.

According to the survey of nearly 300 security professionals, conducted at the RSA Conference in San Francisco in February, 33% of security pros say they have not changed their social network passwords in more than a year, and 20% have never changed them. On top of that, nearly 30% of participants rely on birthdays, addresses, pet names, and children's names for their social network passwords, the survey found.

These practices run counter to the industry's oft-touted mantra that passwords must be changed frequently and made as complex as possible. Failure to follow these practices can let cybercriminals not only infiltrate the social network accounts of security pros but also social-engineer or phish their way into those pros' work accounts.

Although 45% of survey respondents believe that at least half of company-related cyberattacks involve privileged passwords, Joseph Carson, Thycotic's chief security scientist, tells Dark Reading he personally believes the figure is closer to 63% based on his digital forensics research and ethical hacking.

And of that 63% figure of all breaches involving privileged passwords, Carson estimates 30% come from IT administrators' passwords and 10% from someone with some responsibility in security.

"Although 10% may not seem like a high figure, the biggest cost to a company financially will be from this 10% because of the privileges they hold," Carson says. "The difference between a security breach and a security catastrophe comes down to the level of authorization that the person had."

Do What I Say, Not as I Do

To understand why security professionals don't always practice what they preach when it comes to protecting passwords outside of work requires some insight into the particular challenges they face.

Typically, security pros are aware of the potential dangers of single sign-on passwords and will have a separate password for each account they hold, both work-related and personal. In Carson's case, he has over 400 personal and work-related accounts where he uses a separate password.

To manage those hundreds of passwords, Carson says he uses password management tools such as password vaults. But the vast majority of his fellow IT security professionals do not: in a benchmark survey of more than 1,000 security professionals taken over a year ago, he noted, only 10% to 20% of participants said they used a password vault or other password management tool.

As a result, he says, it may not be so surprising that security professionals find it hard to maintain the same level of vigilance with their personal accounts as they do with their work-related accounts.

"There are many known cases of data breaches from compromised credentials and passwords from security professionals resulting from malware and phishing scams delivered via social networks," Carson says.

Morey Haber, vice president of technology at security firm BeyondTrust, says he is not surprised by the findings in Thycotic's RSA survey.

"Most social media accounts require best practices for password complexity but falter when it comes to other security disciplines. For example, they fail to expire passwords after 90 days, require a reset, and allow browsers to ‘Remember Me’ for cached authentications for an infinite duration," Haber says. "Since these additional security controls are what most people rely on to reset passwords on a periodic basis, I can only assume the transparent approach makes even the best security professionals lax for social media account password changes. I can only hope they follow at least best practices for password reuse, and each social media account has a different password in case one is compromised."

He says while it’s rare for a breach of a security professional's account to be attributed as the primary attack vector, the likelihood of their account being compromised due to Pass-the-Hash or other hacking techniques is higher if they log into a compromised system, access from an unsecured remote location, or have legacy accounts that have never had their passwords changed. "The longer a password goes stale, the more likely it will be compromised," Haber says.

Ironically, 25% of the Thycotic survey respondents say they change their password at work only when the system prompts them to. Such an attitude may contribute to the more than 3 billion user credentials and passwords stolen in 2016, according to the Thycotic and Cybersecurity Ventures Password report.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
Joe Stanganelli, User Rank: Ninja, 4/7/2017 | 1:23:49 PM
Red Herring
This is a red herring issue, I strongly suspect.

Talk to most die-hard security pros -- the really good ones, and the ones who do nothing OTHER than cybersecurity for a living -- and their use of social networks is minimal (if not non-existent).  Moreover, they put minimal -- if any -- true PII on those social networks.  So their risk is already quite small.

Moreover, it is becoming increasingly the viewpoint of the top InfoSec pros and punditry that changing passwords frequently is NOT a best practice -- and can actually be detrimental.

The study may be headline grabbing, but I am unconcerned.
AndrewfOP, User Rank: Moderator, 4/4/2017 | 1:13:36 PM
Problematic Password Practice Advice
Clearly, if security pros can't follow their own advice, it just means the advice itself was problematic. Secure IT policy should be clear and easy to follow; otherwise the IT/Security team is obviously not doing, or not able to do, its job. One account with periodic password changes is difficult enough. Keeping good track of multiple accounts, as in most office working environments, is practically impossible.

Single sign-on/password vaults, or one single password for all accounts, essentially present the same security weak point. The only way to maintain good security should be user behavior tracking and analysis: any excessive access entries outside of users' normal work environment, excessive access outside normal work hours, or an excessive number of access entries are potential breaches to look out for.

Continued reliance on difficult-to-follow password practices would only weaken IT security in the long run, regardless of any potential technology that could replace passwords.
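The user-behavior tracking approach described in the comment above, as an added example that is not code from the article, from Dark Reading or from the commenter: a Python script that scans a constructed access log for the three signals the comment names, logins outside normal working hours, logins from outside the usual network, and an excessive number of access entries per user per day. The working hours, the internal address range and the daily threshold are assumed policy values, and the log lines are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access log (not data from the article or the comment).
# Format per line: <user> <ISO-8601 timestamp> <source IP>
LITERAL_LOG = """\
alice 2017-04-03T09:12:04 10.0.0.12
alice 2017-04-03T10:45:31 10.0.0.12
alice 2017-04-03T14:02:17 10.0.0.12
bob 2017-04-03T08:55:49 10.0.0.40
bob 2017-04-03T23:41:09 203.0.113.77
bob 2017-04-04T02:13:50 203.0.113.77
"""
# carol produces a constructed burst of 25 logins within one hour.
BURST_LOG = "".join(f"carol 2017-04-03T11:{m:02d}:00 10.0.0.21\n" for m in range(25))
SAMPLE_LOG = LITERAL_LOG + BURST_LOG

# Baseline assumptions (hypothetical policy values, not from the page):
WORK_HOURS = range(8, 19)      # 08:00 to 18:59 counts as normal working time
INTERNAL_PREFIXES = ("10.",)   # corporate network assumed to be 10.0.0.0/8
DAILY_ACCESS_THRESHOLD = 20    # more logins per user per day than this is "excessive"


def parse_log(text):
    """Parse 'user timestamp ip' lines into (user, datetime, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, ip = line.split()
        events.append((user, datetime.fromisoformat(ts), ip))
    return events


def find_anomalies(events, work_hours=WORK_HOURS, internal=INTERNAL_PREFIXES,
                   threshold=DAILY_ACCESS_THRESHOLD):
    """Return {user: sorted list of anomaly tags} for the three signals the
    comment names: off-hours access, access from outside the normal
    environment, and an excessive number of access entries in one day."""
    findings = defaultdict(set)
    per_day = Counter()
    for user, ts, ip in events:
        if ts.hour not in work_hours:
            findings[user].add("off-hours")
        if not ip.startswith(internal):
            findings[user].add("external-source")
        per_day[(user, ts.date())] += 1
    for (user, _day), count in per_day.items():
        if count > threshold:
            findings[user].add("excessive-volume")
    return {user: sorted(tags) for user, tags in findings.items()}


if __name__ == "__main__":
    # alice stays quiet; bob trips off-hours and external-source; carol trips volume.
    for user, tags in find_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(tags)}")
```

Each signal is reported as a tag per user rather than a single score, so an analyst can see which of the comment's three conditions fired; in practice the working-hours window and internal ranges would come from a per-user or per-team baseline rather than fixed constants.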
lakers85, User Rank: Strategist, 4/3/2017 | 12:42:39 PM
Password Vaults
Any recommendations on password vaults? What if they are breached? Who watches the watchers?
Breezcar, User Rank: Apprentice, 4/3/2017 | 11:14:58 AM
I agree
I should change more often also