
Attacks/Breaches
12/24/2019 10:00 AM
Matt Davey
Commentary

The Night Before 'Breachmas'

What does identity management have to do with Charles Dickens' classic 'A Christmas Carol'? A lot more than you think.

In Charles Dickens' A Christmas Carol, Ebenezer Scrooge — played by Michael Caine in the best version, The Muppet Christmas Carol — is visited by three ghosts who foretell his future based on his past and current actions. Since Scrooge is such a coldhearted person, his future is … grim.

Photo Credit: Buena Vista Pictures

There's an interesting parallel here: An individual's cybersecurity hygiene can also predict the cybersecurity future of an entire enterprise. Whether that future is grim or great depends on whether security leadership corrects the unsafe habits employees formed earlier in their online lives.

The Ghost of Passwords Past
It's almost 2020: Have you deleted your MySpace profile? If not, it's worth a visit, no matter how cringey the experience might be. While obsolete social media pages may be nostalgic for individuals, they're a jackpot for attackers who mine old sites for information that can be used to answer security questions. What was the model of your first car? Check Tumblr. Who was your first crush? Check Friendster. What's a likely password? Check your AOL Instant Messenger name. If that information is there for you, it's also likely there for employees across your entire organization.

A savvy attacker could trigger a "forgot password?" flow and change a team member's password simply by entering security answers discovered by perusing that person's Internet presence. There's also an exceptional amount of information lingering about each of us in old forums, sites, and social media. That's nothing short of chilling.

The Ghost of Passwords Present
There's another component to this digital pillaging: reusing passwords. Enterprises spend untold amounts of money hardening their digital infrastructure, but all that security can be undone with valid credentials. Is the password you're currently using similar to passwords you used in high school? Possibly. Count how many employees are currently using logins across your organization and then consider how many of them are likely reusing the same password from app to app. That number is higher than you may realize. Even the most security-minded of us are guilty of reusing passwords in the interest of saving time and frustration.

Old passwords can be bought for pennies on the Dark Web, but they can also be found by infiltrating old websites that don't have today's security. It's unlikely LiveJournal, for instance, has the same security as Cisco. That means an employee's old password can be recovered fairly easily, and an attacker can try that password and simple variations of it (a new year appended, a capital letter, a symbol swapped in) against the enterprise login. The implications of that are downright haunting. According to a study from the Ponemon Institute, a negligent employee costs the organization $283,281 per incident. Worse, attackers may not even make their presence known, choosing instead to repeatedly log in with legitimate credentials and silently leech information for years at a time.

The Ghost of Passwords Future
When the attackers are finally discovered, the results can be disastrous. Consider the Flipboard breach disclosed earlier this year, which could have affected over 100 million users (the full extent isn't yet known). The breach was widely blamed on poor cyber hygiene: users reused their passwords on numerous sites and systems, and an attacker likely obtained a user's password from an account with weaker security. From there it was simply a matter of credential stuffing: feeding the leaked username and password pairs into automated login attempts against a variety of sites until one worked.

That's not the only example. Reusing passwords that have already been exposed in a breach results in still more compromises: earlier this month Microsoft reported that 44 million of its account holders were signing in with credentials that had already appeared in leaked breach data. It's a practical reality that an employee's old Yahoo login could be the very thing to take down a system guarding millions of customers' sensitive information.

Outsmarting the Ghosts
First, scrub your Internet presence. Delete old social media accounts and omit personal information from LinkedIn and other current social media.

Next, start changing passwords. Make sure they're completely different from any former passwords, not merely a variation with a new year or an extra symbol tacked on, since those are the first guesses an attacker will try. In fact, don't tie them to any facet of your life at all. For instance, resist the temptation to use your dog's name.
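A password-change handler can enforce the two rules above mechanically: reject a new password that is a trivial variation of the current one, and reject one whose underlying "stem" is already in a breach corpus. The check below is an added example, not code from the article or from 1Password; the leetspeak map, the edit-distance threshold and the tiny stand-in breach corpus are assumptions made for the illustration. It compares against the current password only, because that is the one the user just typed in plaintext to authorize the change; older passwords should exist only as hashes.

```python
import hashlib
import string

# Common character swaps an attacker's mangling rules undo first (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def stem(password):
    """Reduce a password to the idea behind it: lowercase, drop leading and
    trailing digits/punctuation, undo leetspeak. 'Summer2019!' and 'Summer19'
    both stem to 'summer', so they are one secret, not two."""
    s = password.lower().strip(string.digits + string.punctuation + " ")
    return s.translate(LEET)


def edit_distance(a, b):
    """Plain Levenshtein distance via a rolling dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variation(new, old, max_edits=2):
    """True when `new` is the same secret as `old` dressed up differently."""
    s_new, s_old = stem(new), stem(old)
    if not s_new or not s_old:            # all-digit passwords have no stem
        return edit_distance(new.lower(), old.lower()) <= max_edits
    shorter, longer = sorted((s_new, s_old), key=len)
    if len(shorter) >= 4 and shorter in longer:
        return True
    return edit_distance(s_new, s_old) <= max_edits


# Constructed stand-in for a breach corpus: SHA-1 digests of a few passwords
# found in every real leak list. Have I Been Pwned's Pwned Passwords service
# uses the same SHA-1 representation; a production check would send it only
# the first five hex characters of the digest (k-anonymity) rather than keep
# a local set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Summer2019", "letmein")
}


def in_breach_corpus(password, corpus=BREACHED_SHA1):
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus


REASON_SHORT = "shorter than 12 characters"
REASON_BREACHED = "itself or its stem appears in a known breach corpus"
REASON_VARIATION = "a variation of the current password"


def check_new_password(new, current, min_length=12):
    """Return the list of reasons to reject `new`; an empty list means accept."""
    reasons = []
    if len(new) < min_length:
        reasons.append(REASON_SHORT)
    # Checking the stem as well catches 'P@ssw0rd2020' when only 'password'
    # is in the corpus, which is exactly what attacker mangling rules exploit.
    if in_breach_corpus(new) or in_breach_corpus(stem(new)):
        reasons.append(REASON_BREACHED)
    if is_variation(new, current):
        reasons.append(REASON_VARIATION)
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2019!", "P@ssw0rd2020", "correct-horse-battery"):
        verdict = check_new_password(candidate, "Summer2019") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The stem comparison is intentionally aggressive: it will occasionally reject an unrelated password that happens to share a stem with the old one, which costs the user one more attempt, whereas letting a variation through costs you the account.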

Finally, get your employees to do the same. Cybersecurity hygiene starts with cybersecurity education: If people understand the reason why they're being asked to be so diligent about making unique, strong passwords, they'll be much more likely to comply. And while you can't expect them to delete their old MySpace account, you can make them aware of the dangers of leaving their personal information in the open.

In A Christmas Carol, Scrooge learns from his past mistakes and mends his ways, resulting in a happy Christmas and a hopeful future. May we all learn from our past Internet selves and herald a brighter, more secure Internet of tomorrow.


Matt Davey is the COO (Chief Operations Optimist) at 1Password, a password manager that secures identities and sensitive data for enterprises and their employees. In a previous life working with agencies and financial companies, Matt has seen first-hand how important security ... View Full Bio
Comments
RyanSepe, 12/30/2019 1:12:23 AM
Good Password Hygiene is Imperative
Since passwords are the weakest form of authentication, they need to adhere to a higher scrutiny if they are to be your only keys to the kingdom.

Unfortunately it's far too often that we decide not to respect this principle and fall prey to reusing simple passwords that could be cracked in a matter of hours.

MFA needs to be incorporated whenever possible to help remediate the shortcomings of passwords.