Strong Passwords and MFA: Two Easy Fixes to Enhance Your Cybersecurity Posture

As 2023 Cybersecurity Awareness Month continues, let's look at a couple of the areas the Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCSA) are focusing on this year. 


“While passwords might not appear as formidable as some other advanced security measures or tools, a carefully crafted password can truly be the decisive factor in determining whether your data or your organization's remains exposed or protected,” said Trustwave SpiderLabs Director of EMEA Ed Williams.


Passwords and Multifactor Authentication (MFA)


Unfortunately, there is a very well-known example of what can happen with weak password hygiene and no MFA.


On May 7, 2021, an affiliate of the DarkSide ransomware-as-a-service operation (a group that has been linked to REvil) deployed ransomware inside Colonial Pipeline Co., forcing the company to halt pipeline operations and cutting off the flow of gasoline, diesel, jet fuel and other refined petroleum products across large portions of the eastern U.S. for several days. The initial access point was a legacy VPN account that was no longer in active use but had never been disabled; it was protected only by a password that had already appeared in a leaked credential set, and it did not require multifactor authentication.


Once inside the network, the attackers first exfiltrated roughly 100 GB of data, including PII of some employees, and then encrypted the Colonial Pipeline IT network with ransomware. The company paid a ransom of about $4.4 million in bitcoin; the U.S. Department of Justice later seized a large share of it (63.7 BTC, worth about $2.3 million at the time) with the help of the FBI.


A strong password is long, random and unique to the account. Mixing uppercase letters, lowercase letters, numbers and symbols helps, but length matters most. A password manager generates and stores a strong, unique password for every account, so that nobody has to memorize them.


Enhance complexity: Trustwave researchers have noted that an eight-character password can be exhausted by brute force in about a day on commodity cracking hardware, whereas ten characters push the same attack out to hundreds of days or more. The exact figures depend on the hash algorithm protecting the password and on the attacker's hardware, but the underlying arithmetic does not change: each extra character multiplies the search space by the size of the alphabet, so length is the strongest lever. Adding symbols, numbers and mixed case enlarges that alphabet and compounds the effect.


Embrace passphrases: Highly complex passwords are hard to remember and a burden for most people, so rules that require them tend to be ignored or worked around (written on sticky notes, or built from a predictable template such as a capitalized word followed by a year and an exclamation mark).

But there is another option. Passphrases.


Password-strength meters are available that give a rough idea of whether a password is strong or weak. Their scores differ from tool to tool, but they agree on one point: passphrases make a difference.


Phrases like "GoodLuckGuessingThisPassword" or "itstheendoftheworldasiknowitandifeelfine" are extremely hard to crack by brute force and, even better, are easy to remember even when they contain no special characters. One caveat: attackers also guess from lists of song lyrics, quotes and common sayings, so a passphrase lifted from well-known text is weaker than its length suggests. Several unrelated words that you pick yourself, or that a password manager generates, are the safer choice.
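The relationship between length, alphabet size and cracking time described in the two points above is plain arithmetic, so here it is worked through as an added example (this is not code from the original post). The guess rates are constructed order-of-magnitude assumptions for a GPU cracking rig, and the 10,000-word dictionary used to score the passphrase is likewise an assumption; the point is to compare the two ways an attacker can model the same passphrase.

```python
import math

# Alphabet sizes for the character classes discussed in the text.
CHARSETS = {
    "lowercase only": 26,
    "upper + lower": 52,
    "upper + lower + digits": 62,
    "all printable ASCII": 95,
}

# Assumed guess rates (constructed, order-of-magnitude): one GPU rig against a
# fast unsalted hash, and the same rig against a slow salted password KDF.
GUESS_RATES = {
    "fast unsalted hash (NTLM/MD5)": 1e11,
    "slow salted KDF (PBKDF2/bcrypt/Argon2)": 1e5,
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Search space of a random password, in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Search space when the attacker guesses word-by-word from a dictionary,
    which is the honest figure for a passphrase made of common words."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


def humanize(seconds: float) -> str:
    """Express a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def comparison_table() -> list:
    """Rows of (charset, length, attacker, seconds) for lengths 8, 10 and 14."""
    rows = []
    for cs_name, size in CHARSETS.items():
        for length in (8, 10, 14):
            for rate_name, rate in GUESS_RATES.items():
                secs = seconds_to_exhaust(keyspace_bits(size, length), rate)
                rows.append((cs_name, length, rate_name, secs))
    return rows


if __name__ == "__main__":
    for cs_name, length, rate_name, secs in comparison_table():
        print(f"{cs_name:24} len={length:2}  {rate_name:40} {humanize(secs)}")

    # The passphrase from the text, scored both ways.
    phrase = "GoodLuckGuessingThisPassword"
    per_char = keyspace_bits(CHARSETS["upper + lower"], len(phrase))
    per_word = passphrase_bits(4, 10_000)   # four common words; 10,000-word list assumed
    print(f"\n{phrase}: {per_char:.0f} bits if brute-forced per character, "
          f"about {per_word:.0f} bits if guessed word-by-word")
```

Two things fall out of the table. First, against a fast unsalted hash, eight printable characters (about 52.6 bits) last roughly 18 hours at the assumed rate while ten characters last about 19 years, which is the "one day versus hundreds of days" jump the text describes; the same eight-character password behind a slow salted KDF already takes centuries. Second, a four-word passphrase from a 10,000-word list scores about 53 bits, on par with eight truly random printable characters yet far easier to remember, and every additional word adds another 13 bits.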


Change passwords when there is a reason to: promptly after a known or suspected compromise, when someone who knew a shared credential leaves, or when a breach notification names the service. Many organizations still rotate sensitive account passwords on a 60 to 90 day schedule, but note that NIST SP 800-63B no longer recommends forced periodic changes on their own, because users respond with predictable variations (Summer2023! becomes Autumn2023!) that attackers try first. What is essential is never reusing the same password across accounts: a leak at one service then exposes every account that shares it.


Salt and hash stored passwords: systems should never store passwords in plaintext or under reversible encryption. Each password should be combined with a unique, random "salt" before it is hashed, and the hash should be computed with a deliberately slow algorithm designed for passwords (Argon2id, scrypt, bcrypt, or PBKDF2 with a high iteration count) rather than a general-purpose hash such as MD5 or SHA-256. The salt defeats precomputed tables and ensures that two users with the same password get different hashes, so cracking one does not crack the other; the slow algorithm caps how many guesses per second an attacker who steals the hash database can make.
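As an added example (not code from the original post), the following shows salted password hashing with a slow KDF using only the Python standard library, next to the unsalted fast hash it replaces. It uses PBKDF2-HMAC-SHA256 because that is what the standard library ships; Argon2id would be the preferred choice where a library for it is available. The 600,000-iteration default follows the OWASP Password Storage Cheat Sheet's 2023 minimum for PBKDF2-HMAC-SHA256; the record format (algorithm$iterations$salt$hash) is an assumption of this example, chosen so the cost factor can be raised later without invalidating existing records.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP 2023 minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per password means equal passwords produce different
    records, so precomputed (rainbow) tables are useless and cracking one hash
    does not reveal every account that shares that password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations),
                                   dklen=KEY_BYTES)
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the stored cost factor is below the current minimum. Call this
    after a successful login and re-hash with the plaintext you just verified,
    which is the only moment the server legitimately has it."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: fast, unsalted, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two users who chose the same password (constructed example data).
    pw = "correct horse battery staple"
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))        # identical: one crack, two accounts
    record_a, record_b = hash_password(pw), hash_password(pw)
    print("salted,   user A:", record_a)
    print("salted,   user B:", record_b)                   # different salt, different hash
    print("login ok:", verify_password(pw, record_a), "wrong pw:", verify_password("wrong", record_a))
    print("needs rehash:", needs_rehash(record_a))
```

The iteration count is a tuning knob, not a constant: measure how long one hash takes on the login servers and raise it as hardware improves, relying on needs_rehash to migrate old records on next login.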


Strong password policies: Password policies are of utmost importance but are often underutilized. Windows' built-in complexity policy, for example, checks character classes but not context: it will happily accept the company name, a product name or the local city with a capital letter and a "1!" appended, which is exactly what attackers guess first. Custom password policies close that gap, especially in Active Directory environments, which support custom password filter DLLs and, through Azure AD (now Microsoft Entra) Password Protection, a banned-word list enforced on on-premises domain controllers.


Conduct password audits: Companies should regularly audit passwords to identify weak links within their systems, for example by running an authorized cracking job against a copy of the domain's password hashes and flagging accounts whose passwords fall quickly, are reused across accounts, or appear in public breach lists. Attackers often target non-tech-savvy users, making them vulnerable points of entry; identifying and fixing those weak links before an attacker does improves the overall security posture.
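The two points above, a context-aware policy and a periodic audit, can be served by the same check, so the following added example (not from the original post, and not Microsoft's or Trustwave's code) implements one: it normalizes leet substitutions, then rejects passwords that contain the username, a company-specific banned term, a keyboard or numeric sequence, or a known-breached value, and runs that same check over a set of recovered passwords as an audit. The banned terms, breach list and recovered passwords are all constructed sample data; a real deployment would plug the check into a password filter or registration endpoint and feed the audit from an authorized cracking run.

```python
import re
import unicodedata

# Substitutions people use to sneak a banned word past a naive check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i", "|": "l", "+": "t"})
SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789",
             "abcd", "bcde", "qwer", "wert", "asdf", "zxcv")


def normalize(text: str) -> str:
    """Lowercase, undo leet substitutions and drop anything non-alphanumeric."""
    folded = unicodedata.normalize("NFKC", text).lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", folded)


def check_policy(password: str, *, username: str = "", banned_terms=(),
                 min_length: int = 14, breached=frozenset()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    norm = normalize(password)
    user_norm = normalize(username)
    if len(user_norm) >= 3 and user_norm in norm:
        problems.append("contains the username")
    for term in banned_terms:
        term_norm = normalize(term)
        if len(term_norm) >= 3 and term_norm in norm:
            problems.append(f"contains banned term '{term}'")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    if any(seq in password.lower() for seq in SEQUENCES):
        problems.append("contains a keyboard or numeric sequence")
    if password in breached:
        problems.append("appears in a known breach list")
    return problems


def audit(credentials: dict, **policy) -> dict:
    """Run the same policy over a set of passwords (for example the output of an
    authorized cracking run) and return only the accounts that fail."""
    findings = {}
    for user, password in credentials.items():
        problems = check_policy(password, username=user, **policy)
        if problems:
            findings[user] = problems
    return findings


# Constructed sample data: company-specific banned terms, a stand-in breach list,
# and a handful of recovered passwords (all invented for this example).
COMPANY_TERMS = ("Trustwave", "SpiderLabs", "Fusion", "Chicago")
BREACHED = frozenset({"Password123!", "Welcome2023!"})
SAMPLE = {
    "jsmith": "Tru5tw@ve2023!",
    "adoe": "Ch1cago!!!!!!!!",
    "rlee": "rlee-Summer-2023",
    "svc_backup": "Welcome2023!",
    "bkim": "correct horse battery staple",
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE, banned_terms=COMPANY_TERMS, breached=BREACHED).items():
        print(f"{user}: {'; '.join(problems)}")
```

Note that "Tru5tw@ve2023!" satisfies every character-class rule Windows would apply and still fails here, because the check looks at what the password means after substitutions are undone. The breach check is shown as a local set for the offline example; in production it would be backed by a breached-password feed or a k-anonymity lookup service.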


Consider two-factor authentication: Two-factor authentication provides an additional layer of defense by requiring a second form of verification alongside the password, such as a hardware token, an authenticator app, or a code sent to the user's phone. Because the second factor is something the attacker does not hold, it remains a reliable safeguard even after the password itself is compromised. Incorporating two-factor authentication significantly enhances security.


Making It Twice as Hard 


Multi-factor authentication (MFA), sometimes called two-factor authentication or two-step verification, requires anyone logging in to an account to prove their identity in more than one way. Typically, you enter your username and password and then verify your identity by a second means, such as a fingerprint, a code from an authenticator app, or a PIN code delivered by text message.


Using MFA adds an extra layer of protection to an online account, making it significantly harder for an attacker to gain access with a stolen password alone. It is recommended, and generally very easy, to enable MFA on every account that offers it, particularly email, social media and financial accounts. Prefer authenticator apps or hardware security keys over SMS codes: text messages can be intercepted through SIM swapping, and any one-time code can be phished and relayed in real time, whereas FIDO2/WebAuthn security keys are bound to the legitimate site and resist phishing.


How Trustwave Can Help


Organizations that lack the in-house capacity for the tasks required to maintain security should consider partnering with a company that has that expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.


While technologies like extended detection and response (XDR) and security information and event management (SIEM) can correlate data from various sources, help detect threats, and facilitate investigations, they miss some of the proactive security elements needed to stay secure in today's advanced threat landscape.  


Without the right expertise, organizations will not get the value they expect from these technologies. Likewise, a traditional managed security service provider (MSSP) that focuses on monitoring logs and alerts misses a large part of the picture and can generate many false positives and low-value work for its customers.

