
Strong Passwords and MFA: Two Easy Fixes to Enhance Your Cybersecurity Posture

As 2023 Cybersecurity Awareness Month continues, let's look at a couple of the areas the Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCSA) are focusing on this year. 

 

“While passwords might not appear as formidable as some other advanced security measures or tools, a carefully crafted password can truly be the decisive factor in determining whether your data or your organization's remains exposed or protected,” said Trustwave SpiderLabs Director of EMEA Ed Williams.

 

Passwords and Multifactor Authentication (MFA)

 

Unfortunately, there is a very well-known example of what can happen with weak password hygiene and no MFA.

 

On May 6, 2021, an affiliate group associated with the REvil and Darkside ransomware-as-a-service gangs attacked Colonial Pipeline Co., forcing the company to halt operations, effectively blocking the flow of fuel, gasoline, and other petroleum products throughout large portions of the eastern U.S. for several days. The attacker used an exposed password from an unused VPN account that did not require multifactor authentication. 

 

Once inside the network, the attacker's first move was to steal 100GB of data, including the PII of some employees, and then infect the Colonial Pipeline IT network with ransomware. The gang demanded and was paid a $4.4 million ransom, although a portion of this was recouped with the help of the FBI.

 

The qualities of a strong password include, but are not limited to, being long, random, and unique, and combining uppercase letters, lowercase letters, numbers, and symbols. Password managers are a helpful tool for generating and storing strong, unique passwords for each of your accounts.

 

Enhance complexity: Trustwave researchers noted that a password consisting of only eight characters could be easily cracked in just one day using brute-force techniques. However, increasing the password length to ten characters significantly increases the cracking time by hundreds of days. Adding complexity to the password, including symbols, numbers, and a mix of uppercase and lowercase letters, further enhances its strength and makes it even more difficult to crack. 

 

Embrace passphrases: Unfortunately, highly complex passwords are hard to remember and bothersome for the average person to implement. So, any rules that require their usage will likely be ignored or avoided.

But there is another option: passphrases.

 

Tools are also available that will give a general idea of whether a password is strong or weak. While results differ depending on which tool is used, one common denominator is that passphrases make a difference.

 

Phrases like "GoodLuckGuessingThisPassword" or "itstheendoftheworldasiknowitandifeelfine" are extremely difficult to hack and, even better, are easy to remember even if they lack special characters.

 

Frequent password changes: It is crucial to change passwords regularly, typically every 60 to 90 days, depending on the sensitivity of the account. This practice helps prevent unauthorized access, especially if a password has been compromised. It is essential to avoid using the same password across multiple accounts to ensure maximum security. 

 

Implement salt and hash: IT administrators should utilize unique and random "salts" when hashing stored passwords. These salts, which are random pieces of data combined with each password before the hash is calculated, add an extra layer of security to password storage. 

 

Strong password policies: Password policies are of utmost importance but are often underutilized. Windows' complex policies, for example, may not consider the context of a password, such as identifiers related to the company, its products, or the local area. Implementing custom password policies can address this issue and enhance overall security, especially in environments like Active Directory. 

 

Conduct password audits: Companies should regularly perform password audits to identify weak links within their systems. Attackers often target non-tech-savvy users, making them vulnerable points of entry. Companies can enhance their overall security posture by identifying and addressing these weak links. 
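An added sketch (not from the article or any Trustwave tool) of the custom, context-aware policy described above: a check run when a password is set that rejects company, product, or local identifiers even when the password satisfies a complexity rule. The context terms, the simplified complexity rule, and all function names are assumptions for the example.

```python
import re

# Constructed context list for a hypothetical company, product and town.
CONTEXT_TERMS = ["examplecorp", "widgetpro", "springfield"]

# Common character substitutions folded back to letters. Ambiguous ones
# (for example "1" as "i" or "l") are resolved one way in this sketch.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def meets_basic_complexity(password: str, min_length: int = 8) -> bool:
    """Simplified stand-in for a complexity rule: length plus 3 of 4 classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    used = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= min_length and used >= 3

def context_hits(password: str, terms=CONTEXT_TERMS) -> list:
    """Return context terms found in the password, with or without leetspeak."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)                   # letters only
    folded = re.sub(r"[^a-z]", "", lowered.translate(LEET))  # substitutions undone
    return sorted(t for t in terms if t in plain or t in folded)

def check_password(password: str, terms=CONTEXT_TERMS) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_basic_complexity(password):
        reasons.append("fails complexity rule")
    hits = context_hits(password, terms)
    if hits:
        reasons.append("contains context term: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    # Constructed candidates: the first two pass complexity but embed context.
    for pw in ("ExampleCorp2023!", "Widg3tPr0#1", "Tr4vel-Lantern-Quilt-88"):
        print(pw, "->", check_password(pw) or "accepted")
```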

 

Consider two-factor authentication: Two-factor authentication provides an additional layer of defense by requiring a second form of verification alongside passwords. This technology, such as tokens or codes sent to a user's phone, acts as a reliable safeguard even if the password is compromised. Incorporating two-factor authentication significantly enhances security.

 

Making It Twice as Hard 

 

Multi-factor authentication, sometimes called two-factor authentication or two-step verification, is a cybersecurity measure for an account that requires anyone logging in to prove their identity in multiple ways. Typically, you will enter your username and password, and then verify your identity some other way, such as with a fingerprint or by responding to a text message with a PIN code.

 

Using MFA adds an extra layer of protection to an online account, making it significantly harder for an attacker to gain access. It is recommended, and generally very easy, to enable MFA, particularly on accounts related to email, social media, and finances. Utilize authentication apps or hardware tokens for additional security.

 

How Trustwave Can Help

 

Organizations that lack the in-house ability to handle the tasks required to maintain security should consider partnering with a company with such expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.

 

While technologies like extended detection and response (XDR) and security information and event management (SIEM) can correlate data from various sources, help detect threats, and facilitate investigations, they miss some of the proactive security elements needed to stay secure in today's advanced threat landscape.  

 

Without the right expertise, organizations won't get the value out of these technologies that they desire. Likewise, a traditionally managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for their customers.

 
