As 2023 Cybersecurity Awareness Month continues, let's look at a couple of the areas the Cybersecurity and Infrastructure Security Agency (CISA) and National Cybersecurity Alliance (NCSA) are focusing on this year.
“While passwords might not appear as formidable as some other advanced security measures or tools, a carefully crafted password can truly be the decisive factor in determining whether your data or your organization's remains exposed or protected,” said Trustwave SpiderLabs Director of EMEA Ed Williams.
Unfortunately, there is a very well-known example of what can happen with weak password hygiene and no MFA.
On May 6, 2021, an affiliate group associated with the REvil and Darkside ransomware-as-a-service gangs attacked Colonial Pipeline Co., forcing the company to halt operations, effectively blocking the flow of fuel, gasoline, and other petroleum products throughout large portions of the eastern U.S. for several days. The attacker used an exposed password from an unused VPN account that did not require multifactor authentication.
Once inside the network, the attacker's first move was to steal 100GB of data, including the PII of some employees, and then infect the Colonial Pipeline IT network with ransomware. The gang demanded and was paid a $4.4 million ransom, although a portion of this was recouped with the help of the FBI.
A strong password can be, but is not limited to, long, random, unique, and includes a combination of uppercase letters, lowercase letters, numbers, and symbols. Password managers are a helpful tool that can assist you in generating and storing strong and unique passwords for each of your accounts.
Enhance complexity: Trustwave researchers noted that a password consisting of only eight characters could be easily cracked in just one day using brute-force techniques. However, increasing the password length to ten characters significantly increases the cracking time by hundreds of days. Adding complexity to the password, including symbols, numbers, and a mix of uppercase and lowercase letters, further enhances its strength and makes it even more difficult to crack.
Embrace passphrases: Unfortunately, highly complex passwords are hard to remember and bug the average person to implement. So, any rules that require their usage will likely be ignored or avoided.
But there is another option. Passphrases.
Tools are also available that will give a general idea if a password is strong or weak. While results differ depending on which is used, one common denominator is passphrases make a difference.
Phrases like "GoodLuckGuessingThisPassword” or “itstheendoftheworldasiknowitandifeelfine," are extremely difficult to hack and, even better, are easy to remember even if it lacks special characters.
Frequent password changes: It is crucial to change passwords regularly, typically every 60 to 90 days, depending on the sensitivity of the account. This practice helps prevent unauthorized access, especially if a password has been compromised. It is essential to avoid using the same password across multiple accounts to ensure maximum security.
Implement salt and hash: IT administrators should utilize unique and random "salts" when hashing stored passwords. These salts, which are random pieces of data combined with each password before the hash is calculated, add an extra layer of security to password storage.
Strong password policies: Password policies are of utmost importance but are often underutilized. Windows' complex policies, for example, may not consider the context of a password, such as identifiers related to the company, its products, or the local area. Implementing custom password policies can address this issue and enhance overall security, especially in environments like Active Directory.
Conduct password audits: Companies should regularly perform password audits to identify weak links within their systems. Attackers often target non-tech-savvy users, making them vulnerable points of entry. Companies can enhance their overall security posture by identifying and addressing these weak links.
Consider two-factor authentication: Two-factor authentication provides an additional layer of defense by requiring a second form of verification alongside passwords. This technology, such as tokens or codes sent to a user's phone, acts as a reliable safeguard even if the password is compromised. Incorporating two-factor authentication significantly enhances security.
Multi-factor authentication, sometimes called two-factor authentication or two-step verification, is a cybersecurity measure for an account that requires anyone logging in to prove their identity multiple ways. Typically, you will enter your username, password, and then verify your identity some other way, like with a fingerprint or by responding to a text message with a PIN code.
Using MFA adds an extra layer of protection to an online account, making it significantly harder for an attacker to gain access. It is recommended, and generally very easy, to enable MFA, particularly those related to email, social media, and finances. Utilize authentication apps or hardware tokens for additional security.
Organizations that lack the in-house ability to handle these tasks required to maintain security should consider partnering with a company with such expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.
While technologies like extended detection and response (XDR) and security information and event management (SIEM) can correlate data from various sources, help detect threats, and facilitate investigations, they miss some of the proactive security elements needed to stay secure in today's advanced threat landscape.
Without the right expertise, organizations won't get the value out of these technologies that they desire. Likewise, a traditionally managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for their customers.