Stupidity, Carelessness and the Consequences of Password Insecurity

Anthem. OPM. Sony. Target. Sally Beauty Supply. The Houston Astros.

Although these organizations differ greatly in terms of what they sell and who they serve, every one of them has in common the unfortunate fact that they made the news in the last year or so as a result of a data breach. The commonalities don’t end there, however, as each group also suffered their respective cybersecurity breach as a result (at least in part) of compromised credentials; that is, an outside bad actor stole the user name and/or password of an otherwise authorized network user(s).

“… the Cardinals investigation [ ] illustrates the risk of reusing passwords and having passwords that are shared among numerous employees.”
In the case of OPM (the United States Government’s Office of Personnel Management), agency director Katherine Archuleta testified in a Senate hearing that “passwords stolen from a contractor led to the [ ] breach.” (Source: TechTarget, “Stolen passwords to blame for OPM breach; director may take the fall,” by Michael Heller, June 25, 2015).

With Sally Beauty Supply, “the intruders gained access through a [ ] remote access portal set up for use by employees who needed access to company systems while on the road…The attackers somehow had login credentials of a district manager,” according to Blake Curlovic who was an application support analyst at the company. (Source: Krebs on Security, “Deconstructing the 2014 Sally Beauty Breach,” by Brian Krebs, May 17, 2015).

U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony’s computer system, while hackers were able to somehow obtain the access credentials to an Anthem database, stealing the credentials of five different technical employees during their attack on the insurer. (Sources: CNN, “Investigators think hackers stole Sony passwords,” by Pamela Brown, Jim Sciutto, Evan Perez, Jim Acosta and Eric Bradner, December 19, 2014; and the DuoSecurity Blog, “Four Years Later, Anthem Breached Again: Hackers Stole Credentials,” by Thu Pham, February 9, 2015).

“Sony execs [ ] hid their most sensitive password data under the label ‘Passwords.’”

In short, poor password and credentialing practice is one of the biggest drivers of the current data breach epidemic, and it’s been this way for some time now. In 2013, Verizon reported that, “about 76% of network intrusions involved weak credentials.” (Source: InformationWeek DARKReading, “The Eight Most Common Causes Of Data Breaches,” May 22, 2013). And Idan Tendler, head of Fortscale, said, “It’s really no surprise that the OPM breach was traced back to a compromised credential as this is the case in nearly 80% of the breaches we have seen [ ].” (Source: TechTarget; emphasis added).

The reality is that some of these attacks aren’t even that sophisticated, but instead rely on behavior that you’d be hard pressed to characterize as anything other than outright stupidity. In the case of Sony, for example, the company actually maintained thousands of passwords on its servers in a file folder named “passwords.” (Source: Gizmodo, “Sony Kept Thousands of Passwords in a Folder Named ‘Password’,” by Ashley Feinberg, December 4, 2014).

The Sally Beauty attack? Remember the district manager whose credentials were compromised? Apparently his username and password were taped to the front of his laptop so he could remember them. (Source: Krebs).

As companies begin to realize the true risks associated with data breaches and insecure networks, these examples and many others teach an important lesson: security and protection often begin (and sometimes end) with the simplest of things, such as having and abiding by a good password policy. There are many “secrets,” tips, and other suggestions out there to make this happen, but check out Trustwave’s blog post last month (“7 Pro Tips for Bulking up Password Security”) for some good suggestions and a good place to start. Password security can be a strength of your organization if you let it – like most things, it just takes some time and commitment to get it right.

Failure, Weakness & Neglect: 3 Lessons for the Private Sector from the OPM Cybersecurity Breach

Imagine for the moment that one of your key employees – in charge of customer accounts – has an affair with a staffer at the company. He’s married; the affair is discovered at the company, but his wife doesn’t find out, and the decision is made to discipline the employee but keep him on board. The company’s HR department investigates the matter and documents it in its files, per company policy. The case is closed and everyone moves on.

“Inertia, a lack of internal expertise, and a decade of neglect at OPM led to breach.”

Now imagine a few months later the company is hacked and its network – HR files included – is exposed. Weeks later your employee gets an anonymous email threatening to expose the affair to his wife – sordid details included – unless he sabotages the company’s response to a $50 million RFP to the benefit of a competitor.

This type of blackmail (or the potential for it) is but one of the many problems now facing the federal government and more than four million of its current and former employees following what’s been called the “biggest government hack ever,” a cybersecurity breach of the Office of Personnel Management (“OPM”), the federal government’s HR department. (Sources: “Federal Government Suffers Massive Hacking Attack,” Ken Dilanian and Ricardo Alonso-Zaldivar, June 4, 2015; “Why the ‘biggest government hack ever’ got past the feds,” by Sean Gallagher, June 8, 2015.)

News of the OPM breach, discovered in April, broke just last month, but already important details have surfaced which provide valuable lessons for the private sector. Following are three of those lessons, which can help companies find higher levels of security in an increasingly less secure world:

Lesson No. 1 – Keep pace with the threats.

According to Gallagher’s article, the intrusion detection system used by the federal government known as Einstein, “…was originally based on [ ] technology first deployed over a decade ago…the traffic flow analysis and signature detection capabilities of Einstein [ ], appears to be incapable of catching the sort of tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks.” (emphasis added).

Companies must have an ongoing information security program that constantly works to identify and defend against the latest threats that are specific to the company.

Lesson No. 2 – Know your readiness level, act accordingly.

“OPM’s security practices were labelled as a ‘material weakness’ by the OPM Inspector General’s (IG) office as far back as 2007. A November 2014 report upgraded the IG’s evaluation to merely a ‘significant deficiency,’ but that was before a hack of contractor KeyPoint Government Solutions was discovered in 2014.”

Only when you know what cyber-threats and risks your company faces, and what your capabilities are in the face of those threats, can you develop and implement a successful defensive posture.

“The OPM had no IT security staff until 2013, and it showed.”

Lesson No. 3 – Invest in command-level, on-site information security resources.

“Until 2013, [OPM] had no internal IT staff with ‘professional IT security experience and certifications.’ By November of 2014, seven such professionals had been hired and four more were in the pipeline. But only a fraction of the agency’s systems had been brought under the control of a central IT security organization.”

Cybersecurity is not “an IT function.” It must be a command-level priority of leadership that is pervasive throughout the organization. Companies need to recruit top-level information security talent and give them the internal authority to collaborate towards a more secure environment.

In short, the OPM failures, weaknesses and neglect provide a compelling story for those willing to listen. Companies that understand the relevant threats, arm themselves with the right high-powered resources and commit to a cyber-secure mission will be the organizations that succeed and distinguish themselves in the marketplace.