Anthem. OPM. Sony. Target. Sally Beauty Supply. The Houston Astros.
Although these organizations differ greatly in terms of what they sell and who they serve, every one of them has in common the unfortunate fact that they made the news in the last year or so as a result of a data breach. The commonalities don’t end there, however, as each group also suffered their respective cybersecurity breach as a result (at least in part) of compromised credentials; that is, an outside bad actor stole the user name and/or password of an otherwise authorized network user(s).
In the case of OPM (the United States Government’s Office of Personnel Management), agency director Katherine Archuleta testified in a Senate hearing that “passwords stolen from a contractor led to the [ ] breach.” (Source: TechTarget, Stolen passwords to blame for OPM breach; director may take the fall,” by Michael Heller, June 25, 2015).
With Sally Beauty Supply, “the intruders gained access through a [ ] remote access portal set up for use by employees who needed access to company systems while on the road…The attackers somehow had login credentials of a district manager,” according to Blake Curlovic who was an application support analyst at the company. (Source: Krebs on Security, “Deconstructing the 2014 Sally Beauty Breach,” by Brian Krebs, May 17, 2015).
U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony’s computer system, while hackers were able to somehow obtain the access credentials to an Anthem database, stealing the credentials of five different technical employees during their attack on the insurer. (Sources: CNN, “Investigators think hackers stole Sony passwords,” by By Pamela Brown, Jim Sciutto, Evan Perez, Jim Acosta and Eric Bradner, December 19, 2014; and, the DuoSecurity Blog, “Four Years Later, Anthem Breached Again: Hackers Stole Credentials,” by Thu Pham, February 9, 2015).
In short, poor password and credentialing practice is one of the biggest drivers of the current data breach epidemic, and it’s been this way for some time now. In 2013, Verizon reported that, “about 76% of network intrusions involved weak credentials.” (Source: InformationWeek DARKReading, “The Eight Most Common Causes Of Data Breaches,” May 22, 2013). And Idan Tendler, head of Fortscale, said, “It’s really no surprise that the OPM breach was traced back to a compromised credential as this is the case in nearly 80% of the breaches we have seen [ ].” (Source: TechTarget; emphasis added).
The reality is that some of these attacks aren’t even that sophisticated, but instead rely on behavior that you’d be hard pressed to characterize as anything other than outright stupidity. In the case of Sony, for example, the company actually maintained thousands of passwords on its servers in a file folder named “passwords.” (Source: Gizmodo, “Sony Kept Thousands of Passwords in a Folder Named “Password”,” by Ashley Feinberg, December 4, 2014).
The Sally Beauty attack? Remember the district manager whose credentials were compromised? Apparently his username and password were taped to the front of his laptop so he could remember them. (Source: Krebs).
As companies begin to realize the true risks associated with data breach and insecure cybernetworks, these examples and many others teach an important lesson: that security and protection often begin (and sometimes end) with the simplest of things, such as having and abiding by good password policy. There are many “secrets,” tips, and other suggestions out there to make this happen, but check out Trustwave’s blog post last month (“7 Pro Tips for Bulking up Password Security”) for some good suggestions and a good place to start. Password security can be a strength of your organization if you let it – like most things it just takes some time and commitment to get it right.