User credentials of millions of users have been compromised over the years as a result of cyber incidents. Yahoo, LinkedIn, Facebook and eBay are just some of the breaches that are commonly known. There are millions of user names and passwords available on public forums as well as the deep and dark web for criminals to harvest and use, and the malicious attackers are using these credentials to see if they can login to an account and get a hold of customer information.
You can check whether an account has been compromised in some of the high profile breaches by entering an email address in www.haveibeenpwned.com.
Why should you care?
Malicious attackers are using the same approach to attack your organisation’s environment. If your employees have used their work email address and password for one of the large websites that has been compromised, attackers can use these credentials to attack your environment. An attacker could start by logging into the user’s email account, or some other company web portal, that is available to anyone over the Internet. From there, the attacker could try to perpetrate some type of financial fraud (i.e., having the money transferred to an account they control, or pretending to be the employee and changing direct deposit information). The attacker could also use the compromised credentials to remotely access your network and try to steal confidential data (e.g., payment card industry information, health information, personal information or other sensitive information).
Having confidential information compromised could translate into a financial loss for your organisation, potentially leading to privacy notifications causing reputational harm and regulatory investigations and legal proceedings. Alternatively, the attacker could launch a ransomware attack in your environment causing your organisation to cease operations, which could result in lost revenue, unsatisfied customers and potential penalties for not meeting deliverable deadlines.
You are the target
It is important to be aware that cyber events that are focused on users are varied and include attacks such as social engineering and phishing. The Office of the Australian Information Commissioner (OAIC) released a report which stated that 34% of data breaches between 1 April 2019 and 30 June 2019 were as a result of human error. Despite the everyday user generating the greater risk, most companies spend the vast majority of their time and resources on technical defences and not the human risks. The best cybersecurity risk strategies address both technical areas and user awareness and training.
What should you do?
There are several considerations and proactive steps that organisations can take to help prevent a cyber incident. While these proactive actions are a promising start, it is important to remember that attackers continue to develop new techniques to compromise systems and gain access to critical applications that may contain sensitive information.
To improve password policy on a technical level:
- Require a minimum password length of at least 12 characters and enable multifactor authentication for all remote access.
- Administrator passwords should be longer than basic user passwords; a minimum of 15 characters and enable multifactor authentication for all access.
- If possible, check new passwords against a list of compromised passwords and commonly used words to prevent the inclusion of easily guessable terms related to the user, such as the user’s user name, seasons, company name or locality, for example.
- Set a password lockout to lock an account for a period of time or until the IT Helpdesk unlocks it if the wrong password is entered after a set number of times (typically five). This can help slow down attempts to guess the password.
- Use contextual authentication to remove friction from the authentication process whilst also increasing security for higher-risk activities.
Include password security in employee security awareness training:
- Users should be encouraged to use passphrases instead of single-word, dictionary-based passwords.
- Passwords should not include easy-to-guess information, such as the company name, the season or year, or “password.” These weak passwords are easier to guess or crack, whereas long passphrases are much more difficult to compromise yet easier to remember.
- Additionally, users should avoid easily predictable and sequential patterns when they change their passwords. Users should also never reuse passwords, particularly when it comes to sharing a password between a standard user and an administrator account.
- Encourage the use of a password manager. Password managers can provide many benefits, such as generating long and complex passwords while maintaining usability with browser extensions and mobile apps to allow easy access. You only need to remember one strong password and can then have different passwords for each site/service/app.
Despite these proactive steps, attackers continue to develop new techniques to compromise accounts and get a hold of company data. No organisation is completely safe against cyberattacks, regardless of the efforts taken to be proactive in preventing an incident. The key is to stop an attack when it is merely a security incident and before it becomes a full-blown data breach.
Much to the delight of millions of adults and children, Disney+ was launched in Australia in November last year as a competitor to other video streaming entities including Netflix, Stan and Amazon Prime. However, not long after Disney+ launched, a number of user accounts were hijacked by malicious attackers. Newly created account information was changed so that the legitimate users no longer were able to access Disney+. It was not the ideal beginning for Disney when launching its new video streaming service.
For further assistance, please contact Darren Booth.
This article was adapted from an article published on the RSM US website on 3 December 2019.