According to Gary Buck, CIO and author of the 18-page e-book “Safe and Secure: Passwords, Security, Privacy, and all that stuff”, “Vendors keep promising that passwords are a thing of the past. Apple and Samsung allow fingerprint recognition, Microsoft allow facial recognition in Windows 10. But we will need passwords for some time to come.” Unfortunately, Buck is right on this.
The problem is, as IDC UK Research Director Duncan Brown says, “Passwords are inherently insecure, because they are easily guessed or phished, and because they are stored in a file that can be stolen. Take for example, the cases of Sony Pictures and Ashley Madison.”
In fact, compromised passwords are the cause of many breaches that have been reported in the media in the last several years. Payment information on forty million customers was exposed when Target got hacked in 2013; personal emails and social security numbers were taken from Sony Pictures when they were hacked in 2014; and six hundred thousand Domino’s Pizza lovers risked having their pizza preferences revealed when Domino’s was hacked in 2014.
Granted, these three companies aren’t known for their high-tech prowess. But what’s more alarming is when organisations employing the world’s greatest engineers get hacked. Over six million LinkedIn accounts were compromised by Russian cyber-criminals in 2012; several celebrities were shocked when their Apple iCloud accounts were hacked and embarrassing photos revealed in 2014; and three million Adobe customers had ID, passwords, and credit card information compromised when Adobe was hacked in 2013.
But in the final analysis, it’s not so surprising that even high-tech companies suffer breaches. After all, the problem doesn’t always come down to a technical flaw. According to Kevin Mitnick, world-famous hacker and author of the best-selling book “The Art of Intrusion”, many IT directors spend a lot of time on things like password length and password aging, when they could gain much more by protecting against social engineering, which is the practice of manipulating people to get information from them.
Mitnick says that when he was a hacker he used a combination of about 50% technical tricks and about 50% social engineering to break into enterprise systems. Mitnick says that the scariest thing is that people who work in the IT department are often the weakest link.
Two examples of how hackers use social engineering are:
· Getting a hold of the corporate directory with phone numbers and indications of who reports to whom. With this information, a hacker can collect secrets through a series of phone calls and they can apply pressure based on organisational hierarchy.
· Phishing—for example, sending an email message asking the recipient to validate a password—is another common technique for getting people to provide information they wouldn’t otherwise divulge.
Another very simple and low-tech way Mitnick says hackers find passwords is by going into dumpsters to collect bits of paper with passwords scribbled on them. Users who have too many passwords to manage frequently resort to jotting them down on a piece of paper. Whether that paper is left lying around in a bar, or thrown in the trash bin, it still constitutes a vulnerability.
One simple trick to minimise the risk of a security breach is to encourage users to write down text and numbers to which they then apply an algorithm to get the password. For example, write down “AJ” to remind yourself of your friend Andrew Johnson. Follow that with “382920” to remind yourself to add the birthday of your friend Andrew Johnson to 382920 to get the real password.
Passwords will be with us for the next few years. So IT directors wishing to minimise the risk of security breaches might follow these words of advice:
· Establish a policy on user behaviour. Gartner analyst Ant Allan says that users must not disclose passwords to anyone—and users should never write down passwords. However, as mentioned above, you might encourage users to write down something to which they can apply an algorithm to get the password.
· Allow several login attempts—but not too many. Ant Allan says, “If unlimited login attempts are allowed, automated attacks can eventually discover a user’s password. However, if only one attempt is allowed, a legitimate user can be locked out as a result of a simple typo or some other honest error.”
· Use multi-factor authentication and biometrics where you can. IDC’s Duncan Brown recommends the following to UK IT directors: “Deploy multi-factor authentication that supplements—or better, replaces—passwords. One-time passcodes are an example, as is biometrics. Biometrics are becoming mainstream with fingerprint and facial recognition being built in to smartphones and PCs, respectively.”
· Don’t rely too much on password aging. According to Gartner analyst Ant Allan, “Password aging is widely advocated, but rarely worthwhile. It is essentially a stopgap for other missing controls. However, long-period aging may ameliorate residual risks.” Allan says that asking users to change passwords every 90 days or less is counterproductive. But asking them to change passwords every year “can still mitigate residual risks when other controls fail or are poorly implemented.”
· Protect your devices. Duncan Brown says, “Verizon state that 95% of web app incidents involve harvesting credentials stolen from customer devices, then logging in with them.” Make sure you employ device wipe and device lockdown strategies, and encrypt critical data on devices.
· Protect yourself from phishing. Duncan Brown says, “It might come as a surprise that phishing emails are opened by nearly one out of three recipients. CIOs should deploy anti-phishing strategies and training to reduce the effectiveness of this attack vector.”
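The advice above to allow several login attempts but not too many, as an added example that is not from the article or the analysts it quotes: a per-account limiter that tolerates a typo but locks the account temporarily once failures pile up. The class names, the limit of 5 failures, and the 15-minute window and lockout are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Lock an account for `lockout` seconds after `max_failures` failed
    logins inside a sliding `window` (all values are illustrative)."""

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> times of recent failures
        self._locked_until = {}              # account -> time the lockout ends

    def attempt(self, account, password_ok):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if now < self._locked_until.get(account, 0.0):
            return "locked"                  # guess is rejected without being checked
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
        return "denied"

class FakeClock:
    """Constructed clock so the demo runs instantly and deterministically."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

def demo():
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    # A legitimate user mistypes once, then logs in: no lockout.
    typo = [throttle.attempt("alice", False), throttle.attempt("alice", True)]
    # Automated guessing: 100 wrong guesses, one per second, against "bob".
    results = []
    for _ in range(100):
        results.append(throttle.attempt("bob", False))
        clock.now += 1
    clock.now += 900                         # lockout expires
    after = throttle.attempt("bob", True)    # the real owner can log in again
    return typo, results.count("denied"), results.count("locked"), after
```

Of the 100 automated guesses only 5 are ever checked against the password; the other 95 are refused outright. Because the counter is keyed on the account alone, anyone can trigger a lockout on purpose, which is why the lockout here is temporary rather than permanent.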