MS Risk Blog

Password Security In A Corporate Environment

Posted in Cyber

Many companies use passwords to allow employees access to sensitive material, yet to many cyber security experts, passwords are a relic of the past, stemming from a time when individuals used passwords to access email and the rare e-commerce site. Today, the internet has made computers hyper-connected: many sites require password authentication, and more information belonging to individuals and corporations is stored in “The Cloud”. The constant use of passwords is a double-edged sword. First, it causes individuals to make critical mistakes in creating passwords, either through over-simplification or through creating over-complex and forgettable passwords which cost company time in retrieval and/or resetting. Second, many corporations have been lulled into a false sense of security by allowing one-factor access to secure information. To a malicious hacker or a corporate espionage actor, these vulnerabilities make it easy to access critical information.

How Hackers Hack

Hackers access corporate information in a number of ways. The first, and simplest, is guesswork. Individuals who use passwords to access many sites tend to become lazy in creating passwords. In 2012, the number one password used around the world was “password”, followed by “123456”. Hackers can often guess simpler passwords, or use “password dumps”: web pages dedicated to passwords uncovered by other hackers. In addition, automated password cracking programs simplify the process of cracking common passwords, even incorporating common numeric substitutions (e.g. pa55w0rd). Many people also tend to reuse passwords for multiple access points, so it is common that a user will create a password in their personal life and then use it in their corporate environment as well. If a malicious user gains access to an individual’s private password, the likelihood increases that they can use the same password to gain access to a corporate environment.

Hackers also gain access to passwords through “phishing”, by which they create websites or emails which look almost identical to those of existing companies, such as banks or email providers, and ask users to submit login information. Regardless of how complex a password is, its strength is useless when it is freely given through these methods. If a hacker has access to a personal account, they may “lurk”, that is, read the emails a person receives to identify their banks and banking habits, place of business, social connections, and even “electronic mannerisms” such as how the person “speaks” online. By watching email transactions, a hacker can easily emulate the person to gain access to other parts of their life, such as sending messages to an accountant or a client asking them to redirect funds or to use a “new” email address, so as to go unnoticed.

In addition, hackers can gain passwords using malware: malicious programs which sit undetected on one computer and send data to another, for example by logging keystrokes or activating a web camera. A report from 2011 indicated that malware was responsible for almost 70% of data breaches. Malware is particularly vicious because it targets large groups or corporations, gaining access to entire systems rather than single individuals.

Finally, an emerging trend that hackers can take advantage of is called “socialing”. Because most individuals use one or two email accounts to access banking, e-commerce, social networks and other sites, gaining access to one can easily allow a hacker to gain access to the others. For example, if a hacker has an e-mail username and password, they may attempt to use it on an e-commerce site, such as Amazon, which stores credit card information. If the password doesn’t work, they can click “Forgot Password?” and answer a few personal questions, which are often accessible through a Google search or by looking through the hacked email account. The reset email arrives, the hacker deletes it, immediately logs onto the e-commerce site and changes the account’s email address to one under his control. Now the hacker has access to the victim’s banking information and home address. The hacker then uses this information to gain access to other data, including tax and benefits numbers, and can infringe upon a person’s work and private life.

Increasing corporate password security

Because passwords are still the most common and critical entry point into most businesses, steps should be taken to increase security wherever possible.

Strong Passwords: First, and most critical, encourage staff to come up with strong passwords, with a minimum of eight characters, and check them through a password strength estimator, which estimates how easily the password could be guessed and can be found using a simple Google search. Using such a tool, one can see that a password such as “12345678” has a strength of 4%.

To generate a strong password, it is beneficial to think of a favourite saying or line from a book, use the first letter of each word, and then replace certain letters with capital letters or numbers. For example, “It was the best of times, it was the worst of times”

first becomes: iwtbotiwtwot (3% strength)

then becomes: Iwtb0t1wtw0t (93% strength)

Another option is to create random phrases with mixed characters where possible, such as “nine-happy_dolphins_ate?” (85% strength).

Most importantly, discourage use of passwords which individuals use in other parts of their lives, and discourage password re-use as passwords expire. Many companies are opting for longer periods between password expirations to prevent people from changing only one portion of their password (for example, from “password1” to “password2”). Stronger passwords and longer expiration periods can minimize the risk of password apathy.
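The advice in this section can be expressed as checks a self-service reset page runs before accepting a new password. The following Python is an added example, not code from the MS Risk post: it encodes the eight-character minimum, rejects the common passwords named above even after the numeric substitutions cracking tools try (“pa55w0rd”), rejects sequences such as “12345678”, and rejects a change that alters only one portion of the old password (“password1” to “password2”). The word list, the substitution table and the two-edit threshold are constructed for illustration; the percentage scores quoted above come from the post’s unnamed estimator and are not reproduced here.

```python
"""Password-policy checks for a corporate password-change flow.

Added example (not from the MS Risk post). Encodes the post's advice as checks
a helpdesk or self-service reset page could run before accepting a new
password. The word list and substitution table are constructed for
illustration; a real deployment would use a full breached-password list.
"""
import re

# Constructed: a few of the most common passwords (the post names "password" and "123456").
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}

# Substitutions cracking tools routinely undo (the post's "pa55w0rd" example).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8  # the post's recommended minimum


def stem(password):
    """Strip leading/trailing digits and symbols, then undo substitutions:
    'Pa55w0rd1' -> 'password', so 'password1' and 'password2' share a stem."""
    lower = password.lower()
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", lower).translate(LEET_MAP)


def variants(password):
    """Forms a cracking tool would try: lower-cased, de-leeted, and stemmed."""
    lower = password.lower()
    return {lower, lower.translate(LEET_MAP), stem(password)}


def edit_distance(a, b):
    """Levenshtein distance; a small value means one string is a minor edit of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_sequence(password):
    """True for runs like '12345678', 'abcdefgh' or 'aaaaaaaa' (constant step of -1, 0 or 1)."""
    if len(password) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def is_trivial_variation(new, old):
    """Reuse check: same stem once digits/symbols are stripped, or within two edits of the old one."""
    same_stem = stem(new) != "" and stem(new) == stem(old)
    return same_stem or edit_distance(new.lower(), old.lower()) <= 2


def check_password(candidate, previous=None):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if variants(candidate) & COMMON_PASSWORDS:
        failures.append("common password (after undoing digit/symbol substitutions)")
    if is_sequence(candidate):
        failures.append("sequential or repeated characters")
    if previous is not None and is_trivial_variation(candidate, previous):
        failures.append("trivial variation of the previous password")
    return failures


if __name__ == "__main__":
    # The post's own examples plus a constructed previous-password case.
    for new, old in [("12345678", None), ("Pa55w0rd", None), ("password2", "password1"),
                     ("Iwtb0t1wtw0t", None), ("nine-happy_dolphins_ate?", None)]:
        verdict = check_password(new, old)
        print(f"{new!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run it directly to see a verdict for each of the post’s own examples. In production the common-password set would be a full breached-password list and the previous-password comparison would run against the user’s stored history rather than a single entry, but the shape of the checks is the same.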

Malware and Phishing Awareness: Again, a password is meaningless when it is given freely. Corporations are increasingly educating employees on how to identify and authenticate legitimate e-mails and websites, encouraging staff to contact the company in question if the information looks suspicious. Organizations should invest in anti-virus programs which update regularly as new viruses are introduced into the cyber-world, and check digital certificates (the fingerprints of an incoming piece of data) to see if they are associated with existing malware.

Multi-factor IDs: Earlier this week, social media site Twitter announced a new two-factor identification system following a system-wide hack which compromised the information of over 250,000 users. Increasingly, corporations use multi-factor identification to allow employees access to protected information. Users supply their chosen password, and then either receive an SMS message to their phone which provides the secondary password, or enter a password from a physical token (some of which also require a code for authentication, creating a three-factor ID). The multi-factor method adds an additional layer of security, and alerts true owners to attempts to intrude upon an account.
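The post describes the token step only in outline. The following Python is an added example, not code from the post or from any vendor it mentions: it assumes the physical token implements HOTP (RFC 4226), the event-based one-time-code algorithm used by many OATH tokens, and shows what the server does with the code the user types after their password, including the counter bookkeeping that stops an intercepted code from being replayed. The secret is the RFC 4226 test vector; real tokens are provisioned with a random per-device secret.

```python
"""Server-side verification of a one-time code from a hardware token.

Added example, not from the MS Risk post. The post describes tokens only
generically; this block assumes the token implements HOTP (RFC 4226), the
event-based algorithm many OATH tokens use, and keeps a per-user counter so
that a code, once accepted, cannot be replayed.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret; a real deployment provisions a random per-token secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Holds each user's token secret and the next counter value the server will accept."""

    def __init__(self, look_ahead=5):
        # Tolerate a few button presses whose codes never reached the server (assumed window).
        self.look_ahead = look_ahead
        self.tokens = {}  # user -> [secret, next_counter]

    def enroll(self, user, secret):
        self.tokens[user] = [secret, 0]

    def verify(self, user, code):
        """Accept the code if it matches one of the next `look_ahead` counters, then advance past it.

        Advancing the counter burns the accepted code and any earlier ones, so a
        code captured over the shoulder or from an SMS cannot be presented twice."""
        if user not in self.tokens:
            return False
        secret, counter = self.tokens[user]
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.tokens[user][1] = c + 1
                return True
        return False


if __name__ == "__main__":
    server = TokenVerifier()
    server.enroll("alice", TEST_SECRET)
    first = hotp(TEST_SECRET, 0)               # what the token displays on its first press
    print("first code accepted:", server.verify("alice", first))   # True
    print("same code replayed:", server.verify("alice", first))    # False
```

The second `verify` call fails because the server has already moved past counter 0; this is the property that makes a token code safer than a static password even when an attacker sees it once. Time-based tokens (TOTP) replace the counter with the current 30-second interval but otherwise verify the same way.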

Biometrics: Biometrics, such as fingerprint or voice scans, seem like the best possible protection for corporate integrity. However, the technique has not yet been perfected, and is considerably pricey. If biometrics are used as a one-factor system, they are easily replicated: fingerprints can be lifted, or voices can be recorded, particularly if one is speaking into such a system in a public location, such as a library or coffee-shop. In the future, biometrics may become one component of a multi-factor verification system, but at present they are not feasible for many organizations.

White-Hat Hackers: In cyber-slang, a white-hat hacker is one of the “good guys”. Often, companies will hire white-hat hackers to expose weaknesses in cyber security systems, and suggest or provide remedies before those weaknesses are exploited by black-hat hackers, who use the weaknesses for malicious purposes.

Monitor Abnormalities: The best protection is vigilance, specifically, identifying access attempts that are outside of normal business processes. For example, Internet Service Providers identify the location from which a user attempts to access a secure site. Be wary if a user, known to be in London, is logging in from Boston or Singapore. In addition, if a user is given a company phone or computer, identify whether that user is attempting to log in from a non-registered device.
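The two checks described here, a login from an unregistered device and a login from a location the user could not plausibly have reached since their last one, can be run over the sign-in log. The following Python is an added example, not code from the post: the sign-in events, the device registry, the city coordinates and the 900 km/h travel threshold are all constructed for illustration, and a real deployment would read the first two from the identity provider and the asset inventory.

```python
"""Flag logins outside normal patterns: unregistered devices and implausible travel.

Added example (not from the MS Risk post). The events, device registry, city
coordinates and speed threshold are constructed; a real deployment would read
events from the identity provider's sign-in log and devices from inventory.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed registry: devices issued to each user (the post's "company phone or computer").
REGISTERED_DEVICES = {
    "alice": {"LAPTOP-A01"},
    "bob": {"LAPTOP-B07", "PHONE-B07"},
}

# Constructed coordinates for the locations used in the sample events.
CITY_COORDS = {
    "London": (51.5074, -0.1278),
    "Boston": (42.3601, -71.0589),
    "Singapore": (1.3521, 103.8198),
}

# Assumed threshold: faster than an airliner means two logins cannot both be the user.
MAX_TRAVEL_KMH = 900.0

# Constructed sample sign-in log: (timestamp, user, city, device id).
SAMPLE_EVENTS = [
    ("2013-05-20T08:55:00", "alice", "London", "LAPTOP-A01"),
    ("2013-05-20T10:30:00", "alice", "Boston", "LAPTOP-A01"),
    ("2013-05-20T09:10:00", "bob", "London", "LAPTOP-B07"),
    ("2013-05-20T09:40:00", "bob", "London", "UNKNOWN-DEVICE"),
    ("2013-05-21T09:00:00", "bob", "Singapore", "PHONE-B07"),
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_anomalies(events, registry=REGISTERED_DEVICES, coords=CITY_COORDS):
    """Return (user, timestamp, reason) tuples for logins that break the user's normal pattern."""
    alerts = []
    last_seen = {}  # user -> (datetime, city) of the most recent login processed
    for ts, user, city, device in sorted(events):
        when = datetime.fromisoformat(ts)
        # Check 1: is this one of the devices issued to the user?
        if device not in registry.get(user, set()):
            alerts.append((user, ts, f"login from unregistered device {device}"))
        # Check 2: could the user have travelled from the previous login's city in time?
        if user in last_seen:
            prev_when, prev_city = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(coords[prev_city], coords[city])
            if km > 0 and (hours <= 0 or km / hours > MAX_TRAVEL_KMH):
                alerts.append((user, ts, f"{prev_city} -> {city} ({km:.0f} km) within {hours:.1f} h"))
        last_seen[user] = (when, city)
    return alerts


if __name__ == "__main__":
    for user, ts, reason in detect_anomalies(SAMPLE_EVENTS):
        print(f"{ts} {user}: {reason}")
```

On the constructed log this produces two alerts: bob’s login from an unregistered device, and alice appearing in Boston ninety-five minutes after logging in from London. Bob’s Singapore login the next day is not flagged, because a day is enough time to make that trip; the speed check is what separates travel from account misuse, rather than treating every new city as suspicious.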

As hackers become increasingly efficient, individuals and corporations struggle to find the balance between convenience and privacy. While multi-factor systems are on the rise, it is important to avoid making them cumbersome or inaccessible. Cyber experts are constantly working to deliver a system that covers the new areas of cyberspace that corporations venture into. Cyber-awareness and education ensure that your company is abreast of the latest technology in online security.
