Why Passwords Suck- And What You Can Do About It!

ZeroDayLab's Cyber Security Specialist, Stuart Peck, considers the recent LinkedIn breach, passwords & security awareness.

So here I go with another article on how the Password is dead, one of 3,000+ of the same title this week, well not quite.

As with all publication of password dumps, especially high profile ones such as the LinkedIn one that resurfaced this week, (and probably one that LinkedIn wish had stayed firmly in the past), is that every security commentator, journalist or security researcher uses the event as a springboard to comment on how rubbish everyone is creating a strong password.  

And before I make my case I want to admit something, in 2012 my password was not very good, it had 10 characters, an upper-case, and numbers- but was not what I consider to strong by today's standards. But the password was changed on a regular basis, usually every 6 weeks, which is why I was not so worried about the original breach. 

Why Passwords Suck:Passwords can suck for many reasons- but these are my top 4 below. They are usually based upon a word, which can be guessed or extracted through social engineering:

Password123, 123456 (750,000 used this on LinkedIn), qwerty- seriously?!

Stored passwords are usually encrypted- but not salted which means they can be cracked easily by hackers using tools like Hashcat or John The Ripper. With so many accounts, passwords are mostly re-used even though everyone knows they shouldn't! 

In general passwords can be the weakest link in security, with most company security policy for passwords still being 8 characters, upper-case, special characters etc. which doesn't provide much protection from today's threats. 

This is becoming more of an issue with techniques used by attackers to crack or guess passwords, through a combination of social engineering and hash cracking tools. Furthermore, in a recent client project we were able to successfully crack 100% of 6 million hashed (MD5, SHA1, SHA256 etc), passwords 1.95 seconds.

What I am getting at here is not that passwords suck, but users suck at creating them, and have done so since the beginning of time, and companies that have a responsibility to protect users/customers information are still not hashing ANDsalting stored passwords! 

How Not To Suck At Passwords...Every security professional worth their salt will have a tried and tested method for generating a strong password, there are a few techniques that I train attendees in our cyber security awareness programs, with the most effective being:

“The only mistake in life is the lesson not learnt” – Albert Einstein

 1) Don't use a password but a passphraseThe most effective ways of generating a strong password that I use, is to use physical items from different locations in the office or home office, mixed up with special characters and most important multiple spaces generally more than 2-4 between each word.

An example could be: "5M!nt   20P%nce    RedLoung£   24_05.16"

Another good example of a passphrase could be an important date/event- but please not wedding, birth of child, or birthday of anyone you know! 

"B3st   Pr£nt4ti>n   Ev5r   25,,05..16"

2) If passphrase is too difficult then use a password vaultIf the prospect of creating a passphrase for every account fills you with dread then the best option may be one of the many password vaults. The benefit of password vaults is the ability to generate a strong and completely random password/phrase for all of your personal accounts, but make sure the master passphrase adopts the strong principles in point 1.

These tools do provide a good option for securing personal accounts but lack the ability to deal with complex systems within the enterprise, tools such as Lieberman Software will provide the scalability to deal not only with complex privilege account but provide protection from attacks such as pass the hash or exposure from password cracking tools such as Hashcat. 

3) 2FA (2 factor Authentication), everything! And finally use two step verification and 2FA for every account, everywhere, this will make it very difficult (not impossible), for hackers to access your account and also change your password.  

In fact Google is working on removing passwords altogether from Android devices through their Trust API by 2017, using biometric data and such as typing pattern, location and facial recognition. If this works maybe this is the start of, ahem, "the death of the password", until then, follow the above and you'll reduce the exposure of any potential attempted hack, and will make it more difficult for potential threat actors.

Top 10 Considerations for Effective Security Awareness (Part 1)

Security, The Risk of Human Error...& a Tricky Thing Called Motivation…

Top 10 Considerations for Truly Effective Security Awareness Training

Even though 52% of breaches are attributed to human error, security awareness is still quite a new thing for many companies.  Well, not that new, there are plenty of induction packs with sections on data protection responsibilities and if you are lucky, a presentation or webinar.  However, we all know the threat environment is looming ever-larger and darker, worse still, it’s constantly changing; so how do you keep your employees not only knowledgeable about the risks presented each day at their keyboards but also motivated enough to identify them and to take action?

The reality is that every organisation and its requirements are different.  Whilst there are key elements, such as phishing campaigns, that should be included as standard to measure and educate security awareness; an effective strategy needs to tick additional boxes to create a true change in 

security behaviour.

1 Test & Benchmark

Before you commence security awareness training; find out the truth!  I’m afraid you might be shocked, most companies are.  Common click-through rates from phishing programmes we have delivered for clients have seen click-through-rates achieve up to 30+%.  When you consider that it can take less than 30 minutes for a threat to establish itself on your network, just one click could seriously jeopardise your security. 

If the result is the kind of click-through-rates a Marketing Manager would die for, you would be forgiven for thinking, ‘Well, what’s the point in testing if it’s likely the so many staff will fall for it?  I know we have a problem.’  The benefits of a phishing test are not just confined to identifying problems and benchmarking for improvement.  Utilising the results of an actual, live example which the trainees received and many of them clicked on, resonates with staff far more than giving generalised real world examples because they experienced it.  It really could happen to them.  Human behaviour is such that an individual never wants to jeopardise the tribe, nor do they want to be the fool.

2 Elements of Testing – It’s Not Just About Phishing!

There are certain key components to security awareness testing and training which should form part of a successful campaign but it is their mode of delivery that makes the difference.  Successful campaigns will involve personalising that message to your company.  This is not about just raising click-through-rates for your security company to report to you; this is exactly what the cyber criminal will do.  They know, that on the other side of the computer is a person that is ultimately motivated by self-interest.  The most effective spear-phishing campaigns carefully target their prey and learn about them.  They will create fake websites and branded emails and they will learn the name of the manager in the purchasing department that they want to send their malware-laden ‘invoice’ to.  Effective testing and training involves activating your staff’s self-interest button; coffee and gym vouchers, for example, have been popular tactics used to test employee resilience.

On a similar note, cyber criminals will exploit another human trait.  Trust. Consider the wider possibilities for breach, over-and-above email.  Digital social engineering is an obvious culprit but what about physical social engineering?  Security awareness also comes down to what information is given out over the phone but also who is allowed into the building.  How often do you check a staff badge closely, or allow someone to follow you through a secure door? 

3  Timing

Consistency is the key to security awareness.  Companies undertaking security awareness training once at induction will not succeed in raising levels of awareness and staff security. A message delivered once, and in the fog of a lot of other information, will be lost. The biggest brands know it, they repeat their message again and again until people at first recognise their message and then respond.  Involve HR & Training and Internal Communications to enable a consistent programme of messaging and to keep the profile of security awareness high within the business.  This is particularly important where there is high staff turnover and large customer support departments.  The most effective programmes review and re-visit their training programmes on a regular basis.

4  Training Methods

We have already mentioned how ‘real world’ examples drive greater awareness and engagement by using results from phishing resilience tests.  Again, depending on the structure of the company, different methods might be more effective, or quicker, with large numbers of people.  Interactive seminars and/or computer-based training are at their best when followed up by internal marketing programmes and access to further information covering topics such as how to identify phishing, or what information not to give out over the phone. Additionally, security awareness training may need to be adjusted in line with the job role, e.g. customer services or accounts as opposed to shop floor.

5 Who Holds the Keys to the Kingdom? – Why Top-Down Training is Essential

Just who does hold the keys to your kingdom? Spear-phishing is targeted.  Board Members, Senior Managers and their PAs are just as vulnerable as the sales office, in some cases, more so.  Top-down training instils a security-orientated culture benefiting not only the business but also its customers. 

Next week: check back for Considerations 6-10 !

EU GDPR - Now Data Privacy & Protection is More Than an IT Issue

Nick Prescot, Senior Information Security Manager

For many in the Infosec industry, this piece of EU legislation has been relatively warmly met and unlike the farming and the fishing industry, there haven't been large groups of Infosec people walking the streets of Whitehall in protest against EU legislation. There is little doubt that this is a 'game changer' in what it means to keep 3rd party safe. Not only will the data processor have the same obligations as the data controller but there are now fines that warrant the attention of the board.

Before the EU GDPR, the old data protection act meant that you could be fined up to £500k; from 25th Mary 2018 it will be up to 4% of global turnover. Everyone that I have talked to has been receiving this news with some mixed emotion, some see it as more budget others see it 'as yet another piece of EU red tape.' Not only this, but there is the requirement of Data breach notification. Whilst it is not compulsory, it will be questioned by the investigation authority why you didn't disclose the breach in good time. This somewhat reminds me of Rory Bremner's sketch of Michael Howard along the lines of, ' you don't have to tell anyone of a breach, but you'd be very brave to keep that quiet wouldn't you. I would tell people about the breach, but I'm not you am I?'

There is also the integrity issue of knowing where your PII data is because EU citizens will be able to ask where the data is and how it has been processed. This will be an interesting conundrum for Data Managers when they are dealing with structured and unstructured data. This will be another sea change in the way in which personal data is stored. 

The next big question that will be pondered amongst the businesses, is how to be compliant with the EU GDPR; mainly on the premise that if you're PCI DSS compliant then everything must be ok. Unfortunately, the PCI DSS hangover will mean that meeting the requirements of the EU GDPR is not a binary issue in the sense of you cannot be compliant or not compliant; the regulation expects processors of personal data to have a reasonable, proportionate and appropriate set of information security controls along with a regular process of conducting 'privacy impact assessments'. This means that companies will need to have a framework of information security controls in place that are regularly enforced. Naturally, for the cyber geeks amongst us ISO27001 will spring to mind but there are other industry best practice frameworks such as CoBIT and the ISF Standard of Good Practice. Once the framework is in place, it then needs to be monitored, enforced and measured as being in place. With this all being well, you won't have a problem but the $64,000 question is,  when there are breaches and companies negotiate themselves from a 4% fine to a 1% fine because they have all the controls in place, the right data breach notification plans in place and it was just bad luck that they were breached.

Until this is proved, I'm sure that you'll agree with the assumption that data privacy and protection is no longer just an IT issue but a business systems issue that requires focus, attention and a mitigation of risks from all areas of the business.

EU-GDPR Finally Becomes A Reality

EU-GDPR Finally Becomes a Reality - 

But Will We End Up Running in Circles?

Notification within 72 Hours

Fines of up to 4% Global Turnover

Recent research by our solution partners, FireEye, surveying companies in the UK, France and Germany revealed that there is quite a way to go for companies to adequately meet the required measures of EU GDPR and NIST.

Now that the limbo is over, their research shows that only 20% of companies surveyed would have all measures in place to comply with the new standard.  Happily, 44% are reported as having most measures in place but this still means there is some considerable work to do and challenges to be overcome.

Strategy, Planning & Implementation

Out of the key challenges expected by these companies, as identified by the research, those most cited were new hardware and software implementation (23%) and of course the implementation costs associated with this (23%).  However, next on the list was policy complexity (18%) and sourcing sufficient expertise (12%).  It is clear, that with a short timeframe of 2 years for infrastructure and policy implementation, that companies need to start their journey to compliance now.  

72 Hour Notification Requirements: Interestingly, companies surveyed felt that the incident reporting timeframe was the least of their worries, notching up a nominal 5%. With all the frameworks in place, all companies will be on a level playing field regarding this requirement.  This simply needs judicious planning in the event of a breach to reduce its impact on your corporation. 

From our experience of clients already endeavouring to align with NIST and EU-GDPR, this is a complex and often lenghty process, particularly in terms of policy  and procedure alignment across multiple nations - and not just within the EU. For international companies seeking to sell into EU member states, the same policies will still apply.  

What do you think?

What is your greatest concern regarding the introduction of EU GDPR?

Budget

Infrastructure Requirements

Specialist Skillsets

Policy Alignment

Incident Management

Vote Here!

EU GDPR Key Facts  - View the Infographic here