Passwords: The Most Basic Part of the Equation, Yet the Keys to the Kingdom.
Published February 24, 2022
By: Barry Miller
Passwords can be the weakest link in the chain. They are what hackers use to land and expand: gain access, then explore a network. It only takes one weak password to break the chain. For example, suppose your work email uses your Gmail account for password recovery. If a hacker gets hold of your Gmail password, they can see from previous emails that your work email is connected to it. They can use your Gmail account to reset your work email password, and then they have access to your work account. Thus a weak personal (non-work) password can still cause a work account to be compromised. Physical security is also a concern. People are notorious for putting post-it notes with passwords written on them under their keyboard or somewhere in a desk drawer. A cleaning crew, or anyone else with physical access to the office space, can get those passwords. One’s workspace is not a safe area.
An example of a strong password is one that changes every 90 days and contains 12 characters, including a capital letter, a number, and a special character. But if users are forced to change the password every 90 days, they may have to write it down. If the written password is accessible (in view), then the password change is not making the environment more secure. If someone can get physical access to the site, it becomes a physical security risk, which can negate the Cyber Insurance policy.
When Cyber Insurance companies write new policies, they no longer accept password-only security without other security methods.
Consider that at least 60% of people reuse passwords across multiple sites. An estimated 81% of data breaches are due to poor password hygiene, and although 91% of participants in a recent survey understand the risk of password reuse, 59% admitted to doing it anyway. Most people choose passwords that can be divided into 24 common combinations, and 49% of users will only change one letter or digit in one of their preferred passwords when required to make a new password. Based on an analysis of the data from Dark Web ID, the most common categories of information used to generate bad passwords in 2020 were names, sports, food, places, animals, and famous people/characters.
Password libraries (word lists) are freely available on the internet, together with scripts to orchestrate a “brute-force” attack. With these tools it can take minutes to guess a password. The hacker can run such a script directly against a computer; one way to slow this down is to lock out the user after X failed attempts. Alternatively, the hacker steals the encrypted password file from a server and runs the brute-force attack against that file offsite, with no limit on the number of guesses and no lockouts.
Note: the chart below gives an idea of the time required to crack/brute force a password.
When investigating a loss chain regarding a cyber event, an expert will start with the basics. Is there a password policy? Are failed log-in attempts recorded, and is there the ability to track whether password files have been stolen from a server? Along the path the stolen credentials took, was the environment in compliance with the insurance policy requirements?
We know that passwords alone are not strong enough, so what can be done? As stated above, underwriters now require 2FA. It is not 100% effective, but it is a good start.
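Since the first thing the investigator asks is whether failed log-in attempts are recorded, here is an added example (not from the article) of the kind of review that can be run over those records. It parses constructed OpenSSH-style authentication log lines and flags three patterns: repeated failures against one account from one source, one source failing against many accounts (a password spray), and a successful login from a source that had already failed against that account. The log lines, thresholds and function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth-log style (not from a real system).
SAMPLE_LOG = """\
Feb 24 09:00:01 mail sshd[2101]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Feb 24 09:00:03 mail sshd[2101]: Failed password for alice from 203.0.113.5 port 51023 ssh2
Feb 24 09:00:04 mail sshd[2101]: Failed password for alice from 203.0.113.5 port 51024 ssh2
Feb 24 09:00:06 mail sshd[2101]: Failed password for alice from 203.0.113.5 port 51025 ssh2
Feb 24 09:00:08 mail sshd[2101]: Failed password for alice from 203.0.113.5 port 51026 ssh2
Feb 24 09:00:09 mail sshd[2101]: Accepted password for alice from 203.0.113.5 port 51027 ssh2
Feb 24 09:10:11 mail sshd[2188]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Feb 24 09:10:12 mail sshd[2188]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Feb 24 09:10:13 mail sshd[2188]: Failed password for invalid user dave from 198.51.100.9 port 40003 ssh2
Feb 24 09:10:14 mail sshd[2188]: Failed password for erin from 198.51.100.9 port 40004 ssh2
Feb 24 09:30:00 mail sshd[2250]: Accepted publickey for frank from 192.0.2.20 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Extract result, method, user and source address; None for other lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def analyze(log_text, fail_threshold=5, spray_threshold=3):
    """Return findings for brute force, password spray and success-after-failures."""
    failures = defaultdict(int)       # (src, user) -> number of failed logins
    users_per_src = defaultdict(set)  # src -> accounts it failed against
    findings = {"brute_force": [], "password_spray": [], "success_after_failures": []}

    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures[key] += 1
            users_per_src[ev["src"]].add(ev["user"])
        elif ev["result"] == "Accepted" and failures.get(key, 0) > 0:
            # A success following failures from the same source deserves a look:
            # it may be a guessed password rather than a user who mistyped.
            findings["success_after_failures"].append(
                {"src": ev["src"], "user": ev["user"], "prior_failures": failures[key]})

    for (src, user), n in failures.items():
        if n >= fail_threshold:
            findings["brute_force"].append({"src": src, "user": user, "failures": n})
    for src, users in users_per_src.items():
        if len(users) >= spray_threshold:
            findings["password_spray"].append({"src": src, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

The spray check matters because a per-account lockout, on its own, never fires when each account sees only one or two attempts; the source-side view catches it. In practice the same logic would be run per time window rather than over a whole file.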
WHAT IS TWO FACTOR AUTHENTICATION?
2FA (Two Factor Authentication) combines something you have with something you know. The “something you have” is, for example, your cell phone, which receives a text message after you have entered the “something you know”, your password. This combination is much more secure than a password alone, and it is now the minimum requirement for a Cyber insurance policy. However, it is not foolproof. An end user can be tracked by spyware installed on their phone at a coffee shop or airport that offers free internet access: the user clicks “accept” in a pop-up to gain access, but the pop-up comes from someone masquerading as the access point, and it installs a keyboard logger on the phone. At that point the attacker can see what arrives on the screen, grab the authentication text messages, and circumvent the whole password/two-factor security scenario.
Figures suggest that users who enabled 2FA blocked about 99.9% of automated attacks. But as with any good cybersecurity solution, attackers quickly come up with ways to circumvent it. There are other ways to authenticate, such as hardware or software tokens, or even biometrics such as a fingerprint. These cost more to implement but are more difficult to circumvent.
When investigating a case in which a 2FA solution was bypassed, the expert needs to know the policies that govern the business vertical (the specific industry or market that focuses on a particular niche). Banking and Human Resources requirements differ greatly from those of a shipping or manufacturing environment.
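To make concrete what the “something you have” factor actually checks, and how a software token differs from a text message, here is an added example (not from the article) of a server-side login that verifies a salted, stretched password hash and then a six-digit code from a software token using TOTP (RFC 6238, which applies HOTP from RFC 4226 to a 30-second time step). The password, the record layout and the function names are constructed for the example; the secret is the published RFC test secret so the codes can be checked against the standard's test vectors.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to floor(time / STEP)."""
    return hotp(secret, unix_time // STEP, digits)


def hash_password(password, salt=None):
    """Salted, stretched hash (PBKDF2-HMAC-SHA256); returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def enroll(password, totp_secret):
    """Create the stored record for a user (constructed layout for the example)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret, "last_step": -1}


def login(record, password, code, now, window=1):
    """Check both factors. Returns 'ok', 'bad_password', 'bad_code' or 'replayed_code'."""
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["pw_hash"]):
        return "bad_password"
    current = now // STEP
    # Accept one step either side to tolerate clock drift between token and server.
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(record["totp_secret"], step), code):
            # A code that was already accepted is never accepted again.
            if step <= record["last_step"]:
                return "replayed_code"
            record["last_step"] = step
            return "ok"
    return "bad_code"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test secret, not a real one
    record = enroll("correct horse battery", secret)
    print("code at t=59:", totp(secret, 59))
    print(login(record, "correct horse battery", totp(secret, 59), 59))
    print(login(record, "correct horse battery", totp(secret, 59), 59))
```

Two design points are worth noting. The distinct return values are for illustration; a production interface shows one generic failure message so the response does not reveal which factor was wrong. The `last_step` check blocks reuse of a code once it has been accepted, which limits the damage from a code that is seen by someone else after the legitimate user has already used it; it does not help if the intercepted code is used before the user's own attempt, which is why the article's point about hardware tokens and biometrics stands.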
WHAT DOES ALL THIS DATA MEAN TO UNDERWRITING AND THE LEGAL GROUPS?
Most cyber insurance companies will NOT write a new policy unless 2FA is in place. When it comes time to make a claim, the policy should indicate what security products must be in place. From a cyber security professional’s view, many Risk Management documents are very vague in their policy requirement language. Not detailing the security technologies expected for coverage may result in unexpected consequences.
A lack of policies and security products discovered after the attack or compromise can void or prorate the insurance coverage. Forcon’s experts are familiar with the Federal regulations and requirements for each vertical. We have over two decades of experience in computer and network forensics, and our experts are versed in the latest technologies that Cyber Security has to offer.
ABOUT THE AUTHOR
Barry Miller is an established cyber and information security technology expert with over 28 years of experience, including holding top secret clearance in several government agencies. Mr. Miller’s expertise includes, but is not limited to, the design and architecture of data centers and Cloud security stacks. Additionally, he has advised security teams on compliance and integration with the MITRE ATT&CK framework and the NIST cybersecurity framework. Over the years Mr. Miller has worked on multi-million-dollar projects for both private and government agencies and was also responsible for the oversight and management of some of those projects. See Barry’s full CV here.