Who out there has been guilty of reusing a password? We’re all guilty of it! Results from a recent Google survey found that at least 65% of people reuse passwords on multiple sites, sometimes even on all sites. Whilst this may be convenient for accessing the everyday applications you use, you’re putting yourself and your sensitive data at risk.
Have I Been Compromised?
Crafty attackers use tools to harvest passwords from previous account breaches and can then go on to compromise any number of accounts you own that share the same password. This tactic is known as credential stuffing. In practice it means that if you use the same password for Facebook and your online banking, a threat actor who gets hold of that password can leave you with a tarnished image and an empty bank account. You can check your email address(es) against HaveIBeenPwned to verify whether they have been involved in any known breaches. You can go one step further and check whether your password has appeared in a breach, and even integrate that check into your user registration pages via the HaveIBeenPwned Pwned Passwords service.
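As an added example (not part of the original post, and not HaveIBeenPwned's own code), here is how the Pwned Passwords range check can be wired into a registration page in Python: only the first five hex characters of the password's SHA-1 are sent to the API, and the comparison against the returned suffixes happens locally. The sample response and its counts are constructed, and the helper names are assumptions.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Constructed stand-in for a range response (not real API output). Each line is
# "<35-hex-char SHA-1 suffix>:<count>". The first suffix really is the SHA-1
# suffix of the string "password" (full hash 5BAA61E4...); the counts are invented.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E2C1A2B5C8A0D7F9E6B4C3D2A1F0E9D8C7:2\r\n"
    "1F3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9:15\r\n"
)

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range_online(prefix: str) -> str:
    """Live call to the Pwned Passwords range endpoint (needs network; the
    offline demo below swaps in SAMPLE_RANGE_RESPONSE instead)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if unseen). Suffix matching happens locally, so the API never sees
    enough of the hash to identify the password."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def registration_password_ok(password: str, fetch_range: Callable[[str], str] = fetch_range_online) -> bool:
    """Policy hook for a sign-up form: reject any password seen in a breach."""
    return pwned_count(password, fetch_range) == 0

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE  # constructed, no network
    print("password ->", pwned_count("password", offline), "breaches")
```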
A password manager is a safe for all your passwords, and it’s much more secure than the sticky notes stuck to your monitor! Best practice is to take an inventory of all the web applications you log into and change the password on each site. Password managers can generate complicated passwords, and you don’t need to remember them, because that’s the password manager’s job. Bitwarden and 1Password are good options. At the time of writing, Bitwarden is open source and free for public use.
Alongside a password manager, you’ll also want to enable multifactor authentication (also known as two-factor authentication or 2FA) on all sites and applications that support it. Enabling 2FA adds an extra step to prove you are who you say you are. The primary factor is something you know (your password), and the second factor is something you have, which is generally a mobile device or a physical token.
You’ll need an authenticator app to use MFA properly. Google Authenticator is a commonly used option and can be downloaded from your mobile device’s app store. Additionally, some password managers can store MFA tokens and generate one-time codes, so you can authenticate to a web application in one go.
Your users are your biggest asset, but also the weakest link in the chain. It only takes one user whose credentials have been compromised by an attacker to cause severe damage to your business’s reputation. Depending on the security measures in place, once the attacker has those credentials they may be able to do anything that user has access to do. Threat actors are more resourceful than ever, so think twice before reusing the same password for another web application.
Finally, it’s imperative that all organisations have multifactor authentication enabled for:
· VPN connections
· Remote Desktop connectivity applications
· Outlook desktop
These measures will help further secure your users and business from malicious attackers.
The Cythera security operations team has detected and responded to several security incidents with our clients over the last few weeks, and a common theme brought all of them to light: visibility.
So, you’re running firewalls, and IPS, and next-gen anti-virus, and multi-factor authentication. And you’re logging it all. You’re even pumping it all into a SIEM. Fantastic! You’re already doing better than many organisations.
But what are you doing with that data? Is it just a huge log store? Do you only use it to replay the tape if there is an issue? Does it just populate pretty dashboards? Do you have to write custom log queries or correlation rules to try to get any meaningful insight out of it?
Let’s look at a breach we detected, responded to and stopped for a client. Like many of these stories, it started with a user getting phished. They received an email from someone they thought was a trusted contact and, in the process, were prompted to log in to their corporate email, where they entered their credentials.
The organisation had multi-factor authentication, so the story should wrap up here. But MFA is not a panacea, and for many organisations multi-factor is still a complex beast to roll out everywhere; there are often legacy apps and multiple operating system dependencies to support. In this case, because of one of these dependencies, MFA had been disabled for a specific application. The attacker worked that out and used it to start accessing and downloading data.
Detecting this incident is where visibility goes well beyond logging. User behavioural analytics picked up that the user was accessing services from multiple, unusual locations. Deception technology meant the attacker hit tripwires we had set in the organisation. What might have been completely missed in many organisations, or been just another alert log in others, was for us transformed into an investigation our team responded to and ultimately used to stop the attack mid-flight.
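A minimal version of the behavioural check described above, as an added example (not Cythera’s own tooling): it runs over constructed sign-in events and flags a user whose successful sign-ins come from more than one country within an hour, noting whether any of those sign-ins went through an application with MFA disabled. The log format, field names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample sign-in events (not real logs). Assumed format: ISO
# timestamp followed by key=value pairs; "mfa=none" marks the legacy app
# for which MFA had been disabled, and geo is country-city of the source.
SAMPLE_LOG = """\
2023-03-14T08:02:11Z user=jsmith app=owa geo=AU-Melbourne mfa=push result=success
2023-03-14T08:41:55Z user=jsmith app=legacy-sync geo=NG-Lagos mfa=none result=success
2023-03-14T08:44:10Z user=jsmith app=legacy-sync geo=NG-Lagos mfa=none result=success
2023-03-14T09:10:02Z user=akhan app=owa geo=AU-Sydney mfa=push result=success
2023-03-14T12:30:00Z user=akhan app=owa geo=AU-Sydney mfa=push result=failure
2023-03-15T09:05:41Z user=jsmith app=owa geo=AU-Melbourne mfa=push result=success
"""

def parse(line: str) -> dict:
    """Turn one log line into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect_multi_location(log: str, window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Alert on a user whose successful sign-ins span more than one country
    inside `window`; report the apps involved and whether MFA was bypassed."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            event = parse(line)
            if event["result"] == "success":  # failed attempts are noise here
                by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            countries = {e["geo"].split("-", 1)[0] for e in span}
            if len(countries) > 1:
                alerts.append({
                    "user": user,
                    "start": first["ts"].isoformat(),
                    "countries": sorted(countries),
                    "apps": sorted({e["app"] for e in span}),
                    "mfa_bypassed": any(e["mfa"] == "none" for e in span),
                })
                break  # one alert per user is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_multi_location(SAMPLE_LOG):
        print(alert)
```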
Many of the organisations we work with focus heavily on prevention capabilities, but are often blind to events and incidents when those prevention mechanisms let something through (and they will all miss something at some point).
If you need help with security monitoring, visibility, and security detection and response, our Managed Detection & Response Platform can provide you with real value. Reach out to us if you would like to discuss.
We help a lot of Australian businesses out with security incidents, as well as recovering from hacks and breaches. Many of them can be attributed back to human error or poor security hygiene. I thought I would share some of my top tips to help you avoid a costly hack, or brand damaging breach.
This is an easy one. Operating system vendors don’t just release patches for new features; they’re also patching security vulnerabilities regularly. Keep desktops and laptops up to date and enable automatic updates wherever possible. Apply the same thinking to critical applications such as Microsoft Office (vulnerabilities in Microsoft Office have risen 121 percent over the last 6 years) to keep ahead of problems.
Many successful cyber security incidents start with an account being stolen or ‘phished’. One way to stop these attacks being escalated is to require a second factor of authentication beyond just your username and password. This means that even if an account’s password is stolen, the attacker will have a difficult time completing the second login step, which may be a token or an application that runs on a user’s smartphone. Two-factor can be enabled selectively, such as only when a user is outside your corporate network. Some 2FA vendors to consider are Ping Identity https://www.pingidentity.com/ and Azure MFA https://azure.microsoft.com/en-au/services/active-directory/.
Cyber security is not just about technology and processes; it’s also about your people and the way they go about their day-to-day business. As a successful cyber attack can shut down your business or irrevocably damage your brand, it’s key that management and executives set a good example, as this attitude then flows throughout the organisation. Ongoing cyber awareness training to make staff more conscious of potentially malicious behaviour will improve the cyber hygiene of your business, and more mature organisations now also include cyber security training in staff onboarding.
Accounts that are stolen or included in breaches often end up being sold on the dark web for use in other attacks. There are resources available for you to check whether key staff accounts have been included in previous breaches. https://haveibeenpwned.com/ allows you to search for staff email accounts, and any that are discovered should have their passwords reset and two-factor authentication enabled.
There’s a common theme among many of the companies we assist with security incidents: they didn’t plan for one. They often have a health and safety plan, and even a terrorism plan! An incident response plan doesn’t need to be War and Peace; it can be a single pager covering roles and responsibilities, as well as who to contact, including any cyber security partners you work with to assist in responding to incidents. If there are any regulatory bodies or government agencies you liaise with, make sure to include any reporting that may need to take place. The Australian Office of the Information Commissioner has a good guide on data breach plans. Make sure you’re also familiar with the Notifiable Data Breach Scheme.
There’s lots of talk about the increasing skills shortage in cyber security. And let’s face it, cyber security is probably not part of your core business, so you’re constantly going to be playing catch-up with a rapidly changing landscape. By partnering with a cyber security specialist you’re also subscribing to the ongoing skills and herd intelligence to help you plan and protect your business and brand from being the next headline. Just make sure they’re a specialist and not someone who’s also trying to sell you phone systems and printers.
Australia’s emerging enterprises are facing the same security risks and suffering the same incidents as the big end of town, but with much less capability to respond and protect themselves in a rapidly changing space. By baking security into your business’s DNA, and partnering with strategic cyber security specialists, you’re setting yourself up for success.