Cybersecurity - what's old is new again
INSIGHT ARTICLE
Most of us grew up with the magical world of Disney. Whether it was watching Mickey Mouse and his pals on their latest escapade, wishing we were Mouseketeers, watching Simba grow into a leader, or enjoying the adventures of Mary Poppins, Disney has been a part of our lives and culture for nearly a century.
Much to the delight of millions of kids, big and small, Disney recently launched Disney+, their venture into the video streaming market, to take on incumbents like Netflix, Amazon Prime, Hulu and others. Shortly after Disney+ launched, a number of user accounts were hijacked by bad actors who changed newly created account information so the legitimate users no longer had access. Now people are wondering: how could the mouse let this happen to such loyal customers?
Why should you care?
The truth is, the online account credentials of millions of users have been compromised over the years as a result of cyber incidents that have affected Yahoo, LinkedIn, Facebook and eBay, just to name a few. There are millions of user names and passwords available on public forums as well as the deep and dark web for criminals to harvest and use, and the bad actors are using those credentials to try “credential stuffing” where they test the user name and password against a Disney+ account to see if the information still works. If so, the Magic Kingdom is opened before their eyes.
You may be saying to yourself, “My kids are all grown so I don’t need a Disney+ account, why should I care?” Well, the attackers are using the same approach to attack your business environment. We are all creatures of habit and often use the same credentials across multiple platforms, including email, websites, financial institutions or something equally important. At any point in time, your employees’ account information may have been compromised. If they used their work email address and password for one of the large websites that has been compromised, crooks can use that information to attack your environment. An attacker could start by logging into the user’s email account, or some other company web portal, without anyone noticing. From there, the attacker could try to perpetrate some type of financial fraud (e.g., having money wire transferred to an account they control, or pretending to be the employee and changing direct deposit information). The attacker could use the compromised credentials to remotely access your network and from there try to steal confidential data (e.g., payment card industry information, protected health information, personally identifiable information, trade secrets or other sensitive information). Having confidential information compromised could translate into a financial loss for your business, which could lead to privacy notifications causing reputational harm, perhaps even leading to regulatory investigations and litigation. Alternatively, the attacker could launch a ransomware attack in your environment causing you to lose your ability to function, which could result in lost revenue, upset customers and potential penalties for not meeting deliverable deadlines.
You are the target
It’s important to note that cyber events based on an attack against the user comprise 48% of insurance claims, while only 39% are related to a technical attack, such as hacking and malware. The attacks that are more focused on us, the everyday users, are more varied, and include attacks such as social engineering, phishing, staff mistakes and lost devices. Despite the everyday user generating the greater risk, most companies spend the vast majority of their time and resources on technical defenses, and discount the human risks. The best risk strategies address both technical areas and user awareness and training.
What should you do?
There are a number of considerations and proactive steps that companies can take to help prevent a cyber incident. While these proactive actions are a good start, remember that attackers continue to develop new techniques to compromise systems and gain access to critical applications that may contain sensitive information.
Improve password policy on a technical level:
- Require a minimum password length of at least 12 characters, with a mixture of lowercase letters, uppercase letters, numbers and special characters. Administrator passwords should be longer than basic user passwords; we recommend a minimum of 15 characters, and enable multifactor or multistep authentication wherever possible.
- If possible, check new passwords against a blocklist of words to prevent the inclusion of easily guessable terms related to the user, such as the user’s user name, seasons, company name or locality.
- Set a password lockout to lock an account for a period of time (typically 10–30 minutes) if the wrong password is entered a set number of times (typically five to 10). This can help slow down attempts to guess the password.
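As an added illustration (not code from the original article), the three technical controls above as a small Python policy checker: length per role, character-class mix, a blocklist of user-related terms, and a per-account lockout counter. The concrete threshold (five failures) and lockout window (15 minutes) are assumptions picked from inside the ranges the article gives; the `admin`/`user` roles, function names and sample banned terms are likewise constructed for the example.

```python
import re

# Policy values taken from the article: 12-character minimum for users, 15 for
# administrators, and an assumed lockout of 5 failed attempts for 15 minutes
# (within the article's 5-10 attempts / 10-30 minute ranges).
MIN_LENGTH = {"user": 12, "admin": 15}
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, role, username, banned_terms):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters")
    if not all(re.search(cls, password) for cls in CHARACTER_CLASSES):
        problems.append("needs lowercase, uppercase, digit and special characters")
    # Blocklist check: the user name plus organisation-specific words
    # (company name, seasons, locality), compared case-insensitively.
    lowered = password.lower()
    for term in [username, *banned_terms]:
        if term and term.lower() in lowered:
            problems.append(f"contains guessable term '{term}'")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per account and applies a timed lockout."""

    def __init__(self):
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> Unix time (seconds) when the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, now) > now

    def record_attempt(self, account, success, now):
        """Record one login attempt at time `now`; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        if success:
            self.failures.pop(account, None)
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            return True
        return False
```

Once the lock expires the failure counter starts again from zero, so a slow guessing campaign is throttled to at most the threshold per lockout window rather than blocked outright.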
Include password security in employee security awareness training:
- Users should be encouraged to use passphrases instead of single-word, dictionary-based passwords.
- Passwords should not include easy-to-guess information, such as the company name, the season or year, or “password.” These weak passwords are easier to guess or crack, whereas long passphrases are much more difficult to compromise yet easier to remember.
- Additionally, users should avoid easily predictable and sequential patterns when they change their passwords. Users should also never reuse passwords, particularly when it comes to sharing a password between a standard user and an administrator account.
- Encourage the use of a password manager. Password managers can provide many benefits, such as generating long and complex passwords while maintaining usability with browser extensions and mobile apps to allow easy access. You only need to remember one strong password and can then have different passwords for each site/service/app.
Even with these proactive steps, no organization is completely safe against cyberattacks, regardless of the efforts taken to prevent an incident. The key is to stop an attack while it is still a security incident and before it becomes a full-blown data breach.