Post Mortem on Data Breach Underscores Importance of Password Security
When a data breach is reported in the media, the focus is on where the attack originated and what types of data were stolen. Then the story is largely forgotten by the media.
While who attacked and what data they took is important, it only tells one small part of the story. What is both more interesting and more valuable are the mechanisms of how the attack was carried out and how it was allowed to penetrate the target’s network. From this we can learn much more about where the weak links are in corporate cyber security and where quick improvements can be made in cyber security planning to improve cyber hygiene.
Given that most media lose the story sometime after the number of records breached is tallied and the likely dollar value of the attack assigned, work by people like Brian Krebs on bringing the rest of the story to light is invaluable. In late September Brian posted a follow-up article on the 2013 Target data breach on his site, Krebs on Security. One of the key findings he highlighted was that:
“while Target has a password policy, the Verizon security consultants discovered that it was not being followed. The Verizon consultants discovered a file containing valid network credentials being stored on several servers. The Verizon consultants also discovered systems and services utilizing either weak or default passwords. Utilizing these weak passwords the consultants were able to instantly gain access to the affected systems.”
The report went on to detail that “[t]hrough these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”
It is completely confounding that a leading retailer responsible for millions of credit card transactions and highly sensitive customer information should utterly miss the mark on a basic element of cyber security. But password security is hard simply because it is the most human element of cyber security. We simply can’t remember the amount of data needed to produce robust passwords, from the number of passwords we need in a given day to the complex character strings each one requires. So we cheat: we write passwords down, use easy-to-remember combinations, leave defaults in place, and choose not to require passwords at certain levels of access.
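The two Verizon findings quoted above, credentials sitting in files on servers and services left on weak or default passwords, are both things a defender can look for mechanically before an assessor does. The following Python script is an added example written for this post, not code from Krebs, Verizon or Target: it scans file contents for credential-bearing lines and classifies each hit as either a plaintext credential that should live in a vault, or a default/weak value that must be changed. The sample files, the key-name patterns, the deny list and the "word followed by a year" heuristic are all constructed assumptions chosen to illustrate the check.

```python
import re
from dataclasses import dataclass

# Assumption: key names that commonly carry a secret. Matches "db.password=",
# "API_SECRET:", "PGPASSWORD=", "smtp_pwd:" and similar; the value may be quoted.
CREDENTIAL_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:pass(?:word|wd)?|pwd|secret)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*['\"]?(?P<value>[^'\"\s#]*)",
    re.IGNORECASE,
)
# Assumption: a small illustrative deny list of vendor defaults and obvious choices.
DEFAULT_OR_WEAK = {"password", "admin", "changeme", "default", "123456", "welcome1"}
# Assumption: heuristic for the "Summer2013" style of password (a word plus a year).
WORD_PLUS_YEAR_RE = re.compile(r"^[A-Za-z]+\d{2,4}[!@#$%]?$")
# Values that reference a vault or an encrypted blob are not plaintext secrets.
SAFE_REFERENCE_PREFIXES = ("${", "ENC[", "vault:")


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    severity: str  # "default-or-weak" or "plaintext-credential"


def classify_value(value: str) -> str:
    """Decide whether a literal credential value is merely stored in the clear
    or is also trivially guessable (blank, short, on the deny list, word+year)."""
    if (
        value == ""
        or len(value) < 8
        or value.lower() in DEFAULT_OR_WEAK
        or WORD_PLUS_YEAR_RE.match(value)
    ):
        return "default-or-weak"
    return "plaintext-credential"


def audit_text(path: str, text: str) -> list:
    """Scan one file's contents and return a Finding per credential line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = CREDENTIAL_RE.match(line)
        if not match:
            continue
        key, value = match.group("key"), match.group("value")
        if value.startswith(SAFE_REFERENCE_PREFIXES):
            continue  # indirection to a secret store is the desired state
        findings.append(Finding(path, line_no, key, classify_value(value)))
    return findings


def audit_files(files: dict) -> list:
    """Audit a mapping of path -> file contents and return all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(audit_text(path, text))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity so a report can lead with the worst class."""
    counts = {"default-or-weak": 0, "plaintext-credential": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


# Constructed sample files standing in for configuration found on servers.
SAMPLE_FILES = {
    "app/db.properties": "db.user=svc_inventory\ndb.password=changeme\n",
    "deploy/env": '# build settings\nAPI_SECRET="k9!vR2xQ8mZ"\nDB_PASSWORD=${VAULT:db/prod}\n',
    "scripts/backup.sh": "PGPASSWORD='Summer2013'\npg_dump inventory > /backup/inv.sql\n",
    "mail/relay.conf": "smtp_host: relay.internal\nsmtp_pwd:\n",
    "README.md": "Set the password in your vault before deploying.\n",
}

if __name__ == "__main__":
    results = audit_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:21} {f.path}:{f.line_no} ({f.key})")
    print(summarize(results))
```

Run against the constructed sample it reports four findings: three default-or-weak values (the vendor default, the blank relay password and the season-plus-year password) and one real secret stored in the clear, while the vault reference in `deploy/env` is correctly left alone. In practice the same check belongs in a repository pre-commit hook and in a periodic sweep of server filesystems, and the severity split matters: a leaked strong secret needs rotation, whereas a default or blank one was never a secret at all.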
But it’s naïve to think that it has to be that difficult. Without question the cyber security industry could do more to make password security simpler. But whether it’s through password managers or two-factor authentication solutions, the resulting setup is far from perfect and far from secure. In order to close one of the most obvious points of entry for even the least determined bad actor, we need to up the game on password security via multifactor authentication. While this type of solution certainly sounds more difficult, it doesn’t have to be. CIOs, CISOs, and CSOs need to get creative with the solutions they’re using to up the security ante and explore different elements of the authentication ecosystem, like cell phones, to simplify system access at a much higher level of security.
But this is a much longer conversation for another day. For now, I recommend heading over to Krebs on Security to read Brian’s complete post mortem of the 2013 Target breach. To do that you can click here…