Unfortunately, as a stakeholder in your business, there could be urgency in every breach, even those that occur in companies you have no direct relationship with. You and your employees have accounts on systems across the Internet. Some of these sites may be work-related, such as those run by vendors you purchase from. Others, such as web-based email, social networking, and streaming media, are personal.
A breach in any of these services represents a threat to your business as well, even in services that are for personal use that are never touched at work. The issue I’m talking about here is password reuse. As password policies demand longer and more complex strings of numbers, letters, and symbols, users have a more difficult time committing them to memory. Most individuals will commit one password, maybe two, to memory, and then reuse them across multiple services and systems.
Password reuse is a dangerous practice. Attackers are well-aware of this aspect of human nature, and take advantage of it. If they are able to obtain a user’s password for one service, they will soon try that same password on every other one of the user’s systems and services. Breaches of large companies are often leaked onto the public Internet after the attackers have rinsed all the profit and intelligence they wanted to gather. This covers the attacker’s tracks by making it less suspicious to find the data on their own drives in the event of forensic analysis, and by having other attackers generate a lot of network activity and fraud related to the data.
These attacks will spread to your business’ systems as well. On most of the penetration tests we conduct, we demonstrate to our clients how the database of breach credentials we have collected can be used against them. It’s common to find that employees were victimized in the LinkedIn breach of 2012, and that their corporate email accounts make use of the same password. How many of your employees have been victimized in recent years’ breaches, and how many of those reuse passwords across multiple systems?
This can be a difficult problem to address. Password length and complexity requirements do not prevent people from using the same password on their social media accounts. At a minimum, you should have a stated policy, backed by user education, that employees’ passwords are not to be reused outside of the organization. This can be supported with training in password management tools, such as Keepass, that make juggling multiple passwords a lot easier for the user. Requiring users to change passwords periodically may help matters, but if you do it too frequently, users will tend towards predictable schemes for modifying their reused password each time. Checking employee accounts against collected breach databases should be part of your penetration test.
The next time you read about a new high-profile breach, don’t just ask “what’ll I do when it’s me?” Address the impact that breach will have on you.
Dr. Wesley McGrew is the Director of Cyber Operations at HORNE Cyber. Understanding that businesses are under constant cyberattack, and simultaneously held ultimately responsible for their own victimization, Wes stepped away from academic research in order to develop talent and services that help organizations improve their resilience. He has made a career out of studying attacker techniques and applying them in offense-oriented services such as penetration testing that identify vulnerabilities before they are successfully exploited by real criminals.