Verizon's 2017 Data Breach Investigation Report (DBIR) just came out and it states that last year, "81% of hacking-related breaches leveraged either stolen and/or weak passwords." This is up from the 63% stat the previous year (2016 DBIR). This shows that hacking is easy and everyone is doing it!
What Does this Mean?
In general there are two types of accounts within a company that need passwords.
- Business user accounts: Everyone uses this to log in to do everyday work. This is your PC, VPN or cloud apps (Box, Office 365, ServiceNow, Concur, Salesforce, etc....).
- Privileged accounts: What the IT admins use. This gets them into Linux/Unix Servers, Cisco Routers, Windows Service Accounts and Databases to name a few. These accounts have a unique issue since they often share a username like root, admin, or ec2-user to name a few. The IT Admins commonly share these passwords in an Excel spreadsheet or some other shared file.
All of these accounts wouldn't be a huge issue if everyone used a different, long and complex password for each resource being logged into. One just needs to change all the passwords every 30 days. As YouTube sensation Sweet Brown says, "Ain't nobody got time for that."
Normal people pick a password they can remember, make a few variations and reuse it over and over. This is a terrible policy and super easy to hack. With all the big hacks over the past couple years, most computer users have a stolen password on the dark web -- in the hands of hackers. Hackers use this info to log in to a system. It is like leaving a key under your front door mat.
What Can be Done?
I like simple solutions because they are easy. I have never heard of someone saying they wish they had more moving parts in their machine. Any company that follows these recommendations will greatly limit their risk of attack:
- Use a single username and password for all users to all accounts. Most companies have Microsoft's Active Directory which manages access to all Microsoft products. For non-Microsoft systems like Linux, Unix, Macs, mobile devices, one just has to install a small agent tying back to Active Directory. This will control what level of access users have. For cloud apps, use a portal that can remove the need to type in a username/password providing one-click access to the app.
- Require a strong password policy on the single password your company users will have. Since users have one password and not 50, they can make it very strong.
- Require multi-factor authentication (MFA) when a user logs in -- this can be a push notification to their phone. Implement risk based policies so MFA is needed to log into critical systems or if the user's behavior seems strange. This makes it almost impossible for someone to hack into the system using stolen or weak passwords.
Learn more from Verizon's 2017 DBIR here.