Parliament Cyber Attacks Prove Passwords are No Longer Fit for Purpose
In analysis / By Phil Muncaster / 07 July 2017
In cybersecurity, as with life in general, the temptation to stick with the status quo frequently triumphs over attempts to move on, upgrade and advance. Each time we witness a major data breach, malware outbreak or similar, reports describe it as a “wake-up call” to organisations everywhere. Yet many are still sleepwalking into danger with insecure systems, processes and policies. Well, it’s happened yet again with two incidents in recent days involving potentially thousands of MPs.
Now national security is possibly at risk, can we please start making plans to ditch password-based access systems for good?
MPs under fire
First, it emerged that the log-in details of around 1,000 UK MPs and parliamentary staff, 7,000 police employees and over 1,000 Foreign Office staff were being traded on Russian hacking forums. The majority were apparently obtained via the 2012 LinkedIn breach, which exposed millions of passwords. The hackers are banking on those passwords having been reused: a password chosen for the business networking site is very often the same one its owner uses for work email and other accounts, so the stolen list doubles as a ready-made set of guesses against every other service those people use.
As if that weren’t enough, a second, possibly related, incident a few days later saw unauthorised access attempts on scores of parliamentary network accounts. Some reports claimed the attackers had tried to “brute force” the log-ins, that is, to get in by trying password after password against live accounts rather than by cracking stolen hashes offline. The official statement said the following:
“Investigations are ongoing, but it has become clear that significantly fewer than 1% of the 9,000 accounts on the parliamentary network have been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.
As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way.”
MPs and their staff were then bombarded a few days later by phone calls from scammers trying to socially engineer their victims into handing over log-ins, by pretending to be “Parliamentary Digital Service” employees.
Not fit for purpose
The three incidents tell us all we need to know about password-based access systems and why they’re simply not designed for our modern digital age. We live in a world where most of us have multiple online accounts – from banking to email, CRM and ERP systems to corporate collaboration and cloud-based platforms. These passwords can be phished, cracked using readily available technology, guessed or even stolen by phone fraudsters. To make matters worse, users make life easier for the bad guys by reusing log-ins across multiple accounts, which means if a firm like LinkedIn is breached, then suddenly their corporate data may also be at risk.
Even if passwords aren’t reused, they’re frequently easy to guess. The three most common passwords among the police officers whose details were found on Russian forums were “police”, “password” and “police1”: a dictionary word tied to the organisation, the word “password” itself, and the same word with a digit appended to satisfy a complexity rule. In any case, it’s also pretty easy for hackers to trick users into divulging passwords online via phishing. According to Verizon’s 2017 Data Breach Investigations Report, phishing was present in 21% of cyber attacks in 2016, up from just 8% the previous year. It will also come as no surprise that 81% of hacking-related breaches in the period involved stolen, weak or easy-to-guess passwords.
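The two failure modes above, a password that already sits in a breach list and a password that is just the organisation’s name with a suffix, are both cheap to catch at the point the user sets the password. The following Python is an added example and is not code from the original article or from Nasstar. It screens a candidate the way NIST SP 800-63B recommends: against a breach corpus (here a constructed list of four SHA-1 hashes standing in for a Pwned Passwords download, looked up with the same 5-character prefix split the Have I Been Pwned range API uses), then against organisation terms and common base words after stripping the “2017!” style suffixes and leet-speak substitutions, and only then by length. The organisation terms, the common-word list and the 12-character minimum are assumptions for the example.

```python
import hashlib
import re

# Constructed breach corpus for the example: uppercase SHA-1 hashes of a handful
# of passwords, two of them from the police list quoted above. A real deployment
# would use the full Pwned Passwords download or its range API.
_LEAKED = ["password", "police", "police1", "linkedin2012"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _LEAKED}

# Assumed organisation-specific terms and common base words to reject once
# trailing digits/symbols and leet-speak have been stripped.
ORG_TERMS = ("police", "parliament", "nasstar")
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}

_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Reduce 'P0lice2017!' to 'police': lower-case, drop the trailing
    digits/symbols people append to pass complexity rules, undo substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def sha1_prefix_suffix(pw: str) -> tuple:
    """Split the SHA-1 as the HIBP range API expects: only the 5-character
    prefix is ever sent over the wire; the suffix is matched locally."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range-API style body ('SUFFIX:COUNT' per line) for our suffix."""
    for line in response_text.splitlines():
        s, _, count = line.partition(":")
        if s.strip() == suffix:
            return int(count)
    return 0


def local_range_response(prefix: str) -> str:
    """Offline stand-in for the network call: builds the 'SUFFIX:COUNT' body
    from the constructed corpus. The counts are invented."""
    matches = [h for h in sorted(LEAKED_SHA1) if h.startswith(prefix)]
    return "\n".join(f"{h[5:]}:{1000 + i}" for i, h in enumerate(matches))


def screen_password(pw: str, min_len: int = 12) -> tuple:
    """Return (accepted, reason). Ordered so the most damning reason is reported."""
    prefix, suffix = sha1_prefix_suffix(pw)
    if count_in_range_response(suffix, local_range_response(prefix)):
        return False, "appears in breach corpus"
    core = normalise(pw)
    if core in COMMON_BASES:
        return False, f"variant of common password '{core}'"
    for term in ORG_TERMS:
        if term in core:
            return False, f"built from organisation term '{term}'"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["police1", "P@rliament2017!", "Winter2017!!", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {screen_password(candidate)}")
```

Note that the length rule comes last on purpose: “P@rliament2017!” is fifteen characters and satisfies every classic complexity rule, yet it is exactly the kind of password an attacker who knows the target organisation will try early.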
You might think your IT teams undertake better password management, but you’d be wrong. In fact, under pressure IT professionals can be some of the worst offenders. This is bad news, because if a hacker gets hold of a privileged account, they could walk straight through the cyber front door into your corporate network and access its most sensitive data.
Time for MFA
Password managers can offer some mitigation against these attacks. They generate a long, complex and unique password for each account when it is created, so a breach at one site no longer exposes the others, and they keep those passwords in an encrypted vault; with cloud-based managers that vault is synchronised through the provider’s servers. The provider then becomes a major target for hackers. OneLogin was breached in May, and it’s certainly not alone in being targeted.
A better solution is multi-factor authentication (MFA), which typically enhances password-based systems with a second “factor”: a one-time code from an SMS message or authenticator app, or a biometric such as a fingerprint scan or voice recognition check. An attacker who has only the password, whether phished, reused from LinkedIn or guessed, cannot complete the log-in without it. (SMS codes are the weakest option, since they can be phished in real time or intercepted by taking over the phone number; app-based or hardware tokens are preferable.) MFA is becoming popular in the consumer world, with providers such as Google, Facebook, Twitter and several major high street banks having rolled out such capabilities over the past few years. However, in the enterprise sphere the status quo persists thanks to a combination of corporate inertia, cost control and fears over user friction. It seems crazy that parliamentarians are forced to use passwords alone to access their accounts, and are even then allowed to create and use insecure passwords which don’t conform to official guidance.
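To make the “second factor” concrete, here is the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps implement, written in Python as an added example; it is not code from the original article or from Nasstar. The shared secret is the RFC test-vector key “12345678901234567890”, used only so the output can be checked against the published vectors; the account and issuer names in the provisioning URI are assumed. The verify routine shows the two server-side details a practitioner needs: tolerating one time step of clock drift, and refusing to accept a counter value at or below the last one used for that user, so a code captured by a phishing page cannot be replayed inside the same 30-second slot.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test-vector key; a real secret would be 20 random bytes per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slots."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, now=None, step: int = 30, digits: int = 6,
                window: int = 1, last_used: int = -1):
    """Return the counter the code matched, or None.

    `window` accepts codes from +/- that many steps to tolerate clock drift.
    `last_used` is the counter of the last accepted code for this user; persist it
    server-side and pass it back in, so a code can never be accepted twice.
    """
    if now is None:
        now = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_used:
            continue                             # replay or out-of-order reuse
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that enrolment QR codes encode (secret is base32, unpadded)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    # Assumed account/issuer names for the enrolment URI.
    print(provisioning_uri(DEMO_SECRET, "jsmith@parliament.example", "Parliament"))
    print("code at T=59:", totp(DEMO_SECRET, now=59))          # RFC 6238 vector: 287082
    print("current code:", totp(DEMO_SECRET))
```

The compare is done with hmac.compare_digest rather than == so a verifier cannot be timed into revealing how many leading digits were right, and the phone-number-based SMS variant is avoided entirely: the secret never leaves the device and the server after enrolment.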
So, another month, another wake-up call. Yet with the EU General Data Protection Regulation (GDPR) set to mandate 72-hour breach notifications and huge fines of up to 4% of global annual turnover, organisations might finally be forced into upgrading their systems.
The GDPR comes into force on 25 May 2018. In the meantime, here are a few things that could help improve access security:
- Operate a “least privilege” access policy, whereby each staff member is granted access only to the resources they need to do their job, so a compromised account reaches as little as possible
- Automate provisioning and de-provisioning of accounts to ensure users always have appropriate access and no more
- Improve user education to spot phishing and phone-based “vishing” attacks
- Require users to choose long, complex passwords that are not already in breach lists, possibly via a secure password manager
- Baseline normal access behaviour and monitor continuously for deviations from the norm
- Switch to multi-factor authentication
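The brute-force attempts on the parliamentary network and the last-but-one item above both come down to the same question: what does “deviation from the norm” look like in an authentication log? The following Python is an added example, not code from the original article or from Nasstar, and runs over a constructed sample of log lines in an assumed `timestamp src= user= result=` format (adapt the regular expression to your own directory or proxy logs). It distinguishes the two patterns an on-path attacker with a reused-password list produces: classic brute force, many failures against one account, and password spraying, one or two guesses against many accounts, which per-account lockout never catches. It then escalates the one event that matters, a success from a source already flagged, which is the “fewer than 1% of accounts compromised” in the official statement. All thresholds and the ten-minute window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format for the example; adapt LINE_RE to real authentication logs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source spraying a single guess across six accounts and
# then getting into one of them, one source hammering a single MP's account, and
# one user mistyping their password once before logging in normally.
SAMPLE_LOG = (
    [f"2017-06-23T22:1{i}:00Z src=198.51.100.7 user=staff{i} result=FAIL" for i in range(6)]
    + ["2017-06-23T22:16:30Z src=198.51.100.7 user=staff3 result=OK"]
    + [f"2017-06-23T23:05:{i:02d}Z src=203.0.113.9 user=mp.jones result=FAIL" for i in range(9)]
    + ["2017-06-23T09:00:00Z src=192.0.2.5 user=alice result=FAIL",
       "2017-06-23T09:00:20Z src=192.0.2.5 user=alice result=OK"]
)


def parse(lines):
    """Turn log lines into (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never counted as failures
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect(lines, window=timedelta(minutes=10), bf_threshold=8,
           spray_users=5, spray_max_per_user=2):
    """Map each source address to the sorted list of patterns seen from it.

    brute_force:            >= bf_threshold failures against one account inside `window`
    password_spray:         >= spray_users distinct accounts failing, none more than
                            spray_max_per_user times (one guess, many users)
    success_after_failures: a login succeeded from a source already flagged; treat as a
                            probable compromise, not as the attacker giving up
    """
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)

    findings = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end, (ts, _, _, result) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide the window forward in time
                start += 1
            fails = defaultdict(int)
            for _, _, user, res in evs[start:end + 1]:
                if res == "FAIL":
                    fails[user] += 1
            if fails:
                worst = max(fails.values())
                if worst >= bf_threshold:
                    findings[src].add("brute_force")
                if len(fails) >= spray_users and worst <= spray_max_per_user:
                    findings[src].add("password_spray")
            if result == "OK" and findings.get(src):
                findings[src].add("success_after_failures")
    return {src: sorted(f) for src, f in findings.items() if f}


if __name__ == "__main__":
    for src, patterns in detect(SAMPLE_LOG).items():
        print(src, ", ".join(patterns))
```

The spray rule is the one worth noting: the per-user failure counts from 198.51.100.7 never exceed one, so an account-lockout policy or a per-user failure alert sees nothing, and only aggregating by source address exposes it. Conversely the single mistyped password from 192.0.2.5 produces no finding at all.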
People and Technology
At Nasstar we take password protection very seriously. There are two key elements to consider here - people and technology.
Firstly, it's crucial to educate staff on a best practice approach. Password protection features prominently in Nasstar's security training and awareness activities from induction onwards, and processes are regularly reviewed. The Nasstar team only ever generate long, complex passwords for users during any interaction with the Service Desk, and encourage customers to support this initiative.
When it comes to technology, Nasstar offers two factor authentication protection for customer services and all of its internal systems, to ensure both our clients and our business are secure.
Next time you create a password, take a minute to think about how easy it might be to crack. If it's too simplistic, think again. It only takes a moment, but could protect you and your business from the bad guys in the long run.