Weak passwords still the downfall of enterprise security
A pet's name or a favorite movie just isn't enough
Computerworld - A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.
The breach, involving a Medicaid server at the Utah Department of Health, resulted from a configuration error at the authentication layer of the server hosting the compromised data, according to state IT officials.
Many security analysts see that as a somewhat euphemistic admission by the state that the breached server was using a default administrative password or an easily guessable one. By taking advantage of the error, the attackers were able to bypass the perimeter-, network- and application-level security controls that IT administrators had put in place to protect the data on the server.
Such mistakes, though relatively easy to avoid, are surprisingly common.
In March, the inspector general of the U.S. Department of Energy released the results of an information security audit at the Bonneville Power Administration, which provides about 30% of wholesale power to regional utilities in the Pacific Northwest. According to the audit, vulnerability scans of nine applications used to support key financial, HR and security management functions at Bonneville identified 11 servers that had been configured with easily guessable passwords.
An attacker taking advantage of those vulnerabilities would have been able to gain complete access to the system. Four servers were configured to allow any remote user to access and modify shared files. One server hosted an administrator account that was protected only with a default password.
Earlier this month, a data breach at payment processing company Global Payments that exposed credit- and debit-card data belonging to about 1.5 million people was believed by analyst firm Gartner to have resulted from a weak authentication mechanism that allowed attackers to gain access to an administrative account. An attack on the U.S. Chamber of Commerce by Chinese hackers and a compromise of the open-source WineHQ database last year are also believed to have originated with compromised administrator accounts.
An enterprise can have anywhere from hundreds to thousands of account names and passwords. Many of these accounts often have privileged access to applications, databases, networks and operating systems. While not all of them are always critical to the enterprise, there are numerous accounts that, if abused, can cause serious disruptions enterprisewide.
Previous studies have shown that the number of people who require administrative access to a system for maintenance purposes, or for completing tasks such as patching and upgrading, is often far greater than the number that managers know about or track. Nevertheless, many companies allow users and administrators to apply easy passwords or even default passwords to protect access to such accounts.
When multifactor authentication is used, the measures often involve relatively easy-to-crack knowledge-based authentication (KBA) mechanisms where a user is prompted for an answer to a security question, such as a first pet's name or the name of a favorite movie.
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Do More With Less: How CARFAX Consolidated Their Security Solutions Through a consolidated F5 solution, CARFAX cut site downtime to zero, secures its data, and deployed a high-performance infrastructure to support its rapid...
- F5 Data Center Firewall Aces Performance Test F5's BIG-IP 10200v with Advanced Firewall Manager (AFM) can handle traffic at 80-Gbps rates while screening and protecting tens of millions of connections...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!