Weak passwords still the downfall of enterprise security
A pet's name or a favorite movie just isn't enough
Computerworld - A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.
The breach, involving a Medicaid server at the Utah Department of Health, resulted from a configuration error at the authentication layer of the server hosting the compromised data, according to state IT officials.
Many security analysts see that as a somewhat euphemistic admission by the state that the breached server was using a default administrative password or an easily guessable one. By taking advantage of the error, the attackers were able to bypass the perimeter-, network- and application-level security controls that IT administrators had put in place to protect the data on the server.
Such mistakes, though relatively easy to avoid, are surprisingly common.
In March, the inspector general of the U.S. Department of Energy released the results of an information security audit at the Bonneville Power Administration, which provides about 30% of wholesale power to regional utilities in the Pacific Northwest. According to the audit, vulnerability scans of nine applications used to support key financial, HR and security management functions at Bonneville identified 11 servers that had been configured with easily guessable passwords.
An attacker taking advantage of those vulnerabilities would have been able to gain complete access to the system. Four servers were configured to allow any remote user to access and modify shared files. One server hosted an administrator account that was protected only with a default password.
Earlier this month, a data breach at payment processing company Global Payments that exposed credit- and debit-card data belonging to about 1.5 million people was believed by analyst firm Gartner to have resulted from a weak authentication mechanism that allowed attackers to gain access to an administrative account. An attack on the U.S. Chamber of Commerce by Chinese hackers and a compromise of the open-source WineHQ database last year are also believed to have originated with compromised administrator accounts.
An enterprise can have anywhere from hundreds to thousands of account names and passwords. Many of these accounts have privileged access to applications, databases, networks and operating systems. While not all of them are critical to the enterprise, there are numerous accounts that, if abused, can cause serious disruptions enterprise-wide.
Previous studies have shown that the number of people who require administrative access to a system for maintenance purposes, or for completing tasks such as patching and upgrading, is often far greater than the number that managers know about or track. Nevertheless, many companies allow users and administrators to apply easy passwords or even default passwords to protect access to such accounts.
Even when multifactor authentication is used, the additional factor is often a relatively easy-to-crack knowledge-based authentication (KBA) mechanism, in which a user is prompted to answer a security question such as a first pet's name or the name of a favorite movie.