password security Archives - thinkCSC

Usernames and Passwords: An Illusion of Security 

By | Data Security, Email Security

Many organizations, especially small businesses, rely on usernames and passwords as their primary cybersecurity protection. They assume that requiring employees to use strong passwords, and then requiring that those passwords be changed regularly, is an adequate approach to cyberattack prevention. On the contrary: relying primarily on passwords alone is not as secure as most of us are led to believe.

The Verizon 2023 Data Breach Investigations Report revealed several major findings that bear directly on this issue. Of the data breaches that were analyzed:

  • 74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.
  • 83% of breaches involved External actors.
  • Ransomware is present today in more than 62% of all incidents.

People Don’t Use Best Practices with Passwords

Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. More so, they dislike having to regularly change the password for each account and being forced to forget previous passwords in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):

  • Re-use the same usernames and passwords across multiple accounts
  • Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)

Recent stats reveal that 75% of people globally don’t adhere to widely accepted password best practices, with 64% either using weak passwords or repeating variations of passwords to protect their online accounts.

  • Remember, 80 percent of all hacking-related breaches leveraged weak or stolen passwords
  • Repeated passwords used on multiple sites increase the risk of successful breaches on internal company sites. If passwords on personal accounts (online shopping, banking, personal email, social media, etc.) match passwords on company sites (employee login, company email, etc.), hackers can apply those identical passwords to other accounts with the same or similar usernames – and many people use the same username format across multiple accounts (e.g., John_Doe, or John.Doe).
  • This means that any password, no matter how strong it is, is vulnerable the more often it is used with multiple accounts, especially when it is associated with the same (or similar) username.
  • If 83 percent of breaches were perpetrated by external actors, this means that 17 percent were committed by insiders. Many internal attacks don’t have to target one particular employee’s access; in many cases, accessing one member of a team or department (or even the entire company) is all that is required. Thus, having an employee record usernames and passwords, and store them in an obvious place, makes internal attacks much easier and more likely.

Passwords Are Not Enough

Having a system of employee usernames and passwords is not enough. Passwords, to be at all effective, need to be randomly generated strings of characters, changed frequently, accompanied by two-factor authentication, and protected by additional layers of security, backup and recovery, and monitoring. And even though 91% of people understand that reusing passwords is a security risk, more than 6 in 10 people admit to reusing passwords (LastPass).

Passwords alone cannot protect your organization. Even passwords your employees use outside of your company – say for their pizza delivery service – can end up compromising your network. Credentials are a hot commodity on the dark web, and cyber criminals continue to find more sophisticated ways to steal credentials or trick employees into handing over credentials.

thinkCSC is here to help ensure your cybersecurity systems are strong and vibrant, to assist you in your preparation for and response to cyberattacks. Together, we can avoid the mistakes that are common among so many businesses and organizations, in the end becoming as secure as possible in today’s technological world.

Employees Can Be the First Line of Defense

While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all organizations – businesses of all sizes, government entities, schools, hospitals, and others – to invest in stronger IT security that includes offsite backup and recovery and managed security. These protections, combined with ongoing staff training, password manager tools, multi-factor authentication, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.

We are here to help you with all of your security needs, from password management and MFA to cybersecurity and more. Get in touch.

Password Manager – One Password to Rule Them All

By | Data Security | No Comments

Every password needs to be longer. Your passwords must contain multiple types of characters, and you can’t use the same password multiple times. We’ve seen what happens when people reuse passwords.

  • An executive who had reused his password after the LinkedIn security breach found himself being phished years later, with a costly result.
  • Users of the Ring home security cameras were hacked because, in addition to the company failing to require stringent security, users were utilizing passwords that were already on the dark web.
  • A Dropbox employee’s reuse of a password led to the theft of more than 60 million user credentials.

Password Security Is Not Enough

In addition to requiring unique and stringent passwords, companies must employ additional layers of security, including multi-factor authentication (MFA). A good example of this would be a push notification to the individual’s cell phone. However, even MFA isn’t enough to protect you, with threats like Cerberus finding a way around the authentication process.

A Password Manager Should Be Mandatory 

In any organization that is serious about password security, minimizing risk, and avoiding data breaches, employing a password management tool needs to be mandatory. Your employees will otherwise resort to reusing passwords, writing down passwords, or using the same password on multiple sites. Remembering many different passwords is so difficult that these temptations become irresistible. Password management resolves those issues by:

  • Allowing your employees to access every app and software with one single password
  • Autogenerating unique and complex passwords for each access point it manages
  • Improving efficiency by automatically logging into accounts on any device
  • Providing your organization with full visibility and control over company accounts
  • Helping you identify and address weak links
  • Maximizing your team’s security while minimizing the risk of data breaches
  • Automatically handling push notifications for MFA

Chrome and Other Browsers Are Not Secure Password Managers

Your employees may already be using a password manager of sorts offered by their browsers. Chrome offers to remember passwords for you; it will even generate complex passwords when you reset a password or sign up to use a new app or software. Firefox provides the option of basic encryption and a master password but does not generate passwords. However, the passwords it stores are kept unencrypted on the machine and are easily hackable. A password manager, such as Myki, which thinkCSC employs, encrypts passwords and stores them offline. It also generates the most complex passwords – up to 200 characters long – to help prevent hacks. Password management is necessary. We feel so strongly about it that we include it – and require it – with our Managed Services.

thinkCSC has more than 20 years of experience helping clients exceed their goals. We understand that business and technology are so intertwined that you can’t be strategic about one without taking the other into consideration. We offer more than the typical MSP, and we bundle the IT services you need to achieve objectives; increase efficiency, productivity, and agility; cut down on IT costs; and ensure you have a competitive edge. Whether you want to outsource most or all of your infrastructure management, or you simply want to optimize the systems already in place, thinkCSC provides personalized IT expertise that saves money and provides the manpower that ensures your infrastructure is always an asset – never a liability. Get in touch to learn more.

Your Credentials Are a Hot Commodity on the Dark Web

By | Data Security | One Comment

John Larger, manager of thinkCSC’s NOC, shares his insight on the Dark Web and why your business credentials can be a hacker’s dream if you’re not vigilant.

Usernames and passwords are the go-to security solution for so many networks, services, and social media sites, but they are the weakest link in your security efforts, particularly when taking into consideration the risk of human error. Usernames and passwords are often the only layer of security that stands between your employees and your business network. While best practices demand that we should use different passwords for every service (do you?), the reality is that most of us repeatedly reuse passwords. That is a huge problem. The password that may have just been stolen from your employee during the Capital One breach, for example, may be the same one used to connect to your network, your financial system, or their work email.

Password Reuse Is a Huge Risk

In fact, passwords being shared among different services is one of the most common issues we come across. When one service is compromised, every other use of that credential is at risk. We commonly see malicious actors inject themselves into the middle of an email conversation regarding an invoice or other financial transaction and intercept data (e.g., providing the other party with different bank routing info). We’ve seen these cyber criminals create rules to forward, delete, or hide messages so that their activity goes undetected. Sometimes the access is used only for gathering information for other nefarious purposes. It all starts with a password that someone used in more than one place and that found its way into the hands of the criminal element on the Dark Web.

Learn more about how even the information you store with your favorite pizza place can be used against you and your organization. Read the full article on the Columbus Chamber blog.

At thinkCSC, we offer Dark Web monitoring to identify exposed credentials and alert our customers before hackers can do harm. thinkCSC’s Dark Web monitoring services are provided through a strategic partnership with ID Agent, provider of Dark Web monitoring and identity theft protection solutions. With Dark Web ID, thinkCSC can now offer 24/7 monitoring of millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards, and illegal black-market sites, to alert you of stolen or compromised data. To learn more, please get in touch with us.

Citrix Data Breach – What You Need to Know

By | Data Security, thinkCSC Security Alert | No Comments

Recently, Citrix, a U.S.-based software firm, confirmed that “international cyber criminals gained access to the internal Citrix network” and downloaded business documents and other files. The hackers gained access using a method called “password spraying.”

What Is Password Spraying?

Password spraying occurs when hackers take a short list of common passwords and try each one against many accounts, rather than hammering a single account with many guesses. According to Dark Reading, they sometimes use passwords leaked from other breaches, hoping that employees reuse their passwords at work.
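As an added example (not part of the original post), the Python below shows the signature a spray leaves in authentication logs and how a defender can flag it: one source failing against many distinct accounts with only one or two attempts each, the inverse of a brute force against a single account. The log format, IP addresses and usernames are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format: "<ISO time> <src_ip> <user> <SUCCESS|FAIL>").
# 10.0.0.5 is a user who mistypes twice; 10.0.0.9 sprays one guess across
# eight accounts; 10.0.0.7 brute-forces a single account.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 alice FAIL
2024-03-01T09:00:07 10.0.0.5 alice FAIL
2024-03-01T09:00:15 10.0.0.5 alice SUCCESS
2024-03-01T09:02:00 10.0.0.9 alice FAIL
2024-03-01T09:02:01 10.0.0.9 bob FAIL
2024-03-01T09:02:02 10.0.0.9 carol FAIL
2024-03-01T09:02:03 10.0.0.9 dave FAIL
2024-03-01T09:02:04 10.0.0.9 erin FAIL
2024-03-01T09:02:05 10.0.0.9 frank FAIL
2024-03-01T09:02:06 10.0.0.9 grace FAIL
2024-03-01T09:02:07 10.0.0.9 heidi SUCCESS
2024-03-01T09:05:00 10.0.0.7 bob FAIL
2024-03-01T09:05:01 10.0.0.7 bob FAIL
2024-03-01T09:05:02 10.0.0.7 bob FAIL
"""

def parse(log_text):
    """Yield (timestamp, source, user, succeeded) from the constructed format."""
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "SUCCESS"

def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures inside `window` touch at least min_users
    distinct accounts with no more than max_per_user failures on any one of
    them. Returns {source: {"targets": [...], "successes": [...]}}."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, src, user, ok in parse(log_text):
        (wins if ok else fails)[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = Counter(u for t, u in events[i:] if t - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from a spraying source after the spray began is suspect.
                hits = sorted({u for t, u in wins[src] if t >= start})
                alerts[src] = {"targets": sorted(per_user), "successes": hits}
                break
    return alerts
```

The brute-force source (10.0.0.7) is not flagged here because it hits only one account; a per-account lockout catches that pattern, while spraying stays under lockout thresholds and needs the cross-account view shown above.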

How Do You Protect Your Organization from Password Spraying?

Nothing makes a stronger argument for more stringent password requirements for your employees than the results of this study conducted by the National Cyber Security Centre, the UK’s independent authority on cybersecurity:

  • 75% of the participants’ organizations had accounts with passwords that featured in the top 1,000 passwords
  • 87% had accounts with passwords that featured in the top 10,000

Allowing your employees to set their own passwords puts your organization at risk.

Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. More so, they dislike having to regularly change passwords on individual accounts and being forced to forget previous passwords in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):

  • Re-use the same usernames and passwords across multiple accounts
  • Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)

Learn a Lesson from Citrix

If you do not have strong password security and password policies, today is the day to change that practice. Passwords should be long, randomly generated, changed often, and treated as only one of many layers in your overall security effort. You should also be monitoring the Dark Web. thinkCSC is here to help ensure your cybersecurity systems are strong and vibrant, to assist you in your preparation for and response to cyberattacks. Together, we can avoid the mistakes that are common among so many businesses and organizations, in the end becoming as secure as possible in today’s technological world.

thinkCSC provides Dark Web monitoring services through a strategic partnership with ID Agent, provider of Dark Web monitoring and identity theft protection solutions. With Dark Web ID, thinkCSC can now offer 24/7 monitoring of millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards, and illegal black-market sites, to alert you of stolen or compromised data and passwords.

While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all organizations – businesses of all sizes, government entities, schools, hospitals, and others – to invest in stronger IT security that includes offsite backup and recovery and managed security. These protections, combined with ongoing staff training, strict policies, and constant vigilance, are an absolute necessity in today’s cyber environment.

For new customers interested in information on obtaining our services, please contact us at sales@thinkcsc.com.