In recent days we have seen cases of ‘techpreneurs’ and CEOs of tech companies who have had their social media accounts compromised. Most are linked to the 2012 LinkedIn data breach, while others were taken over because the owners failed to follow simple security measures. The hijacking of these accounts also shows us how poorly the presumed tech experts secure their own profiles.
It’s baffling that the individuals we expect to know the basics of security are the same people letting their guard down! The same pattern is replicated in enterprises: it’s the IT team (admins, developers, security analysts etc.) who force everyone else to set complex passwords while exempting their own accounts, and in worse cases still using default accounts and passwords.
We are humans and there is some psychology behind the behavior.
As humans we have a cognitive bias that causes us to believe we are less likely than others to experience a bad or negative event. This applies especially in situations where we believe we dominate others in society (practically the majority of us think that way). Given this, IT fellows (IT staff, techpreneurs and owners/CEOs of tech companies) disregard the reality of being compromised because they think they are excluded from a potential breach. What a fallacy!!!
The simplest passwords, including the word ‘password’, are used by these presumably security-conscious individuals. In the corporate arena default passwords are still in use despite the associated risk, considering everyone knows them. A common excuse is that creating personalized passwords, which at some point get shared with other staff, could end up exposing their other accounts. Password reuse is the order of the day, so in the process of securing their individual profiles they compromise an entire enterprise.
Microsoft is considering disallowing commonly used and weak passwords, which will be a savior to the majority of users who are too lazy to set a complex one. When conducting a security assessment we find it makes sense to target the IT fellows, as in the process you kill two birds with one stone: you not only gain access, you are rewarded with privileged access! When such access is in the hands of a malicious actor, be assured the end result is catastrophic.
Generic and default accounts and passwords become a nightmare when an IT staff member who had access to them leaves the organization. Do you change all passwords? Which passwords did she have access to? Given the pressure IT works under, it may prove tricky to start changing every account after the employee’s exit. This shows the downside of default and shared accounts: it’s an open can of worms. If the employee didn’t leave on good terms, rest assured the disgruntled employee may hit back, considering they not only know the enterprise infrastructure but also still have access to some privileged accounts.
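As an added illustration of the ‘disallow commonly used weak passwords’ idea above, this is example code written for this post, not Microsoft’s implementation and not part of the original article. The deny list, the leet-speak map, and the organisation term are constructed and deliberately small; a real deployment would use a far larger breach-derived list.

```python
import re

# Constructed, illustrative deny list (Microsoft's own list is not public).
BANNED_TERMS = {"password", "welcome", "letmein", "qwerty", "admin", "changeme"}

# Common leet-speak substitutions undone before matching, so "P@ssw0rd"
# is treated as "password". "1" is mapped to "i" here for brevity; a real
# checker would try both "i" and "l".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase, drop the usual trailing digits/symbols ('Password1!'),
    then undo leet substitutions so look-alikes collapse to one form."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    return p.translate(LEET_MAP)


def password_problems(password: str, username: str = "", org_terms=()) -> list:
    """Return the reasons a proposed password should be rejected (empty list
    means it passes). org_terms lets a tenant add its own names (company,
    product) to the deny list, as Microsoft's banned-password feature does."""
    problems = []
    norm = normalize(password)
    if len(password) < 12:
        problems.append("too short")
    if username and username.lower() in norm:
        problems.append("contains username")
    deny = BANNED_TERMS | {t.lower() for t in org_terms}
    for term in sorted(deny):
        if term in norm:
            problems.append(f"contains banned term '{term}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the kind of 'complex' passwords the post complains about.
    for candidate in ("P@ssw0rd1!", "Villb0Welcome2018!", "correct-horse-battery-staple"):
        print(candidate, "->", password_problems(candidate, org_terms=["Villbo"]) or "OK")
```

Running the block shows that leet-speak and a trailing year do not rescue a banned base word, while a long passphrase with no banned term passes.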
Sorting the mess
Security Awareness Training – We can never run away from this one
Sounds obvious, but wait till you see the security practices of our good IT fellows. OurMine, the Saudi Arabian hacking group, has of late been teaching us some important lessons. The fellows know what security measures they need to take, but what may not be very clear to them is the impact of their accounts being compromised. On the corporate front, once an administrative account is compromised the malicious actor holds the keys to every locked room in the enterprise.
Specialized awareness training for IT staff needs to be conducted based on their job description. A helpdesk coordinator needs to verify callers, and from the responses they get they can pick out a social engineer trying to impersonate a staff member. A simple call back to verify the authenticity of the caller would save the day.
Developers must be made aware of the importance of giving security top priority as they develop their programs. The OWASP Top 10 lists the flaws developers need to keep in mind as they develop, test and release their web applications. Awareness gives developers the opportunity to appreciate what a malicious actor can reach when those flaws are exploited.
Walk the Talk
System users will practice what they see their IT fellows doing, so IT staff need to set an example for the rest of the user community. IT staff sharing passwords verbally in the presence of users creates the impression that it’s OK for users to share passwords too. It’s interesting how sharing passwords is ignored; as we visit clients I am always amazed at how comfortably IT staff share passwords even in the presence of visitors (ourselves). The user community presumes that IT staff sit at the top of the hierarchy in technology know-how and hence replicates the traits and behaviors of the ‘gurus’.
The tech fellows will exempt their accounts from password expiry and other account settings for ease of use, and because some of those accounts are configured to run background processes. Having the account never expire or lock ensures the background processes are never interrupted by account issues. On the face of it this makes a lot of sense, as IT needs to keep the business running; the downside is that when such an account is compromised the malicious actor has full control of the enterprise’s resources and processes.
‘Everyone needs to keep their guards high no matter who you are.’
2018 © Villbo Group Limited.