By Max Dorfman, Research Author, Triple-I
It’s Cyber Security 101: Multi-factor authentication and hard-to-crack passwords are essential to prevent attacks.
Still, “password,” “12345,” and “Qwerty123” are among the most commonly found passwords leaked by hackers on the dark web, according to mobile security company Lookout. And despite the attention the issue is receiving, the situation doesn’t seem to be improving.
A survey by EY, a UK-based consultancy, found that just 48 percent of government and public sector respondents said they were “very confident in their ability to use strong passwords at work”. The problem is illustrated by a recent study by the US Office of Inspector General – part of the Department of the Interior (DOI), the agency responsible for managing state lands and natural resources.
As it turns out, hacking DOI is relatively easy.
In less than two hours — and at a cost of just $15,000 — the Office of the Inspector General was able to obtain “plain text” (not encrypted) passwords for 16 percent of user accounts. A total of 18,174 out of 85,944 — 21 percent of active user passwords — were cracked, including 288 elevated accounts and 362 accounts held by senior US government officials.
Much of this problem, the report found, is due to DOI’s lack of multi-factor authentication, as well as password complexity requirements that allowed unrelated employees to use the same weak passwords. The Office of the Inspector General found that:
- DOI has not consistently implemented multi-factor authentication;
- Password complexity requirements were outdated and ineffective; and
- The department failed to deactivate inactive accounts or enforce password age restrictions in a timely manner, leaving more than 6,000 additional active accounts vulnerable to attack.
The most reused password was used for 478 unique active accounts. Investigators found that five of the 10 most reused passwords at DOI contained a variation of “password” combined with “1234.”
Simple passwords make hacking easier
Since the average person has over 100 different online accounts with passwords, password reuse is understandable — but simple passwords make it easier for hackers to access personal information and accounts.
“Compromised, weak and reused passwords continue to be responsible for the majority of hacking-related data breaches and represent one of the top risk issues facing most organizations,” said Gaurav Banga, CEO and founder of cybersecurity company Balbix. In 2020, Balbix found that 99 percent of enterprise users reuse passwords across work accounts or between work and personal accounts.
A growing danger
“The cost of ransomware attacks has increased as criminals have targeted larger companies, supply chains and critical infrastructure,” says Allianz in its Allianz Risk Barometer 2023. “In April 2022, an attack impacted around 30 government institutions from Costa Rica and paralyzed the territory for two months.”
The global insurer continues: “Double and triple racketeering attacks are now the norm…. Sensitive data is increasingly being stolen and used as a means of blackmailing business partners, suppliers or customers.”
Some of this growth can be attributed to the rise of ransomware as a service – a subscription-based business model that allows affiliates to leverage existing ransomware tools to execute attacks. Based on the “Software as a Service” model, it helps bad actors attack their targets without knowing how to code or hiring unscrupulous programmers.
Moving targets
Michael Menapace, an insurance attorney at Wiggin and Dana LLP and a non-resident Triple-I grantee, told attendees at Triple-I’s 2022 Joint Industry Forum that “ransomware is still alive as a business model.”
What has changed in recent years, he said, is that “where bad actors would encrypt your systems and ransom to give you your data back, now they will exfiltrate your data and threaten to make it public.”
The types of targets have also changed, according to Menapace, with an increased focus on “softer targets — especially municipalities” that often don’t have the staff or finances to maintain the same cyber hygiene as large corporations.
Organizations and individuals need to take the threat of cyber attacks seriously and do as much as possible to reduce their risk. Improved cyber hygiene policies and practices are a necessary first step.