Who is Your Weakest Link?
When you want to find which of your company’s servers are weak, you order up a penetration test. But what does a company do when it wants to find which of their employees’ digital security is weak? Order up a colonoscopy of online security habits and passwords?
Well, just like that particular medical procedure, it might not feel good, but it has to be done.
So how do you test to find which of your employees leaves you the most vulnerable? The one who could click on a fake email link and destroy your entire company, or the person whose email account is used to launch “phishing” attacks. The answers might be found within a new frontier of corporate security management used to secure the human end points, and in this article we’ll explore a new security weapon.
When a Cheetah charges a herd of African Impala, it doesn’t know right away which one will become dinner. As the pack disperses, the weak lag and the Cheetah zeros in on the slow or sick prey. The same thing happens within an organization. Hackers probe and prod, then charge. They are looking for weak vectors or employees who will bite on the hook, the line, and if really weak, the sinker. The goal of their attack is to establish a permanent beachhead within your network, then dine on all its intellectual property, credit cards, trade secrets, or hold the company hostage as we’ve seen with recent events.
As an IT professional, what tools do you have to keep a busy C-level employee from making that disastrous click on a spear-phished email that appears to come internally from a trusted colleague? How do we shore up the organization’s passwords to prevent this?
One thing you can do is what an old IT manager friend of ours recommended. Go around the company after hours and collect every single sticky note of written passwords from out of every desk drawer, under every mouse pad in every cubicle and every office. Then call all the employees into the “Principal’s Office” and announce that IT now requires all corporate passwords to be unique and at least 10 characters, with numbers, letters and symbols, and no words. This goes for all personal accounts as well. And that’s just the initial step.
That tightens up the company a bit, but what about employees’ remote work access? Recently, Yahoo and IBM took steps to eliminate “work from home” programs. Security was just one of the reasons. These days when an employee dials into the network remotely, their personal passwords and security habits put that work PC at risk, which in turn puts the company at risk. So, in a company of workers, everyone is in this together. Employees, therefore, as an extended asset, need to shore up their personal security life as well. This new approach will likely require Human Resources guidelines that outline the risks to the corporation, since a single employee’s overall security habits could put all parties at risk.
But to see who your weakest link might be, one simply needs to look at the passwords they’ve used in the past. We can do this by running your company through a Password Progression Test using PitchFork, Insedia’s database of approximately 4 billion compromised cyber prints. The test can show how many of a specific employee’s passwords show up in other compromised breaches. The same used password, or a variation of that password, is available to hackers in the underground. That gives the Cheetah an edge. He can now drill into you and your social media accounts, creating a personal profile for that employee from the cyber prints they have left behind and a menu for an attack. Remember, a sophisticated hacker or hacker group wants very badly to dine at the corporate cafeteria. It’s worth potentially millions of dollars to them.
As an example, we have run a test on Anthem Blue Cross to show some compromised accounts and have put their passwords in these categories: The Good, The Bad, and The Ugly. And as you’ll see, a hacker has a decent sized pack to choose from within the Anthem Blue Cross herd.
Of the 16,452 compromised accounts, almost 49% of the passwords are only 7 characters or less. From the outset, that is very weak protection. No surprise that females are slightly better with passwords of at least 8 characters. They instinctively want to protect their young. The most alarming was a lack of the use of symbols, a mere 5%.
As we can see, 9% of Anthem’s employees use names in their passwords. This makes it much easier for hackers to cross-reference social media accounts and craft a specific message tailored especially for that weak Anthem employee. People love to put personal things in their passwords, where they inherently feel safe, but because of this practice the Cheetah doesn’t have to run quite as fast to catch them.
Here are three people within the organization whose passwords we drilled into:
The Good: 48fbjy06xjnwi
The Bad: anthem9
The Ugly: marxism1946
When we ran 48fbjy06xjnwi across LinkedIn, we found he works in IT; no real surprise here, as reflected in the strength of his password.
anthem9 works in claims, hmm!
And as for marxism1946, that’s one we might call ugly. It is an enticing cyber print that can be used to create a profile and eventually a realistic email with a link that, if clicked, could do REAL damage. The point is that people leave very interesting cyber prints that can follow them and render any business they’re associated with vulnerable for their entire lives.
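The policy announced earlier (unique, at least 10 characters, letters plus numbers plus symbols, no words) and the Good/Bad/Ugly buckets above can be turned into a small audit that a help desk could run over an export of passwords flagged in a breach. This is an added example, not Insedia’s or PitchFork’s code; the word list and the set of “already breached” passwords are constructed stand-ins for a real dictionary and a real breach corpus.

```python
import re

MIN_LEN = 10  # the article's rule: at least 10 characters, letters, numbers, symbols, no words

# Constructed stand-ins (assumptions, not real data): a tiny word/name list and a
# tiny set of passwords already seen in breaches. A real audit would use a full
# dictionary and a breach corpus such as the PitchFork database the article describes.
WORDS = {"anthem", "marxism", "password", "welcome"}
BREACHED = {"anthem9", "marxism1946", "Welcome123"}


def normalize(pw: str) -> str:
    """Strip case and trailing digits/symbols so simple variations collapse:
    'Anthem2017!' -> 'anthem', which equals normalize('anthem9')."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def audit(pw: str) -> list[str]:
    """Return every policy failure for one password; an empty list means it passes."""
    issues = []
    if len(pw) < MIN_LEN:
        issues.append(f"shorter than {MIN_LEN}")
    if not re.search(r"[A-Za-z]", pw):
        issues.append("no letters")
    if not re.search(r"\d", pw):
        issues.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no symbols")
    core = normalize(pw)
    if any(word in core for word in WORDS):
        issues.append("contains a word or name")
    if core and any(normalize(b) == core for b in BREACHED):
        issues.append("reuses a breached password or a variation of one")
    return issues


def classify(pw: str) -> str:
    """Map failures onto the article's buckets: Ugly if it exposes a word/name or a
    breached credential (profiling material), Bad for any other failure, Good otherwise."""
    issues = audit(pw)
    if any(i.startswith(("contains", "reuses")) for i in issues):
        return "Ugly"
    return "Bad" if issues else "Good"


def audit_all(passwords: dict[str, str]) -> dict[str, list[str]]:
    """Audit a {user: password} map and enforce the 'unique' rule across accounts."""
    report = {user: audit(pw) for user, pw in passwords.items()}
    by_core: dict[str, list[str]] = {}
    for user, pw in passwords.items():
        by_core.setdefault(normalize(pw), []).append(user)
    for users in by_core.values():
        if len(users) > 1:
            for user in users:
                report[user].append("shared with another account")
    return report
```

Note that under the article’s own 10-character-with-symbols rule, even the “Good” sample 48fbjy06xjnwi is flagged for lacking a symbol, while anthem9 and marxism1946 land in Ugly because their core is a dictionary word that already appears in the breached set.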
Whether at home, traveling, or on the corporate premises, employees need to be diligent and mindful with their computer security access to both personal and company devices. One mindless click can lead to sophisticated malware designed to infiltrate your company, potentially costing you many millions of dollars in fixes, legal problems and bad publicity.
Besides educating your employees on phishing, you can use the PitchFork database to periodically scan breached information to see if your employees are still using their same old passwords or variations of them. It’s a tool to trust, yet verify, that they have upgraded their security practices in all aspects of their lives.
Man cannot outrun the Cheetah, the fastest animal on the planet, just as he can’t prevent a hacker from taking passwords from the weakest prey, but he can educate his employee herd and periodically move it outside the criminal’s range.