
Users cannot be trusted with their passwords!!!

Created: 29 Apr 2013 • 9 comments
Joseph.Rogalski

Let’s face it: users cannot be trusted to know their entire password. I am not talking about the user who writes passwords down on sticky notes; the bad guys would need physical access to get at those. What I am really speaking to is how easily passwords can be compromised through social engineering or malware. If you are not protecting your Internet-facing systems that contain anything but public data with multifactor authentication, you are asking to be breached, and that includes Outlook Web Access.
 
So how could Outlook Web Access lead to a breach? When trying to breach your company I would first look to the many lists of usernames, email addresses and passwords that are available from any of the recent social media password breaches. These are valuable because, as you know, many users reuse passwords, and it only takes ONE out of the 1,000, 5,000, 10,000 or 100,000+ users who work for your company to have reused one. Next I would try those username\password combinations against Outlook Web Access. If they don’t work, it’s not a problem: I now have a list of email addresses within the company as well as their personal addresses. With a bit of research I can run a targeted attack against them both at work and on their personal accounts. Odds are again that one of the users will click on the link I send, and I will own their home PC, collecting all kinds of information including their Outlook credentials. Without a second factor of authentication I am in, and will send emails to internal users containing malware that exploits recent Java vulnerabilities, giving me a backdoor to do my bidding.
 
This is not a sci-fi story either; this happens all the time. It is not just Outlook either: these types of attacks can be perpetrated against any system that has communication abilities, Salesforce.com or SharePoint for example. If that Internet-facing system contains intellectual property, needless to say it would be gone in the blink of an eye.
 
This is a very real and serious threat. The best answer for protection is multifactor authentication for any Internet-facing systems as well as your high-value internal systems. In addition you should be protecting any accounts that have super-user rights. If you have thoughts on other ways to protect these systems I would appreciate your feedback.
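As an added illustration, not part of the original post, here is a defender-side check for the first step described above: replaying a breached username/password list against a web-mail login shows up in the authentication log as one source trying many different accounts within a short window, one attempt each, which per-account lockout never sees. The log layout, addresses and user names are constructed for the example and are not the real Outlook Web Access log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-mail auth log (timestamp, source IP, user, result).
# The layout is illustrative, not the real Outlook Web Access log format.
SAMPLE_LOG = """\
2013-04-29T08:00:01 203.0.113.7 alice FAIL
2013-04-29T08:00:02 203.0.113.7 bob FAIL
2013-04-29T08:00:03 203.0.113.7 carol FAIL
2013-04-29T08:00:04 203.0.113.7 dave FAIL
2013-04-29T08:00:05 203.0.113.7 erin OK
2013-04-29T08:00:06 203.0.113.7 frank FAIL
2013-04-29T09:15:00 198.51.100.4 alice OK
2013-04-29T09:16:00 198.51.100.4 alice FAIL
"""

def parse_log(text):
    """Parse log lines into (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: users} for source IPs that tried at least `min_users`
    distinct accounts inside `window`. One attempt per account is the
    signature of replaying a breached username/password list; it slips
    past per-account lockout, which only catches brute force on one user."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, tries in by_ip.items():
        tries.sort()
        start = 0
        for end in range(len(tries)):
            while tries[end][0] - tries[start][0] > window:
                start += 1
            users = {u for _, u in tries[start:end + 1]}
            if len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return hits

def accounts_to_reset(events, hits):
    """Accounts that authenticated from a flagged IP: their reused password
    worked, so reset it (a second factor would have blocked the login)."""
    return sorted({user for _, ip, user, ok in events if ok and ip in hits})
```

On the sample log the check flags 203.0.113.7 and reports erin, whose reused password let the one successful login through.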

Comments

alan Bell

I am a bit pissed about this blog.

The two-factor password is fair enough, but we employ Symantec (EPP) to do some of the email protection described in this article and cannot see how to configure it properly to stop even the most basic phishing attempts.

IMHO EPP should do better

1) emails containing embedded links, i.e. where the apparent web address is not the same as the actual address - this should be blocked and both turned into plain text or the mail deleted.

2) block links to graphics downloads where the host site is not the same as the email source, or block them anyway

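An added example, not from the comment above and not Symantec EPP code, of the first check Alan asks for: it scans an HTML mail body for anchors whose visible text names one host while the href points at another, and rewrites such anchors to plain text that shows the real host. The sample mail body is constructed; it only handles simple anchors (extra attributes, nested markup and character references are not preserved).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LOOKS_LIKE_URL = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[\w.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)

def host_of(value):
    # Lower-cased host of a URL or of a bare hostname such as "Mail.Example.com/x".
    value = value.strip() if "://" in value else "http://" + value.strip()
    return (urlparse(value).hostname or "").lower()

class LinkRewriter(HTMLParser):
    """Copy HTML through; an anchor whose visible address names a different
    host than its real href becomes plain text that shows the real host.
    Demo limits: other <a> attributes, nested markup, char refs are dropped."""
    def __init__(self):
        super().__init__()
        self.out, self.flagged, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
        elif self._href is None:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        if self._href is None:
            self.out.append(self.get_starttag_text())
    def handle_data(self, data):
        (self.out if self._href is None else self._text).append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            if self._href is None:          # outside an anchor: copy through
                self.out.append("</%s>" % tag)
            return
        text = "".join(self._text).strip()
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(self._href):
            self.flagged.append((self._href, text))
            self.out.append("%s [link removed: really %s]" % (text, host_of(self._href)))
        else:
            self.out.append('<a href="%s">%s</a>' % (self._href, text))
        self._href = None

def neutralise(html):
    p = LinkRewriter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.flagged   # (rewritten body, list of (href, text))

# Constructed sample body: the first link is honest, the second is not.
SAMPLE_MAIL = ('<p>Sign in at <a href="https://mail.example.com/owa">mail.example.com</a> '
               'or <a href="http://203.0.113.7/owa">https://mail.example.com/owa</a>.</p>')
```

Anchor text such as "Click here" is left alone: the check fires only when the visible text itself looks like an address and disagrees with the destination.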
Joseph.Rogalski
Alan, I appreciate your comments; there are no silver bullets and we need to employ layers of protection. Unfortunately passwords are not nearly as effective as they once were, but there is no perfect solution. Two-factor tokens and texts can be and often are defeated when a machine is infected with Zeus, but the protection is better than a static password.

Robert Shaker

Alan,

I'm the CTO for the Security Business Practice here at Symantec. I appreciate your position and would like to offer some assistance. Please feel free to contact me offline at robert_shaker@symantec.com and provide me with your contact information so I can get the appropriate resource to help you with your concerns.

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

Spencer Simpson

The point is that people re-use their passwords everywhere.

They use the same password to log in to their company network as they use to log into that poorly-secured (or easily-faked) social networking site that had all of its passwords stolen last week. 

You can hope that your users know about (or care about) the risks and avoid using the same password everywhere, but you can't stop them. Company and EPP policies are no guarantee because they may not use the same protection (or any protection for that matter) at home.

The best you can do is add some layer of verification (another "factor" in the multifactor scheme) that the login attempt is coming from where it's supposed to come from. 

alan Bell

Even with 17 factor authentication when an email carrying malware is targeted at a known recipient there is a good chance it will get clicked.

I read recently that "social engineering" was being used to target key people in some organisations, so using LinkedIn it is quite easy to spoof a sender name as colleaguefirstname.colleaguesurname@companyurl.

Hence the importance of the EPP in highlighting / blocking any email that is iffy, and my request that EPP does a little better.

For example, the email from Symantec notifying ss's post contained 8 hyperlinks, any of which could take you to malware.com.

Spencer Simpson

Yes, well...really it's not an either/or thing.

If someone has used the same password for Fakebook that they use on your corporate network, you're compromised without anybody clicking on any phishing emails, and without any way to control it except to add some way to make sure it's really Kristi trying to log in when a login attempt from Kristi is received.

alan Bell

Spencer,

Your point is well made, although I suspect George is as likely to re-use passwords as Kristi.

Part of any IT admin role is to set user access levels to the skillset / role / competence of users, so George / Kristi may reuse the same password, but their rights on the network hopefully would be correspondingly limited.

Robert Shaker

I agree with all of you. You can't go with single factor for anything internet facing. You can't trust users to use unique passwords, you can't trust they won't get phished or infected with something that steals their passwords (in so many different ways!), or share their passwords or use complex enough passwords. What we need to do is go two-factor, employ good mail-based spam and malware protection, endpoint protection and security awareness and training. Joe's right, there is no silver bullet but there are a lot of layers of protection we can put in place to protect our users from themselves.

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter
