The single area that continues to contribute to breaches and other system compromises (e.g. ransomware) is the users. The easiest attack along this avenue has been phishing. The general format is an email from the employee's "friend" or from someone in "management" on any of various topics, asking the person to click on the cat picture or a link.
Another form of attack involves passwords. These are intended to protect and secure access to the application. To make a potential breach more difficult to achieve, one method is to have the users make their passwords more robust. Although this is a grand plan, the policy is not always followed. Lists are published annually showing the most commonly used passwords, and they show the feeble passwords that are presently in use. Recently there have been many high-profile instances of this, and most have resulted in significant losses to the entity, both financial and in confidence. A less detrimental example was Facebook CEO Mark Zuckerberg's social media accounts being breached due to a weak password (dadada); of all people, this was surprising. Breaches with vast liability attached to users' poor password practices are far more common. For instance, the two latest large breaches were the Anthem breach, arising from several employees' credentials being stolen, and the infamous Office of Personnel Management (OPM) breach, which stemmed from a contractor's credentials. Notable earlier breaches include the Evernote incident, with 50M credentials, and Adobe's, with over 38M credentials compromised.
Passwords need to be robust and deliberately crafted. This means a length of at least 12 characters, a varied composition (mixed case, digits, and symbols), and no patterns that could be recognized after a brief look (e.g. a person walking by and glancing at the screen should not be able to pick it out as a password, and sequences such as 1234, abcd, or qwerty should be avoided).
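The following is an added example, not code from the National Cybersecurity Institute or from the author, showing how the rules in the paragraph above can be enforced at the point where a user sets a password: a minimum length of 12, at least three character classes, no obvious sequences, repeats, or keyboard walks, and a check against a common-password list. The `COMMON_PASSWORDS` set and the `KEYBOARD_ROWS` table are constructed for illustration; a real deployment would load a full published common-password list in place of the small one here.

```python
import re
import string
from typing import List

# Constructed stand-in for the annually published "most common passwords"
# lists (assumption: a real deployment loads a much larger list).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "abc123", "dadada",
    "letmein", "welcome", "iloveyou", "admin", "111111",
}

# Letter rows of a QWERTY keyboard, used to catch "walks" such as qwerty or asdf.
# Digit sequences are already caught by the sequential-run check below.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 12
MIN_CLASSES = 3


def has_sequential_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive ascending or descending
    characters, e.g. 'abcd' or '4321'."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw: str, length: int = 3) -> bool:
    """True if any single character repeats `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def has_keyboard_walk(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` adjacent keys from one keyboard row,
    in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            frag = row[i:i + length]
            if frag in s or frag[::-1] in s:
                return True
    return False


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, punctuation appear in pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(1 for cls in classes if any(c in cls for c in pw))


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the
    password satisfies every rule."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(pw) < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if has_repeated_run(pw):
        problems.append("contains a repeated character run")
    if has_sequential_run(pw):
        problems.append("contains a sequential run (e.g. abcd, 1234)")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk (e.g. qwerty)")
    return problems


if __name__ == "__main__":
    for candidate in ["dadada", "Qwerty123456!", "Tangerine-Lamp!Orbit7"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that `Qwerty123456!` satisfies the length and character-class rules yet still fails, which is the point of the pattern checks: composition rules alone do not stop a password that an attacker's wordlist will try in the first few thousand guesses.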
Users need training sessions to internalize a better appreciation of the process and of what can happen with a poorly chosen password. At the National Cybersecurity Institute, we offer a variety of face-to-face training, including Cybersecurity Awareness for Administrative Assistants and Cybersecurity Awareness for Supervisors and Managers. Participants do not need a background in IT to take these classes.
About Charles Parker, II
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has earned the MBA, MSA, JD, and LLM, and is in the final stage (ABD) of a PhD in Information Assurance and Security at Capella University. Mr. Parker's areas of interest include cryptography, AV, and SCADA.