Cyber attack: Hacked accounts of senior executives? Blame it on passwords
Cyber security—or rather, the lack of it—has been an issue highlighted in almost all the recent elections around the world. Towards the end of 2016 it was the United States and, very recently, it was France and even India, where there has been much debate about the possibility of hacking an electronic voting machine (EVM). On 6 May, the legendary investor Warren Buffett said that he saw cyber attacks as a bigger threat to humanity than nuclear weapons.
Closer to home, we have seen multiple cyber breaches, but a common theme across the publicly disclosed ones is “No financial loss from the cyber attack”.
It can be safely assumed that very few attacks involving financial losses are reported in the public domain.
Nevertheless, cyber attacks happen all the time, and building a cyber-resilient organisation is a long-term, continuous goal for companies. However, several organisations miss out on the basics, which start with securing the weakest link in the chain, i.e., the end users. Awareness is the key here, and the lack of it, especially among top-level executives, often results in attackers having a field day.
Let’s look at how security checks at the end-user level are done in banking processes. When opening a new bank account, apart from the mandated know your customer (KYC) compliance details, bankers typically ask users for a keyword to be shared with them. This keyword is used for identification in case additional identity checks are required. By way of example, co-operative banks typically ask for your ‘rashi name’ (zodiac sign) or something only your close friends and family would know when opening a locker for storing high-value items. In cyber terms, the combination of your username, password and secret question serves the same purpose.
Let’s now look at specific issues in this area and highlight some best practices.
Username: The choice of the username is generally a trade-off decision made by a company between something unique and something sufficiently easy to remember. Corporate email addresses and employee ID numbers are generally accepted as the norm. The more widely single sign-on is integrated, especially for access from the Internet, the more carefully this decision needs to be made.
Password: The strength and complexity of the password is again a trade-off decision made by a company between something that is implementable, enforceable and acceptable to end users. Most password policies require the password to be at least 8 characters long, comprising alphanumeric characters and, in some cases, requiring the inclusion of capital letters and special symbols (such as *, #, etc). Other best practices include making it mandatory to change the password every 90 days, with provisions such as excluding the immediately preceding passwords and certain defined keywords like the company name, user name, etc.
The choice of the password, however, rests with end users, and they often resort to ‘jugaad’ (a makeshift workaround) to comply with the password rules. This leaves the resulting password extremely easy to guess via a social engineering attack—if it is not already pasted on the computing device or shared with a co-worker. The ready-reckoner of the most common passwords of 2016 is an interesting read.
Secret questions: Secret questions are used when the user forgets the password, in which case the self-service password reset mechanism can pop up one of these questions to provide some level of authentication and security. However, again, the choice of these questions and answers in most companies is left to the end user, and the exercise is generally done as a one-time activity during user enrolment.
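As an added illustration of the policy described above and of the ‘jugaad’ problem (example code, not part of the original article), the checker below enforces the stated rules (minimum length, character classes, banned company and user names, exclusion of the immediately preceding passwords) and additionally flags a common password that has merely been padded to satisfy the character rules. The company name, user name, sample passwords and the short common-password list are constructed.

```python
import hashlib
import re

# Policy values follow the article's description of typical corporate rules;
# the company name, user name and sample passwords below are constructed.
MIN_LENGTH = 8
HISTORY_DEPTH = 3                 # immediately preceding passwords that are excluded
BANNED_KEYWORDS = ("acmecorp",)   # constructed company name
# Constructed stand-in for a published list of the most common passwords.
COMMON_BASE_WORDS = {"password", "qwerty", "welcome", "letmein"}


def digest(password):
    """Store only a hash of past passwords, never the clear text.
    (Illustrative: a production history store would use a salted, slow hash.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, username, history, banned=BANNED_KEYWORDS):
    """Return the list of policy violations (empty means the password passes).
    history holds digests of the user's earlier passwords, most recent last."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[a-z]", "lowercase letter"), (r"[A-Z]", "capital letter"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "special symbol")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    lowered = password.lower()
    # Defined keywords (company name, user name) must not appear anywhere.
    for word in (username.lower(),) + tuple(b.lower() for b in banned):
        if word and word in lowered:
            problems.append(f"contains banned keyword '{word}'")
    # The 'jugaad' pattern: a common word padded with a capital, digit and symbol
    # satisfies the character rules, so compare the stripped-down base word too.
    base = re.sub(r"[^a-z]", "", lowered)
    if base in COMMON_BASE_WORDS:
        problems.append(f"based on common password '{base}'")
    # Exclusion of the immediately preceding passwords, compared by digest.
    if digest(password) in history[-HISTORY_DEPTH:]:
        problems.append("reuses one of the previous passwords")
    return problems


if __name__ == "__main__":
    past = [digest("Summer#2016"), digest("Autumn#2016")]
    for candidate in ("Password@1", "Autumn#2016", "jdoe-AcmeCorp-7", "T4ng0&Cash!"):
        print(candidate, "->", check_password(candidate, "jdoe", past) or "OK")
```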
When it comes to the top executives of a company, who may have certain requirements and preferences, the basic controls may get diluted further. I would recommend that what must never get diluted is the continuous monitoring process that keeps password controls as tight as possible. Affordable technologies are available today which, when deployed appropriately, store, process and analyse user behaviour in real time and at scale. The entire process can be done without affecting the overall end-user experience.
Human oversight, whether by the end user or done centrally in a security operations centre (SOC), goes a long way towards detecting, and hence responding to and recovering from, a cyber breach. Given today’s privacy concerns and the serious impact of cyber data breaches, reporting “no financial loss” as the outcome of a cyber attack will not ensure a safer cyberspace in the long run.
Getting the basics right in terms of a robust password policy that gets continuously monitored, however, will be a concrete step in the long march towards building cyber resilience.
Nimitt Jhaveri is an information technology architect and cyber security expert who runs his own venture, BitScore CyberTech LLP.