Why your organization should be concerned with others’ breaches.
It seems we’re constantly reading about breaches that result in the leak of login credentials–Gawker, Toshiba, Sony, Yahoo, LinkedIn…the list goes on. Just this week ArenaNet (developers of Guild Wars 2) announced they are experiencing account hacks believed to be facilitated by the use of password lists stolen from other games and sites. Many organizational executives or security personnel might read about these breaches and let out a sigh of relief, thankful the attack wasn’t directed at them. Instead they should be asking themselves “does this breach affect my organization?”
You see, one of the fundamental flaws with single-factor password authentication solutions is that users tend to re-use passwords between personal and work accounts. Organizational password complexity enforcement does little to stop this, and remembering only one password is certainly easier for users. Outside of making employees appreciate how dangerous this practice can be through security awareness, there’s really no way to stop password reuse. What does this mean to you? If it’s your employees reusing their credentials on these sites, maybe a lot!
Let’s look at the July 2012 Yahoo Contributor Network breach that resulted in the leak of a reported 450,000 users. Doing a very quick-and-dirty analysis of the actual leaked data, there’s over 30,000 unique email domains linked to user accounts. Searching through the domains for the top 25 companies of the Fortune 500, 13 are clearly represented. Of the accounts attributed to these 13 companies, 18 users can easily be confirmed as valid employees based on the uniqueness of their names. Some have titles such as Communications Coordinator or Project Manager while others hold more interesting positions (in terms of potential targeted attacks) including Executive, Security Manager, Associate Partner, and Vice President. Several of these represented companies have externally facing webmail or employee portals that only require username and password authentication for access. Assuming the companies use their user IDs to construct their email addresses and a standard lockout of 3-5 failed attempts, that’s 39-65 educated username/password guesses. Depending on the success of the attack, you could be faced with data theft, system compromise, targeted phishing attacks against other employees, or at the very least, mass spamming.
Beyond the private sector, there were at least 1500 .edu domains, as well as email addresses belonging to employees of city, state and federal government and all branches of the military. Looking at the data from other past breaches, there’s much of the same — accounts belonging to users other than those of the hacked company. What about breaches such as LinkedIn that only resulted in the wide release of passwords (and no email addresses)? By analyzing that data, it’s clear that some users construct their passwords using their first and last names. While this might not be a problem for someone named John Smith, it’s easier to deduce the identity of someone with a very distinctive name, especially since the population is further limited to LinkedIn users. These observations are based on my cursory, 15-minute inspection of a small portion of the leaked data…imagine what additional information could be gleaned from a more thorough analysis.
The companies included in these breaches that have implemented two-factor authentication for externally facing systems have little to worry about (at least as far as single-factor-caused breaches go!), but if you’re responsible for the security of one of the other organizations that still rely on usernames/passwords to protect their assets, which of your implemented controls makes you confident that none of your employees reused their credentials and put your data at risk? You don’t have to answer that…
If you’re not using multi-factor authentication, there are some steps you can take to react quickly and stay ahead of a potential breach of your own.
- Monitor for reported breaches — Regular monitoring of near real-time feeds (Twitter, RSS, etc.) can alert you to potential breaches when they are reported. Also, proactive searches for your organization’s domain name(s) on sites like Pastebin (a favorite for declaring breaches and dumping stolen credentials) can identify breaches of smaller organizations that may not get wide press but still involve your users. Remember, if you hear of a breach through these means, you’re already behind the curve, so you must act quickly.
- Attempt to obtain a copy of the breached data — Again, sites like Pastebin are a favorite for dumping these credentials, and sometimes posts on these sites will link to another file-hosting site. Wherever it’s posted, your time to download is limited because it will likely be removed–either for violating terms of service or because of the amount of traffic it’s generating to the respective site.
- Search the data for organizational accounts — If the data contains email addresses, the search is fairly straightforward, looking for the applicable domain name(s). If the data only contains passwords, I also recommend you search for high-profile employee or executive names, if possible. You can automate this task with grep or a simple script.
- Reset accounts as necessary — If any accounts are confirmed to be included in the breach, the safest thing to do is reset the password and educate the user (and maybe the organization) on the dangers of reusing company credentials on personal, external sites.
- Monitor your systems/network — There’s no harm in closely monitoring externally facing systems (webmail, portal, etc.) following a major breach involving another organization. At a minimum, monitor the accounts belonging to any employees confirmed to have reused their account credentials on the breached site.
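The “simple script” step above, as an added example that is not part of the original post: it counts accounts per email domain (the quick-and-dirty domain tally described earlier), pulls out addresses belonging to your own domains, and, for password-only dumps, flags passwords built from an employee’s full name. The dump lines, domains and names are constructed samples, not real leaked data.

```python
import re
from collections import Counter

# Constructed sample dump (not real leaked data). Dumps mix "email:password",
# "email<tab>password" and junk lines, so scan with a regex instead of splitting.
SAMPLE_DUMP = """\
jsmith@example.com:Summer2012
Mary Jones <mary.jones@example.com>:password1
bob@gmail.com:hunter2
ceo.person@EXAMPLE.com\tcorrecthorse
# comment line with no address
student@mail.example.edu:maryjones2012
"""

# Constructed password-only sample, like the LinkedIn case the post describes.
PASSWORD_ONLY = ["maryjones2012", "hunter2", "Sm1thJohn!", "JohnSmith!1"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def extract_emails(text):
    """Return (email, domain) pairs, lower-cased, for every address in the dump."""
    return [(m.group(0).lower(), m.group(1).lower()) for m in EMAIL_RE.finditer(text)]


def domain_counts(text):
    """Accounts per email domain: the quick-and-dirty tally from the post."""
    return Counter(domain for _, domain in extract_emails(text))


def find_org_accounts(text, org_domains):
    """Addresses under one of our domains, including subdomains (mail.example.edu)."""
    org = tuple(d.lower() for d in org_domains)
    return sorted({e for e, d in extract_emails(text)
                   if any(d == o or d.endswith("." + o) for o in org)})


def find_name_based_passwords(passwords, names):
    """For password-only dumps: flag passwords that embed an employee's full name."""
    hits = {}
    for name in names:
        parts = [p.lower() for p in name.split()]
        for pw in passwords:
            flat = re.sub(r"[^a-z]", "", pw.lower())  # drop digits and symbols
            if all(p in flat for p in parts):
                hits.setdefault(name, []).append(pw)
    return hits


if __name__ == "__main__":
    print(domain_counts(SAMPLE_DUMP).most_common(3))
    print(find_org_accounts(SAMPLE_DUMP, ["example.com", "example.edu"]))
    print(find_name_based_passwords(PASSWORD_ONLY, ["Mary Jones", "John Smith"]))
```

Point it at a real dump by reading the file into the `text` argument; the name check will produce false positives for common names, so treat hits as leads to verify, not confirmations.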
It’s inevitable…breaches will happen, passwords will be stolen and leaked. Even when these credentials weren’t stolen from your company, you may still be at risk. Of course, the best proactive control to protect against breaches caused by username/password compromise is to implement multi-factor authentication, but this has its own challenges and is often cost-prohibitive. The next best thing is to conduct regular awareness training and alert users to the dangers of password reuse; however, we all know that even with a solid awareness campaign you’ll still have users that don’t get the message. In these circumstances, be prepared to react quickly to a publicized breach, examine the data for employee credentials and mitigate any potential damage to your own organization.