By Max Dorfman, Research Writer, Triple-I
It’s Cyber Security 101: Multi-factor authentication and hard-to-crack passwords are table stakes to prevent intrusions.
Still, “Password,” “12345,” and “Qwerty123” are among the most common passwords leaked on the dark web by hackers, according to mobile security firm Lookout. And despite the amount of attention the issue is getting, the situation doesn’t seem to be improving.
A survey by UK-based consulting firm EY found that only 48 percent of government and public sector respondents said they are “very confident in their ability to use strong passwords at work.” The problem is exemplified by a recent study by the US Office of Inspector General – part of the Department of the Interior (DOI), the agency responsible for managing federal lands and natural resources.
Hacking the DOI, it turns out, is relatively easy.
In less than two hours—and spending just $15,000—the inspector general’s office was able to recover “plaintext” (non-encrypted) passwords for 16 percent of user accounts. In total, 18,174 of 85,944 — 21 percent of active user passwords — were cracked, including 288 elevated-privilege accounts and 362 accounts belonging to senior US government employees.
Much of this problem, according to the report, stems from the lack of multi-factor authentication, as well as password complexity requirements that allowed unrelated personnel to use the same weak passwords. The Office of the Inspector General noted that:
- DOI did not consistently implement multi-factor authentication;
- Password complexity requirements were outdated and ineffective; and
- The department did not disable inactive accounts in a timely manner or enforce password age limits, leaving more than 6,000 additional active accounts vulnerable to attack.
The most frequently reused password was used on 478 unique active accounts. The investigators found that five of the 10 most reused passwords on DOI included a variant of “password” combined with “1234”.
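The three findings above (missing multi-factor authentication, stale accounts and password age limits, and complexity rules that still admit “password”-plus-digits variants) are the kind of thing a defender can check from a directory export. The following is an added example written for this page, not code from Triple-I or from the Inspector General’s report. It audits a small set of constructed account records and shows why a blocklist check catches “P@ssw0rd1234!” even though a classic length/character-class rule accepts it. The thresholds (45 days inactive, 60 days password age), the blocklist words and the sample accounts are assumptions chosen for the demonstration.

```python
"""Account-hygiene audit over a constructed directory export (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
import re

# Assumed policy thresholds for the demonstration.
INACTIVE_DAYS = 45
MAX_PASSWORD_AGE_DAYS = 60
AUDIT_DATE = date(2023, 3, 1)

# Tiny blocklist of base words; a real deployment would load a large breached-password list.
BLOCKLIST = {"password", "qwerty", "welcome", "letmein", "admin"}

# Common character substitutions that complexity rules reward but attackers try first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Classic complexity rule: 8+ chars, lower, upper, digit, special.
COMPLEXITY = [re.compile(p) for p in (r".{8,}", r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def normalize(password: str) -> str:
    """Reduce a candidate to its base word, so 'P@ssw0rd1234!' becomes 'password'."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # drop leading/trailing digits and punctuation ('1234', '!')
    base = base.translate(LEET)                      # undo leetspeak substitutions
    return re.sub(r"[^a-z]", "", base)               # drop anything that is still not a letter


def is_blocklisted(password: str) -> bool:
    """True when the password is a thin variant of a blocklisted base word."""
    return normalize(password) in BLOCKLIST


def meets_legacy_complexity(password: str) -> bool:
    """The outdated rule the report criticises: character classes only, no blocklist."""
    return all(p.search(password) for p in COMPLEXITY)


@dataclass
class Account:
    user: str
    privileged: bool
    mfa_enabled: bool
    last_login: date
    password_set: date
    password_hash: str  # stored hash; with an unsalted hash, equal values mean equal passwords


def audit(accounts, today: date = AUDIT_DATE) -> dict:
    """Return {user: [issues]} for every account that violates the assumed policy."""
    hash_counts = Counter(a.password_hash for a in accounts)
    findings = {}
    for a in accounts:
        issues = []
        if not a.mfa_enabled:
            issues.append("no_mfa")
        if (today - a.last_login).days > INACTIVE_DAYS:
            issues.append("inactive")
        if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password_expired")
        if hash_counts[a.password_hash] > 1:
            issues.append("password_reused")
        if issues:
            findings[a.user] = issues
    return findings


def privileged_without_mfa(accounts) -> list:
    """Elevated-privilege accounts with no second factor: the highest-priority fix."""
    return [a.user for a in accounts if a.privileged and not a.mfa_enabled]


# Constructed sample export; the hash values are placeholders, not real hashes.
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, date(2023, 2, 28), date(2023, 1, 15), "h1"),
    Account("bob", False, False, date(2023, 2, 20), date(2022, 11, 1), "h2"),
    Account("carol", True, False, date(2022, 12, 1), date(2023, 2, 1), "h2"),
    Account("dave", False, True, date(2023, 2, 27), date(2023, 2, 10), "h3"),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
    print("privileged without MFA:", privileged_without_mfa(SAMPLE_ACCOUNTS))
    for pw in ("P@ssw0rd1234!", "Qwerty123", "correct-horse-battery"):
        print(f"{pw!r}: complexity={meets_legacy_complexity(pw)} blocklisted={is_blocklisted(pw)}")
```

The point of `normalize` is that a blocklist compared against the raw string misses “Password1234”, “P@ssw0rd1” and the like; stripping digit suffixes and undoing substitutions before the lookup is what makes the check catch the variants the report found on hundreds of accounts. The reuse check only works as shown when the stored hash is unsalted; with salted hashes, reuse has to be detected at password-change time instead.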
Simple passwords make it easy to hack
With the average person having over 100 different online accounts with passwords, it’s understandable to reuse passwords – but simple passwords make it easy for hackers to access personal information and accounts.
“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the biggest risk concerns for most businesses,” said Gaurav Banga, CEO and founder of cybersecurity firm Balbix. In 2020, Balbix found that 99 percent of business users recycle passwords between work accounts or between work and personal accounts.
A growing danger
“The cost of ransomware attacks has increased as criminals have targeted larger businesses, supply chains and critical infrastructure,” Allianz said in its 2023 Risk Barometer. “In April 2022, an attack hit about 30 institutions of the Costa Rican government, paralyzing the territory for two months.”
The global insurer goes on to say, “Double and triple extortion attacks are now the norm…. Sensitive data is increasingly stolen and used as leverage for extortion demands against business partners, suppliers or customers.”
Part of this growth is due to the rise of “ransomware as a service” – a subscription-based business model that allows affiliates to use existing ransomware tools to carry out attacks. Based on the “software as a service” model, it helps bad actors attack their targets without having to know how to code or hire unscrupulous programmers.
Michael Menapace, an insurance attorney with Wiggin and Dana LLP and a Triple-I Non-resident Scholar, told attendees at Triple-I’s 2022 Joint Industry Forum that “ransomware as a business model remains alive and well.”
What has changed in recent years, he said, is that “where bad actors would encrypt your systems and extract a ransom to give you your data back, now they’ll exfiltrate your data and threaten to make it public.”
The types of targets have also changed, Menapace said, with an increased focus on “softer targets — particularly municipalities” that often don’t have the staff or finances to maintain the same cyber hygiene as large corporate entities.
Organizations and individuals must take the threat of cyber attacks seriously and do as much as possible to reduce the risk. Improved cyber hygiene policies and practices are a necessary first step.