While speaking to a Chicago group about security recently, I picked someone out of the audience and asked him to tell me his password. He looked at me like I was up to no good.
“Let me guess,” I said. “Is it at least eight characters with one number and one special character?”
He said yes.
Glancing around at the 3,000 people in the room, I asked how many use “GoBears!” as a password. About 25 percent looked like they wanted to crawl under their chairs.
When CDW’s Security Solutions team attempts to crack passwords for clients with a large number of users, about 85 percent of the passwords are broken in five minutes or less. The reality is that with some basic knowledge about a community (its sports teams, city, product names) and knowledge of the common password policies, an attacker can make a reasonable guess. Tried against 1,000 accounts, that guess is likely to work on at least one of them. Then the question becomes, “What happens now?”
More often than not, once hackers get in the door, it’s simple for them to expand their access and move on to their objectives, whether those objectives are money, intellectual property or sensitive data such as Social Security numbers and medical information.
The likelihood of a breach necessitates a fundamental shift in how we protect networks. Most networks are built using a security approach similar to a piece of M&M candy: hard on the outside, soft on the inside. But with that first crack in the outer shell, hackers have free rein inside. If organizations start strengthening the inside of the network, they can contain and limit the damage. They can do this by developing plans for before, during and after a breach.
Strengthening the Mushy Middle of IT Security
Most security plans address only prevention (before a breach). If they paid equal attention to containment and detection (during) and to remediation (after), they could minimize the potential for damage.
For instance, tested, offline backups can neutralize a ransomware attack: the data is restored rather than ransomed. Segmentation can enable enterprises to keep running even after a breach, because instead of moving laterally into other systems, attackers are boxed into a small segment of the network.
Just as security efforts focus too heavily on prevention, most are disproportionately fortified with technology solutions. They use firewalls, virtual private networks and intrusion detection systems to keep out the bad guys. If organizations put as much effort into policies and people, they would limit the potential for damage.
Organizations can create policies and teach users to replace passwords with passphrases; to use password managers, which generate unique passwords for each account; or to go with the security zone method, using different passwords for categories of accounts — for example, one for finances, one for medical, etc. Enterprises can then conduct audits and train users who fail to use more robust password-management practices.
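The two points above, that community knowledge plus a known policy yields a tiny guess space, and that an internal audit should find the users who rely on it, can be shown in a few lines. The following is an added example, not CDW’s tooling or anything from the original post. The community vocabulary, prefixes, suffixes and the six sample accounts are all constructed for illustration; the credential store is a stand-in using unsalted SHA-256 so the script runs offline (a real audit would run the same guess-and-compare loop against whatever hash the target system uses, only more slowly).

```python
import hashlib
import itertools

# Constructed vocabulary for a hypothetical Chicago-area organization. A real audit
# would harvest these from the organization's web site, teams, products and landmarks.
COMMUNITY_WORDS = ["bears", "cubs", "chicago", "wildcats"]
PREFIXES = ["", "Go", "go"]
# Suffixes users bolt on to satisfy "one number and one special character".
SUFFIXES = ["", "!", "1", "1!", "!1", "123", "2023", "2024", "2024!", "#1"]


def policy_compliant(pw, min_len=8):
    """The 'eight characters, one number, one special character' policy from the post."""
    return (len(pw) >= min_len
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def candidate_guesses(words=COMMUNITY_WORDS, prefixes=PREFIXES, suffixes=SUFFIXES):
    """Enumerate the first guesses an attacker with community knowledge would try:
    each word in lower/Capitalized/UPPER form, an optional prefix, and a common
    policy-satisfying suffix. Order is preserved and duplicates are dropped."""
    seen, guesses = set(), []
    for word, prefix, suffix in itertools.product(words, prefixes, suffixes):
        for form in (word, word.capitalize(), word.upper()):
            guess = prefix + form + suffix
            if guess not in seen:
                seen.add(guess)
                guesses.append(guess)
    return guesses


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed stand-in for a dumped credential store: username -> unsalted SHA-256.
# Four accounts follow the community-word-plus-suffix habit; two use the
# alternatives the post recommends (a passphrase, a password-manager string).
SAMPLE_USERS = {
    "alice": sha256_hex("GoBears!"),
    "bob": sha256_hex("Cubs2024!"),
    "carol": sha256_hex("chicago123"),
    "dave": sha256_hex("Wildcats!1"),
    "erin": sha256_hex("maple syrup on a tuesday"),   # passphrase
    "frank": sha256_hex("x7$Qm2!pLz9v"),              # password-manager output
}


def audit(users, guesses):
    """Try every guess against every account. Returns {username: recovered_password}
    for the accounts that fell, which is the list handed to the training program."""
    lookup = {sha256_hex(g): g for g in guesses}
    return {user: lookup[h] for user, h in users.items() if h in lookup}


def summarize(users, guesses):
    """Audit results, including how many cracked passwords met the policy anyway."""
    cracked = audit(users, guesses)
    compliant_but_cracked = sorted(u for u, pw in cracked.items() if policy_compliant(pw))
    return {
        "guesses_tried": len(guesses),
        "cracked": len(cracked),
        "total": len(users),
        "policy_compliant_but_cracked": compliant_but_cracked,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_USERS, candidate_guesses()))
```

With four words, three prefixes, three capitalizations and ten suffixes the attacker tries 360 guesses, and four of the six constructed accounts fall, two of them with passwords that satisfy the policy. Neither the passphrase nor the manager-generated password is reachable from this guess space, which is the practical argument for the passphrase and password-manager policies above.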
Phishing audits also reduce user-behavior vulnerabilities. When organizations hire CDW to phish them, we see a click rate of 80 percent. But when we show users an educational video that teaches them how to avoid falling prey to phishing attacks, over time, that click rate can drop to the single digits.
There’s no stronger lesson than experiential learning. The next time a user is prompted to create a password, he’ll remember the pit in his stomach when he clicked a link or logged into his account to see the smiling face of a security officer. You can bet he won’t choose “GoBears!” again.