By Max Dorfman, Research Writer, Triple-I
It’s Cyber Security 101: Multi-factor authentication and hard-to-crack passwords are table stakes for preventing incursions.
Nevertheless, “Password,” “12345”, and “Qwerty123” are among the most commonly found passwords leaked on the dark web by hackers, according to mobile security firm Lookout. And, despite the amount of attention the issue receives, the situation does not appear to be improving.
A survey by EY, a consulting firm based in the United Kingdom, found that only 48 percent of government and public sector respondents said they are “very confident in their ability to use strong passwords at work.” The problem is exemplified by a recent report from the Office of Inspector General of the U.S. Department of the Interior (DOI), the agency responsible for managing federal lands and natural resources.
Hacking DOI, it turns out, is relatively easy.
In under two hours, and with roughly $15,000 of equipment, the Inspector General’s Office cracked the stored password hashes of 16 percent of user accounts, recovering their clear-text (unencrypted) passwords. In total, 18,174 of 85,944 active user passwords (21 percent) were cracked, including those of 288 accounts with elevated privileges and 362 accounts belonging to senior U.S. government employees.
Much of this issue, according to the report, stems from inconsistent use of multifactor authentication and from password complexity requirements weak enough that unrelated staff ended up choosing the same easily guessed passwords. The Inspector General’s Office found that:
- DOI did not consistently implement multifactor authentication;
- Password complexity requirements were outdated and ineffective; and
- The department did not promptly disable inactive accounts or enforce password age limits, which left more than 6,000 additional active accounts vulnerable to attack.
The most commonly reused password was used on 478 unique active accounts. Investigators found that five of the 10 most-reused passwords at DOI included a variation of “password” combined with “1234”.
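The findings above (a cheap offline cracking run, heavy reuse, and a complexity rule that “Password-1234” style passwords satisfy) can be reproduced in miniature. The following is an added example written for this page, not code from the Inspector General’s report or from DOI. The account names, passwords, wordlist and mangling rules are all constructed; unsalted SHA-256 stands in for the NTLM or salted hashes a real directory would hold, and the two policy functions are illustrative, not DOI’s actual rules.

```python
import hashlib
import re
from collections import Counter

# Constructed sample directory: account name -> unsalted SHA-256 of the password.
# Assumption: a real directory stores NTLM or salted hashes; unsalted SHA-256 is used
# here only so the demo is self-contained. Every account and password below is made up.
def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

SAMPLE_HASHES = {
    "alice": sha256_hex("Password1234"),
    "bob":   sha256_hex("Password1234"),
    "carol": sha256_hex("Password-1234!"),
    "dave":  sha256_hex("Welcome1234"),
    "erin":  sha256_hex("Qwerty123"),
    "frank": sha256_hex("correct horse battery staple"),
    "grace": sha256_hex("Password1234"),
}

# Deliberately tiny base wordlist and mangling rules (assumed, not from the report);
# a real audit uses multi-million-entry wordlists and hashcat/John rule sets.
BASE_WORDS = ["password", "welcome", "qwerty", "letmein", "summer"]
SUFFIXES = ["", "1", "123", "1234", "!", "1234!", "-1234!"]

def candidates(base_words=BASE_WORDS, suffixes=SUFFIXES):
    """Yield rule-mangled guesses: three case variants of each word x each suffix."""
    for word in base_words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield variant + suffix

def crack(hashes: dict) -> dict:
    """Offline dictionary attack: hash each guess once and look it up against every
    account at the same time (unsalted hashes make this a single dict lookup)."""
    by_digest = {}
    for account, digest in hashes.items():
        by_digest.setdefault(digest, []).append(account)
    cracked = {}
    for guess in candidates():
        digest = sha256_hex(guess)
        for account in by_digest.get(digest, []):
            cracked[account] = guess
    return cracked

def most_reused(hashes: dict):
    """Return (count, sorted accounts) for the hash shared by the most accounts."""
    counts = Counter(hashes.values())
    digest, count = counts.most_common(1)[0]
    accounts = sorted(a for a, d in hashes.items() if d == digest)
    return count, accounts

def legacy_policy_ok(password: str) -> bool:
    """Illustrative 'complexity' rule: 8+ characters with upper, lower and digit.
    'Password1234' satisfies it, which is exactly the problem."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)

def modern_policy_ok(password: str, banned=BASE_WORDS) -> bool:
    """Length plus a deny-list check on the normalized form, so that changing case
    or padding a banned word with digits and symbols does not help."""
    normalized = re.sub(r"[^a-z]", "", password.lower())
    return len(password) >= 12 and not any(word in normalized for word in banned)

if __name__ == "__main__":
    hits = crack(SAMPLE_HASHES)
    guesses = sum(1 for _ in candidates())
    print(f"cracked {len(hits)} of {len(SAMPLE_HASHES)} accounts with {guesses} guesses")
    for account, pw in sorted(hits.items()):
        print(f"  {account:6} {pw!r:18} legacy_ok={legacy_policy_ok(pw)} "
              f"modern_ok={modern_policy_ok(pw)}")
    count, accounts = most_reused(SAMPLE_HASHES)
    print(f"most reused password is shared by {count} accounts: {accounts}")
```

Run as a script, it cracks six of the seven constructed accounts with 105 guesses, and every cracked password passes the legacy complexity rule while failing the deny-list rule; the one survivor, a long passphrase, is rejected by the legacy rule and accepted by the modern one. Reuse is visible here by comparing hashes only because they are unsalted; with salted hashes an auditor sees reuse only after cracking, which is how the OIG could report that one password sat on 478 accounts.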
Simple passwords make hacking easy
With the average person having over 100 different online accounts with passwords, reusing passwords is understandable. But reuse and simplicity compound each other: a simple password is quickly guessed, and a reused one, once leaked from a single service, can be tried against every other account that shares it.
“Compromised, weak and reused passwords still account for the majority of hacking-related data breaches and are one of the top risk issues for most enterprises,” said Gaurav Banga, CEO and founder of cybersecurity firm Balbix. In 2020, Balbix found that 99 percent of enterprise users recycle passwords across work accounts or between work and personal accounts.
A growing peril
“The cost of ransomware attacks has increased as criminals have targeted larger companies, supply chains and critical infrastructure,” Allianz says in its 2023 Risk Barometer. “In April 2022, an attack impacted around 30 institutions of the government of Costa Rica, crippling the territory for two months.”
The global insurer goes on to say, “Double and triple extortion attacks are now the norm…. Sensitive data is increasingly stolen and used as a leverage for extortion demands to business partners, suppliers, or customers.”
Part of this growth is due to the rise of “ransomware as a service,” a subscription-based business model in which affiliates rent existing ransomware tooling and infrastructure to carry out attacks, typically sharing the proceeds with the operators. Modeled on “software as a service,” it lets bad actors attack their targets without having to know how to code or hire unscrupulous programmers.
Shifting targets
Michael Menapace, an insurance attorney with Wiggin and Dana LLP and a Triple-I Non-resident Scholar, told attendees at Triple-I’s 2022 Joint Industry Forum that “ransomware as a business model remains alive and well.”
What has changed in recent years, he said, is that “where bad actors would encrypt your systems and extract a ransom to give you back your data, now they will exfiltrate your data and threaten to go public with it.”
The types of targets also have changed, Menapace said, with an increased focus on “softer targets—in particular, municipalities” that often don’t have the personnel or finances to maintain the same cyber hygiene as large corporate entities.
Organizations and individuals must take the threat of cyberattacks seriously and do as much as possible to reduce their risk. Improved cyber hygiene policies and practices are a necessary first step.