“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”
~ Kevin Mitnick, Hacker
The trick to security is not always trying to make it impossible to break. That is an almost futile endeavor. However, by putting up enough walls, in fact, layers of walls, you can create a situation where the time it takes to crack your system will grow too long, the cost will become too expensive, and/or the resources needed to do it will be too rare to justify the value of the data they would acquire. It all eventually comes down to economics for both the hacker and the chief information security officer (CISO).
One should never underestimate the intelligence and resourcefulness of hackers. They think outside the box. They look for weak points to exploit that will lead them to another weak point, then another, and another, until they are in. Hackers don’t care how they get in, just as long as they do. Sadly, most IT administrators don’t think like hackers. IT administrators tend to think logically and sequentially, which is great for designing networks that allow companies and employees to do what they need to do. Hackers like to deconstruct a thing, then put it back together in a way that makes it do something it was never intended to do in the first place. It’s a unique mindset, which makes them tough to stop and even tougher to catch.
To develop a strong cyber defense, management needs to have a high-level understanding of what their CISO and IT managers guard against daily. Through this lens and understanding, risk assessments can be thoroughly analyzed so that the most appropriate security precautions for each environment can be implemented. One hundred percent protection is usually cost-prohibitive. Because new ways of breaking into networks and files are being developed and released daily, it is impossible to stop every possible attack. I suggest you implement practical protection.
Common Password Attack Methods
The following is a shortlist of known attacks that hackers use to go after passwords. Knowing these attack methods helps determine your specific vulnerabilities and also helps justify your return on investment. New attacks hit the Internet almost every hour. While some are just repackaged old attacks, there are new ones that systems cannot detect. How do you secure against something you never saw coming.
A brute-force attack is the crudest, but sometimes the most effective way to break a password. It requires continuously trying every possible combination of letters, numbers, and special characters until a match is found. It does not require any injection of malware into the intended victim’s computer or server.
The best defense against a brute-force attack is to make the time it takes to discover the password longer than the value of the information.
The dictionary attack is a slight spinoff of the brute-force attack, but instead of trying every possible permutation, the hacker relies on the fact that humans generate passwords they can easily remember. This means passwords based on words found in a dictionary, names, dates, and keyboard patterns (e.g., 123456 or qwerty).
The best defenses against dictionary attacks are password length, multiple character types, and character randomness.
This used to be someone simply looking over your shoulder as you typed your password. However, with cameras being so small and available everywhere from smartphones, nanny cams, Google Glass, and closed-circuit cameras, over-the-shoulder attacks have become more anonymous and remote. The thief no longer has to stand next to you. A clever hacker could break into the video conferencing camera on your monitor and watch you typing.
The best defenses are common sense. Don’t ever type your password while another person is standing next to you. With a password manager, no passwords are typed, so there is nothing for anyone to see.
Sticky Note Security:
Writing passwords on sticky notes and placing them in your office is not secure. Even trying to hide them under a tissue box or keyboard doesn’t work because the odds are that someone can see you look at it.
The main sticky note defense is to get employees out of the password management business. The only reasons passwords are written down are because people have too many, they are too complex, and they change too frequently to remember. A password manager removes the need to remember passwords.
Storing Passwords in the Browser:
This is one of the early ways software companies tried to make password management easier on the user. Note that I said “easier,” not “safer.” The browser file that stores passwords is well known to hackers. All they need to do is steal the file and then have their computer run programs to break any encryption or protections.
The defense here is, do not use Web browser storage. Second, don’t leave computers unlocked and unattended. The best defense is to use a multi-factor authentication password manager.
In part 2, I’ll discuss the more sophisticated attacks.
Dovell Bonnett has been creating computer security solutions for over 25 years. He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is an Identity Management solution that combines Multi-Factor Authentication and enterprise password management.