Risky Business

According to recent studies, the average user has approximately 100 passwords to remember. As if this isn’t challenging enough, password requirements differ among the myriad of applications we use. Some apps require simple passwords of only six characters, while others require longer or more complex passwords, using numbers, uppercase letters, and special characters. With so many passwords to remember, coupled with the never-ending list of password requirements, users are partaking in a risky solution – reusing passwords. Imagine having one key to unlock your front door, start your car, and open a safety deposit box at a bank. If that key were lost or duplicated, you run the risk of losing everything. The same is true when users reuse passwords for different applications.

The Domino Effect

Hackers have many methods to obtain a user’s password. Social engineering, keylogging, password spraying, and brute forcing are all common ways a password can be compromised. The internet and dark web also contain password lists with billions of stolen passwords. Often, hackers target a user’s personal account, such as Gmail or a social media account like Twitter or Facebook. Knowing that password reuse is a common practice by users, it only takes one successful password compromise to start a chain reaction of falling dominos.

Not Just an End-User Problem

Password reuse is rampant among end-users, but even IT professionals can let their guard down for the sake of convenience. During a recent customer internal penetration test, SBS CyberSecurity’s network security team found several administrative accounts used by the client’s managed service provider (MSP) which reused the same password. Here’s a brief overview of how the issue was identified and the resulting impact to this client’s network:

A Nessus vulnerability scan was performed on the client’s internal network. One of the vulnerabilities identified was a device using an old protocol named IPMI v2.0.

This protocol is inherently vulnerable due to the method in which it authenticates a user. Simply by knowing a valid username for the device, an attacker can capture the encrypted password hash of the account. Running a Metasploit module then allows the network engineer to capture the hash.  

The password hash was then cracked by SBS and used to gain admin access to the web interface of the device.

Knowing that password reuse is a common practice, the network security team attempted to reuse the password to authenticate to other devices on the network. We successfully accessed a Linksys Smart Wi-Fi router.

We also authenticated into the web interface of a Dell iDRAC using the same password.

But perhaps the most damaging result came when we reused the password to RDP into the domain controller as a DOMAIN ADMINISTRATOR.

Mitigation Strategy

Password reuse can be difficult to detect and remediate, but there are several strategies an organization can implement to reduce the associated risk:

• Employee awareness training
• Implement a password management system
• Require multi-factor authentication
• Deploy a third-party password filter for Active Directory

Reclaim Security

Password reuse is a hidden blind spot in security. Many users are unaware of the dangers associated with reusing passwords. Educating users is the first step to reduce this risky practice. Implementing technical controls to aid users in password creation and management provides layered password security.

Written by: Bryan Barnes, Network Security Engineer/Regional Director
SBS CyberSecurity

SBS Resources: 
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

• {Service} Penetration Test: Safely simulate a cyber-attack to ensure your network is hardened against known vulnerabilities.
• {Service} Network Security Audit: Execute a strategic combination of network testing services to provide a comprehensive assessment of your network security.
• {Service} Security Awareness Training: The goal of a strong Security Awareness Training Program is to create a culture of information security throughout your entire organization. SBS can help create, implement, and maintain a training program that can keep pace with changing technologies and new security threats.
• {Tip Sheet} Password Tips: It’s important to create strong, complex passwords for your systems. That’s why we’ve put together these best methods for stronger passwords to help you train your employees. Keep in mind, though, that based on the risk of each system, these standards may fluctuate. 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.