October is Cybersecurity Awareness Month and here at SSL.com, we aim to educate companies, government agencies, and the general public on how to be more vigilant while treading the ever-expanding terrain of the internet. For this article, we’re going to discuss the alarming rise of cyber attacks on large organizations.
The past two years have been particularly concerning because of the increase in cybersecurity breaches, particularly ransomware. The early months of 2020 saw a steady rise in ransomware attacks, which turned into a steep increase during the first half of 2021. By June of 2021, 78.4 million attempted ransomware attacks had been recorded!
As with other hostage-taking situations, the goal of ransomware hackers is to steal a company’s valuable data or its access to its own computer systems and demand huge sums of money before they relinquish their hold on such assets. Now you might think that, with all the modern security software available, ransomware gangs spend all their time developing super-sophisticated tools to attack their victims. But as we will explain in the following sections, many of them recycle their hacking weapons and start with the non-technical, peripheral route of invasion: human error. Developing the malware itself does require technical skill, but executing it can be as simple as an employee clicking a link or file in a malicious email. It is important to remember that ransomware attacks occur in stages, and it is often in the simpler phases that full-blown attacks gain momentum.
In fact, a study conducted by IBM found that removing human error from the equation would prevent 95% of data breaches from occurring.
The Problem with Highly-Inviting Passwords and Lenient Employees
A 2019 study by PreciseSecurity.com identified poor passwords as the third leading cause of ransomware attacks, behind the lack of cybersecurity training for employees and phishing. As you can see from these three leading causes of ransomware infections, all of them originate in human error.
In reality, the human brain is a powerful organ that is highly capable of memorizing multiple lengthy passwords for various accounts, especially if these are regularly used. But in a survey conducted by Google and Harris Poll, 53% of respondents were found to use the same password for multiple accounts, while 13% used the same password for all of their accounts. Combined, these figures suggest that 65% of people recycle their passwords even though they have every option to come up with new ones.
Google and Harris Poll’s survey points to a trend in modern cyber culture wherein people want faster access, and even a single master access, to their many accounts and devices. Understandably, there is the monotony of regularly having to type lengthy passwords, and the real difficulty of generating strong passwords when more than a dozen accounts are involved. But it does not help the cause when 23.2 million data breach victims around the world were found to have used 123456 as their password, while another 7.8 million used 12345678. Worse, another 3.5 million in various countries chose the word “password” itself as their barrier against cyber thieves.
In the next section, let’s see how bad passwords and badly-behaving employees paved the way for the biggest ransomware and cyber espionage attacks in history to happen in just the past two years – a time period when people ought to have had more knowledge of and capability for defending themselves against cyber criminals.
The Colonial Pipeline Ransomware Attack
In May 2021, the ransomware gang DarkSide attacked Colonial Pipeline – a major gasoline and diesel pipeline system in the country – and disrupted 50% of the country’s fuel supply chain.
The cyber kidnappers stole almost 100GB of information from the company and threatened to publish it on the internet if the company did not pay the ransom. For fear of subsequent attacks, Colonial Pipeline decided to shut down its operations and paid nearly $5 million to DarkSide. This ransomware attack affected fuel supplies at airports, forced flight schedule changes, and caused panic buying.
At a Senate hearing, CEO Joseph Blount revealed that the attack was initiated with an employee login to a legacy Virtual Private Network (VPN) system that was set up with only single-factor authentication. This means that secondary checks such as security codes sent to mobile phones were not necessary to access it.
Mandiant, the cybersecurity firm that was consulted to analyze the attack, theorized that the employee could have used the password on a previously-compromised website.
NEW Cooperative Ransomware Attack
Just the previous month, the Iowa-based farming cooperative NEW Cooperative was attacked by a Russian ransomware gang calling themselves BlackMatter – believed to be a rebranded version of the DarkSide gang. The cyber criminals demanded a $5.9 million payment in order to restore the coop’s access to the computer systems it uses for feeding 11 million animals, including cattle, chickens, and pigs.
Tammy Kahn, Chief Operating Officer of digital identity security company FYEO, concluded that the ransomware attack on NEW Cooperative was enabled by the use of bad passwords by many of the employees.
When FYEO checked NEW Cooperative’s website against its database of compromised credentials, it found that the organization had 653 passwords that had been compromised in the past. To make matters worse, it was discovered that the most common password, used by 120 of the employees, was a combination of an all-too-common farm animal and the number that comes first when counting: chicken1. Such a simplistic password is bound to fail. Forget about phishing campaigns and brute force hacking tools. With email addresses of employees and executives being publicly shared online, hackers oftentimes only have to guess the passwords, and something like “chicken1” is almost a dead giveaway.
SolarWinds Cyber Espionage
IT software company SolarWinds was infiltrated by suspected Russian hackers in the early months of 2020. A trojan was implanted into the updates of its monitoring software, Orion, which was used by 33,000 of the company’s high-profile customers, including thousands of government agencies here and abroad, as well as the biggest US corporations. The malicious code then enabled the hackers to install more malware that allowed them to spy on the affected victims.
Security researcher Vinoth Kumar claimed to have warned SolarWinds in 2019 that the company’s password for its update server was accessible by anyone. That password was apparently: solarwinds123.
At a congressional hearing, SolarWinds argued that the weak password was an error made by an intern, who had also shared the password on GitHub.
Representative Katie Porter was so incensed by the revelation that she exclaimed: “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.”
Making matters worse, SolarWinds CEO Sudhakar Ramakrishna admitted that the compromised password had been in use since 2017, but it was only with the 2019 warning by Kumar that the firm acted on it, which was already too late.
The SolarWinds attack is one of the biggest cyber espionage operations in history and is considered to have caused an average of $12 million in financial losses per company that was infiltrated.
How Employees Can Strengthen their Company’s Cybersecurity through Good Password Practices
Now, more than ever, companies should invest in fundamental cybersecurity practices. The difference between settling for a reused, let alone highly simplistic, password and taking the time to come up with a stronger one can be what protects hundreds of thousands of the company’s financial assets. In fact, a white paper by cyber insurance firm Coalition revealed that the average ransom demand from cyber criminals leapt from $230,000 in the first quarter of 2020 to $338,669 in the second quarter of the same year. That’s a 47% increase in a span of just 6 months!
Businesses and other organizations should also take note that cybercriminals conduct allied operations with other gangs, so once passwords are compromised, there is a good chance that these will be rapidly shared in underground forums, thereby multiplying the points of attack. In fact, research by Agari found that compromised passwords are quickly feasted upon once they are shared on phishing websites and forums. When Agari posted the credentials of fake accounts on these portals, 20% were accessed within just an hour, and 40% were breached within just six hours.
Below are some practical tips that even employees with zero computer science background can implement to strengthen the cyber defenses of their companies.
Be Creative with your passwords using character substitution and passphrases
As you have seen in the cases of NEW Cooperative and SolarWinds, sophisticated cyber attacks can occur even with tiny dents in the cyber wall. So how can you come up with better passwords than chicken1 and solarwinds123?
First is to check the password requirements of the account. Nowadays, most platforms require users to include an uppercase letter, a lowercase letter, a number, and a symbol.
Character substitution and passphrases are good combined strategies for creating a strong password from mundane words. Say you have pet lizards, so you choose a phrase like: Lizards are scaly but I like them. You can then substitute some of the letters with numbers or symbols. The letter “i” can become 1, the letter “s” can become 5, and the letter “a” can become @. You can also put a character like “,” after the word scaly. Your passphrase then becomes: L15@rd5@re5c@ly,but1l1kethem. It will be awkward to type at first, but your brain will quickly adapt to it with repetition.
The good thing about passphrases + character substitution is that they treat the human brain’s propensity to remember things that are personal or meaningful not as a hindrance but as an advantage. You can combine words from things close to you, like your pets, family members, or favorite places, but make sure to string them into phrases and not just standalone words, and come up with unique codes. Passphrases are definitely easier to remember compared to a random jumble of characters. And a character substitution code can be reused across other passwords, since only you know what the code stands for.
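To make the requirements in this section concrete, here is an added Python example (not code from SSL.com or from any of the studies cited above) of a password checker that enforces the composition rules named earlier (uppercase, lowercase, number, symbol), compares the password against a breach list, and also undoes the common substitutions (1 for i, 5 for s, @ for a) before the comparison, because password-cracking rule sets try exactly those swaps. The breach list and dictionary are tiny constructed samples built from the passwords mentioned in this article; the 12-character minimum is an assumed policy value, not a figure from the article.

```python
import re
import string

# Constructed sample breach list built from passwords quoted in this article.
# A real deployment would check against a full breached-password corpus.
BREACHED = {"123456", "12345678", "password", "chicken1", "solarwinds123"}

# Constructed mini dictionary; a real checker uses a full wordlist.
DICTIONARY = {"chicken", "password", "lizards", "banana", "farm"}

# Substitutions that cracking rule sets already know how to reverse.
UNSUB = str.maketrans({"1": "i", "5": "s", "@": "a", "0": "o", "3": "e", "$": "s", "4": "a"})

MIN_LENGTH = 12  # assumed policy value (not from the article)


def variants(pw):
    """Return the forms a cracking tool would try for pw: lowercased,
    de-substituted, and with trailing digits/symbols removed (so
    'Ch1cken1' is compared as 'chicken' as well as 'ch1cken1')."""
    low = pw.lower()
    forms = {low, low.translate(UNSUB)}
    forms |= {re.sub(r"[\d\W_]+$", "", f) for f in list(forms)}
    forms |= {f.translate(UNSUB) for f in list(forms)}
    return forms


def composition(pw):
    """Check the four character classes most platforms require. A space
    counts as a symbol so passwords with embedded spaces are not penalized."""
    return {
        "upper": any(c in string.ascii_uppercase for c in pw),
        "lower": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation or c == " " for c in pw),
    }


def password_report(pw):
    """Return a report dict; 'acceptable' is True only when no problem was found."""
    comp = composition(pw)
    forms = variants(pw)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not all(comp.values()):
        problems.append("missing " + ", ".join(k for k, v in comp.items() if not v))
    if forms & BREACHED:
        problems.append("appears in breach list")
    if forms & DICTIONARY:
        problems.append("single dictionary word")
    return {"password": pw, "length": len(pw), "problems": problems, "acceptable": not problems}


if __name__ == "__main__":
    for candidate in ("chicken1", "Ch1cken1", "solarwinds123", "L15@rd5@re5c@ly,but1l1kethem"):
        print(password_report(candidate))
```

Running the block shows chicken1 and solarwinds123 rejected on several counts, Ch1cken1 rejected as a disguised dictionary word, and the article’s lizard passphrase accepted. The same de-substitution step is why a substituted single word is far weaker than a substituted phrase: the phrase survives because no wordlist contains it whole.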
Include foreign words in your passwords
If you have been taking foreign language classes or know how to speak a foreign language, then you should consider using your linguistic skills to strengthen your passwords.
Internet communication and transactions are primarily in English, so if you can come up with a password like “Mam-is baw kayman nan ba-at ya ubi,” hackers would have a difficult time cracking it. In English, this phrase means “Bananas and sweet potatoes are surely delicious.” If the password were in English, hackers would have a better chance of cracking it because it reads like a common phrase. But because it is written in a local language from the mountainous terrain in the northern part of the Philippines’ northern island, hackers would have a hard time guessing it even with brute force cracking tools, whose wordlists are most likely English. Combine this strategy with character substitution and passphrases and you’ll further increase your account’s security.
Another good thing about using foreign words is that they keep your brain healthy, because it becomes a cognitive exercise. So there’s a nice motivation to learn another language!
Put spaces in your passwords
Ethical hacker Ed Skoudis shares one simple thing that even the least IT-literate employees can do to strengthen their passwords:
“There’s a really simple thing that you could do also to make it harder to attack your passwords… Simply putting a space in your password, now not all systems support that, but some do but I’m telling you as a computer attacker, putting a space in your password makes it harder for me to crack or guess your password. You could put it in the middle somewhere. Maybe put a couple of spaces. The most insidious place for you to put a space in your password though is at the end and you know why? Because if the attacker successfully cracks your password it’ll display on the attacker’s screen and they won’t see the spaces, right? So they’ll go in and they’ll lock out your account wondering why your password doesn’t work because they’re not typing in the spaces. And I’d rather have my account locked out than the bad guy get access to it.”
Use a password manager
Going back to the Google and Harris Poll survey mentioned at the beginning of this article, it was a sad finding that only 24% of respondents used a password manager and only 55% were able to correctly define the term. This should prompt companies to implement systems where their employees can use password managers and learn more about their benefits.
For those who want to avoid the burden of having to remember and type lengthy, randomized passwords for various accounts, password managers are a great solution, because their sync and password-generating abilities allow easy access to all of those accounts.
Take it from the once infamous hacker turned security consultant Kevin Mitnick who says: “A password manager allows you to manage the rest of your credentials, so you choose a master password to unlock the password manager, and the password manager takes care of the rest. And you could actually configure these password managers to randomly create, for example, 15-character passwords.”
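The two things Mitnick describes, random 15-character password generation and a single master password that unlocks everything, can be shown in a few lines of Python. This is an added example written for this article, not code from SSL.com or from any password manager product; the PBKDF2 iteration count is an assumed work factor, and the master password is hashed exactly as typed (no trimming), which is what lets a trailing space of the kind Skoudis recommends actually count as part of the secret.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed PBKDF2 work factor; raise it for production hardware.
ITERATIONS = 200_000


def generate_password(length=15):
    """Generate a password of uniformly random ALPHABET characters using the
    OS cryptographic RNG (secrets), never the predictable random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def hash_master_password(master, salt=None):
    """Derive a salted PBKDF2-HMAC-SHA256 digest of the master password.
    Only (salt, digest) is stored; the master password itself never is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_master_password(master, salt, digest):
    """Re-derive the digest from the typed master password and compare in
    constant time. The input is used as typed: no strip(), so leading or
    trailing spaces are part of the secret."""
    candidate = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = generate_password(15)
    print(pw, f"{entropy_bits(15):.1f} bits")
    salt, digest = hash_master_password("correct horse ")
    print(verify_master_password("correct horse ", salt, digest))   # True
    print(verify_master_password("correct horse", salt, digest))    # False
```

A 15-character password drawn from 94 symbols carries about 98 bits of entropy, far beyond what dictionary or rule-based guessing can reach, which is why letting the manager generate credentials is better than inventing them. The verification side shows the property behind Skoudis’s tip: a system that hashes the raw input distinguishes “correct horse ” from “correct horse”, whereas one that trims whitespace first would silently throw the protection away.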
We hope you have learned something practical from this article and during this Cybersecurity Awareness Month, we encourage you to learn more about the importance of cybersecurity not just in business but in everyday life as well. Stay safe and stay vigilant!