Today’s blog explains the corporate security crisis that is created when employees’ credentials are stolen.
A Small Breach, Big Problem
The crisis starts as a very simple, seemingly insignificant breach of Mr. Someone’s account on a social media site. The breach goes unnoticed because nothing of substance, such as money or personal identity information, is stolen. Bear in mind, our hypothetical “Mr. Someone” is an employee at some organization. The password he used on the social media site is the same one he uses to log on to his company’s network. He uses the same one because his organization forced him to create a strong password. Since it is a strong password, he reasons that it must be more secure and therefore good to use on many sites. Besides, it is easy to remember when he uses it so often.
His stolen credentials, along with thousands of others, are compiled in a database. The database is sold on the “Dark Web”. Buying the stolen credentials is like buying a bag of keys so you can try them in every lock you find. The difference between that metaphor and the reality is that the “keys” (aka credentials) can be tried on hundreds of Internet accounts in only a few minutes. With tens of thousands of credentials, it is not long before the hacker finds some that work in multiple accounts. With some good database management skills and time, the hacker starts to build a list of potential targets based on the matching credentials and accounts. With a bit of social engineering and research, the hacker develops detailed information on the individual password owners and identifies where they work. With a bit more time and diligent effort, the hacker penetrates Mr. Someone’s corporate network security perimeter. He also uses social engineering to elevate his privileges or install malware that helps him download sensitive information, such as proprietary documents, personal information, and internal communications.
The Problem Becomes a Real Crisis
According to the Cyber Experts Blog at the National Security Institute, there is an inevitable PR nightmare that causes considerable reputational and financial damage. The losses go beyond lost sales: businesses are forced to spend heavily on improved security measures, security vendors, and test runs, not to mention the fees for lawyers, pending lawsuits, and the payment of fines from data protection authorities.
Experian conducted a survey called “Reputation Impact of a Data Breach.” Among the companies surveyed, the average loss to the value of a brand ranged from $184 million to $332 million, depending upon the type of information that was compromised. Survey participants were also concerned with the time required to recover their brand image; some respondents estimated it would take longer than a year.
Security Breach After-shocks
In an article on PR Week (original UK article), Tim Luckett writes: “Cyber security is no longer an IT issue. It needs to be brought into the boardroom, and fast.” The article makes numerous points to support this opinion.
- Upcoming EU legislation will require that companies report breaches and proactively publicize those breaches to affected consumers.
- The communications, operational and legal responses to data breaches must go hand-in-hand. Careful planning is key to mitigating reputational damage, enabling CEOs to respond quickly and appropriately when an attack happens.
- Diligent companies are building IT defenses, which could all be for nothing if employees or third-party contractors aren’t trained. Senior executives need to educate employees on data management and security.
- Something as simple as sharing a password, sending confidential work to personal emails or using the same log-in details across different accounts can open up a world of possibilities for a hacker.
Preparing for and mitigating against a data breach should be a core part of the company’s business strategy.
The initial victim who enables a breach is not always an employee with little understanding of security. It can be the very person you would expect to be the most security-aware.
This Ars Technica article tells how Facebook Chief Mark Zuckerberg’s social media accounts were hacked. According to the article, the hack originated from the LinkedIn security breach that occurred in 2012. The passwords to Zuckerberg’s little-used Pinterest and totally dormant Twitter accounts were apparently the same as those for his LinkedIn login (“dadada”).
The apparent motive for this attack may have been to obtain valuable Facebook account information. It appears the hackers had to settle for embarrassing Zuckerberg personally and professionally.
There are three security errors highlighted by this incident that should be avoided.
- Zuckerberg used the same password for multiple accounts.
- His password was far too simple. (dadada – really?)
- He left open accounts that he did not actively use.
To Beat the Hacker – Think Like a Hacker
Some companies have taken to collecting data on hacked accounts and searching for credentials that match those of their customers. They contact the customer and force a password reset. Netflix, for example, sent out a notification to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace.
We have not seen any articles about companies taking this measure with their employees, but it does seem like a logical security process to implement.
There is a downside to this that should be weighed against the benefits. It is virtually impossible to collect a substantial share of the data available, because:
- It requires dedicated effort and staffing across multiple geographies.
- Such data, in many cases, will only show up for a very limited amount of time, sometimes only minutes.
- The people who do this job need to be connected in the Dark Web and have access to sites that require an invitation.
- Privacy implications: those companies are actually storing account credentials that do not belong to them.
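The matching step that Netflix-style notifications rely on, applied to an organization’s own workforce as the post suggests, can be done without ever handling employees’ real passwords in the clear. The following is an added example (not VeriClouds’ code or the code of any company named above) with a constructed directory and a constructed breach dump. Stored credentials are salted PBKDF2-HMAC-SHA256 hashes; each leaked password is re-hashed with the matching user’s salt and compared in constant time, and a match flags the account for a forced reset. The alias map, which links a personal address seen in a dump to a corporate identity, is an assumption representing the identity research a defender would do.

```python
"""Check a breach dump against an organization's stored password hashes.

Added example, not from the original post. The directory, the dump and the
alias map are constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the way the directory stores credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_directory(accounts):
    """Constructed stand-in for the corporate directory.
    Returns {email: {"salt": bytes, "hash": bytes, "reset_required": bool}}."""
    directory = {}
    for email, password in accounts:
        salt = os.urandom(16)
        directory[email] = {"salt": salt,
                            "hash": hash_password(password, salt),
                            "reset_required": False}
    return directory


def match_breach(directory, dump, aliases=None):
    """Return the sorted list of corporate emails whose current password equals
    a password leaked for them in `dump`, directly or through `aliases`
    (leaked identifier -> corporate email)."""
    aliases = aliases or {}
    hits = set()
    for leaked_id, leaked_password in dump:
        email = aliases.get(leaked_id, leaked_id)
        record = directory.get(email)
        if record is None:
            continue
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time comparison; the leaked plaintext is discarded after use.
        if hmac.compare_digest(candidate, record["hash"]):
            hits.add(email)
    return sorted(hits)


def force_reset(directory, emails):
    """Flag matched accounts so the next login must set a new password."""
    for email in emails:
        directory[email]["reset_required"] = True
    return [e for e, r in directory.items() if r["reset_required"]]


# Constructed corporate accounts (plaintext only to build the demo directory).
CORPORATE_ACCOUNTS = [
    ("mr.someone@example.com", "Str0ng&Reused!"),
    ("alice@example.com", "correct horse battery staple"),
]

# Constructed breach dump as it might be bought: (identifier, password).
BREACH_DUMP = [
    ("mr.someone@example.com", "Str0ng&Reused!"),          # work password reused
    ("alice@example.com", "password123"),                  # old, not her work one
    ("someone_personal@mail.example", "Str0ng&Reused!"),   # same person, personal address
]

# Assumed mapping from a personal address in the dump to the corporate identity.
ALIASES = {"someone_personal@mail.example": "mr.someone@example.com"}


if __name__ == "__main__":
    directory = build_directory(CORPORATE_ACCOUNTS)
    matched = match_breach(directory, BREACH_DUMP, ALIASES)
    print("reused credentials:", matched)
    print("reset required for:", force_reset(directory, matched))
```

Because only the per-user hash comparison is kept, the organization does not need to retain the dump itself once the check has run, which limits the privacy exposure the last bullet above describes, and an employee whose leaked password differs from the corporate one (alice) produces no match and no false alarm.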
VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.