Wednesday 30 August 2017

Phishing and passwords - 3 years on

Nearly three years ago, I wrote a blog piece about the compromise of iCloud accounts aka "The Fappening".  In the last 3 years there have been little improvement to the users interacting with phishing attacks, and it's disappointing to hear of the Fappening 2017.

I've been guilty in the past to blame users for not checking the constructs of an email, and detecting incorrect domain names, etc, but with the technology available today, this shouldn't be the job of an email users.  Using a mainstream web-based email solution, these checks are done for you:

In a commercial environment, there are email filtering solutions to prevent the user from ever seeing these in the first place.

The previous advice around regularly changing passwords may not have been the best, as people will just increment numbers, and typically the password will become weaker.  The advice now is to use stronger passwords and use a password manager to secure these passwords.

2-Step Verification
Many websites, including Facebook, LinkedIn, Twitter, WhatsApp and many more, support the use of 2-step verification.  This is a process where you log into one of these websites with your username/email address and your password.  Before you can gain access to the site or application, it will text your nominated mobile number with a code, which will need to be entered into the website before you can gain access.

Even if your login details were compromised, a hacker would be unable to gain access to the site or application without access to your mobile phone.

These solutions are provided free of charge, so it would make sense to enable this wherever possible.

So what?
So some people's iCloud accounts were compromised due to falling for a phishing attack... so what?

Well looking at security and the principles in play, this also makes corporate networks susceptible to these sorts of hacks.  Phishing attacks happen to gain access to corporate credentials, in fact worse so, as there are also spearphishing attacks.  Phishing attacks are typically broad brush attacks, spreading the net (excuse the pun) wide.  Spearphishing is targeting an individual, such as a member of the senior management team, or someone with administrative credentials, enabling access to personal information.

Privileged Access Management
The priority for any organisation, is the protection of administrative passwords, typically known as Privileged Access.  Depending on the analyst's reports you read, 80-100% of data exfilration compromises have required administrative credentials.

Privileged Access Management is a technology to grant administrative access to a user, without them knowing the password.  The technology will securely store the password, and is also able to change the password once the user is done with that session.  What could be more secure than a user unaware of the administrator password?  

Some other benefits include the ability to record the screen of the user session, as well as in depth analytics.

Securing passwords
Whether you are a home user, or a corporate user, passwords have always been important, but password security is more important than ever.  Whatever the situation, there are ways to secure the password and minimise the damage a hacker can do.