Unlock the benefits of password security

~ How multiple layers of security help manufacturers keep passwords out of the wrong hands ~


In 2021, one of the largest password collections ever was leaked onto a hacker forum. A user posted a file that contained 8.4 billion passwords, likely compiled from previous leaks and breaches. According to a 2022 Statista report, the biggest impact of cyber attacks on manufacturers is the disruption to operations that they cause. Here, Craig Serventy, service delivery team leader at cyber security specialist OryxAlign, goes through the typical process of a phishing attack, highlighting the lines of defence a company could employ at each stage to protect sensitive details like passwords.


Contrary to popular belief, hacking is not usually a complex endeavour involving intricate code and cutting-edge technology. Most breaches begin with a phishing attack, in which fraudsters send emails, messages or links to websites that look genuine, with the goal of tricking the recipient into handing over sensitive information such as financial or login details. According to a report by APWG, December 2021 saw a record number of phishing attacks, with over 300,000 recorded.

This means that, although detection and response tooling such as extended detection and response (XDR) is important for limiting the damage once a breach does occur, the first line of defence is the individual. With consistent and targeted training, the proportion of users falling for phishing attacks can fall from 32.4 per cent to just five per cent within a year, according to a 2022 report from security awareness training provider KnowBe4.

But what if a hacker has successfully breached your system?

Lock your details in a vault

Among the many things the hacker might be looking for, such as personal and financial information, usernames and passwords are a common goal. With these credentials, hackers can access multiple accounts, escalate their privileges within the network, and move laterally towards more valuable targets. A simple search of the file system for files named after what they hold could take the hacker straight to them.

Back in 2014, Sony suffered a massive data breach in which the attackers found a folder entitled ‘Password’. Cybersecurity experts advise against giving files that contain sensitive information easily guessable names, but this is at best a speed bump: an attacker who searches file contents rather than file names (for strings such as ‘password’ or ‘pwd’) will find an obscurely named credentials file just as quickly. The real fix is not to keep credentials in ordinary files at all.

Regardless of how they are named, it is highly inadvisable to store login details in an ordinary document or spreadsheet such as a Word or Excel file, because anyone who can read the file can read every password in it. Many companies that keep passwords this way do not even encrypt the files. Encryption is crucial for securing sensitive data, as it makes the information unreadable to anyone without the key. Note that Excel’s ‘protect sheet’ feature is not encryption and is trivially bypassed; only a file-level open password on a modern Office document actually encrypts the file, and even then the file is only as safe as that one password.

Access control is also hard with a shared file: permissions apply to the whole file, so anyone who can open it sees every credential in it. There is no record of who viewed or changed a given password, which makes it impossible to hold individuals accountable after a breach or even to know which credentials need rotating.
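As an added illustration (not OryxAlign’s tooling and not code from the original article), the script below walks a file share and flags credential files both by name and by content. The sample share, its file names and the regular expressions are constructed for the example; the point is that the obscurely named q3_notes.txt is caught just as easily as Password.txt.

```python
import os
import re
import tempfile
from pathlib import Path

# Name fragments an attacker would try first (matched case-insensitively).
SUSPICIOUS_NAMES = ("password", "passwd", "pwd", "creds", "credential", "login", "secret")

# Content patterns, constructed for this example and deliberately broad:
# "password = ..." style pairs and credentials embedded in URLs.
CONTENT_PATTERNS = (
    re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret)\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
)

# Only read files that are plausibly text; large blobs are skipped outright.
TEXT_EXTENSIONS = {".txt", ".csv", ".ini", ".cfg", ".conf", ".env",
                   ".xml", ".json", ".yml", ".yaml", ".md", ".log"}
MAX_BYTES = 1_000_000


def scan_share(root):
    """Walk `root` and return sorted (relative_path, reason) findings.

    A file can be reported for its name, for its contents, or both, so an
    obscure file name does not hide a credentials file from the scan.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if any(token in name.lower() for token in SUSPICIOUS_NAMES):
                findings.append((rel, "suspicious file name"))
            if path.suffix.lower() not in TEXT_EXTENSIONS:
                continue
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if any(p.search(text) for p in CONTENT_PATTERNS):
                findings.append((rel, "credential-like content"))
    return sorted(findings)


def build_demo_share():
    """Create a constructed sample share in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "Finance").mkdir()
    # The Sony-style give-away: the name says it all.
    (root / "Finance" / "Password.txt").write_text("erp admin / Summer2023!\n")
    # Obscure name, same exposure: the contents give it away instead.
    (root / "Finance" / "q3_notes.txt").write_text(
        "vendor portal\nusername: ap-team\npassword: Welcome1\n")
    # Credentials hiding in a connection string.
    (root / "app.conf").write_text("db_url = postgres://svc_app:hunter2@db.internal/erp\n")
    # Harmless file for contrast.
    (root / "README.md").write_text("Shared drive for the finance team. Contact IT for access.\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_share(build_demo_share()):
        print(f"{rel}: {reason}")
```

Run it against a mounted share root instead of the demo directory to get a first-pass inventory of what would need moving into a vault; expect false positives from the broad patterns and tune them to the estate.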

One of the most secure ways of storing login details is a password vault (password manager). There are many on the market, some of which are free. These store usernames and passwords for multiple applications in an encrypted form that only the user’s key can unlock. Users open the vault with a single “master” password, usually with the option to add multi-factor authentication, and the vault then supplies the password for the account they need. Because everything now rests on that one master password, it must be long, unique and never reused anywhere else.

It is worth noting that no tool is perfect; vault providers have themselves been the subject of cyber attacks. They nonetheless remain one of the best ways to manage passwords securely, alongside partnering with a dedicated cyber security provider.

Pa$$w0rd

Bitwarden’s 2023 survey of 800 top-level IT professionals in the UK and US found that 90 per cent admitted to reusing passwords across different accounts. It is not uncommon for workers to reuse passwords from their personal lives at work, too. With the four most common passwords of 2023 being 123456, 123456789, qwerty and password, these are worrying facts.

Having a vault in place removes the need for users to remember multiple passwords, so every account can have a long, random, unique password that the vault generates and stores. Similarly, Google Chrome can suggest a strong password when a user creates a new online account and save it in Google Password Manager.
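As an added example (not from the article, and not Bitwarden’s or Google’s code), the script below shows the two things a vault does to avoid the weak, reused passwords the survey describes: generating a password from a CSPRNG, and checking a candidate against breach data using the k-anonymity range lookup popularised by Have I Been Pwned, in which only the first five hex characters of the SHA-1 hash leave the client. The breach corpus and the range server are constructed stand-ins with made-up counts; a real check would call the HIBP range endpoint.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a breach corpus: the passwords named in the article
# plus the heading of this section. Counts are made up for the example.
CONSTRUCTED_BREACHED = {
    "123456": 37_000_000,
    "123456789": 7_000_000,
    "qwerty": 4_000_000,
    "password": 9_000_000,
    "Pa$$w0rd": 1_000,  # "clever" substitutions are in every cracking wordlist
}


def sha1_upper_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Stand-in for the k-anonymity range API.

    Given the first five hex characters of a SHA-1, return every breached hash
    with that prefix as 'SUFFIX:COUNT' lines. The server never sees the full
    hash, so it cannot tell which password the client is checking.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be five hex characters")
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        h = sha1_upper_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return lines


def breach_count(password):
    """Client side of the range check: send only the prefix, match the suffix locally."""
    h = sha1_upper_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Vault-style generation: uniform CSPRNG choices, no human pattern to guess."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def vet_password(password, min_length=12):
    """Policy check a signup form or vault can run: length first, then breach data.

    Returns (accepted, reason).
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = breach_count(password)
    if n:
        return False, f"seen {n:,} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd", "123456789", generate_password()):
        print(f"{candidate!r}: {vet_password(candidate, min_length=8)}")
```

The prefix-only lookup is what makes it acceptable to check a user’s real password against a third-party service: the service sees a five-character prefix shared by hundreds of hashes and nothing else.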

In some instances, it may be possible to eliminate the need for passwords altogether. Passwordless authentication replaces the memorised password with something the user has or is: biometrics (fingerprint, facial recognition), physical security tokens, or a registered mobile device. One caveat: a one-time passcode that the user types into a web form can still be captured by a phishing page and replayed in real time, whereas FIDO2/WebAuthn security keys and passkeys bind the login to the genuine site and resist phishing.

Security software

Even with all of these measures, it is still advisable to have security software in place. Traditionally, antivirus systems have operated in silos, limited to detecting and responding to threats on individual devices, or endpoints. A threat that moves between different parts of the IT infrastructure is then difficult to identify and resolve.

Software such as XDR provides end-to-end visibility, detection, investigation and response across the whole IT estate, including networks, endpoints and cloud environments, so that one policy can be applied to every device and there are fewer gaps for an attacker to exploit. In the event of a breach, such as a member of staff clicking a malicious link, an XDR system can isolate the affected endpoint to stop the threat spreading and roll the endpoint back to a known-good state.

Audits and policies

As an IT managed service provider, OryxAlign works with companies to assess their cyber security posture and advise on any actions that could be taken. It can perform security audits to ensure that passwords are protected and only accessible to the people who need them.


Security audits allow organisations to evaluate the effectiveness of their password storage and security practices. These audits cover password policies (length, complexity and multi-factor authentication), how passwords are stored (salted and hashed for login verifiers, encrypted in a vault, never in clear text), and who can reach them (access logging and privileged access control). They also review password recovery procedures, vendor risk management and user awareness training. By identifying weaknesses and checking compliance with regulations, security audits help organisations improve their overall security posture and safeguard sensitive data.
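As an added example of the “salted and hashed” storage an audit looks for (not the article’s or OryxAlign’s code), the block below puts a deliberately weak unsalted hash beside a PBKDF2-HMAC-SHA256 verifier that records its own salt and iteration count, so the cost can be raised later without forcing a reset. The same derivation step is what a password vault runs on its master password before using the result as an encryption key, which is why the strength of that one password matters so much. The verifier format, the iteration count (OWASP’s 2023 figure for PBKDF2-SHA256) and the sample users are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 (2023)


def weak_hash(password):
    """What an audit should flag: one fast, unsalted hash. Identical passwords
    give identical hashes, and a GPU can try billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing verifier: algorithm$iterations$salt$hash.

    The 16-byte salt is fresh per user, so two users with the same password
    get unrelated verifiers and a precomputed table is useless.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported verifier algorithm: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the stored verifier is below current policy; rehash on the next
    successful login, the one moment the clear-text password is available."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    # Constructed users who reuse one password: with weak_hash the reuse is
    # visible in the database, with salted PBKDF2 it is not.
    users = {"alice": "Summer2023!", "bob": "Summer2023!"}
    print("weak:  ", {u: weak_hash(p)[:16] for u, p in users.items()})
    verifiers = {u: hash_password(p) for u, p in users.items()}
    print("pbkdf2:", {u: v[-16:] for u, v in verifiers.items()})
    print("alice correct:", verify_password("Summer2023!", verifiers["alice"]))
    print("bob wrong:    ", verify_password("Summer2024!", verifiers["bob"]))
```

Storing the parameters alongside the hash is what lets an audit finding (“iteration count too low”) be fixed gradually: verify with the old parameters, then immediately rehash with the new ones.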

OryxAlign has also partnered with KnowBe4 to provide cyber security training for staff. Its SecuryXDR extended detection and response service also has customisable service plans based on customer needs.

It is also important for companies to have strict, enforced policies on password security. By explaining to their staff the dangers of phishing emails and of storing login details in plain text files, or even on sticky notes, businesses can start to take ownership of their cyber security.

By following these measures and partnering with a trusted cyber security advisor, organisations can greatly reduce the chance that the next major leak contains their credentials. You can find out more about how to keep your data safe at www.oryxalign.com.