With all the recent data breaches, one would think an alternative to passwords (or at least the use of stronger passwords) would be a given. A recent data breach of a Medicaid server at the Utah Department of Health exposed the Social Security numbers of 255,000 people. The cause of the data breach? The authentication layer of the breached server was still using a default administrative password, or an easily guessable one, according to this recent report.
“By taking advantage of the error,” the report cites, “the attackers were able to bypass the perimeter-, network- and application-level security controls that IT administrators had put in place to protect the data on the server.”
It would seem this kind of mistake would be rare (and easily avoidable) for such an enterprise, but analysts continue to find that weak passwords are surprisingly common.
The report goes on to cite another large enterprise guilty of using weak or reused passwords: a recent information security audit at a power company found that 11 of its servers were at risk of such attacks.
Furthermore, “An attack on the U.S. Chamber of Commerce by Chinese hackers and a compromise of the open-source WineHQ database last year are also believed to have originated with compromised administrator accounts,” the report cites.
Knowledge-based authentication (KBA) mechanisms, which prompt for the answer to an easy-to-guess security question, such as a first pet’s name or the name of a favorite movie, aren’t particularly helpful in preventing data breaches either.
One of the most important measures companies can take to ramp up their security is to raise the bar for passwords and authentication mechanisms, the report finds, calling for “safety interlocks” in the process, similar to having to “shift gears” between “Park” and “Drive.”
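As an added illustration (not code from the report or from any of the organizations it discusses) of what a "safety interlock" against default passwords can look like in an authentication layer: an account provisioned with a vendor or installer default can authenticate only for the purpose of replacing that password, and the replacement is refused if it is on a denylist of known defaults, contains the username, or is shorter than an assumed minimum of 14 characters. The denylist, the length floor and the account names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed denylist of vendor-default and trivially guessable passwords (example only;
# a real deployment would load a much larger list).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "root", "default"}

# Assumed minimum length for a replacement password (policy choice for this example).
MIN_LENGTH = 14


def _hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the derived key is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def is_acceptable(password: str, username: str) -> bool:
    """Reject known defaults, passwords containing the username, and short passwords."""
    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        return False
    if username.lower() in lowered:
        return False
    if len(password) < MIN_LENGTH:
        return False
    return True


class Account:
    def __init__(self, username: str, password: str, must_change: bool) -> None:
        self.username = username
        self.salt = os.urandom(16)
        self.hash = _hash(password, self.salt)
        # The interlock flag: while set, the account can do nothing but change its password.
        self.must_change = must_change


class AuthInterlock:
    """Authentication layer where a default password grants no access beyond rotating it."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def provision_default(self, username: str, default_password: str) -> None:
        """Create an account with an installer default; it starts in the locked state."""
        self.accounts[username] = Account(username, default_password, must_change=True)

    def _verify(self, account: Account, password: str) -> bool:
        # Constant-time comparison of derived keys to avoid leaking match length.
        return hmac.compare_digest(account.hash, _hash(password, account.salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'password_change_required' (the interlock engaged)."""
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, password):
            return "denied"
        if acct.must_change:
            return "password_change_required"
        return "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Rotate the password; the old one must verify and the new one must pass policy."""
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, old):
            return False
        if not is_acceptable(new, username):
            return False
        acct.salt = os.urandom(16)
        acct.hash = _hash(new, acct.salt)
        acct.must_change = False  # release the interlock only after a compliant rotation
        return True


if __name__ == "__main__":
    auth = AuthInterlock()
    auth.provision_default("admin", "admin")
    print(auth.login("admin", "admin"))  # interlock engaged, no access granted
    print(auth.change_password("admin", "admin", "changeme"))  # refused: known default
    print(auth.change_password("admin", "admin", "correct horse battery staple"))
    print(auth.login("admin", "correct horse battery staple"))
```

The point of the design is that the default credential is never a working login: the perimeter, network and application controls the report mentions are only bypassed if the authentication layer hands out a session on the default, and here it cannot until the default has been replaced with something that passes policy.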
The problem facing companies is a complex one, involving the management of many passwords across different accounts and different personnel, but enterprises still need to evaluate the ongoing risk they face.
The key takeaway: “At this stage of the IT game, there is really no excuse for using default passwords.”