By Avishag Daniely
Although password strength is not a topic we usually discuss at length—mostly because it’s only a small component of effective privileged account security—it is still a fundamental security best practice that requires our attention. In fact, the root cause of many advanced attacks can still be traced to weak passwords (particularly of the privileged variety, of course).
Take the sophisticated cyber-attack espionage underway since 2007, for instance, dubbed “Red October”. Red October is an elaborate cyber-attack, featuring a network of 60 C&C servers, which targeted computer networks of various international diplomatic service agencies, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia. The espionage originated when attackers began collecting passwords from various locations on a user’s PC and across the network, including registry, various caches and files. Using the passwords that were all too easily collected, the attackers formed a vast list of all passwords used in the network, and tried to use these credentials in all sorts of permutations to further spread across the network and gain access to various locations. The tactics worked, quite successfully, I may add.
Furthermore, a recent ArsTechnica article described how easy it has become for attackers to use the web to obtain passwords through a tactic known simply as “brute force”. The writer describes how Wikipedia pages and phrases that appear on the site can be used to break any password. By using a set of rules and permutations on words found in Wikipedia, an attacker can basically break any password—including powerful privileged accounts with comprehensive access to sensitive information.
Both these examples; Red October and the ArsTechninca article, prove how important it is to keep all passwords as sophisticated and random as possible since any average hacker using a powerful graphics processing unit can break any password up to 12 characters. Or, they can even use this processing power to create permutations on already available phrases and passwords (from Wikipedia pages or a list compiled from the network).
It’s a simple problem that merits a simple reminder. Establish a password management policy that involves sophisticated and random passwords. Even better, your policy should leverage technology, such as CyberArk’s Privileged Account Security Solution to establish frequent, automated password changes, as well as monitoring and threat detection, as part of an overall password and privileged account security strategy. CyberArk’s solution, after all, automatically generates strong passwords, ones that a user could never remember, a wiki page would never store and a power graphics card could never break. The more organizations that take this first step, the more likely they are to eliminate the threat of an attacker brute forcing his way through their network.