Conversant Group is a Chattanooga-based cybersecurity consultancy. We have been advising organizations on cybersecurity for 12 years, and collectively we have hundreds of years of experience in cybersecurity and technology infrastructure. We regularly perform risk assessments, penetration testing, vulnerability scans, technical control configuration assessments, security projects, infrastructure projects, and breach recovery. Thus, we have the past and current experience required to advise clients effectively on security matters. John Anthony Smith, Conversant Group’s CEO and Chief Listening Officer, works regularly and passionately to protect as many people as possible, and he has volunteered to write a series of articles to help our readership better protect themselves from current and future attacks. What follows is the first article in a series aimed at building a more secure Chattanooga.
Most breaches, exploitation events, security incidents, ransomware events, and other malicious activities have very common causes. Mostly, the causes are well communicated and known by the information technology community; however, for a variety of reasons, the solutions never get implemented. Instead, many organizations are exposed. Shockingly, we often find organizations vastly exposed, and leadership is often blind or willingly ignorant to the risks being accepted by the organization. I would say bluntly, “Most organizations are standing in an open field naked, completely exposed.”
Though I didn’t watch it, there was once a show on television called “Naked and Afraid.” The premise of the show was to take complete strangers and place them in a remote, desolate location without food, water, or clothing. In many ways, these circumstances are similar to most organizations’, and frankly most people’s, security situation. The key difference is that it doesn’t take many resources for an individual to properly protect his or her personal accounts, and organizations often have the resources to invest in better security; however, most organizations simply do not. They deprive themselves of necessary safety by starving their technology teams of resources, leadership, and focus. Technology professionals also often face political pressure from above when trying to get security done well. Thus, most organizations are naked, but frankly, are not afraid enough!
Two of the most common causes are the lack of a strong password policy and the lack of two-factor/multi-factor authentication (2FA/MFA). You may ask, “What is MFA exactly?” It means that to log into a system your identity must be verified by something you know AND something you have. Ten or more years ago, the something you have was commonly a physical token. Today, the something you have is usually your phone or your computer. The point is that it requires something more than simply knowing your username and password to get into a sensitive system. Sometimes, the something you have may still be a token, a certificate, a YubiKey, etc.
Most organizations and users of personal systems such as banking, investing, and e-mail web sites do not use a proper password policy. Your Gmail, Hotmail, Comcast, banking, and investment passwords should be 12 characters or greater in length. Further, those same sites should have multi-factor authentication enabled. Gmail calls it 2-step verification. Hotmail and other systems may use Microsoft Authenticator, Google Authenticator, or text messages as the second factor. I know that security engineers and consultants who are deeply in tune will say that the SMS (text messaging) network is also not secure, but that is a discussion for another time. For now, you should enable MFA on all your personal accounts!
For organizations, the old standard was to change passwords every 90 to 120 days, with a minimum length of 8 characters and complexity requirements. You must know that length is more critical than complexity! If your passwords are allowed to be less than 12 characters in length, they are far more easily cracked. The modern and best approach is to move toward security passphrases: short sentences you can remember. Move toward longer passwords. We prefer 15 characters or more, but 12 characters are adequate.
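The claim that length matters more than complexity follows directly from the size of the search space an attacker has to cover. The added example below, which is not code from the article or from Conversant Group, computes that search space in bits for the legacy 8-character complex policy and for the longer policies the article recommends, and wraps the length-first rule in a checker that an application could apply at password-set time. The sample passwords are constructed for illustration.

```python
import math
import string

# Character classes and their sizes, used to model the attacker's alphabet.
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),             # 26
    "upper": set(string.ascii_uppercase),             # 26
    "digit": set(string.digits),                      # 10
    "symbol": set(string.punctuation) | {" "},        # 33
}


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of work to exhaust all passwords of `length` drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def alphabet_size_of(password: str) -> int:
    """Alphabet size an attacker must assume once the classes actually used are known."""
    size = 0
    for members in CHARACTER_CLASSES.values():
        if any(ch in members for ch in password):
            size += len(members)
    return size


def estimate_bits(password: str) -> float:
    """Upper bound on brute-force work; passphrases of dictionary words are weaker than this."""
    return search_space_bits(len(password), alphabet_size_of(password))


def compare_policies() -> dict:
    """Search space of the legacy policy versus longer, simpler passwords."""
    return {
        "8 chars, all 4 classes (legacy)": search_space_bits(8, 95),
        "12 chars, lowercase only": search_space_bits(12, 26),
        "15 chars, lowercase only": search_space_bits(15, 26),
        "15 chars, all 4 classes": search_space_bits(15, 95),
    }


def meets_length_first_policy(password: str, min_length: int = 12) -> bool:
    """Length-first rule: reject anything shorter than min_length; no class quotas."""
    return len(password) >= min_length


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:35s} {bits:5.1f} bits")
    for sample in ("P@ssw0rd", "blue tractor wins", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{sample!r:32} len={len(sample):2d} ok={meets_length_first_policy(sample)!s:5} "
              f"~{estimate_bits(sample):.1f} bits")
```

A 12-character password drawn from lowercase letters alone already offers a larger search space than an 8-character password using all four character classes, which is the point the article makes. The per-character estimate is an upper bound: a passphrase built from common dictionary words has far fewer real possibilities than its character count suggests, which is one reason to favour 15 characters or more and to pair the policy with MFA rather than rely on it alone.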
On assessment, we almost always find externally exposed systems with weak passwords and no MFA.
If you don’t have strong passwords and MFA ubiquitously applied throughout your organization and on your personal accounts, you are in an open field naked. You are exposed, and you should be afraid. Ubiquitously means that you have MFA and long passwords on everything exposed to the Internet. In a company, systems like Outlook Web Access, Office 365, ADP, Paylocity, all admin consoles used by your IT staff, and all externally exposed line-of-business applications must have long passwords and MFA.
ADP Workforce Now, as an example, doesn’t support MFA, and in my opinion, you should convert to something that does. If you use any externally exposed apps that do not support MFA, you really have one of three choices:
- Accept the risk.
- Buy a different product and convert.
- Remove access to the application from the Internet.
As a matter of fact, Conversant has consistently seen organizations exposed by the lack of a strong password policy and MFA. I have heard many times: “Why would we put MFA on our email system? There’s nothing sensitive in my email.” My immediate response to this rebuttal is: “Have you ever emailed your bank? Have you ever emailed your accountant? Have you ever emailed your lawyer? Have you ever wired funds?” If you don’t believe me, you will regret not taking this action later, as many other organizations before you have.
If a hacker in China, Russia, Iran, or insert nation state here, obtains your username and password to a sensitive system, by whatever means, you want to stop him or her by forcing an MFA challenge. Because most people don’t practice good password and security hygiene, and because there are frequent breaches of public systems, passwords are easily obtained by threat actors. Often, passwords are even readily available on the Dark Web.
I implore you. Please apply MFA on all of your externally exposed systems, and please advance your password policies (longer passwords). Further, please do not use your corporate password on any other systems. Your corporate password should be sacred.
If you don’t follow this simple guidance, be afraid. Be very afraid.
Your organization is standing naked in an open field.
We are happy to help your organization adopt better security protocols and technologies. For an organization, there are good reasons to consider MFA via methods other than Microsoft Authenticator and Google Authenticator. We can help you make better decisions on authentication, single sign-on, MFA, password policy, and authorization.
Our hand is extended. Please compute safely!