The password problem
Nearly all IT professionals (~95%) agree that passwords pose real security risks to their organisation. People have been using weak passwords for as long as we can remember; then there's the mishandling of passwords (writing them on post-its) and the reuse of the ones we feel comfortable with. Not exactly best practice according to LastPass, but no shocking news either, as we're all guilty as charged.
Passwords are too weak
Among the top frustrations for employees is changing passwords, remembering the previous 100 passwords and not being able to re-use them. This makes password management a tedious part of the job and surely doesn't really add any security if done improperly. It also increases the additional labour required for simple hygiene; just think about the time wasted on password resets.
In order to combat weak passwords, we need to build security habits that aren't overly complex and actually make life easier instead of harder. Weak and/or re-used passwords pose a real threat to organisations because they're typically the one thing between your data and bad actors. The bad actors have done a marvellous job of indexing the most common passwords to make password spraying attacks easier and more effective. You just have to look for the right dataset, taking culture and language into account. It's not just bad actors: the good guys also index weak passwords, and they do it for awareness reasons.
See below the top 11 of most used passwords for 2020 in the world. View all 200 most common passwords.
Let's assume, for the sake of argument, that you have adopted on-par security habits. Even if you do everything right, your secure passwords might still be leaked. Your responsibility is only one part of the puzzle. The other side (the application) should also take measures to safely store the information you use to authenticate. This means they should hash the secret info and secure the systems and infrastructure on which this information is stored and accessible.
Information leaks all the time. In the past months we've seen TicketCounter.nl (August 2020), Eneco (January 2021), GGD GHOR (January 2021), AlleKabels.nl (February 2021), NAM (March 2021), RDC.nl (March 2021), DS-IT (April 2021), Gemeente Amsterdam (April 2021), Heijmans (April 2021) and a few weeks back New York Pizza (June 2021). It doesn't take long for this information to surface on the web; in fact, you can quite easily find combined (COMB) datasets with a quick Google search. COMB stands for combination and is basically a combination of leaks, sorted for ease of use.
The bad guys are typically a few steps ahead of us. There's no silver bullet, nor a 100% safe system. At some point, we should assume systems are going to be breached and data leaked. If you've taken the measures prescribed by the various best practices, you are at least safer. Unfortunately, there are a lot of tools readily available to 'crack' even the hashed passwords.
Let's use this example:
Someone "found" a dump of leaked credentials, note that this information is quite easy to find.
"It’s well known that most people base their password on a word, in various forms:
- Just a word (potentially with different capitalisations) — Password
- A word followed by some numbers/symbols — monkey! or Coffee12
- A word with ‘leet speak’ applied — p4ssw0rd or f4c3b00k
- Multiple words stuck together — isthissecure"
In order to crack hashes you typically use highly efficient tooling, which is available for free (open-source), like Hashcat. I will not dive deeper than this; you can read the whole article online. Apart from tooling, you need a strong processor. You don't even need to own the hardware anymore: you can 'rent' an Nvidia Tesla K80 GPU on AWS for as little as $0.90/hour. It's able to calculate ~800 million SHA-256 hashes per second… let that sink in.
In the article the author used a dataset of 14 million credentials and reached the following milestones:
- 2 hours: 48% of the passwords were cracked
- 8 hours: nearly 70% of the passwords were cracked
- 20 hours: over 80% of the passwords were cracked
In summary: "20 hours. $0.90 per hour. That’s just $18 spent to have 80% of 14 million passwords cracked."
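The four word-based patterns quoted above are also what a defender can screen for when a user sets a password. The sketch below is an added example, not code from the quoted article; the tiny word list, the leet-speak mapping and the function names are constructed for illustration, and a real deployment would load a large dictionary and a breached-password list.

```python
import re

# Constructed sample dictionary (assumption): replace with a real word list.
WORDS = {"password", "monkey", "coffee", "facebook", "is", "this", "secure"}

# Assumed leet-speak substitutions, mapped back to the letters they imitate.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def split_words(text, words=WORDS):
    """Segment text into dictionary words; return None if it cannot be done."""
    # best[i] holds one segmentation of text[:i] (dynamic programming).
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best[len(text)]


def classify(password, words=WORDS):
    """Return the word-based pattern a password follows, or None.

    Purely numeric passwords such as 123456 are not word-based and need a
    separate common-password list check.
    """
    lowered = password.lower()
    # Pattern 1: just a word, whatever the capitalisation.
    if lowered in words:
        return "word"
    # Pattern 2: a word followed by numbers/symbols.
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if stem != lowered and stem in words:
        return "word+suffix"
    # Pattern 3: leet speak, with or without a trailing suffix.
    if lowered.translate(LEET) in words:
        return "leet"
    if stem.translate(LEET) in words:
        return "leet+suffix"
    # Pattern 4: multiple dictionary words stuck together.
    parts = split_words(stem.translate(LEET), words)
    if parts and len(parts) > 1:
        return "multi-word"
    return None


if __name__ == "__main__":
    for candidate in ["Password", "monkey!", "Coffee12", "p4ssw0rd",
                      "f4c3b00k", "isthissecure", "x7#Lq9!vTz2&Rm4p"]:
        print(f"{candidate!r:22} -> {classify(candidate)}")
```

A password that returns a pattern name should be rejected at registration or password change, since it falls in the search space the quoted article covers first.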
The table below depicts how long it would take for an NTLM hash (i.e. Windows passwords) to be cracked. Note that these numbers may vary across research papers; these are pretty up-to-date and pertain specifically to NTLM hashes and the use of AWS compute available in 2020.
Note: the above table is based on 632 GH/s cracking power (AWS p3.16xlarge @ $25/hour) for NTLM hashes. Source: The Security Factory.
Multi-factor authentication (MFA)
This is why we need MFA sooner, rather than later. This will add a 'factor' to the login sequence; in other words, you need more than just your username + password (something you know). Because the other factors are not found online, it's way harder for the perpetrator to get into your accounts. Let me emphasise: it's not a silver bullet, as there can be bugs in the system using or providing MFA functionality. But at least you've done all you can do in this regard.
What is MFA?
- Something you know -> e.g. a password
- Something you have -> e.g. your phone or a token
- Something you are -> biometrics; e.g. face ID and fingerprints
- Somewhere the user is -> geolocation
Passwordless, is that a thing?
Microsoft has already adopted this new idea: why should a password be safer than something that you have and are (still two out of the three tenets for MFA)? You just have to fill in your account login (e.g. your email address) and the system will send a push notification to your phone. This push notification can only be viewed if you authenticate on your phone with biometrics (e.g. fingerprint or face ID). This makes it way more difficult for bad actors to abuse your account, because to get in they will need your phone and you.
We will see more adoption of this idea because it eliminates one of the fundamental IT problems: password management. No more password reset requests, remembering all these different passwords, or issues with password managers that don't integrate properly. Just a new way of signing in, and preferably one that holds your authentication for every app that you need for work until something changes in your session/behaviour, for example your IP address, turning off security features on your laptop, privilege escalation, etc.
In conclusion: what should I do?
So, what you're saying is that I should consider passwords pretty much compromised by default? Well, yes and no. You can't go through life without passwords (yet), so at least use different passwords for different sites/services; if a password leaks, the damage is contained to that one account.
Advice #1 use a password manager
A little bit of personal advice: passwords are annoying (I know), but they’re pretty much the only thing between you and people trying to abuse some (if not most) of your accounts. Corporates tend to ask you to change your passwords frequently, which is a solid countermeasure, but not very user friendly. It’s therefore advisable to use a password manager and have it generate ridiculous passwords for your online accounts (16+ characters). You can determine for yourself if you feel safe storing all your passwords there; in general, it's safer than the alternative (weak and reused passwords).
Which password manager is the best? There is no easy answer; it boils down to two things: safety (most password managers score well in this area) and ease of use (this is quite personal). So try one or two before you buy (if you're going to buy).
Advice #2 use MFA whenever (and wherever) possible
On top of that, certainly for sensitive accounts, please enable MFA. Don’t worry if you haven’t heard of it, or if you call it something else. This typically requires you to use your username + password and a code/push notification in an app on your mobile phone (or tablet).
Drawing money from an ATM is comparable: you need the bank card and the pin code, something you have and something you know. You can use any of the readily available authenticator apps: Microsoft Authenticator, Google Authenticator, DUO Mobile, etc. Even today, in 2021, many accounts are protected by weak passwords (and lots of passwords are leaked every day), and adding MFA makes it a whole lot more difficult for hackers to get into your accounts.
Tip: try enabling MFA on LinkedIn/Facebook/Instagram/Personal email, etc. This is easy to set up and gives you extra security.
Enable it, open your Authenticator App, scan the QR-code (press the plus sign, typically on the right side of the screen) and you’re all set! You have just upped the ante on your security game.
PS: while you're at it, you might want to change your password if you've never done this (especially if you joined before 2013).
Advice #3 stay vigilant!
Keep people from glancing at your keyboard when typing in passwords/passcodes etc. Set up monitoring of your account and/or regularly check the activity logs. You can also set up Google Alerts to notify you when something about you pops up on the internet (note: it will not detect everything, of course). It's quite easy: browse to google.com/alerts (and if necessary, sign in); here you can configure what to monitor.
Another tip is to register at haveibeenpwned.com; this site indexes leaks and notifies you if your email has been in any of the known leaks.
If you have any questions, want a sparring partner, or are curious about what this all means, feel free to contact us.