The Pandemic of Poor Passwords
Published On October 2, 2020
Blog Post by Kevin Sacco, Ethical Hacking Leader at Meditology Services
pandemic / pan·dem·ic \ pan'demik / adj.
(of a disease) prevalent over a whole country or the world.
In almost 20 years of penetration testing and compliance work, one theme has consistently led to unauthorized access to sensitive information and systems: BAD PASSWORDS. Bad passwords are a disease that has affected most healthcare organizations, both domestically and globally.
The stats from recent breach reports and regulatory bodies indicate that this outbreak is having a material financial and operational impact on our industry. As reported in our related publication, Analysis of Healthcare Breach Trends | Insights from the 2020 IBM/Ponemon Report, the top source of breaches for healthcare entities is malicious hacking, with 53% of breaches coming from external attacks. The average cost per breach event in healthcare is $7.13m.
A primary vector for externally based breaches is poor password management and authentication models. In this blog post, we will explore some of the symptoms of the bad password disease and provide treatment recommendations for limiting its spread and impact on vulnerable healthcare populations.
Organizations with the bad password disease commonly display one or more of the following symptoms:
- Dozens and sometimes hundreds of accounts with common dictionary word passwords that do not comply with industry standard password controls (e.g. password, welcome)
- Passwords in use that technically comply with complexity and length requirements but are easily guessable by attackers (e.g. Summer2020!)
- Misconfigured multi-factor authentication, including self-enrollment flows that let an attacker who logs in with an easily guessable password register their own device at first login and receive the authentication codes
- Password policies and configuration standards that do not align with industry standards for length and complexity
- Passwords that are rotated from one easily guessable value to another every 90 days (e.g. Spring2020! to Fall2020!)
- Service accounts (machine to machine logins) with administrative access that use the same complexity standards as normal end user accounts; service accounts with excessive administrative privileges
- A large number of privileged accounts, including domain administrator accounts, often with a password policy that is an exception to standard password control requirements, such as passwords set to never expire or passwords set manually by IT admins
- Default vendor accounts in use with externally facing access and administrative privileges to one or more sensitive systems
- Shared accounts or passwords that automatically log in to systems and applications
- Passwords stored in plaintext in emails, Microsoft Office documents, text files, scripts, databases, Active Directory comments, GPOs, and other insecure locations or formats
- Databases with default or blank administrative passwords or default vendor passwords
- High volumes of security incidents and response activities
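The plaintext-password symptom above is the one an auditor can hunt for directly. The following is an added example, not code from the original post: a small scanner that flags the forms in which credentials typically survive in scripts, configuration files, Group Policy Preference XML (the cpassword attribute) and Active Directory description fields. All of the sample files, the account names and the password values in it are constructed for illustration, and the three regex rules are the author's own choice, not an exhaustive signature set.

```python
"""
Added example (not from the original post): scan text files for plaintext
credentials left in scripts, config files, GPP XML and AD description
exports. Sample inputs are constructed; no real artefacts are used.
"""
import re

# Each rule captures the secret value in group 1 so the report can mask it.
PATTERNS = [
    # key=value / key: value forms in scripts, .ini/.config files and connection strings.
    # The word boundaries avoid hits on names like min_password_length.
    ("keyword assignment",
     re.compile(r'(?i)\b(?:password|passwd|pwd)\b\s*[=:]\s*["\']?([^\s"\';]+)')),
    # PowerShell: ConvertTo-SecureString "literal" -AsPlainText leaves the literal in the file.
    ("ConvertTo-SecureString literal",
     re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText')),
    # Group Policy Preferences: cpassword attribute in Groups.xml and similar files.
    ("GPP cpassword attribute",
     re.compile(r'cpassword="([^"]+)"')),
]


def mask(secret):
    """Keep the first two characters so a finding is recognisable without printing the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(name, text):
    """Return one finding per matched rule per line: file, line number, rule name, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"file": name, "line": lineno, "kind": kind, "value": mask(m.group(1))})
    return findings


def scan_all(files):
    """files: mapping of file name -> text content (e.g. read from a share crawl)."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample files; every value below is made up for the example.
SAMPLE_FILES = {
    "backup.ps1": (
        '$sec = ConvertTo-SecureString "Summer2020!" -AsPlainText -Force\n'
        '$password = "Welcome1"\n'
        'Write-Host "starting backup"\n'
    ),
    "Groups.xml": '<User name="Administrator" userName="svc_local" cpassword="QUJDRC1jb25zdHJ1Y3RlZC1leGFtcGxl" />\n',
    "web.config": '<add name="db" connectionString="Server=db1;User Id=sa;Password=sa;" />\n',
    "ad_descriptions.txt": (
        'jsmith   Temp password: Welcome2020!\n'
        'min_password_length = 14\n'   # a policy setting, not a credential: must not be flagged
    ),
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['kind']:32} {f['value']}")
```

The scanner reports masked values on purpose: an audit report that reproduces the recovered passwords in full becomes another plaintext store of the kind it was written to find.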
Patients are advised to implement the following precautions to prevent and contain the spread of the bad password disease:
- Implement password filters and bad password list technology to prevent known bad passwords and common password lists from being used (contact your Meditology cyber physician to learn more)
- Implement multi-factor authentication across all user accounts including privileged accounts for externally-facing access and any critical systems or segments on the internal network
- Establish password controls for service accounts (machine to machine logins) that have substantially stronger complexity requirements (e.g. minimum 25 characters)
- Change vendor default passwords
- Conduct routine penetration tests for both external and internal facing networks and specific scenario-based testing
- Explore options for deploying Microsoft’s LAPS (Local Administrator Password Solution) to create unique local administrator passwords on workstations and servers
- Implement strong endpoint controls and vulnerability management programs to protect against credential dumping
- Perform vendor risk management and due diligence reviews to ensure application and system accounts and passwords are assessed prior to implementation
- Investigate privileged account management software solutions and implement where appropriate
- Update and deliver password-specific awareness training for end users and privileged users / admins
- Commission routine user access reviews to identify excessive or unnecessary administrative access
- Conduct routine password audits and password cracking exercises to evaluate the effectiveness of password controls and awareness approaches
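The password-filter, service-account-length and password-audit recommendations above all rest on one distinction: a password can satisfy a length-and-complexity rule and still be guessable. The block below is an added example, not code from the original post or a Meditology tool, of a filter that checks both. The banned list, the season and month lists, the leet substitution table, the 14-character minimum for user accounts and all sample passwords are constructed assumptions; the 25-character minimum for service accounts is the post's own figure. A real filter would load a large breach-derived list and the organisation's own word list in place of the constructed sets.

```python
"""
Added example (not from the original post): a banned-password and pattern
filter that separates "meets the complexity rule" from "is guessable".
All lists, thresholds and sample passwords below are constructed.
"""
import re

# Constructed banned list; real deployments load hundreds of thousands of entries.
BANNED = {"password", "welcome", "letmein", "qwerty", "changeme", "admin", "iloveyou"}
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
# Common substitutions undone before the dictionary check (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Assumed minimum lengths: 14 for interactive users, 25 for service accounts (the post's figure).
MIN_LEN = {"user": 14, "service": 25}


def meets_complexity(pw, min_len=8):
    """Classic 3-of-4 character-class rule. Note that Summer2020! passes it."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and sum(classes) >= 3


def normalize(pw):
    """Reduce a password to its dictionary base: lower-case, drop the trailing
    year/punctuation, undo leet substitutions, drop leading punctuation."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    base = base.translate(LEET)
    return re.sub(r"^[^a-z]+", "", base)


def guessable_reason(pw, org_words=()):
    """Return why a password is guessable regardless of complexity, or None."""
    base = normalize(pw)
    if not base:
        return "digits and punctuation only"
    if base in BANNED:
        return "banned word"
    if base in SEASONS or base in MONTHS:
        return "season/month word"
    if base in {w.lower() for w in org_words}:
        return "organisation name"
    return None


def evaluate(pw, account_type="user", previous=None, org_words=()):
    """Return the list of findings for a proposed password; an empty list means accepted.
    previous: the password being replaced, used to catch Spring2020! -> Fall2020! rotations."""
    findings = []
    need = MIN_LEN[account_type]
    if len(pw) < need:
        findings.append(f"shorter than {need} characters required for {account_type} accounts")
    if not meets_complexity(pw):
        findings.append("fails 3-of-4 complexity")
    reason = guessable_reason(pw, org_words)
    if reason:
        findings.append(reason)
    if previous is not None:
        if normalize(previous) == normalize(pw):
            findings.append("rotation only changed digits or punctuation")
        elif reason and guessable_reason(previous, org_words) == reason:
            findings.append(f"rotation swapped one {reason} password for another")
    return findings


if __name__ == "__main__":
    # Constructed cases, including the post's own examples.
    cases = [("password", "user", None), ("Summer2020!", "user", None),
             ("Welcome2", "user", "Welcome1"), ("Fall2020!", "user", "Spring2020!"),
             ("Svc-Backup2020!", "service", None),
             ("rH8#vLq2$Mz9&kTw4!pJc6^bNy1%gXf3", "service", None)]
    for pw, kind, prev in cases:
        print(f"{pw:34} {kind:8} {evaluate(pw, kind, prev, org_words=('Meditology',)) or ['accepted']}")
```

Run over a password-cracking result set rather than at change time, the same `evaluate` function turns a cracked list into the audit metrics the post recommends: how many accounts fall to a banned word, how many to a season-plus-year pattern, and how many service accounts sit below the 25-character floor.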
When to Seek Professional Help
Organizations are advised to seek professional services if they experience one or more of the following conditions:
- Suspicious network or system activity
- Outbreaks of ransomware or other computer viruses and malware
- Breaches of one or more externally facing systems
If symptoms persist, do not attempt further self-diagnosis or treatment. Contact your Meditology cyber physician right away and our team of trained and experienced professionals will work with you to adopt proven treatment plans and arrive at a cure.