
Weak Passwords are not Your Friend

1/11/2021

Dive Brief:
  • The Cybersecurity and Infrastructure Security Agency (CISA) found bad actors used password guessing and spraying "in some cases" for initial access, according to an updated SolarWinds advisory on Wednesday.

  • In some cases, CISA found intrusions in organizations where SolarWinds Orion was not in use or the platform was not exploited. In these cases, the agency found evidence of adversarial tactics, techniques and procedures (TTPs) using passwords and "inappropriately secured administrative credentials accessible via external remote access services," according to the advisory.

  • The agency said the initial access root cause is still under investigation and the latest findings do not "supersede the requirements" of the initial emergency directive 21-01, where the agency asked federal agencies to power down SolarWinds products.

Dive Insight:

As investigators and researchers work to understand the full extent of the SolarWinds hack, the latest CISA update points to a constant in cybersecurity: weak passwords.

Password spraying is often described as a brute force attack, where attackers inundate usernames with rounds of passwords, looking for a match, according to Microsoft. When hackers are seeking out specific targets, they'll research an individual, looking for clues on social media or other platforms, to build possible passwords. 
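Because a spray spreads a few passwords across many accounts, it rarely trips per-account lockout; the signal is at the source level. The following detection logic is an added example written for this post, not code from the article, CISA or Microsoft; the log format and every username and address in it are constructed.

```python
# Password-spray triage over constructed authentication-log lines: a spray is one
# source trying a few passwords against many accounts, so each account sees only
# a handful of failures (below lockout) while the source touches unusually many users.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): "timestamp user source result"
SAMPLE_LOG = """\
2021-01-06T09:00:01 alice 203.0.113.7 FAIL
2021-01-06T09:00:02 bob 203.0.113.7 FAIL
2021-01-06T09:00:03 carol 203.0.113.7 FAIL
2021-01-06T09:00:04 dave 203.0.113.7 FAIL
2021-01-06T09:00:05 erin 203.0.113.7 FAIL
2021-01-06T09:00:06 frank 203.0.113.7 SUCCESS
2021-01-06T09:00:07 alice 198.51.100.9 FAIL
2021-01-06T09:00:08 alice 198.51.100.9 FAIL
2021-01-06T09:00:09 alice 198.51.100.9 FAIL
2021-01-06T09:00:10 alice 198.51.100.9 FAIL
2021-01-06T09:05:00 grace 192.0.2.44 FAIL
2021-01-06T09:05:30 grace 192.0.2.44 SUCCESS
"""

def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, user, source, result)."""
    events = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Flag sources whose failures inside any `window` cover >= min_accounts distinct
    users with <= max_per_account failures each (spray shape, not single-account
    brute force); also report accounts that logged in successfully from that source."""
    fails, logins = defaultdict(list), defaultdict(set)
    for ts, user, src, result in sorted(events):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            logins[src].add(user)
    hits = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # keep span <= window
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = {"accounts": sorted(per_user), "logins": sorted(logins[src])}
    return hits
```

Run against the sample, only 203.0.113.7 is flagged: five accounts failed once each and a sixth then logged in, which is the case worth investigating first, while the repeated failures against a single account from 198.51.100.9 are a different pattern and are left to per-account lockout rules.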

"Weak passwords are a major vulnerability that offers an easy entry point to any system no matter how much we spend on sophisticated approaches in other components of the system," said Hanan Hibshi, research and teaching scientist, Information Networking Institute at Carnegie Mellon University's CyLab Security and Privacy Institute, in an email.

In its advisory, CISA included research from Volexity, which found the advanced persistent threat (APT) leveraged a previously stolen secret key "to generate a cookie to bypass the Duo multi-factor authentication (MFA) protecting access to Outlook Web App." The same activity was seen in SolarWinds' supply chain hack, leading Volexity to conclude there are undiscovered initial vectors outside of SolarWinds Orion, according to the memory forensics company.

Last week, the Department of Justice found about 3% of their Microsoft Office 365 inboxes were compromised as part of the attack. The APT relied on authentic credentials "in the form of assigning tokens and certificates to existing Azure/Microsoft 365 (M365) application service principals," CISA said in its Wednesday update. The TTP granted attackers escalation tools and a way of "interacting with the Microsoft Cloud tenants."

Microsoft has issued guidance on how organizations can identify authentication that took place outside the purview of the system owner and their infrastructure, as well as changes to identity federation.

If MFA isn't available, CISA advises organizations to use complex passwords consisting of more than 25 characters. Complex passwords hurt user experience, leaving many employees recycling their passwords across platforms and devices.

Password managers can mitigate the risk of poor, overused passwords because they limit how much an employee has to remember. But doing so "does not come without the cost of organizations investing in those solutions," and appropriate employee training, said Hibshi.


    Author: Brad Egeland

    Named the "#1 Provider of Project Management Content in the World," Brad Egeland has over 25 years of professional IT experience as a developer, manager, project manager, consultant and author. He has written more than 8,000 expert online articles, eBooks, white papers and video articles for clients worldwide. If you want Brad to write for your site, contact him. Want your content on this blog and promoted? Contact him. Looking for advice/mentoring? Contact him.
