Persistent & Rising Threats in Cybersecurity
Many of today’s physical and cybersecurity threats take advantage of one of the weakest features in modern operational and information security systems: passwords.
AI (Artificial Intelligence) & ML (Machine Learning)
Artificial Intelligence and Machine Learning generally refer to machines, particularly computer systems, exhibiting intelligence by perceiving their environment, using learning and reasoning to draw conclusions, and taking actions that maximize their chances of achieving defined goals.
Cybercriminals are leveraging AI- and ML-powered tools to craft more sophisticated, legitimate-looking phishing emails and scam call scripts, automate attacks with unprecedented speed and volume, evade detection by traditional tools and even tech-savvy users, and launch campaigns targeted at specific audiences. The goal is to capture as much access data as possible, such as passwords, which they then use in the service of broader, more destructive and lucrative criminal activities.
Quantum Computing
A quantum computer is a computer that exploits quantum mechanical phenomena and can perform some calculations exponentially faster than any current traditional computer.
Quantum computers, still in their infancy, are predicted in the near future to be capable of breaking encryption algorithms that are currently uncrackable by the intelligence services and resources of nation-states. And when that technology is available, it will allow criminals to crack passwords even faster than current Brute Force hacking hardware.
IoT (Internet of Things)
The Internet of Things (IoT) describes devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over a network, most commonly the Internet.
As more and more insecure devices such as household appliances, HVAC, physical perimeter security, and vehicles are connected to the internet and made remotely accessible and controllable, they add more attack surfaces that hackers can gain access to through password hacking, with more negative real-world consequences.
OT (Operational Technology)/Infrastructure
This is an extension of the IoT problem. As more and more industrial equipment controlling manufacturing, food production, power generation and distribution, water purification, etc. is connected to the internet and made remotely accessible and controllable, it adds more attack surfaces that hackers can gain access to through password hacking, with more dire, life-threatening real-world consequences.
Ransomware
For quite a few years now criminals have generated a major source of income from other people’s data that they’ve encrypted and exfiltrated, including their backups, so that victims have no choice but to pay the ransom to get their data back, get back access to their IT systems, and keep the embarrassing crime out of the media.
This attack often starts with password hacking to gain access. More advanced techniques, such as installing a RAT (Remote Access Trojan), are then used to gain access to more systems and their valuable data, and the attack ends with a notification that an organization’s data has been stolen and encrypted.
Social Engineering
Social engineering is the psychological manipulation of people into performing actions that are not in their best interests, such as divulging confidential information. Examples include phishing emails and fake customer support calls to trick unsuspecting victims into revealing access data like passwords.
Cloud Computing
Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. Large clouds often consist of data centers distributed over multiple geographically diverse locations.
“The Cloud” is often affectionately referred to as simply “someone else’s computer,” and it suffers from the same vulnerabilities, including unauthorized access, data breaches, misconfigurations, and account hijacking, almost all of which start by gaining access through password hacking.
Supply Chain
A supply chain attack targets the interconnected network of vendors, suppliers, and partners that support an organization’s operations. It often starts by gaining access somewhere in the supply chain through password hacking, and then hackers use additional tools and techniques to spread their access and control to desired systems in the network of companies in order to achieve their criminal objectives.
Remote Work
Remote work, also called telecommuting, telework, work from home (WFH), work from anywhere, or hybrid work when it is split with traditional office work, is the practice of working from one’s home or another space rather than from an office. It’s a target-rich environment and a “soft target” for hackers, because security is usually significantly weaker than in an office environment.
Unsecured home network devices often use publicly accessible factory-default passwords. Phishing attacks target remote workers to trick them into revealing access data like passwords. And there are innate vulnerabilities in remote access tools and technologies such as a VPN, which is secured using a user-chosen password that is often too simple, reused, and possibly already compromised from previous use in other settings such as e-commerce websites.
Lack of Awareness
Many individuals and businesses are still unaware of the prevalence and severity of the risks they and their organization face from internal and external threats, the importance of cybersecurity to protect against them, and their role in that mission.
People are by far the weakest link in cybersecurity, especially concerning password hygiene, but some companies can be just as bad. An organization can have the most expensive, sophisticated, multi-layered cybersecurity systems in the world, and it can all be bypassed by an employee using 12345678 as their password. And companies that still allow 8-character, simple passwords are equally at fault.
Complexity of Attacks
Almost gone are the days of well-known and easily recognizable scams like a foreign prince wanting to share his fortune with a lucky email recipient. Cyberattacks are becoming more sophisticated and complex, more difficult to detect, and more challenging to defend against. These days, email, text, phone, and even snail mail scams look and sound legitimate and convincing, and they take advantage of vulnerabilities in commercial electronic payment methods to ensure stolen funds are instantly irretrievable. It is all too easy for a victim to unwittingly reveal their password, and recent attacks are often so good that criminals can get people to share a variety of PII (Personally Identifiable Information) such as social security numbers or bank account information.
Human Error
Despite the best security measures, human error remains one of the most significant cybersecurity vulnerabilities, as even the most advanced technology can’t protect against careless mistakes. Even without malicious intent, mistakes such as poor password hygiene, misconfigured hardware and software, etc. lead to exploitable vulnerabilities.
Insufficient Resources
Even the most diligent, best-intentioned organizations can suffer from a lack of cybersecurity budgeting/funding, with too few staff dedicated to cybersecurity, too few staff with experience and expertise because they are too expensive, and inadequate training of non-IT staff about good password hygiene, avoiding phishing scams, etc.
Rapidly Evolving Threat Landscape
Even before AI makes it worse, human ingenuity alone keeps cyber threats constantly evolving, and defenses need to adapt to them. New attack techniques and permutations of existing attacks appear frequently and can easily slip past or overwhelm an organization’s defenses. Trying to just strengthen password length and structure, or change passwords more frequently, is entirely inadequate.
Weak and Common Passwords
Users create passwords that are easy to remember and guess, which makes them vulnerable to Brute Force (or dictionary) attacks, where every possible password combination is tried methodically by hardware and software specifically designed for the task, and which can crack an 8-character password of any combination of characters in seconds.
Password Reuse
Rather than try to recall a growing list of passwords made up of a nonsensical jumble of different letters, numbers, and special characters and cases, users tend to reuse the same password across multiple accounts and services, sometimes even after the password has been compromised on an account, with or without the user’s knowledge. This practice leaves the user’s accounts vulnerable to Credential Stuffing, where hackers use stolen credentials from one site to gain access to other sites.
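Brute Force and Credential Stuffing, as described above, leave different traces in failed-login records: many guesses against one account versus one or two tries against many accounts. The following Python code is an added example, not OLOID code or part of the original article; the log format, the sample lines, and the threshold of 5 are constructed assumptions, and it ignores time windows for brevity.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed auth-log lines (not real data): time, source IP, user, result."""
    lines = [f"2024-07-01T10:00:0{i}Z 203.0.113.5 alice FAIL" for i in range(6)]
    lines += [f"2024-07-01T10:01:0{i}Z 198.51.100.7 user{i} FAIL" for i in range(6)]
    lines += [f"2024-07-01T10:02:0{i}Z 192.0.2.{i + 20} carol FAIL" for i in range(6)]
    lines += ["2024-07-01T10:03:00Z 192.0.2.9 bob FAIL",
              "2024-07-01T10:03:05Z 192.0.2.9 bob OK"]
    return "\n".join(lines)

def parse_failures(log_text):
    """Yield (ip, user) for every well-formed failed login line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "FAIL":
            yield parts[1], parts[2]

def classify_sources(log_text, threshold=5):
    """Label each source IP by the shape of its failed logins."""
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for ip, user in parse_failures(log_text):
        per_ip[ip][user] += 1
    verdicts = {}
    for ip, users in per_ip.items():
        if max(users.values()) >= threshold:
            verdicts[ip] = "brute_force"          # many guesses, one account
        elif len(users) >= threshold:
            verdicts[ip] = "credential_stuffing"  # many accounts, few tries each
        else:
            verdicts[ip] = "normal"
    return verdicts

def distributed_targets(log_text, threshold=5):
    """Accounts failing from many distinct IPs, which per-IP counts miss."""
    per_user = defaultdict(set)  # user -> source IPs with failures
    for ip, user in parse_failures(log_text):
        per_user[user].add(ip)
    return sorted(u for u, ips in per_user.items() if len(ips) >= threshold)

if __name__ == "__main__":
    log = build_sample_log()
    print(classify_sources(log))
    print(distributed_targets(log))
```

The per-account view matters because guessing spread across many source addresses keeps every individual address under the per-IP threshold.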
Verizon 2023 Survey: 74-80% of security breaches involved the use of lost or stolen credentials
Real-World Examples of Data Breaches Caused by Weak Passwords
One in three respondents to a 2022 Bitwarden survey said that they’d experienced a data breach in the last 18 months because of a poor password choice.
Here are the top 4 instances when a weak password led to a major hacking incident, listed from oldest to most recent:
GitHub, 2013
The data breach affected an unknown number of users (GitHub declined to reveal how many), and was the result of an astonishing number of brute force login attempts executed from nearly 40,000 separate IP addresses.
Taobao customers, 2016
In this incident, 21 million user accounts were compromised, and hackers gained further unauthorized access to 99 million usernames and passwords. Many users had reused passwords previously compromised on other accounts, and a huge number of users had simple passwords that were commonly used and easily guessable.
The Northern Irish Parliament, 2018
Hackers had guessed users’ passwords from a list of commonly used ones, and once inside the network, hackers used their skills to access the mailboxes of assembly members and their sensitive communications within the government and with their constituents.
The Canadian Revenue Agency, 2020
Over 11,000 accounts were compromised in this attack which targeted weak passwords and took advantage of previously compromised account details.
How Passwordless Authentication Can Prevent Such Incidents
Passwordless authentication can significantly reduce the risk of hacking by eliminating the vulnerabilities associated with traditional passwords.
Eliminates Password Theft
Since no passwords are used, there are no credentials to steal, phish, or intercept. This minimizes the success rate of cyberattacks targeting password theft.
Reduces Credential Stuffing
Hackers often use stolen credentials from one site to gain access to other sites. Passwordless authentication, using methods like biometrics or security tokens, makes this tactic ineffective.
Prevents Phishing Attacks
Without passwords, phishing attacks that trick users into revealing their credentials become useless. Instead, authentication methods like biometrics or one-time passcodes are used.
Enhances Security with Multi-Factor Authentication (MFA)
Passwordless systems often incorporate MFA, adding an extra layer of security. Even if one factor is compromised, the attacker would still need to bypass additional security measures.
Connection to the recent CrowdStrike Microsoft Outage
The recent CrowdStrike incident caused a significant global IT outage, affecting millions of Microsoft Windows systems. On July 19, 2024, a faulty update to CrowdStrike’s Falcon Sensor software led to widespread crashes and disruptions. This update caused around 8.5 million Windows devices to crash, impacting critical services worldwide, including airlines, hospitals, and financial institutions.
At this time there is no indication that the faulty update was done maliciously as an attack, either by a disgruntled employee at CrowdStrike or within Microsoft, or by a criminal hacker group, terrorist organization, or hostile country’s government. However, there is ongoing investigation and speculation as to how an error of this magnitude could have gotten past the software developers and quality control teams at both companies and gotten distributed to companies worldwide without being caught before causing such disastrous results.
If it is found that the CrowdStrike Microsoft outage was done maliciously, it would be classified as a Supply Chain Attack where an attacker targets a trusted third-party vendor or service provider to compromise their software or hardware, which then impacts all the clients using that vendor’s products or services. If intentional, it would be a strategic way to disrupt numerous organizations by exploiting the trust placed in CrowdStrike’s security software. Hackers often gain initial access to trusted vendors in a Supply Chain Attack by exploiting one or more of numerous password vulnerabilities.
If further investigation finds that the recent fiasco involving CrowdStrike’s update and Microsoft simply revolved around a compatibility issue that led to system crashes, this incident highlights the importance of thorough testing and compatibility checks in software updates, especially for critical cybersecurity tools. And although not directly linked to password-related challenges, it has yet again brought cybersecurity vulnerabilities to the forefront and serves as a good reminder of how the upcoming decade will be dominated by cybersecurity challenges and an effort to solve them. Elimination of passwords will remove one major challenge.
Conclusion
It’s widely recognized that passwords are an outdated technology rife with easily exploitable vulnerabilities, and it’s long past time to move away from them to Passwordless Authentication using biometrics and other means.
OLOID Passwordless Authentication addresses all the aforementioned security challenges, and benefits both employees and employers in numerous other ways, including increasing efficiency, productivity, reducing costs, and increasing profitability, all with a fast adoption rate and subsequent ROI on the investment to migrate to the solution.
If you want to explore in more detail how the OLOID Passwordless Authentication has benefitted countless organizations, visit our website and Contact Us to speak with a specialist about how we’ve done so for Tyson Foods, and many other companies across diverse industries over the years.