Last week, Krebs on Security published an article “Ayuda! (Help!) Equifax Has My Data!” which reported “that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”
Yes, you read that correctly. This is equivalent to making the password to your bank account “password.”
However, that is not all. According to the article, once the researchers were inside the portal, they could view the names of more than 100 Argentinian Equifax employees, their employee ID and email address. And, in order to view an employee’s password, all someone had to do was “right-click on the employee’s profile page and select ‘view source,’ a function that displays the raw HTML code which makes up the website. Buried in that HTML code was the employee’s password in plain text.”
I wish at this moment I could say “No, you read that wrong,” but unfortunately, you read that correctly. All hackers would have to do is guess “admin” for the admin account’s password and they would have the “keys to the kingdom”—the credentials of all employees located in Equifax’s Argentinian office.
Passwords are the keys to the kingdom and cyber criminals know it and exploit it. In fact, according the Verizon Data Breach Report, 81% of breaches involve weak, default or stolen passwords. Identity IS the top attack vector.
So, what can companies, like Equifax, implement in terms of password management to protect against compromised credentials for IT users?
Change Their Operating Model
IT users should login as themselves with role-based privileges, minimizing the use of shared accounts (in other words, don’t treat everything as an emergency). Getting IT users to login as themselves has many advantages — we can attribute activity to the individual, which means there is no more “I did not do this,” and they are only allowed to run commands that their role is assigned to. Most organizations don’t do this, and they instead use shared accounts with a shared password like “admin” !
Implement Shared Account Password Management for Emergency Situations
There are situations when getting users to login as themselves is not optimal, and a shared account is necessary. The best way to control this scenario is … and wait for it, don’t let anyone know the password in the first place. And every time they use it, it’s rotated, so even if they have it, they don’t really have it, because it’s changed again. That’s what shared account password management (SAPM) does. Each time an authorized internal user, outsourced IT and third-party vendor needs access they go through an approval process. And, once approved, a password is auto generated for their specific session. Moreover, for even better security, they don’t even know the password because they are auto logged into the system so they can perform their admin tasks — once done, it will be reset.
MFA Everywhere: Reinforce the Above with MFA
When users login as themselves, they should always use MFA. This way, if their password is compromised, a second factor of authentication is required (eg mobile phone), and access is denied to the hacker. Additionally, when users login as themselves and need to run a privileged command, enterprises should enforce re-authentication using MFA at this point – thus, another check is performed using MFA before the command is executed.
For shared accounts (as in above), do the same. When users request access to a shared account they are authenticated using MFA as part of the approval process – this again helps ensure that a compromised password in the hands of the hacker will deny access to the shared account.
Yes, “admin” as a password for your admin account opens the door to hackers, but the solution is not to just replace it with a “more difficult-to-guess password.” Companies need to rethink security and move away from a password approach to one that implements MFA across the enterprise and enforces privileged access policies – if they do not, then they are at risk of becoming the next breach headline.
Learn how to rethink your security without relying on passwords with our e-book, “Rethink Security: A Massive Paradigm Shift in the Age of Access.”
Secure Thinking by Tom Kemp
