How were we Hacked? Part 1
When we read about hackers, we either think of people in Anonymous wearing Guy Fawkes masks, or else of that film from the mid-’90s where roller-blading teens bring down the baddies with elaborate rabbits and trojan horses. While complicated, CIA-type hacking may exist, the VAST majority of hacking is simply someone getting your password and logging in online, just like you would.
How do hackers get your credentials?
So how are hackers getting our passwords? Understanding this will lead us to be more careful in how we create, manage, use, and re-use our credentials.
1) It was so bad it got guessed - Password spraying
Many people simply cannot fathom that they will ever be the one to get their account hacked. “Sure, it will never happen to me. Why would a hacker be interested in me? I’ll just use ‘Password1’ because I could not be bothered coming up with a better one and remembering it.” Many of us would gasp at this contrived example, but it does happen. A lot. One way or another, there is a reason why “Password1” is on the list of most used passwords: there is no end of people like this. I’ve seen it used and hacked in corporate environments.
The reason this happens is not that the password is weak in and of itself, but rather that people think they are unimportant, off the beaten track, that it will happen to someone else. This is where they are wrong. Using a technique called password spraying, hackers use automated programs to rapidly try a handful of the most common passwords against large numbers of accounts. It is happening 24x7, 365 days a year, so it is only a matter of time before you are hit.
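Because a spray touches many accounts with only a try or two each, it looks different in the sign-in logs from a brute force against one account. The detector below is an added example, not part of the original post or of any Octiga product; the log format, thresholds and the sample lines are constructed for illustration.

```python
# Added example (not from the original post): pick out the password-spraying
# pattern in sign-in logs. A spray is ONE source failing against MANY accounts,
# a try or two each; a brute force is many failures against ONE account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source_ip> <user> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol FAIL
2024-03-01T09:00:04 203.0.113.7 dave FAIL
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank SUCCESS
2024-03-01T09:05:00 198.51.100.9 alice FAIL
2024-03-01T09:05:01 198.51.100.9 alice FAIL
2024-03-01T09:05:02 198.51.100.9 alice FAIL
2024-03-01T10:30:00 192.0.2.44 bob SUCCESS
"""

def parse(log_text):
    """Yield (timestamp, ip, user, result) for each non-blank line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts": [...], "success_after": [...]}} for sources that
    failed against >= min_accounts distinct users inside `window`, no single
    user more than max_per_account times. One-account brute force is not matched."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        (fails if result == "FAIL" else successes)[ip].append((ts, user))
    findings = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window over failures
            counts = defaultdict(int)
            for t, u in events[i:]:
                if t - start <= window:
                    counts[u] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                # a success from the same source after the spray is the real alarm
                later = sorted(u for t, u in successes[ip] if t >= start)
                findings[ip] = {"accounts": sorted(counts), "success_after": later}
                break
    return findings
```

Running detect_spray(SAMPLE_LOG) flags only 203.0.113.7 (five accounts, then a successful login for frank), while the repeated failures for alice from 198.51.100.9 are left for a separate brute-force rule.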
2) A strong password, but used everywhere - Credential Stuffing
So you now have a strong password. It’s “m2knaKaKatlB*”, derived from the first letters of each word in the sentence “my two kids names are Karl and Kate and They like Big * (stars)”. This is an excellent approach. It’s memorable to you, contains secret knowledge, and includes capitals and symbols. However, you liked it so much you used it for a few sites, including dodgy-garden-gnomes.com and yahoo.com. The problem now is that the well-meaning but much less security-conscious people at the gnome site, and Yahoo, may get hacked and lose all their users’ passwords. Now all sites using the same password are also wide open. These hacks happen frequently, and to big names too (including Yahoo). When usernames and passwords get breached en masse, they get re-distributed amongst the baddies, who then try them against other sites/domains in a technique called credential stuffing.
So by using the same password at Office 365 and dodgy-garden-gnomes.com, you implicitly make the typically reasonably secure Office 365 as weak as the dodgy gnome site. And the more you do it, the higher the risk. So STOP. Make up a new password for EACH site and use a free password manager like LastPass, 1Password, Dashlane or similar to remember them all for you.
Thankfully, for existing passwords, it is possible to safely check your usernames and passwords against these credential stuffing lists. haveibeenpwned.com is reputable and safe to use for this purpose. Make sure you check the URL, and send it directly to your employees to ensure that this, and only this, site is used.
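The reason the password check is safe is that haveibeenpwned.com’s Pwned Passwords service only ever sees the first five hex characters of the password’s SHA-1 hash (its “range” API); the match against the returned candidates is done on your own machine. The code below is an added example of that exchange, not code from the original post or from Octiga; the breached-password table, the filler entry and the count 12345 are constructed so it runs offline, and the live fetcher is included but not exercised.

```python
# Added example (not from the original post): check a password against
# haveibeenpwned.com's Pwned Passwords range API without sending the password.
# Only the first 5 hex chars of its SHA-1 go out; matching is done locally.
import hashlib
from urllib.request import Request, urlopen

def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def pwned_count(password, fetch_range):
    """Return how many times the password appears in breach corpora (0 = not found).
    fetch_range(prefix) must return the API body: one "SUFFIX:COUNT" per line."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def live_fetch_range(prefix):
    """Real fetcher for the public API (network; not called by the offline test)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "hibp-range-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Offline stand-in for the API, constructed for this example: it answers with the
# suffix of "Password1" at a made-up count, plus an unrelated filler suffix, in the
# same "SUFFIX:COUNT" line format the real endpoint uses.
_CONSTRUCTED_BREACHED = {"Password1": 12345}

def fake_fetch_range(prefix):
    lines = ["0123456789ABCDEF0123456789ABCDEF012:3"]  # filler, constructed
    for pw, count in _CONSTRUCTED_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)
```

pwned_count("Password1", live_fetch_range) performs the real lookup; the username/email breach search the post also mentions is a separate haveibeenpwned.com service and is not shown here.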
3) Clicked a link and entered credentials - Phishing
You get a legit-looking email purporting to be from a reputable vendor or site, asking you to come in and do something. It looks important. You click, it takes you to offices.com (note the extra ‘s’), which requests credentials, which you duly enter.
Phishing (and its variants: spear phishing, smishing, whaling, vishing) is one of the hardest attack types to combat because it is a social engineering trick. Again, a human weakness completes the exploit. No matter how we inform and educate employees, eventually they just keep clicking those links.
The best defence is a combination of regular education, anti-phishing policies and anti-spoofing in your Office 365 tenant, using Multi-Factor Authentication, and checking/managing the location of user activities.
4) Wrote password on a yellow sticky note
Then you stuck it to your monitor. You can trust all the people who pass your desk, right? All of them? Forever? What happens if you work in an open office, or the cleaner moonlights as a hacker, or Bob the disgruntled ex-employee decides to “show them” how wrong they were to fire him? The list goes on. Again, the best solution is simply DON’T do this. Use a password manager and MFA.
5) Brute Force
Unless you are using a 30 digit randomised password, then there is always a chance this can happen. Especially if you are someone of importance in your company or outside of it. The risk, however, is low. With a strong password, it’s far more likely that a phishing attack or re-using it elsewhere will lead you to ruin.
Keyloggers are another risk on the lower end of possibilities. Keyloggers are used in targeted attacks where the attacker either knows you personally or targets you specifically. The odds increase if you are a high-value employee (CEO, CFO, accountant, etc.) or if you work in a large or high-value organisation. Keyloggers can use hardware or software (malware) to gather information. Naturally, software versions are the higher risk, since they require only a malware installation to get what they need.
Preventing software keyloggers requires everything from good general hygiene to malware detection and prevention. Update your malware filter policies.
General Preventions and Solutions
Unfortunately, given the myriad of ways that credentials are at risk, the best approach is on many fronts.
- Use a password manager to generate a strong and unique password for every site/domain.
- Monitor remote access events in the audit logs.
- Roll out MFA to high-value and high-risk users and to administrators.
- Update Malware filter policies
- Anti-Phishing Policies
- Anti Spoofing Intelligence
- Ask your employees to check their credentials against haveibeenpwned.com, and act accordingly.
Octiga - An easy All Angles solution?
Octiga to the rescue! Prevent, Detect, Recover
Octiga offers a solution to help you configure many of the above items easily. It’s called Office 365 Prevent. Monitor for changes and dodgy logins using Octiga Office 365 Detect. If you suspect a breach, then come straight to Octiga Office 365 Recover for rapid detection and remediation.