As password policies become ever-stronger, users have a more difficult time committing them to memory. The most popular workaround is password reuse, a technique that hackers can leverage to breach your systems and services—as easily as those you hear about in the headlines.

When you’re catching up on the news, it’s become all too common to see stories about new breaches—all of which result in the theft of customers’ personal and financial information from businesses of all sectors. If you’re a regular reader of my column, you’ve probably gotten past the fallacy of thinking “that can’t happen to me”, but there’s still something very detached about it all. Even when you get a letter or email notifying you that your information has been stolen from an online service you use, it happens so often that you have a hard time seeing the urgency.

Unfortunately, as a stakeholder in your business, there could be urgency in every breach—even when it involves companies with no direct relationship to your own organization. You and your employees have accounts on systems across the Internet. Some of these sites may be work-related, such as those run by your vendors. Others, such as web-based email, social networking, and streaming media, are personal. A breach in any of these services represents a threat to your business as well, even in services that are strictly for personal use and never touched at work.

The issue I’m talking about here is password reuse. As password policies demand longer and more complex strings of numbers, letters, and symbols, users have a more difficult time committing them to memory. Most individuals will commit one password, maybe two, to memory, and then reuse them across multiple services and systems. Password reuse is a dangerous practice. Attackers are well aware of this aspect of human nature and take advantage of it.

If they are able to obtain a user’s password for one service, they will soon try that same password on every other one of the user’s systems and services. Breaches of large companies are often leaked onto the public Internet after the attackers have rinsed all the profit and intelligence they wanted to gather. This covers the attacker’s tracks by making it less suspicious to find the data on their own drives in the event of forensic analysis, and by having other attackers generate a lot of network activity and fraud related to the data. These attacks will spread to your business’ systems as well; of that you can be sure.

On most of the penetration tests we conduct, we demonstrate to our clients how the database of breach credentials we have collected can be used against them. It’s common to find that employees were victimized in the LinkedIn breach of 2012, and that their corporate email accounts make use of the same password. How many of your employees have been victimized in recent years’ breaches? And how many of those reuse passwords across multiple systems?

This can be a difficult problem to address. Password length and complexity requirements do not prevent people from using the same password on their social media accounts. At a minimum, you should have a stated policy, backed by user education, that employees’ passwords are not to be reused outside of the organization. This can be supported with training in password management tools, such as KeePass, that make juggling multiple passwords a lot easier for the user. Requiring users to change passwords periodically may help matters, but if you do it too frequently, users will tend towards predictable schemes for modifying their reused password each time. Checking employee accounts against collected breach databases should be part of your penetration test.

The next time you read about a new high-profile breach, don’t just ask “what’ll I do when it’s me?”. Address the impact that breach will have on you.
And take action.
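The check the column recommends, employee credentials tested against a collected breach database, can also run at password-change time so that a reused or trivially rotated password is rejected before it is ever set. The Python below is an added example, not code from the column or from HORNE Cyber. It hashes a constructed sample corpus into the five-character-prefix "range" layout used by k-anonymity lookups (a client reveals only a hash prefix, never the password or the full hash), and additionally indexes a case-folded stem with trailing digits and symbols removed, which is how it catches the Summer2017 to Summer2018 style of rotation the column warns about. The corpus values, the stem rule and all function names are assumptions made for illustration.

```python
"""Breach-corpus password check with rotation-variant detection (added example)."""
import hashlib
import re

# Constructed sample corpus: strings standing in for credentials an organisation
# has collected from public breach dumps. Made-up values, not from any real leak.
CONSTRUCTED_BREACH_CORPUS = [
    "Summer2017",
    "Welcome1!",
    "letmein",
    "P@ssw0rd",
    "linkedin12",
]

# Trailing digits and common symbols are what users append when forced to rotate.
_TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._\-]+$")


def sha1_hex(value: str) -> str:
    """SHA-1 as uppercase hex, the form breach corpora are commonly distributed in."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def stem(value: str) -> str:
    """Reduce a password to the core a user keeps across rotations:
    case-folded, with trailing digits/symbols stripped ('Summer2018' -> 'summer').
    Assumption: this covers the append-a-number-or-year scheme; an all-digit
    password keeps its full value so the stem is never empty."""
    core = _TRAILING_JUNK.sub("", value)
    return (core or value).lower()


def build_indexes(plaintexts):
    """Return (exact_index, stem_index). Each maps the first 5 hex chars of a
    SHA-1 to the set of remaining 35 chars, mirroring the k-anonymity 'range'
    layout so a lookup client only has to disclose a hash prefix. The stem
    index is keyed on sha1(stem(p)) so trivial variants are caught as well."""
    exact, stems = {}, {}
    for p in plaintexts:
        for index, text in ((exact, p), (stems, stem(p))):
            h = sha1_hex(text)
            index.setdefault(h[:5], set()).add(h[5:])
    return exact, stems


def lookup(text: str, index: dict) -> bool:
    """Prefix/suffix membership test against one range index."""
    h = sha1_hex(text)
    return h[5:] in index.get(h[:5], set())


def assess_password(candidate: str, exact_index: dict, stem_index: dict) -> str:
    """Classify a candidate against the corpus:
    'breached' (exact match), 'variant_of_breached' (same stem), or 'ok'."""
    if lookup(candidate, exact_index):
        return "breached"
    if lookup(stem(candidate), stem_index):
        return "variant_of_breached"
    return "ok"


EXACT_INDEX, STEM_INDEX = build_indexes(CONSTRUCTED_BREACH_CORPUS)


def accept_password(candidate: str):
    """Password-change policy hook: reject anything found in, or a trivial
    variant of, a breached password. Returns (accepted, reason)."""
    verdict = assess_password(candidate, EXACT_INDEX, STEM_INDEX)
    if verdict == "ok":
        return True, "not found in breach corpus"
    return False, f"rejected: {verdict}"


if __name__ == "__main__":
    for pw in ["Summer2017", "Summer2018", "LETMEIN", "correct horse battery staple"]:
        print(f"{pw!r} -> {accept_password(pw)}")
```

Building both indexes from hashes rather than plaintext means the corpus can be distributed to the systems that enforce the policy without shipping the leaked passwords themselves, and the stem index is what turns a one-time breach check into one that survives the predictable "bump the number" rotation the column describes.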