“Davey Cameron is a Pie”. There, said it. It means very little in itself, but does reflect a major problem with our political parties within the UK. They all fail to ‘Secure the human’ and reduce their insider threat. This statement isn’t so much an attack on the Prime Minister of the UK as a reflection of the poor security of MPs and their cohorts.
The Pie-Minister (sorry) isn’t the issue here, but the ridiculous attachment to Social Media between political parties and the proletarians. Twitter feeds lit up as citizens noticed that Jeremy Corbyn’s Twitter feed broadcast profanities (unsavoury) and pie references (savoury). It was hard to comprehend why, if you had the skills and knowledge to hack a Twitter account, you would expend that effort on just making 3 or 4 nonsensical statements.
The answer comes down to poor process, a lack of security controls and the weakest link in most business processes, the human. The Corbyn account hadn’t been hacked, but merely hijacked in high jinks.
Someone within the communications team had logged into a random computer in a Berlin Hostel. They had used a privileged account to perform some social media task and then they failed to log out of the account. Subsequently someone else found the machine still logged into Twitter and took an opportunist punt. It’s not clear why this task was being performed late at night from an overseas hostel. Nor is it clear why this wasn’t detected as an unusual activity and prevented in the first place. One can only assume said person is no longer in employment.
The impact of this is that no one has actually broken any law. There have been no Data Protection Act breaches, nor does the Computer Misuse Act come into play. The harm is purely reputational, something that is hard to translate into a quantitative figure. Without that translation it’s very hard to get funding to reduce risk.
Secure the Human
Securing the human factor is always hard. We are after all the weakest link. We aspire to educate our staff not to do silly things, but we also have to expect that they will. The likelihood of the ‘pie incident’ above could have been reduced with a good and enforced Social Media policy combined with appropriate staff training.
Information Security (or Information Governance) tends to be the smallest part of any company’s induction. Most healthcare public sector organisations will also insist on annual retesting, but this only equates to a half-hour, 20-question multiple-choice ‘quiz’. This actually only equates to 1/3840th of the standard employee’s work effort per year.
A business case to improve security in a company looks impressive when you are spending thousands on shiny new ‘tin’ or on Security as a Service from the ‘cloud’. Perversely, the number of 0’s seems to ooze management speak for the amount of protection that is being purchased. Yet spending a fraction of that on disrupting important projects and taking the staff out for security training is unattractive.
Therefore, it should come as no surprise when someone does something ‘stupid’.
And speaking of ‘Stupid’
The annual survey of the most common (and weak) passwords has just been published by SplashData. Every year they compile a list of ‘stolen’ credentials, leaked onto Tor or simply shared on PasteBin and other data sharing websites.
Most common passwords Jan 2016, as compiled from stolen/released data sets
- 123456 (Unchanged)
- password (Unchanged)
- 12345678 (Up 1)
- qwerty (Up 1)
- 12345 (Down 2)
- 123456789 (Unchanged)
- football (Up 3)
- 1234 (Down 1)
- 1234567 (Up 2)
- baseball (Down 2)
- welcome (New)
- 1234567890 (New)
- abc123 (Up 1)
- 111111 (Up 1)
- 1qaz2wsx (New)
- dragon (Down 7)
- master (Up 2)
- monkey (Down 6)
- letmein (Down 6)
- login (New)
- princess (New)
- qwertyuiop (New)
- solo (New)
- passw0rd (New)
- starwars (New)
It’s good to see the old favourites are all still there. Most of the ‘New’ entries are recurring, regular weak passphrases. There is one good sign in there – the use of ‘Solo’ and ‘starwars’. This does at least reflect that people are changing their passwords every few months. For the fans of the franchise, I hate to have to inform you that ‘princess’ isn’t there due to Ms Leia Organa. It’s just another recurring passphrase, presumably for the huge fanbase of 1970s British Leyland cars.
This list is also a good insight into human psychology. People will pick easy passwords as they are easy to remember or type. Our staff need to be advised and trained into using a secure passphrase. Technology and adoption of alternate authentication systems haven’t negated the need for strong passphrases yet, so foremost we need to educate and improve the security in the person.
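Training works better when the system also refuses the obvious choices. The sketch below is an added example, not part of the original post: it screens a candidate password against the 25 entries listed above and goes beyond exact matching to catch the decorated and look-alike variants people reach for. The function names and the substitution map are assumptions made for illustration.

```python
import re

# The 25 entries of the list above, as printed on this page.
COMMON = frozenset("""123456 password 12345678 qwerty 12345 123456789 football
1234 1234567 baseball welcome 1234567890 abc123 111111 1qaz2wsx dragon master
monkey letmein login princess qwertyuiop solo passw0rd starwars""".split())

# Assumed look-alike substitutions; extend to match local policy.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def variants(candidate):
    """Yield normalised forms that users tend to regard as 'different'."""
    base = candidate.strip().lower()
    # Drop digits/symbols stuck on either end: "Football2016!" -> "football".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    yield base
    yield core
    # Undo look-alike substitutions: "p@ssw0rd" -> "password".
    yield base.translate(LEET)
    yield core.translate(LEET)


def screen(candidate):
    """Return the reason a candidate is rejected, or None if it passes."""
    base = candidate.strip().lower()
    if len(set(base)) <= 1:
        return "empty or single repeated character"
    # Generalises 1234, 12345, ... to any run cut from 1234567890 repeated.
    if base.isdigit() and base in "1234567890" * 4:
        return "ascending digit run"
    for form in variants(candidate):
        if form in COMMON:
            return f"variant of listed password '{form}'"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any leak.
    for pw in ["Football2016!", "P@ssw0rd1", "0000000", "123456789012",
               "correct horse battery staple"]:
        print(f"{pw!r:32} -> {screen(pw) or 'accepted'}")
```

A check like this belongs at the point where a password is set or changed, so the person gets the explanation at the moment they make the choice.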
So where does this leave us?
The short answer – training and education. It is a fine balance of investment in your staff against your organisation’s risk appetite. Train your employees to use current Best Common Practice (BCP) and take time to explain to your employees why this is so important. Let them know the impact of when it goes wrong and how they can protect your business and themselves. Secure your brand – secure the human.