[BreachExchange] Security Officers, Are Your Employers Practicing Good Habits from Home?

Destry Winant destry at riskbasedsecurity.com
Mon Oct 12 10:33:04 EDT 2020


https://www.darkreading.com/vulnerabilities---threats/security-officers-are-your-employers-practicing-good-habits-from-home/a/d-id/1338986

Even if you can't see your employees in the office, they still need to
be reminded that criminals are always trying to spot a weak link in
the chain.

When the world shifted to working from home, criminals pounced. Never
wanting to miss a chance to capitalize on people in a time of
weakness, they stepped up their phishing attacks, created fake
COVID-19 information sites, and spoofed government health sites in
efforts to access potentially valuable account information.

While those types of attacks and scams have been around for years,
people have been more exposed these last few months. With schools
closed, students have switched to online learning programs and video
calls. Parents find themselves sharing their work laptops with kids to
do their schoolwork and join virtual classes. All of a sudden, family
and personal accounts for Facebook, Nintendo, Xbox, and Netflix are
right alongside office tools like Zoom, Microsoft Office, and
corporate email clients.

In some cases, parents have used their work email to create new
accounts for their children. They may have even reused the same
passwords and shared the credentials with the family. It's easy to
imagine parents letting their kids use company Zoom credentials for
school calls, and then someone goes and reuses the same login and
password to create a Fortnite account.

Then there's the huge boom in online shopping to think about. With
stores closed, consumers have turned to e-commerce to get products
delivered. In the first half of the year, online spending with US
retailers grew 30% — up $60.4 billion — compared with the same period
last year, according to the US Department of Commerce. As shoppers
have placed online orders with grocery and retail stores for the first
time, it's also easy to imagine how many new accounts have been
created with reused work credentials — and then shared with family
members.

Although security experts recommend using unique passwords for each
account, the prevailing practice for most people is to reuse passwords
across multiple sites. In fact, SpyCloud's report on password reuse
among Fortune 1000 employees found that 76.5% have reused the same
password paired with their corporate email on more than one breached
account. With the shift to e-commerce likely permanent, along with the
continued acceptance and prevalence of remote work, the consequences
of those reused and shared logins have staying power.

Criminals love this. If a login and password is ever stolen in a data
breach, the information will eventually circulate on Dark Web
marketplaces where bad actors buy and sell breach data. Those breached
credentials are then available to criminals for credential stuffing,
where credentials are tested against other sites to see which
additional accounts they can take over. Some criminal tools can even
test for common password variations, like changing certain letters to
numbers (Password vs. P at ssw0rd) or adding numbers or symbols to the
end of a word (password123). If a password has been exposed in one
data breach, any other account with a variation of the same password
is at risk.

That's exactly what happened to Nintendo account holders earlier this
year. On April 24, the company confirmed that attackers were able to
access 160,000 Nintendo accounts that were vulnerable because people
used passwords that had been exposed in previous data breaches. The
criminals behind it were able to extract specific billing and account
information from the breached accounts, including rewards points,
Nintendo Store, and Nintendo eShop balances, PayPal subscription IDs,
credit card types, card expiration dates, currency denominations, the
first six digits of the credit card numbers, and the last four digits
of the credit card numbers.

So, now what happens when your employee's 10-year-old has one of their
online accounts exposed in a breach, and your employee has set up the
account with their corporate email and password? Suddenly, the risk to
sensitive company email skyrocketed. At work, the company can monitor
corporate credentials for breach exposures to keep attackers locked
out of work accounts, but when employees reuse exposed passwords
across personal logins, they can create a dangerous blind spot for
corporate security teams.

Security awareness education — and constant reminders — are necessary.
Share relatable scenarios like the ones in this article to teach the
dangers of reusing passwords and the need for smart and safe online
habits. It may be awhile yet before offices reopen en masse, which
means the threats from intermingling personal and professional account
credentials will continue. And even after we start going back to the
office, criminals will be lurking, waiting to exploit our bad habits.

Security leaders, stay vigilant. Even if you can't see your employees
in the office, you need to tell them that criminals are always trying
to find a weak link in the chain.


More information about the BreachExchange mailing list