Passwords, Phishing and the Dark Web
Matthew Locker, a Cyber Security Consultant at Apstorm has shared his ideas on how law firms can remain compliant in the modern world.
In today’s digital society, passwords have become a necessary evil and are the guardians of some of our most important information, e.g. online retail, banking, email accounts, customer contact databases, social media platforms, the list goes on and unfortunately it continues to grow.
Passwords what’s the risk?
In a 2020 study by Nord Pass it is claimed the average person has 70 passwords!? Which seems a lot, but even at half that size, which is realistic, it posses a significant challenge to remember them all.
Another 2020 survey by Digital Guardian of 1000 people found that on average 61% of people used the same password for multiple applications. Not surprising with the amount we have to remember! However, it found password strength is getting better, with 56% of people creating more than just a word, probably driven by service providers enforcing the use of complex passwords.
The Dark Web
So, perhaps we are overloaded with passwords and maybe we are not great at managing them, but are they that important and should we care?
Well, in a “Dark web audit” the Digital Shadows, Photon Research Team identified 15 billion stolen logons.
Concerningly the average traded price for a stolen logon in the dark web was £12.32, with more valuable credentials like bank account details fetching an average of £56.65, and some reaching circa £400, depending on how recent they were and the number of funds available.
On the website have “I been pwned?” https://haveibeenpwned.com/ users can enter their email address and see if that account has been compromised and on which sites. The site has over 10 billion accounts that have been compromised on nearly 500 websites.
How do passwords get stolen?
The obvious way is that hackers break into websites and databases by exploiting vulnerabilities, there are an array of tools available both legitimately and illegally. Nowadays, you do not have to be a computer genius to do hacking, lowering the bar for would-be entrants. If you are using the same password across multiple applications a hacker can take your credentials from a poorly secured website and use it to access a more valuable, well-defended one, e.g. an online retailer.
Phishing for credentials
The other way of illegally gaining passwords is Phishing, this is the practice of sending out fake emails that mimic a real brand or person, the user then thinks they are interacting with that entity, the more convincing it is the higher the success rate. The Covid19 pandemic has created a huge increase in online shopping and home working. From the Phishers perspective, all they have to do is “lure” the user to click a link and they can insert either malware on to their device, gaining access to it, or take the user to a page where they enter their user name and password and “Hey presto”, they have the credentials.
Steps to protect ourselves and our employees
Staff naivety and error are a serious cyber risk but is easy to address. Having internet and email policies is the way to start and examples can be found and purchased by searching for them on the internet.
There is also free training from the National Cyber Security Centre (NCSC) available specifically for staff, which can be found here: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available . The training covers the areas discussed in this article and is about 30 minutes long. The NCSC also have downloadable infographic posters that can be displayed around the office as a reminder.
Beyond this, commercial tools are available that can simulate Phishing emails to see how susceptible staff are. Reports are sent to management and update training provided via video to remediate the issue.
Passphrases are harder to crack than passwords and longer. Take three or four random words and combine them, E.g. sofa-fiat-amazing-calculator, according to security.org it would take 1 hundred decillion years to crack that password.
Two Factor Authentication
Unfortunately, passwords entered into a phishing scam or if a website gets breached, still leave staff vulnerable. The best way to protect passwords is to create two-factor authentication (2FA), a code is created that can be sent as a text message or via a smartphone app making that logon unique. Many commercial systems offer this inbuilt and turning it on significantly increases the security of that application.
Identity Access Management / Password Management
The next generation of secure passwords comes in the form of Identity Access Management (IAM), a system that looks after all the user’s passwords. It can create huge (50+ random character) passwords that change frequently if needed. All that is needed is one logon to the system, which can use 2FA to make it as secure as possible, it opens up all the applications seamlessly when you need them.
Passwords continue to remain one area of weakness in our security posture. Although it is also an area that is easy to significantly improve, with user education, policy reinforcement and possibly some technology to help, the risk can be reduced.
Apstorm and the legal Sector
The legal sector has specific security challenges; sensitive client information, portability of that data and remote working, data that is stored in structured (Databases) and unstructured (Documents and Folders) formats, making data governance and information security an issue. On top of this, it is a sector in digital transformation, from paper to digital and from digital to the cloud.
Apstorm can help in many ways and historically our staff have done work for several legal firms. If you have any questions or areas you would like to discuss, please contact us on [email protected] or visit www.apstorm.co.uk