At organisations ranging from small governmental bodies to large Fortune 500 companies we’ve found dozens through to tens of thousands of passwords stored openly on each network. Why does it happen and what can you do about it?
Back in the chilly winter days of November 2014, news broke that a group calling themselves the Guardians of Peace had obtained and leaked stacks of sensitive information originating from Sony Pictures. There were accusations of North Korean involvement resulting from the planned release of “The Interview” and much tutting from experienced security types at the apparently naive security posture of this prestigious corporation.
If you imagine your own organisation’s most sensitive information, Sony Pictures’ version of that information was in there. It was, in other words, the mother lode. Salary information, enough sensitive, personally identifying information to take over a lot of people’s identities, insulting emails regarding minimally talented spoiled film stars, confidential company performance data and even passwords to Sony’s systems and accounts.
“Passwords?” I hear you ask. After all, every company needs to keep its employee / financial / corporate secrets somewhere. Hopefully it isn’t stored all over the place, accessible to everyone, is it? Well, more on that later. But passwords? Who in their right mind sticks passwords in emails, documents and spreadsheets on file shares on a network?
Everyone, it turns out, stores passwords in emails, documents and spreadsheets. Well, everyone in the statistically relevant sense at least. I’m sure there are companies out there where this problem doesn’t exist, but we haven’t found one yet.
So who might these companies be that we can look up to? Many companies now have single sign-on systems or tools for privileged access management, but that doesn’t quite cut it. That one system over there with the command line and the old software that no-one dares turn off doesn’t support single sign-on, does it? Of course, there are companies (like Exonar) whose employees are given a platform-agnostic password manager such as LastPass or 1Password. Maybe in some theoretical company every single employee uses that password manager every single time they are asked for a password.
Back in the real world then… In big companies, given enough employees with enough time pressure to get stuff done, some people will write, send, re-use and type out passwords in spreadsheets, text messages and emails. They do this because it is easier than the alternative, which is to create and securely store complex, unique passwords for each account they need. They unwittingly store those passwords when their BlackBerry, holding a text message containing a password, is backed up to their machine, which is in turn backed up to the network. They store them carelessly when the passwords for some staff on that new external trial system are kept in a spreadsheet. The author meant to delete it after the trial, really he did. They are stored because, often, the user doesn’t know any better, isn’t provided with a better alternative and no-one knows he’s doing it.
How bad is this problem? In our experience, pretty bad. Since the Sony breach, we’ve incorporated password searches into our standard information discovery scans. Across the scale of companies we work with we’ve found dozens of passwords through to tens of thousands of passwords stored on shared storage.
It’s hard to argue that this is anything other than a real and serious vulnerability. Hopefully, we’re now past the point where organisations assume their border security controls can flawlessly prevent unauthorised access to the network. The sensible alternative is to design security as though the attacker is already in the network. So, in this model, an attacker holding any ordinary user’s credentials is very likely to be able to grab these passwords and gain access to customer / critical / sensitive systems.
I always try to imagine the headlines that could be written if a vulnerability is exploited as it helps frame the consequences. To me, “All of Acme’s corporate and security systems taken offline, customer data exposed” seems like a pretty bad morning for all involved.
So what to do about this problem? By breaking the issue down to the three step process of “Discover, Act, Understand” we can start to control the situation and eliminate the risk. There is no reason to restrict this process to just passwords. I mentioned at the top of this article that hopefully your sensitive employee / financial / corporate information is well controlled, but to be honest that is probably even less likely than there being no passwords saved anywhere insecure.
“I just don’t know what we’ve got” says pretty much every CISO / CIO we work with. Visibility of sensitive information is a real barrier to meaningful information security and governance, regardless of what information needs securing or governing.
It’s hard to create change without quantifying the problem. Finding out how big the problem is gives an organisation the imperative to do something now or justification to put the problem off until another day.
The discovery process can be as simple as creating a “data amnesty” for users, where they volunteer sensitive information that is being stored insecurely.
It can take the form of using some manual sampling of files or using the inbuilt, simple search in your operating system.
It could also take the form of getting whoever is managing the network storage to look for files or directories containing the word “password” or one of the common abbreviations.
Robust data is going to be advantageous here. It will help prioritise where to take action and provide sufficient information to quantify the risk.
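The keyword search described above can be scripted so the discovery phase produces the robust data the next paragraph asks for. The following is an added example (not Exonar’s code or the article’s): a Python scanner that walks a share, flags files by suspicious name and by password-like “key = value” lines in text files, records only the location and key (never the secret itself), and scores top-level folders so you know where to act first. The name and content patterns, the text-file extensions and the constructed sample share are all assumptions made for this example.

```python
import os
import re
import tempfile

# Name and content heuristics below are assumptions for this example, not the article's or Exonar's.
NAME_RE = re.compile(r"(password|passwd|pwd|credential|creds?|login)", re.IGNORECASE)
LINE_RE = re.compile(r"\b(password|passwd|pwd|pass|pw)\b\s*[:=]\s*(\S+)", re.IGNORECASE)
TEXT_EXT = {".txt", ".csv", ".md", ".ini", ".cfg", ".conf", ".xml", ".json", ".yml", ".yaml", ".eml", ".log"}

def scan_text(text):
    """Return (line_no, key) per password-like assignment; the secret value itself is never recorded."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if (m := LINE_RE.search(line)) and m.group(2).strip("'\"").lower() not in {"", "none", "null", "<redacted>", "changeme"}:
            hits.append((no, m.group(1).lower()))
    return hits

def scan_tree(root):
    """Walk a share; list (relative_path, name_flagged, content_hits) for files worth review.
    Only modest-sized text files are read; spreadsheets, archives and device backups need a separate pass."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, name_flag, hits = os.path.join(dirpath, name), bool(NAME_RE.search(name)), 0
            if os.path.splitext(name)[1].lower() in TEXT_EXT and os.path.getsize(path) <= 2 * 1024 * 1024:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = len(scan_text(fh.read()))
            if name_flag or hits:
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), name_flag, hits))
    return findings

def prioritise(findings):
    """Score per top-level folder (content hits plus one for a suspicious name): where to act first."""
    score = {}
    for rel, name_flag, hits in findings:
        top = rel.split("/")[0]
        score[top] = score.get(top, 0) + hits + int(name_flag)
    return score

def build_sample_share():
    """Write a constructed sample share (not real data) to a temp dir so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "it/trial-system-logins.txt": "Trial accounts\nalice password: Summer2014!\nbob pwd = Winter2014?\n",
        "finance/db.cfg": "host=db01\npassword=s3cret\n",  # bland file name, secret in the content
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run scan_tree() against a real share root using an account with ordinary read access, since that is the view an attacker inside the network would have. A file flagged on name alone still needs a human look, because spreadsheets and mail archives are not parsed here.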
We’ve developed the Exonar platform specifically for this purpose — to show you where your sensitive data is, what it is and who can access it.
We’re always happy to help out with these initial scans, whether they are to discover where passwords exist within the content of all of your documents or a broader remit. If finding out quickly where all of your sensitive information lives is a priority, our consulting partners can make this process thorough, painless and effective.
Okay, enough of the Exonar advert. However you decide to tackle the discovery process, the output should be a document that quantifies the issue and the risk it poses to your organisation, contextualises the risk in terms of reputation, regulation and cost, and provides recommendations to resolve the problem.
Having quantified the problem through the discovery phase (assuming there is a problem), you’ll be thinking about how to change the behaviour that is causing the problem. A policy and some guidelines will be critical.
How should I store my passwords if I can’t put them in a spreadsheet? Does “Passwords should be securely stored” mean it’s okay to store them in a password protected spreadsheet? The more practical and usable the advice, the more likely you are to eliminate the behaviour that is creating the risk.
This is where the understand phase begins. Being able to pinpoint whether behaviour is changing and where modifications need to be made to guidelines, or extra help provided to particular areas of the business will likely be the difference between success and failure.
This process could be as lightweight as incentivising individuals to report passwords found on the network, then tracking where these reports are turning up. Again though, robust data will help you effect change more rapidly. Having a tool (cough like Exonar’s cough) that can monitor where problem areas exist will be a huge boon when it comes to comparing and contrasting the success of the initiative.
“What’s the ROI?” always feels like a tough question in the context of security or risk. After all, do we invest in that slightly squishy tarmac at children’s play areas because fewer broken limbs among the under-12s boost the economy?
However, this is a rare case where reducing risk is also likely to have a positive impact on productivity and cost. As part of this process, you’ll quickly find what is technically known as U.O.C. (Useless Old Crap) in every corner of your storage, squirreled away, just in case. Well, begone, UOC: those piles of over-winter information nuts are costing money to store, increasing the attack surface and preventing your employees from finding the useful information they need to be productive. We find duplication, and lots of it (the range is 30% to 47% as of now), whenever we scan network storage.
So, don’t delay, go and ask Bob, Beatrice or whoever where they keep those passwords. If they choose to admit it, chances are they are writing them down, re-using them or fibbing. But Bob wouldn’t fib to you, would he?