So what's the underlying problem?
Weak password policies and recycled credentials are a serious problem.
At the same time, this problem is not one that is easily fixed. Humans have developed some bad habits when it comes to passwords and access, and corporate policies that limit complexity and require easily guessed formats further enable these bad habits.
In hindsight, the organizations that were compromised due to the LinkedIn list made plenty of mistakes that proactive measures would have fixed. But singling them out, as if they're something unique, would be a mistake.
Organizations don't track passwords or audit them; users are allowed privileged access without restrictions; two-factor authentication is only sparingly enabled in some cases (assuming it's enabled at all); and security policies are selectively applied.
For example, the Department of Homeland Security banned personal webmail for security reasons. However, DHS Secretary Jeh Johnson was exempted from this ban because he liked to check his personal email from the office.
If that seems like a familiar situation to you, that's because everyone who has ever worked in IT can tell horror stories about how C-Level executives are regularly exempted from security policy.
This is why preventing recycled or easily guessed passwords is such a problem. How can you manage passwords and how they're developed or used, when just getting everyone on the same page policy-wise is challenge enough?