SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a Junior in College, have competed and won in multiple Capture the Flag events, competed in the Indiana CCDC for two years, and am the founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Tuesday, August 16, 2011

Default Password Policies and Their Failure to Secure Clients

Hello,
I have been doing some research into the effectiveness of default password policies and the protection they offer clients. An example I can give is a password that incorporates parts of the connection owner's name and serial numbers from some hardware being used for the actual connection to their internet. You don't need to social engineer the network owners to narrow down the possibilities. In fact, in most cases a simple word list and a good GPU are enough to defeat the security efforts of the company in question.

The problem with using names as part of your company's default password policy is that it leaves the attacker a very narrow range of candidates to work through to break the password. An attacker need only visit the Census website and download the list of 88,000 last names. This list is already sorted from the most common names to the least common, which makes a wordlist-based attack on clients' passwords faster and more effective. Company password policies need to be far less predictable if brute force and word list attacks are to become infeasible. Relying on the encryption protocol being slow enough to thwart brute forcing is not an effective security strategy.

Another point: if a client is broadcasting a device's default name, you can be reasonably sure that under most circumstances the following will be true. 1) The person most likely is not tech savvy enough to change the settings themselves, or simply did not bother to. 2) The default password will most likely still be in use. 3) The client will most likely not be able to recognize that an intrusion of some sort has occurred.

Some effective means of thwarting these attack vectors would be to incorporate the following. 1) Make the default password policy more secure (upper case letters, lower case letters, numbers, and symbols). 2) The password must be a minimum of 12-14 characters to make brute forcing an almost impossible task. 3) Educate your clients on why it is important to change the password to something different from the default.
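As an added example (not from the original post), the following Python puts numbers on the point above about name-plus-serial defaults and checks a proposed default password against the hardened policy just listed. The customer record, the 4-digit serial suffix and the 88,000-entry surname list size are assumptions for illustration.

```python
import math
import re
import string

# Constructed sample customer record (hypothetical name and serial, not from the post).
CUSTOMER = {"last_name": "Anderson", "modem_serial": "SN48213907"}

# Size of the Census surname list the post refers to.
SURNAME_LIST_SIZE = 88_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def default_policy_keyspace(surnames=SURNAME_LIST_SIZE, serial_digits=4):
    """Keyspace of a default password shaped like <surname><serial digits>.
    Returns (combinations, bits of entropy)."""
    combos = surnames * 10 ** serial_digits
    return combos, math.log2(combos)

def random_policy_keyspace(length=12, alphabet=ALPHABET):
    """Keyspace of a uniformly random password of the given length."""
    combos = len(alphabet) ** length
    return combos, math.log2(combos)

def policy_violations(password, customer, min_length=12):
    """Reasons a proposed default password fails the hardened policy:
    minimum length, all four character classes, and no reuse of the
    account holder's surname or digit runs from the hardware serial."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
               "digit": string.digits, "symbol": string.punctuation}
    missing = [name for name, cls in classes.items()
               if not any(c in cls for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if customer["last_name"].lower() in password.lower():
        problems.append("contains account holder's last name")
    serial_digits = re.sub(r"\D", "", customer["modem_serial"])
    # Any run of four consecutive serial digits reused in the password is a giveaway.
    if any(serial_digits[i:i + 4] in password for i in range(len(serial_digits) - 3)):
        problems.append("contains digits from the hardware serial number")
    return problems

if __name__ == "__main__":
    print("default policy bits: %.1f" % default_policy_keyspace()[1])
    print("random policy bits:  %.1f" % random_policy_keyspace()[1])
    print(policy_violations("Anderson3907", CUSTOMER))
```

The name-plus-serial scheme yields under 30 bits of entropy, while a 12-character random password from the full printable set yields about 79 bits, which is the gap the stricter policy closes.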

Another important factor is WiFi networks. If your company has a default policy for the WiFi network name, it shouldn't include any identifying information that links it to the real-life owner of the account. A broadcast default WiFi network name is a major target for an attacker, who knows that one of the aforementioned vulnerabilities will most likely be in place. Broadcasting something as important as the last 4 digits belonging to the WiFi account holder is also a dangerous thing to be doing. This should NEVER occur. Anyone within WiFi range can exploit those publicly broadcast digits for their own gain, especially if they can manage to get into the vulnerable personal network in question.

So all in all, passwords have gained much needed complexity as time has progressed, but the security standards of corporations are still way too lax. We cannot allow clients to be vulnerable to attack solely so that the company is not inconvenienced for even the smallest amount of time. Improving the security standards of your corporation is a must, or you will see a major public failure that will destroy your reputation as a company worth going through.
