If you turn on the news, chances are they will be reporting on the latest big breach of a website, database, or company. Unfortunately, breaches are commonplace today. Occurring through phishing emails, third-party website breaches, and the issues associated with poor security practices in storing user data (but that's another lengthy conversation for another time).
What are third-party websites?
A third-party website is a site that is indirectly involved in an interaction between two primary parties.
For example, when you make a purchase from an e-commerce site, there are only two parties involved in this transaction from your perspective; you and the website you made your purchase from.
However, that e-commerce site relies on a network of third-parties such as payment processors, a CRM, and delivery service to fulfill your order. Each one of these third-party's touches your data without any direct interaction with you.
Database breaches can lead to a lot of headache for us as end users and can be impossible to protect against since our data is in hundreds, if not thousands, of places (databases). When these services are compromised so is our Personally Identifiable Information (PII) which includes our names, birthdays, passwords, account numbers, etc.
To help safeguard against credential theft, some recommendations suggest a certain number of characters and other complexities when configuring a password. These recommendations are always changing. In fact, the National Institute of Standards and Technology (NIST) just got away from suggesting that passwords use special characters, expiration time limits, and uppercase and lowercase characters for passwords. This is supposed to help remember passwords and to reduce password reuse.
Following old advisories can lead to easily forgotten passwords, or even worse, password reuse across multiple sites. These tendencies have led NIST to recommend that passwords NOT be changed unless they are part of a breach; but it tends to be difficult to know when a violation of that password has occurred.
Due to the massive number of breaches, the most common information for sale on the Dark Web are passwords associated with an email account. A typical price range for a set of stolen credentials ranges from $1-$8, depending on several factors and are simple to purchase by nefarious actors.
Breaches can also include PII such as name, social security number, other email addresses, mailing address, date of birth, etc.
Now all of this begs the question – why does it matter to my organization? Why does it matter to me?
A study conducted on the Psychology of Passwords indicated that among a group of 2000 users, 59% of those users mostly or always use the same password or a variation of the same password. This reuse is mainly due to forgetting the password and wanting to be in control of every password. 47% say they had no difference between passwords created for a work environment vs. a personal account. So, if your password is stolen from one service, say, the place you do your online shopping, the adversary now has access to your banking and work accounts since the accounts use the same password.
An astounding 81% of data breaches in 2017 involved weak, reused or stolen credentials – up from 63% in 2016. Often an end user doesn’t suspect they would be a target of any type of cyber attack, but the access that a single password can offer if reused across personal and work accounts can be devastating.
It’s easy to gather information as a criminal actor and piece bits of information together to gain access to a system.
The most vigorous defense against compromised passwords is user awareness training. Once users are aware of the implications of reusing passwords in a work environment or using weak passwords it may lead to better password hygiene. Password manager use is also on the rise, but they are not without their vulnerabilities.
With the latest NIST recommendation, one should change their password when the password is compromised. To gain insight into your credential theft, various Dark Web monitoring services will actively monitor dark web activity for hits against an organization’s domain, and alert to the email address and pieces of information referenced in the sale.
It’s crucial to view cybersecurity as layers of security, and monitoring passwords are a critical bit of that layer.
Originally published on 01/03/2019