Security can be a challenge. One unprotected port, one unchanged default password, or even one improperly configured item can leave businesses open to vulnerabilities and breaches. With so much to safeguard, it can be easy to miss the one small thing that could leave a crack in the wall. But hackers are persistent, and they’ll keep trying until they finally find the vulnerability you overlooked. “The adage is true that the security systems have to win every time, the attacker has to win once” says Dustin Dykes; a security consultant interviewed in the book by Kevin Mitnick.
To keep systems protected and business-critical data safe, MSPs and their SMB customers need to truly understand how hackers and social engineers think. To get inside the head of these cyber criminals, I recently read “The Art of Intrusion” by Kevin Mitnick. When he was hacker nicknamed Condor back in the ’90s, Kevin hacked numerous organizations like IBM, Motorola, and even the Pentagon. After getting caught and serving jail time, he turned over a new leaf and now acts as a trusted cybersecurity consultant. In his book, Kevin dives into stories of hackers who have spilled their secrets, and he shares his advice on what businesses can do to mitigate cybersecurity risks.
Problems caused by poor password habits
“The first line of defense against hackers is also our weakest: the users themselves and their password choices,” Mitnick explains in the book. While we have all heard it time and time again, the weakest links continue to be users’ passwords. Whether they’re written on a sticky note in plain sight, something that is easy to guess, or simply used repeatedly for a series of sites, passwords are an easy “in” for most hackers. Passwords help hackers easily gain access to confidential information, and when the account has the right privileges—access to almost everything.
One hacker, nicknamed the Comrade, recalled hacking into the U.S. government’s Defense Information System Agency (DISA) and gaining access to its computer system. He recalled: “That computer was sick. It had four processors, 2,000 users had access to it, the Unix file had 5,000 different hosts, and half of them were using privileged accounts….” Comrade didn’t have much time to explore the system because he got caught by the FBI a few days later.
There are a few actions you can take to avoid your customers’ systems getting compromised. This involves monitoring the network or individual hosts for unusual activity, such as attempts to install a back door or decrypt or obtain plain text passwords.
Another hacker, named Gabriel, was able to hack into a small town bank running on Citrix MetaFrame (software that allows a user to access their work station remotely). After an easy search, he was able to pull up an IP address for the bank and access any machine with a 1494 port open. After searching the machines with open ports for documents containing the word ‘password,’ he eventually stumbled upon an administrator password and—even worse—a router with an unchanged default password, which allowed him complete access to the system.
When you’re conducting security audits, either internally or for your customers, carefully monitor any logins using Windows Terminal Services or Citrix MetaFrame. “Most attackers chose to use these services in preference to remotely controlled programs to reduce the chance of being detected” Mitnick explained.
Password best practices to adhere to
Among many other security measures, setting up a secure password is the first line of defense for you and your SMB customers. But, people are often lazy about their passwords. “Many people rely on a single password for every use; if breaking into a web site leads to capturing passwords, the attackers might be in the position to gain access to other systems on the network and do a great deal more damage” Mitnick explained in the book. That’s why it’s important to educate your SMB customers and your staff about these best practices.
Change any default passwords. Keeping default passwords is one of the biggest mistakes a business can make. One forgotten device could lead to the intrusion of your network. Mitnick suggests changing the password prior to the device being used because an easy Google search can bring up the default password to routers, computers, and other devices.
Eliminate role-based accounts or accounts shared by multiple users. Account information should never be shared with another person—whether it is a personal account or shared by multiple users. Creating this separation can eliminate accounts being abused by a disgruntled employee and minimize the risks of passwords being saved on the network.
Create a password that is not easily predictable. Discourage your SMB customers from creating universal or predictable passwords. According to Mitnick, one Fortune 50 company gives each employee a set password for remote access to the company’s intranet. The password contains the username and a random three digit number—and the employee can never change it. Talk about an example of what not to do.
Change important passwords often. Avoid static passwords when protecting critical assets. When creating a strong password, use at least one numeral, symbol, and an uppercase letter. More importantly, don’t use a password on more than one account—if one system gets compromised, repeated passwords could potentially lead to more damage down the road. Mitnick said this is a mistake he sees all the time. “A domain administer will create local accounts on their machine on the network and use the same password for their accounts with domain administrator privileges,” he explained.
Professional tip: If you want to create a hard-to-crack password, Mitnick suggests using characters from the Greek, Hebrew, Latin, and Arabic alphabets because the most commonly used password-cracking programs don’t attempt to search these characters.
Unfortunately, cybercriminals show no signs of slowing down, so it’s important to continually educate your employees and SMB customers on how to safeguard their data. After all, security systems and practices have to win all the time, but hackers only need to get it right once to win big.
The Art of Intrusion
The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
By Kevin Mitnick and William Simon
270 pages. Wiley Publishing Inc. $11.26.
Have suggestions for what we should read next? Tell us which book we should read next on our MSP’s bookshelf.