Information Security Pros Must Act After Password Leaks on Other Sites
Information security professionals are often so focused on protecting the hardware and data for which they are responsible that they are out of the loop on recent developments at other organizations in the security industry. Many are overworked and do not have adequate time to pay close attention to what is going on outside their realm of responsibility, other than, perhaps, when they attend conferences or industry group meetings, or come across an item of interest in the news.
While it may sound reasonable that information security professionals at a bank in California, for example, would not spend much time reading up on a breach at an online dating site in New York, there is one particular, often neglected, action that is acutely needed after such a breach:
If a credential database leaks, you should check that the credentials (typically username-password or email-address-password combinations) are not valid for gaining access to your own sites.
It’s no secret that a lot of people reuse passwords between sites, so the theory behind this rule is clear. But the risk is not merely theoretical – there have been many instances of accounts compromised by the use of passwords obtained from other systems.
Over the past few weeks, several such high-profile accounts have been broken into, including Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts, which are believed to have been vulnerable to takeover because Zuckerberg reused his old LinkedIn password on those sites, and LinkedIn suffered a password leak. Twitter also confirmed that some passwords within a large list of alleged Twitter passwords that appeared online might have been real, but that they came from other break-ins and not from a Twitter breach.
These and other episodes highlight an important concept: after any leak of passwords or other sensitive information, even organizations seemingly unaffected by the leak may be at increased risk of some users’ passwords being compromised. So when a password database surfaces online, it may be wise to check whether any credentials in it match those used by your system. (I am not going to enter here into the discussion about whether a leaked password database should be treated as stolen property and deemed illegal to possess; as things stand now, once such a list is widely available to criminals and shared online, it is appropriate for security professionals to confirm that no credentials within it match those used on the systems that they are tasked to protect.)
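One defensive way to run the check described above, as an added example that is not part of the original article: each leaked identifier is looked up in your own user store, and only the leaked password for that one identifier is verified against that one account's stored hash, so nothing is brute-forced and no plaintext passwords are stored. The user store, the leaked list, and the use of PBKDF2-HMAC-SHA256 are constructed assumptions for the demo; substitute whatever password hash your system actually uses.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed demo data only: no real accounts or leaked credentials appear here.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_user_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a salted-hash store (email -> (salt, hash)) from plaintext; demo only."""
    store = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store

def find_reused_credentials(leak: List[Tuple[str, str]],
                            store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Return local accounts whose current password equals a leaked pair.
    Only the leaked password for a matching identifier is tried, and only
    against that one account: a one-to-one check, not a brute-force run.
    """
    hits = []
    for email, leaked_pw in leak:
        key = email.strip().lower()          # normalise the identifier
        record = store.get(key)
        if record is None:
            continue                         # identifier unknown to us; nothing to test
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            hits.append(key)                 # this user reused the leaked password
    return sorted(set(hits))

def demo() -> List[str]:
    store = make_user_store({
        "alice@example.com": "correct horse battery staple",
        "bob@example.com": "hunter2",
    })
    leak = [  # constructed "leaked" records
        ("alice@example.com", "correct horse battery staple"),  # reused: flag
        ("Bob@Example.com", "not-his-password"),                # different password
        ("carol@example.com", "whatever"),                      # not one of our users
    ]
    return find_reused_credentials(leak, store)

if __name__ == "__main__":
    print(demo())  # ['alice@example.com']
```

Accounts returned by `find_reused_credentials` are the ones to force through a password reset (and, where available, a step-up to multi-factor authentication); the leaked list itself should be handled as sensitive data and discarded once the check is done.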
Of course, you should also be educating your users about reusing passwords on sensitive systems, but as we all know, some people will reuse passwords no matter the training. Bear in mind also that you should be using multi-factor authentication for users on sensitive systems, though it may usually not be feasible to utilize this for every system.