Cybercriminals Now Targeting Unemployment Benefit Claims
… a relay for spam, as command-and-control servers for ransomware or to perform other attacks.
“Defacement of these sites leads to loss of reputation and business for the organization,” he said. “The worst, of course, are the ones that end up in data breaches. Getting hacked by these tools can lead to legal action and even business shutdowns.”
In many cases, organizations don’t understand how to block these attacks, Richabadas said. They may also lack the time or personnel to keep sites patched and defended. For a long time, website protection has been a lower priority for organizations, though that’s changing rapidly.
“The top two things that can be done are better logging/visibility with a SIEM, and implementing web application protection with a WAF or WAF as a service,” he said. “Without proper visibility, you don’t get a clear understanding of the risks. A WAF can block attacks, including zero-day attacks, and provide the IT team with time to test and patch new vulnerabilities.”
ID Agent: Poor Passwords Still Major Cause of Breaches
Just this week, more than 3 million customers of a U.S. car service had their details exposed when a cybercriminal posted them to the dark web. The leaked data spanned a wide range of fields, including more than 93,000 bcrypt-hashed passwords. Hashing slows offline cracking but does not stop it: when the underlying passwords are weak or common, even bcrypt hashes are recovered quickly by dictionary attacks.
This is just another example of poor password security causing data breaches. In 2020 alone, more than 81% of data breaches were due to poor password security. And hackers dropped more than 22 million records on the dark web, signaling the need for a password security reset.
Year after year, people fail to recognize the importance of changing their passwords. But with increasing cyberattacks, this issue cannot be ignored.
ID Agent, a Kaseya company, has published a list of the 20 most common passwords of 2020. The list comes from a scan of nearly 3 million passwords found on the dark web last year. And it breaks down the most commonly used types of passwords by category.
The most common passwords by category are:
- Names: maggie
- Sports: baseball
- Food: cookie
- Places: Newyork
- Animals: lemonfish
- Famous People/Characters: Tigger
Among the most common passwords found on the dark web last year are: 123456, password, 12345678, 12341234, 1asdasdasdasd, Qwerty123, Password1 and 123456789.
Mike Puglia is chief strategy officer at Kaseya. He said people don’t take password security seriously. This is especially true as the average U.S. adult has between 90 and 135 different applications that require a set of credentials.
“Most employees that generate their own passwords will use personal formulas made up of words and numbers that are important to them for easy recall,” he said. “Individuals tend to choose passwords that can be divided into 24 common combinations. And users will often only change one letter or digit in one of their preferred passwords when required to make a new one.”
Organizations should train employees in best practices around generating and storing passwords, Puglia said. In addition, they should frequently remind them of the importance of password security.
“Businesses should also use a robust identity and access management (IAM) system,” he said. “A combination of solutions that includes multifactor authentication, single sign-on protections and identity management tools is a critical component of any cybersecurity strategy, bolstering and augmenting the safety of data and systems at every access point.”
MSSPs can help organizations by providing them with IAM solutions that easily integrate with the organization’s existing applications, Puglia said.
“IAM solutions with single sign-on capabilities are especially impactful, as MSSPs can uniformly access all applications from one place and employees won’t need multiple passwords for the software solutions they use daily,” he said. “MSSPs can also work with organizations to set secure password policies that ensure employees aren’t reusing old passwords or creating easy-to-guess ones. Additionally, they can offer organizations automated email phishing defense solutions, as this provides an extra layer of protection from credential compromise.”