Rostelecom-Solar, a subsidiary of Rostelecom, conducted a study showing that about 80% of companies don't follow basic password protection rules. At the same time, security analysts managed to obtain administrator privileges in almost every tested corporate network. This would allow a real cybercriminal to develop an attack that is highly likely to lead to the theft of funds or confidential information.
Experts warn that password-related weaknesses can lead to complete compromise of the internal network and leakage of sensitive data that is critical for the organization. Especially dangerous is the fact that exploiting such shortcomings requires no specialised tools and allows attackers to remain unnoticed inside the corporate network for a long time.
The Rostelecom-Solar research is based on data obtained by the company's experts in the course of cyber training, penetration testing and security assessment projects for customers from the banking sector, manufacturing, information technology, information security and other industries. The simulated attacks involved two scenarios: penetration of the corporate network from outside, and imitation of the actions of an internal intruder.
The most common error detected during external penetration testing was default, weak and easy-to-guess passwords for user accounts (for example, admin/admin, admin/12345 etc.), as well as the absence of account lockout.
The main drawback found during internal penetration testing is that employees use the same password for accounts with different permission levels. Another common error is storing credentials on shared resources in the corporate network or on the workstations themselves.
In some organizations, there are shortcomings in the password policies for corporate accounts. In particular, employees aren't required to create passwords of a certain length or passwords that mix character classes (lowercase and uppercase letters, digits and symbols).
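As an added example (not part of the study or the article), the three findings above can be turned into a small audit script: it flags default credentials, passwords failing the length and character-class policy, and a password shared by accounts with different privilege levels. The account list, privilege labels and the 12-character minimum are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the study): account, password, privilege level.
# A real audit would run these checks when a password is set, not on stored plaintext.
SAMPLE_ACCOUNTS = [
    ("admin", "admin", "admin"),
    ("svc_backup", "Backup2019!", "admin"),
    ("jdoe", "Backup2019!", "user"),
    ("msmith", "summer", "user"),
    ("root", "12345", "admin"),
]

# Default credential pairs named in the article.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345")}


def policy_violations(password, min_length=12):
    """Return the names of the policy rules a password fails (empty list = compliant)."""
    checks = {
        "length": len(password) >= min_length,
        "lowercase": re.search(r"[a-z]", password) is not None,
        "uppercase": re.search(r"[A-Z]", password) is not None,
        "digit": re.search(r"\d", password) is not None,
        "symbol": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [name for name, ok in checks.items() if not ok]


def audit(accounts, min_length=12):
    """Map each account name to the list of findings an internal audit would raise."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for user, password, level in accounts:
        by_password[password].append((user, level))
        if (user, password) in DEFAULT_CREDENTIALS:
            findings[user].append("default credentials")
        failed = policy_violations(password, min_length)
        if failed:
            findings[user].append("policy: " + ", ".join(failed))
    # The same password held by accounts at different privilege levels lets a
    # low-privilege compromise become an administrative one.
    for password, holders in by_password.items():
        levels = {level for _, level in holders}
        if len(holders) > 1 and len(levels) > 1:
            for user, _ in holders:
                findings[user].append("password reused across privilege levels")
    return dict(findings)


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(issues)}")
```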
"The main reason that leads to such shortcomings is the human factor. Employees of companies often have insufficient cyber literacy and as a result try to simplify passwords or store them in open access: in a file on the computer or on a sticker next to the monitor. On the other hand, system administrators themselves sometimes don't take enough care of how credentials are stored or allow users to create weak passwords. Often a simple default password is set in newly created accounts by default and it isn't changed for a long time," said Alexander Kolesov, head of the security analysis department at Rostelecom-Solar.
According to the company's experts, the problem can be solved by introducing two-factor user authentication. However, at the moment many companies don't do this because of the complexity of deploying it and its high cost. A more affordable option is to teach employees the basics of cyber hygiene: explain the rules for creating strong passwords and storing them safely, including the use of dedicated password databases and password managers.