nGuard
Vulnerability Exploits Overtake Phishing as Initial Attack Vector

Most security professionals will tell you that the number one way attackers gain an initial foothold on a network is, and continues to be, phishing and social engineering. Palo Alto recently released its 2022 Incident Response Report, which confirmed what most would say is true: at a combined 42%, phishing and social engineering make up almost half of all initial access vectors.

[Chart] Source: 2022 Incident Response Report

The second most common vector, according to the Palo Alto chart, is software vulnerabilities. However, in the first week of September, Kaspersky released its 2021 Incident Response Overview, and it told a different story: 53.6% of the initial attack vectors in the incidents Kaspersky responded to were exploits of public-facing applications.

[Chart] Source: 2021 Incident Response Overview

2021 had no shortage of time-sensitive critical vulnerabilities, including Log4j, Microsoft Exchange ProxyLogon, and three other CVEs related to the ProxyLogon vulnerabilities that were released in March of 2021. Once a vulnerability like this is disclosed, it is only a matter of minutes before public-facing systems are being scanned for vulnerable targets. Within hours, proof-of-concept exploits become available, and a very high proportion of organizations fall victim to such attacks.

In recent years, organizations have prioritized security awareness training and conducted social engineering and phishing training exercises. But have those same organizations made it a priority to have a vulnerability management program in place?

How can organizations stay ahead of these attack trends? Start by building out a mature security program that includes annual penetration testing, ongoing vulnerability scanning, and a properly configured SIEM that alerts on network anomalies. Identify a firm capable of responding to security incidents and secure an incident response retainer, so that help is ready if you suspect a breach. Lastly, have an expert conduct a strategic security assessment that compares your organization’s security program to a known security standard such as the Center for Internet Security Critical Security Controls.


Password Guidelines You Need To Know

Conventional wisdom says passwords should be longer than 8 characters, they should be complex (upper case, lower case, numbers, and symbols), and rotating them periodically is crucial to prevent them from being compromised. If this is still how you instruct your employees, consider rethinking your password requirements. In this security advisory, nGuard lays out the password requirements you should be applying to employees.

Entropy is defined as “a measure of the amount of uncertainty an attacker faces to determine the value of a secret.” Traditionally, it was believed that entropy could be increased by requiring users to change their passwords frequently and by increasing the complexity of passwords. We now know that this is not the case: length alone can provide any desired level of password entropy. Furthermore, if you change your passwords numerous times a year, you will find it difficult to remember passwords with high levels of complexity. Let’s take a look at some examples:

Password: nGu@rd2022!

This is an 11-character password with a high level of complexity. According to security.org, it would take a computer about 400 years to crack this password by brute force. Engineers at nGuard say this password has a high probability of being cracked very quickly. It uses the company name with some common substitutions, such as “@” instead of “a”. It also uses the current year, which is common among companies that force password changes on a regular basis.

Password: nGuard is a leading provider of security

This is a 40-character password with a low level of complexity. According to security.org, it would take a computer about 88 septendecillion years to crack this password by brute force. Septendecillion is a 1 followed by 54 zeros. That’s a lot! The length of this password makes it more difficult to crack, yet it is easier to remember and type out. Passwords like this won’t need to be changed unless they become compromised through social engineering or some form of clear-text password compromise.
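As an added illustration (this is not security.org’s calculator or nGuard’s tooling), the Python below scores the two passwords above in two ways: naive brute-force entropy, which rewards length, and a pattern-aware estimate that models an attacker who tries a company name with common substitutions and a year first. The substitution table, the word list and the 2**6 variant count are assumptions chosen for the example.

```python
import math
import re
import string

# Assumed substitution table: leet characters attackers try first, mapped back to letters.
LEET = str.maketrans("@$10!3", "asloie")
# Assumed organisation dictionary; a real cracking run would use far larger wordlists.
COMMON_WORDS = {"nguard", "password", "security"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a blind brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += 32
    if " " in pw:
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """Naive entropy: log2(charset ** length). Length dominates, not complexity."""
    return len(pw) * math.log2(charset_size(pw))


def pattern_bits(pw: str) -> float:
    """Entropy if the attacker guesses (word)(year)(symbol) with leet substitutions first.
    Such a password costs only |wordlist| * variants * years * symbols guesses."""
    core = pw.lower().rstrip(string.punctuation)        # "nGu@rd2022!" -> "ngu@rd2022"
    m = re.fullmatch(r"(.+?)((?:19|20)\d\d)?", core)
    if m and m.group(1).translate(LEET) in COMMON_WORDS:
        guesses = len(COMMON_WORDS) * 2 ** 6             # word choice x assumed leet variants
        if m.group(2):
            guesses *= 100                               # ~100 plausible years
        guesses *= 33                                    # trailing symbol (32) or none
        return math.log2(guesses)
    return brute_force_bits(pw)                          # no cheap pattern: fall back to brute force


if __name__ == "__main__":
    for pw in ("nGu@rd2022!", "nGuard is a leading provider of security"):
        print(f"{pw!r}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"pattern-aware {pattern_bits(pw):.1f} bits")
```

The short complex password drops from roughly 72 bits to under 20 bits once the attacker models the company-name-plus-year pattern, while the passphrase keeps well over 200 bits either way.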

To avoid forcing users to reset their passwords on a regular basis, nGuard recommends using passphrases like the example above. Set up alerts to notify IT when a specific account experiences too many failed login attempts, and limit the number of failed login attempts allowed within a given time frame. nGuard’s Managed Event Collection & Correlation (MECC) service can monitor for exactly these events. For an organization to maintain a strong password posture, that’s all you need to do. If you do all of this and implement multi-factor authentication where possible, your organization’s password security posture will be at the forefront of the industry.
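The failed-login alerting described above, as an added example rather than MECC’s own logic: a sliding-window counter over constructed, syslog-style authentication lines that raises one alert per account once a threshold of failures is reached inside the window. The log format, the threshold of 5 and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): alice fails 5 times in 11 seconds,
# bob fails twice 30 minutes apart, which should not trigger an alert.
SAMPLE_LOG = """\
2023-03-01T09:00:01 sshd[101]: Failed password for alice from 10.0.0.5 port 5001
2023-03-01T09:00:04 sshd[101]: Failed password for alice from 10.0.0.5 port 5002
2023-03-01T09:00:07 sshd[101]: Failed password for alice from 10.0.0.5 port 5003
2023-03-01T09:00:09 sshd[101]: Failed password for alice from 10.0.0.5 port 5004
2023-03-01T09:00:12 sshd[101]: Failed password for alice from 10.0.0.5 port 5005
2023-03-01T09:00:20 sshd[102]: Accepted password for bob from 10.0.0.6 port 5100
2023-03-01T09:15:00 sshd[103]: Failed password for bob from 10.0.0.7 port 5200
2023-03-01T09:45:00 sshd[103]: Failed password for bob from 10.0.0.7 port 5201
"""

# Assumed line layout: <iso-timestamp> <process>: Failed password for <user> from <ip> ...
LINE_RE = re.compile(r"^(\S+) \S+ Failed password for (\S+) from (\S+)")


def failed_login_alerts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (account, timestamp, count) for each account whose failed logins reach
    `threshold` within a sliding `window`. Alerts once per account to avoid noise."""
    recent = defaultdict(deque)       # account -> timestamps of failures still in window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # successful logins and unrelated noise are ignored
        ts = datetime.fromisoformat(m.group(1))
        acct = m.group(2)
        q = recent[acct]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and acct not in alerted:
            alerted.add(acct)
            alerts.append((acct, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for acct, ts, count in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT: {count} failed logins for {acct} by {ts.isoformat()}")
```

The same counter can drive a temporary lockout by refusing further attempts for an account while its window still holds `threshold` failures.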

Once a strong password policy is in place, nGuard can provide a variety of services to make sure you’re on the right path. Password Database Audits test the strength of your passwords against industry-leading password crackers. An internal penetration test can confirm that passwords are not being stored on machines in an insecure way (for instance, in plaintext).


© 2023 nGuard. All rights reserved.