Categories: SecurityWorkspace

Weak Passwords To Be Major Security Risk In 2013

At the start of a new year, two security specialists have highlighted the main areas of concern for corporate IT security in 2013.

The biggest security threats to companies in 2013 will depend on who is attacking the business: Opportunistic criminals will continue scanning for accounts with default or weak passwords, while targeted attackers will refine their attempts to fool employees, business services firm Verizon and security software firm McAfee stated in separate reports.

Weak Passwords

In the past year, about 90 percent of successful breaches analysed by Verizon started with a weak or default password, or a stolen and reused credential, which is a trend that will continue, said Wade Baker, managing principal for the company’s RISK team. The company analysed data gathered from incidents it investigated in 2012 to identify the causes of data breaches.

“Taking all the attacks that happened to larger corporations and government, about 90 percent had weak or stolen credentials,” Baker said. “We see no reason that that trend will change in 2013.”

A year ago, an analysis of the breach of global-intelligence firm Stratfor found that many of the site’s customers had selected weak passwords for their accounts, with one analysis breaking about 10 percent of the passwords in five hours. Other analyses of leaked passwords have found similarly poor password choices, as well as the reuse of passwords across sites.

Malware shows a different trend. Cyber-crime campaigns aimed at compromising specific businesses will become more refined, while broader campaigns will focus on narrower subsets of victims, said Ryan Sherstobitoff, a threat researcher with software-security firm McAfee.

He pointed to the Citadel Trojan as a good example. In October, the creators of Citadel released a new version – dubbed the “Rain Edition” – which allows botnet operators to customise attacks for specific victims. Citadel is a variant of the infamous Zeus banking Trojan, created after the Zeus code base was leaked to the Internet in 2011. In one case, a campaign using Citadel targeted victims that lived in Madrid.

“Things are becoming more targeted and more detailed: They are targeting specific populations and specific users,” Sherstobitoff said.

The tools are becoming more user-friendly for criminals as well. Citadel, for example, allows support, has a customer relationship management (CRM) tool and has a trouble-ticketing system.

The Citadel botnet is not just used for bank theft. In August, the FBI warned about criminals using the Citadel Trojan for ransomware attacks, where a victim’s system freezes unless they pay money.

BYOD Paranoia?

While bad passwords and targeted attacks will be problems for companies and their employees, businesses should also look to their Websites. About three-quarters of all attacks also used a Web exploit to gain access to sensitive data, Verizon’s Baker said.

Mobile malware, however, continues to pose a minimal threat, at least in the United States, he said. While companies are worried about employees bringing compromised devices inside the network, so far that threat has not materialized, said Baker.

“Consumers are very rapidly adopting their mobile devices,” he said. “Enterprises are going to be a bit more risk-adverse than the typical consumer, however.”

Are you a security pro? Try our quiz!

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

CMA Secures Google Commitment To Tackle Fake Reviews

British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues

43 mins ago

Trump Signs AI ‘Free From Idealogical Bias’ Executive Order

After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…

3 hours ago

OpenAI’s ‘Operator’ Agent Automates Online Tasks

OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…

22 hours ago

Pakistan’s Parliament Passes Bill For Strict Control On Social Media

Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…

23 hours ago

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

1 day ago

UK’s CMA Begins Probe Into Apple, Google Mobile Ecosystems

British regulator confirms investigation of Apple and Google's domination of app stores, operating systems, and…

1 day ago