Greater Use of the Cloud Leads to Weaker Passwords

It is already a reality: we work more and more in the cloud. Many of us have recently used services such as Google Drive, OneDrive or Dropbox, for example, and there are many more available today, both for personal and professional use. One consequence of this increased use of the cloud is that it pushes us towards weaker passwords.

One factor we must take into account is that we are all human and make mistakes. We work with more and more passwords every day, and keeping them organized and secure costs us more and more effort. This is because ever more passwords are needed to access our cloud services, email, social networks and other online services. Having more and more accounts, each with its own password, generally pushes us to choose weaker keys so that they are easy to remember.

Weaker Passwords

Sometimes the problem is that the passwords we create are too weak. On other occasions the cause is that we do not renew them when we should, or that we reuse the same one in many places.

Software and our network are our first line of defense

Let's start with the software: a skilled cybercriminal can take advantage of your security holes. Slow or absent patching hands that attacker vulnerabilities to exploit.

This means that the operating system must have the latest security patches installed. And not only the operating system must be updated, but also the programs, to their latest versions. Nor should we forget that our antivirus must have its signature definitions up to date and that our firewall must be properly updated.

Also, a lack of segmentation in our network can allow unrestricted lateral movement once a single machine is compromised. We must therefore configure the firewall of our router, if it has one, and only open the ports that we actually need.

Finally, especially when using laptops, we must be very careful when we connect to a public Wi-Fi network. We should mark that network as public in the operating system, so that our computer is not treated as a trusted member of that network and does not expose shared resources to it. And if we use a VPN service so that our connections are encrypted, so much the better.

Passwords are our main point of weakness

In an age where we have so many accounts, files and cloud services, passwords are getting weaker.

A report from the security firm Rapid7 published on August 26 confirms this situation. In penetration tests carried out to verify network security, they found that passwords continue to top the list of major flaws, and that attackers exploit these weak passwords to compromise systems.

Passwords are thus still the main weakness exploited by attackers when they carry out their attacks. Harvesting credentials and passwords is one of their main ways of breaking into target networks.

Currently, in 2020, we are witnessing a change in the way we work. The rise of remote work has turned attackers' eyes towards virtual private networks (VPNs) and cloud services.

The data collected in the reports shows that last year's penetration tests focused on the theft of credentials as the best way to gain access to cloud infrastructure.

Penetration techniques to obtain passwords and trust in people

Now we are going to talk about the "Under the Hoodie" report. The main techniques the pentesters use to obtain the passwords of the organization's users are the following:

  1. Password Spraying .
  2. Offline password cracking.
  3. Man-in-the-middle attacks.

Password spraying could be considered the most effective technique for external attackers. It takes advantage of users' lack of interest or knowledge when creating a password: instead of one as robust and complex as possible, it ends up being a simple sequence (123456789) or the word "password" itself. The attacker tries a handful of such passwords against many accounts rather than many passwords against one account, so no single account accumulates enough failures to trigger a lockout.
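The pattern described above is what makes spraying visible in authentication logs: a single source failing against many different accounts, rather than many failures against one account. The following detector is an added example written for this article, not code from Rapid7 or the report; the log format, the hostnames, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Password-spray detection over authentication logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log (not from the article): 203.0.113.7 tries one guess
# against many accounts (spraying), while 198.51.100.9 hammers a single
# account (classic brute force). Timestamps are illustrative.
SAMPLE_LOG = """\
2020-09-01T08:00:01Z auth-fail user=alice src=203.0.113.7
2020-09-01T08:00:02Z auth-fail user=bob src=203.0.113.7
2020-09-01T08:00:03Z auth-fail user=carol src=203.0.113.7
2020-09-01T08:00:04Z auth-fail user=dave src=203.0.113.7
2020-09-01T08:00:05Z auth-fail user=erin src=203.0.113.7
2020-09-01T08:00:06Z auth-ok user=frank src=203.0.113.7
2020-09-01T08:01:00Z auth-fail user=alice src=198.51.100.9
2020-09-01T08:01:05Z auth-fail user=alice src=198.51.100.9
2020-09-01T08:01:09Z auth-fail user=alice src=198.51.100.9
2020-09-01T08:01:14Z auth-ok user=alice src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>auth-fail|auth-ok)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_spraying(events, min_users=5):
    """Sources whose failed logons touch at least min_users distinct accounts.

    A spray is 'many accounts, few attempts each', so the signal is the number of
    distinct usernames per source, not the raw number of failures.
    Returns {src: sorted list of targeted usernames}.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "auth-fail":
            failed_users[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed_users.items() if len(users) >= min_users}


def find_brute_force(events, min_failures=3):
    """(src, user) pairs with at least min_failures failures: the per-account pattern a spray avoids."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "auth-fail":
            failures[(e["src"], e["user"])] += 1
    return {pair: n for pair, n in failures.items() if n >= min_failures}


def successes_from_sprayers(events, sprayers):
    """Accounts that authenticated successfully from a spraying source: treat them as compromised."""
    return sorted({e["user"] for e in events if e["result"] == "auth-ok" and e["src"] in sprayers})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayers = find_spraying(evs)
    print("spraying sources:", sprayers)
    print("brute force:", find_brute_force(evs))
    print("likely compromised by spray:", successes_from_sprayers(evs, sprayers))
```

Note that the per-account lockout counter most organizations rely on only catches the second source in the sample; the first one never fails more than once per account and is only visible when failures are grouped by source. Real sprays are also spread over hours or days to stay under rate limits, so in production the grouping should be done over a sliding window rather than the whole log.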

Many companies continue to rely on their workers to select good passwords and not reuse them across services. Relying on the human factor carries risks, since expectations are not always met. To avoid these problems, Tod Beardsley, director of research at Rapid7, points out that not enough companies have implemented multi-factor authentication.

The Dark Web shows bad passwords

Passwords are still a constant problem for businesses and consumers today. In fact, cybercriminals constantly focus on collecting our credentials.

The Rapid7 report covers 206 engagements carried out in the 12 months to June 2020. From them, these conclusions were obtained:

  1. Businesses continue to leave their networks and systems open to credential-based attacks.
  2. A quarter of external engagements resulted in credentials being obtained.
  3. 7% found weak password policies.
  4. 6% allowed user enumeration.

In a world increasingly focused on remote work and telecommuting, good practices in the use and management of our credentials and passwords become essential. To that we must add keeping software up to date and segmenting the network, as discussed at the beginning.

Another interesting finding from the Rapid7 report is that the third most successful strategy for attackers is to exploit unpatched software and then move laterally through the network.

The techniques used by both attackers and pentesters to extend their compromise to other machines on a network are based on:

  • The Windows Management Instrumentation (WMI) service.
  • PsExec, a Sysinternals tool for running commands on remote Windows hosts (a lightweight Telnet replacement).
  • Remote Desktop Protocol (RDP).
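Each of the three mechanisms listed above leaves a recognizable trace in Windows event logs: PsExec installs a service (event 7045, default name PSEXESVC), WMI execution spawns processes under WmiPrvSE.exe (process creation event 4688), and RDP produces logon events (4624) with logon type 10. The following detector is an added example written for this article, not part of the Rapid7 report or any product; the simplified key=value event format, the host names, the account and the IP address are constructed for illustration, and the field names are abbreviations of the real event fields.

```python
"""Lateral-movement detection over constructed Windows event records (added example)."""
from collections import defaultdict

# Constructed sample events (not real log output). Field names are shortened
# stand-ins for the real 4624 / 4688 / 7045 event fields.
SAMPLE_EVENTS = r"""
EventID=4624 Computer=WS01 LogonType=10 TargetUser=svc_admin IpAddress=10.0.0.5
EventID=7045 Computer=WS02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
EventID=4624 Computer=WS02 LogonType=3 TargetUser=svc_admin IpAddress=10.0.0.5
EventID=4688 Computer=WS03 ParentProcess=WmiPrvSE.exe NewProcess=powershell.exe
EventID=4624 Computer=WS03 LogonType=3 TargetUser=svc_admin IpAddress=10.0.0.5
EventID=4624 Computer=WS04 LogonType=2 TargetUser=alice IpAddress=-
EventID=4688 Computer=WS04 ParentProcess=explorer.exe NewProcess=notepad.exe
"""


def parse_events(text):
    """Turn each 'key=value key=value' line into a dict."""
    events = []
    for line in text.strip().splitlines():
        events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def flag_remote_exec(events):
    """One (technique, host) finding per event matching a PsExec, WMI or RDP pattern."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        # PsExec: service installation with the default service name. An attacker
        # can rename it (PsExec -r), so also alert on unknown services with a
        # PSEXESVC-style image path in a real deployment.
        if eid == "7045" and e.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(("psexec", e["Computer"]))
        # WMI: the WMI provider host spawning a shell or script interpreter.
        elif eid == "4688" and e.get("ParentProcess", "").lower() == "wmiprvse.exe":
            findings.append(("wmi", e["Computer"]))
        # RDP: logon type 10 is RemoteInteractive.
        elif eid == "4624" and e.get("LogonType") == "10":
            findings.append(("rdp", e["Computer"]))
    return findings


def find_pivoting(events, min_hosts=3):
    """(account, source IP) pairs with network or RDP logons (types 3 and 10) to >= min_hosts computers.

    One set of reused credentials reaching several hosts in a short time is the
    'recover a password, hop to the next machine' pattern the report describes.
    """
    hosts = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4624" and e.get("LogonType") in ("3", "10"):
            hosts[(e["TargetUser"], e["IpAddress"])].add(e["Computer"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("remote execution:", flag_remote_exec(evs))
    print("pivoting accounts:", find_pivoting(evs))
```

The WMI rule only works if process creation auditing (4688 or an equivalent endpoint sensor) is enabled, and the PsExec rule only catches the default service name; both are cheap to enable and are exactly the events the report's lateral-movement techniques generate. On a real network the pivoting threshold should be tuned per account type, since administrative tooling legitimately logs on to many hosts.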

We have also seen the WannaCry and NotPetya ransomware attacks, which spread rapidly through compromised networks in 2017.

How to create a strong password

Without a doubt, our first line of defense against cybercriminals is a strong password, something essential to protect our accounts. A good password must contain uppercase letters, lowercase letters, numbers and symbols, and be at least 12 characters long.

Another important factor is that we must change our passwords periodically, and in any case immediately whenever we suspect one has been leaked. To finish this section, other things we should not do are using the same password for everything and using our date of birth or other significant dates.
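The rules in the two paragraphs above (length, character classes, no common passwords, no dates or simple sequences) can be turned into a checker, and the same checker can validate a randomly generated password. The following is an added example written for this article, not a tool from the original page or from Rapid7; the short common-password list is a constructed stand-in for a real breached-password list, and the thresholds are assumptions.

```python
"""Password policy check and generation (added example)."""
import re
import secrets
import string

MIN_LENGTH = 12
# Constructed stand-in for a breached/common password list (assumption).
COMMON_PASSWORDS = {"password", "123456789", "qwerty123456", "password1234", "letmein12345"}
DIGITS = "0123456789"


def check_password(pw, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    # Dates: a 19xx/20xx year, or a 6-8 digit run such as ddmmyyyy.
    if re.search(r"(19|20)\d{2}", pw) or re.search(r"\d{6,8}", pw):
        problems.append("contains a date-like number")
    # Keyboard-style sequences such as 1234 or 6789.
    if any(DIGITS[i:i + 4] in pw for i in range(len(DIGITS) - 3)):
        problems.append("contains a sequential digit run")
    return problems


def generate_password(length=16):
    """Generate a password with the CSPRNG in secrets and keep drawing until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("password", "123456789", "Summer2020!!", "Tr0ub4dor&3xample!"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print("generated:", generate_password())
```

The length and character-class rules are the ones the text gives; the common-list, date and sequence checks are what stops "Summer2020!!" or "123456789" from passing even though they satisfy a naive complexity rule. A generated password of this form is only practical together with a password manager, which is also what removes the temptation to reuse one password across services.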

Using the cloud leads to weaker passwords

One way to establish defenses and test them for weaknesses is penetration testing, in which a security company tests its client's defenses. These tests range from physical intrusion to electronic means of defeating the defenses of banks and technology companies.

As we have seen, poor password security is the biggest problem. However, inconsistent and lagging patching remains a big problem too: companies are taking more than 90 days to patch half of their critical Internet-facing systems.

We also have to talk about worms that implement the EternalBlue exploit. The real reason these worms are so effective is that they use the same lateral movement techniques as real attackers and pentesters. According to the Rapid7 report, by recovering and reusing passwords from compromised systems, attackers can very frequently hop from one machine to another in search of their final targets.

Therefore, the increased use of the cloud forces us to handle an ever greater number of passwords, and that in turn leads to weaker passwords.