What lesson can you learn from a successful attack

In the past decade, the enemy has made countless attacks. It has taken over the personal data of millions of people, what we call PII, Personally Identifiable Information.

Thousands of companies – like yours – have had to face the consequences of being unprepared for attacks. I’ll say this for the umpteenth time: “super-protection” by itself is not enough to repel an attack.

I have helped you several times to reflect on the consequences that an attack can have on your company. Let’s see if you remember the main ones:

  • direct costs, to fix things that the enemy has blown up
  • direct costs, to rebuild what you and your workforce have not been able to put back in place
  • investments in new defence tools (in most cases, more “super-protection”: which is like picking up soup with a fork)
  • all sorts of legal expenses: from compensation to damaged third parties who sued, to the Privacy Authority imposing a fine on you
  • broken reputation, established customers who abandon you, new customers who prefer working with your competitors

I should think that after a blow like this, you learned the lesson – if you ever actually did feel the “blow”, because in most cases you may be keeping your head well stuck in the sand and thinking, “nothing ever happened to me, so this thing doesn’t concern me.”

Sweet dreams to you.

A useful lesson to learn

However, maybe you are smarter than others, and you have learned the lesson. You may even be one of the very few who learn from other people’s mistakes – and avoid making the same mistakes. Good for you.

There is one particular mistake, which is consistently behind many attacks, especially the ones we call “ATO”, Account Take-Over, that is, the theft of credentials.

What is the mistake? Put simply, the mistake is continuing to use a username and password to identify and authenticate people.

If you only barely follow the news about these attacks, you will have heard several times that the enemy has worked its way into one system or another and has stolen, sometimes a hundred million, sometimes five hundred million user id-password pairs.

You may also have wondered: what good does it do to him? Surely, after hearing that passwords have been stolen on some system, that system’s users will rush to change their password.

This is not the case, as I have personally verified so many times in the war I’ve been fighting for thirty years, and continue to fight, against an enemy who is capable of reinventing himself almost every day, while you keep relying on solutions that are twenty years old.

But then you’re surprised when the enemy tears you to pieces.

The fact that escapes you, perhaps because you don’t think enough about it, is that people keep using the same id and the same password on multiple different systems. Don’t act disbelieving, because you do the same, and I’m ready to bet you do.

So if some gang of criminals swiped three hundred million passwords from a popular site, all they have to do is try these same id-password pairs on a few other equally popular sites.

Again I can hear you think: “Try them one by one? Just think of how long it takes! It will never get them anywhere!”

You forget what I told you several times about the one thousand five hundred billion dollars, and the GDP of Russia. You forget that they have unlimited funds, and in this case it shows: in the underground of the illegal Web there are systems available that use botnets to automate attacks, making thousands of attempts per second with stolen passwords.

The result is that some 8% of passwords stolen in a single incident can be successfully used on some other site.

If eight percent seems small to you, calculate how much is 8% of five hundred million stolen passwords: forty million stolen identities are used successfully on other sites.
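As an added example (not code from the original post), here is a defender-side check for the automated reuse attempts described above: it scans a constructed authentication log for one-minute windows in which many distinct accounts each receive roughly one failed attempt, the signature of stolen id-password pairs being replayed from many botnet addresses rather than one account being hammered. The log lines, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2020-03-01T10:00:00 203.0.113.10 alice FAIL
2020-03-01T10:00:01 203.0.113.11 bob FAIL
2020-03-01T10:00:01 203.0.113.12 carol FAIL
2020-03-01T10:00:02 203.0.113.13 dave FAIL
2020-03-01T10:00:02 203.0.113.14 erin OK
2020-03-01T10:00:03 203.0.113.15 frank FAIL
2020-03-01T10:00:03 203.0.113.16 grace FAIL
2020-03-01T10:00:04 203.0.113.17 heidi FAIL
2020-03-01T10:00:04 203.0.113.18 ivan FAIL
2020-03-01T10:00:05 203.0.113.19 judy FAIL
2020-03-01T10:05:00 198.51.100.7 alice OK
2020-03-01T10:07:00 198.51.100.7 alice FAIL
"""

def parse(text):
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts - (ts - datetime(1970, 1, 1)) % window

def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=8, min_fail_ratio=0.7,
                               max_attempts_per_user=2.0):
    """Return {window_start: stats} for windows that look like credential
    stuffing: many distinct accounts, mostly failures, ~1 try per account.
    A per-IP threshold alone would miss this, since botnets spread the
    attempts across many source addresses."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[bucket_start(ev[0], window)].append(ev)
    alerts = {}
    for start, evs in sorted(buckets.items()):
        users = {u for _, _, u, _ in evs}
        ips = {ip for _, ip, _, _ in evs}
        fails = sum(1 for *_, r in evs if r == "FAIL")
        stats = {"attempts": len(evs), "users": len(users),
                 "ips": len(ips), "fail_ratio": fails / len(evs)}
        if (len(users) >= min_users and stats["fail_ratio"] >= min_fail_ratio
                and len(evs) / len(users) <= max_attempts_per_user):
            alerts[start] = stats
    return alerts
```

In the sample, the 10:00 window (ten accounts, ten addresses, nine failures) is flagged, while alice’s two later attempts from one address are not.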

What identities are we talking about? These are credentials used to access other sites, which can be anything from a supermarket loyalty program to an administrative paperwork site.

“So should I care?”

If you’ve had the patience to read me this far, you’re probably wondering where I am heading.

It’s very plain. The point I want to make is that we are in 2020, but we still authenticate ourselves with a user ID and a password, exactly as we did when I started with computers almost fifty years ago.

Fifty years ago we had punched cards, a 90 megabyte disk was considered “huge”, there was no Internet, no cloud, no smartphones, nothing.

In this time we invented these, and many other good things, but we still use IDs and passwords, like we did fifty years ago.

My first computer teacher showed me how to prepare my card deck and feed it into the card reader. “Delete this thing here with your pen, it’s your password, if someone sees it, they could pinch it, and charge you with their use of computer time.”

That’s where we stayed.

Isn’t it time we changed a bit?

In my Facebook group we talk about this, and other interesting things.

Keep me on this blog, or in the group https://www.facebook.com/groups/toriasecuresystems/
