The business world has a password problem—starting with the fact that the No. 1 computer password employed by business users is, wait for it: “Password1”.() Unfortunately, that’s just the most cringe-worthy example of bad enterprise security cited by Trustwave in its recently released Global Security Report for 2012.
Why “Password1”? Because “it satisfies the default Microsoft Active Directory complexity setting,” the IT security research firm noted. In other words, it’s got a capitalized letter, a number, and the requisite number of characters to qualify under basic password security settings.
The password problem is just one of the security issues businesses are running up against in an increasingly hostile cyber-world, according to Trustwave. Other key findings related to hacking incidents and intrusion investigations at companies researched by Trustwave include:
*• Customer records remained a valuable target for attackers, making up 89 percent of breached data investigated.*
*• For the second year, the food and beverage industry made up the highest percentage of investigations at nearly 44 percent.*
*• Industries with franchise models are the new cyber targets: more than a third of 2011 investigations occurred in a franchise business.*
*• In 76 percent of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.*
*• Law enforcement detected more breaches in 2011—up from 7 percent in 2010 to 33 percent in 2011.*
*• Data harvesting techniques continued to target data “intransit” within victim environments showing up in 62.5 percent of 2011 investigations.*
*• Anti-virus detected less than 12 percent of the targeted malware samples collected during 2011 investigations.*
*• For Web-based attacks, SQL injection remains the number one attack method for the fourth year in a row.*
In addition to detailing the issues above, Trustwave elaborates at length on password issues in business IT environments. Users “are finding creative ways to override” corporate IT policies on passwords, according to the report.
These risk-increasing workarounds include setting usernames as passwords, making simple, often numerically progressive (and thus predictable) changes to passwords, and opting for the simplest possible variations to meet complexity requirements, “such as capitalizing the first letter and adding an exclamation point to the end” of the password.
A big problem for business users is that IT policy requiring that passwords be complex and changed frequently—not to mention environments that necessitate several different passwords—is making it more difficult to commit those passwords to memory.
Hence the workarounds users employ, Trustwave notes, while many business users write down their passwords where they can be discovered—even on the very computers they’re meant to protect.
And even if a company has a good password policy that’s adhered to by its employees, that isn’t the end of it. Trustwave warned in the report that keystroke logging software is relatively easy for hackers to deploy and social engineering techniques for getting employees to reveal how to access IT assets remains a big problem.