Attacks/Breaches | News
4/3/2017 11:00 AM
Dawn Kawamoto

More than Half of Security Pros Rarely Change their Social Network Passwords

Survey finds IT security professionals don't practice what they preach at work when it comes to their social network passwords.

Some security professionals apparently find it tough to maintain safe password practices outside of work: 53% acknowledge that they either haven't changed their social network passwords in more than a year or have never changed them at all, according to a report released today by security firm Thycotic.

According to the survey of nearly 300 security professionals conducted at the RSA Conference in San Francisco in February, 33% of security pros say they have not changed their social network passwords in more than a year, and 20% have never changed them. On top of that, nearly 30% of survey participants rely on birthdays, addresses, pet names, and children's names for their social network passwords, the survey found.
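To show why passwords built from birthdays, addresses, pet names and children's names are weak, here is an added example (not code from the article, Thycotic, or the survey). It builds a targeted guess list from a constructed profile of a hypothetical user and runs it against a constructed set of unsalted SHA-256 hashes standing in for a leaked database; the profile values, account names and hashes are all assumptions for the demo.

```python
"""Targeted guessing from public profile facts (added example, constructed data)."""
import hashlib
import itertools

# Constructed profile of a hypothetical user: the kind of facts visible on a
# public social-network page.
PROFILE = {
    "first": "Dawn", "pet": "Rex", "child": "Emma", "street": "Maple",
    "birth_year": "1982", "birth_mmdd": "0714",
}

def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, as a careless site might store it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed "breach dump": three passwords derived from the profile above
# and one 14-character random password for contrast.
LEAKED = {
    "twitter":  sha256_hex("Rex1982"),
    "facebook": sha256_hex("Emma0714!"),
    "linkedin": sha256_hex("maple1982"),
    "bank":     sha256_hex("k3#Lq9vZ!pR2wX"),  # random: never guessed below
}

def candidates(profile):
    """Yield guesses: each personal token in three casings, alone and with
    a date fragment and/or punctuation appended, or a date fragment prepended.
    Deduplicated, order preserved."""
    tokens = [profile["first"], profile["pet"], profile["child"], profile["street"]]
    dates = ["", profile["birth_year"], profile["birth_year"][2:], profile["birth_mmdd"]]
    puncts = ["", "!", "1", "123"]
    seen = set()
    for tok, case in itertools.product(tokens, (str.lower, str.capitalize, str.upper)):
        base = case(tok)
        guesses = [base + d + p for d, p in itertools.product(dates, puncts)]
        guesses += [d + base for d in dates]
        for guess in guesses:
            if guess not in seen:
                seen.add(guess)
                yield guess

def crack(leaked, profile):
    """Return ({account: recovered_password}, guesses_tried) for hashes hit
    by the targeted list. Hash lookup is O(1) per guess via a reverse table."""
    reverse = {h: acct for acct, h in leaked.items()}
    found, tried = {}, 0
    for guess in candidates(profile):
        tried += 1
        hit = reverse.get(sha256_hex(guess))
        if hit:
            found[hit] = guess
    return found, tried

if __name__ == "__main__":
    found, tried = crack(LEAKED, PROFILE)
    print(f"{len(found)} of {len(LEAKED)} accounts recovered in {tried} guesses: {found}")
```

Fewer than 300 guesses recover every profile-derived password; the only account that survives is the one with a random, account-specific password. The same list, salted and run through a slow hash, would still fall, because the weakness is the search space, not the hashing.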

These practices run counter to the industry's often-touted mantra that passwords should be changed frequently and made as complex as possible. (That mantra was already being questioned in 2017: NIST's draft SP 800-63B guidance, for example, recommends against forcing periodic password changes unless there is evidence of compromise, favoring length, screening against known-breached passwords, and multifactor authentication instead.) Either way, a weak or long-reused social network password can let cybercriminals not only take over a security pro's social accounts but also use them to social-engineer or phish their way into that person's work accounts.

Although 45% of survey respondents believe that at least half of company-related cyberattacks involve privileged passwords, Joseph Carson, Thycotic's chief security scientist, tells Dark Reading he personally believes the figure is closer to 63% based on his digital forensics research and ethical hacking.

Of that 63%, Carson estimates 30 percentage points come from IT administrators' passwords and 10 from someone with some responsibility for security.

"Although 10% may not seem like a high figure, the biggest cost to a company financially will be from this 10% because of the privileges they hold," Carson says. "The difference between a security breach and a security catastrophe comes down to the level of authorization that the person had."

Do What I Say, Not as I Do

To understand why security professionals don't always practice what they preach when it comes to protecting passwords outside of work requires some insight into the particular challenges they face.

Typically, security pros are aware of the danger of reusing one password across accounts and will have a separate password for each account they hold, both work-related and personal. In Carson's case, he has over 400 personal and work-related accounts, each with its own password.

To manage those hundreds of passwords, Carson says he uses password management tools such as password vaults. But the vast majority of his fellow IT security professionals do not. He noted that in a benchmark survey taken over a year ago of more than 1,000 security professionals, only 10% to 20% of participants said they used a password vault or other password management tool.

As a result, in some ways, it may not be so surprising that security professionals find it hard to maintain the same level of vigilance with their personal accounts as they perform with work-related accounts, he says.

"There are many known cases of data breaches from compromised credentials and passwords from security professionals resulting from malware and phishing scams delivered via social networks," Carson says.

Morey Haber, vice president of technology at security firm BeyondTrust, says he is not surprised by the findings in Thycotic's RSA survey.

"Most social media accounts require best practices for password complexity but falter when it comes to other security disciplines. For example, they fail to expire passwords after 90 days, require a reset, and allow browsers to ‘Remember Me’ for cached authentications for an infinite duration," Haber says. "Since these additional security controls are what most people rely on to reset passwords on a periodic basis, I can only assume the transparent approach makes even the best security professionals lax for social media account password changes. I can only hope they follow at least best practices for password reuse, and each social media account has a different password in case one is compromised."

He says while it’s rare for a breach of a security professional's account to be attributed as the primary attack vector, the likelihood of their account being compromised due to Pass-the-Hash or other hacking techniques is higher if they log into a compromised system, access from an unsecured remote location, or have legacy accounts that have never had their passwords changed. "The longer a password goes stale, the more likely it will be compromised," Haber says.

Ironically, 25% of the Thycotic survey respondents say they change their password at work only when the system prompts them. Such an attitude may contribute to the more than 3 billion user credentials and passwords that were stolen in 2016, according to the Thycotic and Cybersecurity Ventures' Password report.
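With billions of credentials already in circulation, the practical check is whether a password you intend to use has appeared in a breach. The following added example (not from the article or from Thycotic) shows the k-anonymity range lookup popularised by Have I Been Pwned's Pwned Passwords service: only the first five hex characters of the password's SHA-1 leave the machine, and the client matches the remaining 35 characters against the returned range locally. The range response used here is constructed so the demo runs offline; the live URL and header are assumptions about the public API and the live function is not called.

```python
"""k-anonymity breach check (added example; offline range data is constructed)."""
import hashlib
import urllib.request  # used only by fetch_range_live, which the demo never calls

def split_hash(password: str):
    """Return (prefix5, suffix35) of the uppercase hex SHA-1 of the password.
    Only prefix5 is ever sent to the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out

def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    fetch_range(prefix) -> response body, injected so the lookup is testable."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Network query (assumed API shape; requires connectivity; not run here)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline "server": one range containing the suffix of "password1"
# with a made-up count, plus two unrelated constructed suffixes.
_P1_PREFIX, _P1_SUFFIX = split_hash("password1")
FAKE_RANGES = {
    _P1_PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{_P1_SUFFIX}:2427158",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}

def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API: returns the constructed range or an empty body."""
    return FAKE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password1", "k3#Lq9vZ!pR2wX"):
        print(pw, "->", breach_count(pw, fetch_range_offline))
```

Because the server only ever sees a 20-bit prefix shared by hundreds of other passwords, the check leaks essentially nothing about the candidate; a nonzero count is a reason to reject the password regardless of how "complex" it looks.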


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
Joe Stanganelli, User Rank: Ninja
4/7/2017 | 1:23:49 PM
Red Herring
This is a red herring issue, I strongly suspect.

Talk to most die-hard security pros -- the really good ones, and the ones who do nothing OTHER than cybersecurity for a living -- and their use of social networks is minimal (if not non-existent).  Moreover, they put minimal -- if any -- true PII on those social networks.  So their risk is already quite small.

Moreover, it is becoming increasingly the viewpoint of the top InfoSec pros and punditry that changing passwords frequently is NOT a best practice -- and can actually be detrimental.

The study may be headline grabbing, but I am unconcerned.
AndrewfOP, User Rank: Strategist
4/4/2017 | 1:13:36 PM
Problematic Password Practice Advice
Clearly, if security pros can't follow their own advice, it just means the advice itself was problematic.  Secure IT policy should be clear and easy to follow; otherwise the IT/Security team is obviously not doing, or not able to do, its job.  One account with periodic password change is difficult enough.  Keeping good track of multiple accounts, as in most office working environments, is practically impossible.

Single sign-on/password vaults, or one single password for all accounts, essentially present the same security weak point.  The only way to maintain good security should be user behavior tracking and analysis: any excessive access entries outside of users' normal work environment, excessive access outside normal work hours, or an excessive amount of access entries are potential breaches to look out for.

Continued reliance on difficult to follow password practices would only weaken IT security in the long run regardless of any potential technology that could replace passwords.
lakers85, User Rank: Strategist
4/3/2017 | 12:42:39 PM
Password Vaults
Any recommendations on Password Vaults? What if they are breached? Who watches the watchers?
Breezcar, User Rank: Apprentice
4/3/2017 | 11:14:58 AM
I agree
I should change more often also