And in unprotected documents.
Lots of passwords. Lots of documents. Lots of easy access.
No wonder the attackers got away with so much data.
At first, some said that attack had help from an insider.
That insider was an unprotected, easily found trove of passwords. Read about it here.
And Sony employees were allowed to use easy passwords like “skateboard94” for Outlook and Novell systems (see item #7 here).
One seldom-mentioned risk of this policy is that administrators will also use this password scheme instead of a complex password, like they are supposed to, because they can. Very few companies put their personal admin accounts in a separate container (e.g., a separate OU in Active Directory) and apply a stricter password policy to that container.
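One way to implement that separate, stricter policy for personal admin accounts, as an added example that is not from the original post: an Active Directory fine-grained password policy (FGPP). FGPPs apply to users and global security groups rather than to OUs, so this assumes the accounts in the admin OU are collected into a group; the OU path, group name, policy name and values below are placeholders.

```powershell
# Added example: stricter password policy for personal admin accounts via an AD
# fine-grained password policy (FGPP). Assumes the ActiveDirectory module and
# Domain Admin rights; the OU, group and policy names are placeholders.
Import-Module ActiveDirectory

$AdminOU    = "OU=Admin Accounts,DC=example,DC=com"   # separate container for admin accounts
$AdminGroup = "Tier0-Admins"                           # global security group the FGPP targets
$PolicyName = "Admin-Strict-Password-Policy"

# 1. Make sure the group exists and contains every account in the admin OU.
if (-not (Get-ADGroup -Filter "Name -eq '$AdminGroup'")) {
    New-ADGroup -Name $AdminGroup -GroupScope Global -GroupCategory Security -Path $AdminOU
}
Get-ADUser -SearchBase $AdminOU -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity $AdminGroup -Members $_ -ErrorAction SilentlyContinue }

# 2. Create the FGPP. Lower precedence wins if an account is covered by several policies.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" `
        -MaxPasswordAge "90.00:00:00" `
        -LockoutThreshold 5 `
        -LockoutDuration "00:30:00" `
        -LockoutObservationWindow "00:30:00" `
        -ReversibleEncryptionEnabled $false
}

# 3. Apply the policy to the admin group; the domain default policy still covers everyone else.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $AdminGroup

# 4. Verify: each admin account's resultant policy should be the strict one, not the domain default.
Get-ADUser -SearchBase $AdminOU -Filter * | ForEach-Object {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{
        Account         = $_.SamAccountName
        EffectivePolicy = if ($rsop) { $rsop.Name } else { "Default Domain Policy" }
        MinLength       = if ($rsop) { $rsop.MinPasswordLength } else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
    }
} | Format-Table -AutoSize
```

Any admin account that still reports "Default Domain Policy" in step 4 is either outside the OU or not in the group, which is exactly the gap the post describes.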
Not the Worst
The Sony attack and results are bad. Really bad. But that’s not the worst part.
The worst part is that MANY other large companies, also household names, are not much better in some areas.
A Fortune 500 company that I worked at within the last 6 months also uses “skateboard94” and similar passwords for all systems.
I know because I was assigned such a password upon arrival AND saw the signed/approved risk assessment that allows the practice to continue.
When you have that kind of password policy, you don’t need to find password lists. Most of the passwords in this company would be easy to crack.
This particular company uses this password policy because some of its key systems cannot handle complex passwords. So instead of requiring complex passwords everywhere except those few systems, they allow all passwords to be weak.
The reason I was given was to ensure single sign-on and a good user experience.
It also ensures a good attacker experience.
They will get attacked and compromised (if they aren’t already compromised, but don’t know it).
IT Audit and Security Considerations
(My new blogging friends at risk3sixty.com use this heading at the end of some posts, and I like it.)
If your audit or security group is not discussing the Sony attack and whether your company has similar issues, you might want to raise the banner.
And specifically look for passwords stored in clear text in files (and code).
You should also revisit your password complexity policy and any signoffs saying that non-complex passwords are okay. When you get resistance to this, ask:
- Do you think Sony regrets that policy now?
- Do you think their internal audit/security team regrets not standing up to management?
Let’s give management another opportunity to make the call.
If we’ve learned anything from the Sony hack, it’s that one of the emails that you WANT TO BE FOUND in your company’s data dump is that management was told this was a bad policy.
And that audit and security disagreed strongly with that policy.