An enterprise can have anywhere from hundreds to thousands of account names and passwords. Many of these accounts often have privileged access to applications, databases, networks and operating systems. While not all of them are always critical to the enterprise, there are numerous accounts that, if abused, can cause serious disruptions enterprisewide.
Previous studies have shown that the number of people who require administrative access to a system for maintenance purposes, or for completing tasks such as patching and upgrading, is often far greater than the number that managers know about or track. Nevertheless, many companies allow users and administrators to apply easy passwords or even default passwords to protect access to such accounts.
When multifactor authentication is used, the measures often involve relatively easy-to-crack knowledge-based authentication (KBA) mechanisms where a user is prompted for an answer to a security question, such as a first pet's name or the name of a favorite movie.
A report released by Verizon last month showed that attacks exploiting weak passwords are still endemic in the retail and hospitality industries. Attackers can still go to a vendor's site, get a client list and "just hit those [clients] with the default or guessable username-password combination," Verizon noted in its report. "These are relatively easy attacks that require little in-depth knowledge or creativity."
The tendency by many people to use the same password for multiple accounts is another huge issue, said John Pescatore, a Gartner analyst.
"A lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems," Pescatore said. "What I think we are seeing is really what I like to call 'the curse of the reusable password.' "
One of the most important measures companies can take to ramp up their security is to raise the bar for passwords and authentication mechanisms, he said. "Similar to how you can't shift from 'Park' to 'Drive' without putting your foot on the brake, there ought to be 'safety interlocks' in any piece of software that make it very hard to shift into Drive without changing the default password," he said.