Password mismanagement still at the heart of security issues
While many government employees reuse credentials that have been compromised and put online, one expert warned MFA is not the “silver bullet” solution.
Government employees use the same, sometimes weak, passwords to access their work and personal accounts, even as thousands of credentials have been compromised and put online, according to one recent study.
Meanwhile, a separate report found what researchers described as a “not my job” attitude toward cybersecurity among some government workers in the United States, who admit mismanaging their passwords and don’t feel comfortable reporting potential security mistakes.
Researchers at threat intelligence company SpyCloud found high password reuse among government employees both in the United States and internationally. The report revealed that 61% of government users with more than one password exposed in the last year reused those passwords in multiple places, across their government work and personal accounts.
The most common exposed passwords associated with government emails remain some of the simplest to guess, the report said: “123456,” “12345678” and “password.” Cybersecurity experts have repeatedly warned that the most basic vulnerabilities like easy-to-guess passwords pose the greatest threats.
Trevor Hilligoss, director of security research at SpyCloud, said hackers’ ability to steal personal information and potentially access sensitive government systems should raise concerns about how well employees protect their digital personas.
“The way that I look at it, our online identities are in many ways very similar to a fingerprint, or a photograph,” he said. “What's scary is, it's much harder to walk into somebody's house and steal their TV than it is to drop a phishing email that's got some info stealer side-loaded to it. Then all of a sudden, you have somebody's entire digital persona in text format.”
Separate research from cybersecurity software company Ivanti had similar findings about the pervasiveness of poor cyber hygiene among public sector workers. More than 30% of government employees in the United States said they had used the same work password for more than a year.
And while researchers called on governments to move toward zero trust architecture to protect and manage employees’ identities, Ivanti recognized in its report that more advanced authentication could feel “cumbersome” to employees who then resort to “shadow IT” to bypass it.
As governments and organizations increasingly require multifactor authentication to protect themselves as part of their zero trust journey, Hilligoss warned that MFA is “not a silver bullet” as bad actors will always find ways around it. Hackers steal session cookies to get around MFA as they look to find “chinks in the armor” of organizations’ cyber defenses, he said.
“MFA is great, fantastic, you're going to knock out a lot of the low-hanging fruit in terms of threat actors with MFA,” Hilligoss said. “But that sophisticated threat actor, whether that's a nation-state we're talking about, or just a criminal that's quite sophisticated, they're going to have ways of bypassing that.”
SpyCloud researchers also found that devices infected with malware accounted for nearly 74% of stolen government credentials, which were then put online on the dark web, internet forums and on messaging platforms like Telegram. Government workers in the United States and European Union were more often the targets of malware as hacking public sector agencies in those geographic areas tends to be more profitable for attackers, Hilligoss said.
Hilligoss acknowledged the challenge of defending a large government organization against attackers who just need to “find one gap.” Once attackers discover that opening, “there are very obvious and, in some cases, easy ways to really widen that privilege and move laterally within the organization,” he said.
The Ivanti report highlighted what it described as a “not my job” attitude among some government workers toward cybersecurity, which researchers warned risks compromising security. Of government employees surveyed in the United States, 19% said they believe their actions do not impact their organization’s ability to stay safe from cyberattacks.
Almost a third of government employees said they do not feel safe reporting a security mistake they have made at work to their cybersecurity team, while 21% said they do not care if their organization gets hacked.
To combat this worrying trend, Ivanti called for cybersecurity to be a “shared responsibility with all employees” and for them to be held more accountable as individuals. Ivanti Chief Product Officer Dr. Srinivas Mukkamala told reporters that government organizations should have more robust training for employees and change the agency culture to show that everyone is responsible for cybersecurity.
To ignore those fundamentals would be “malpractice,” he said, and boosting cybersecurity awareness is a better strategy than buying new technologies.
“We're guilty of shiny object syndrome,” he said. “I think our problem is really the basics. We've got to start looking at training, bringing awareness and ensuring we're maintaining proper cyber hygiene.”