Note: McKenzie Worldwide has a strong cybersecurity practice. Here is a curated news roundup we produce for Cyber Oregon, a statewide initiative we helped launch and support on an ongoing basis. Drop us a line if you want to learn how we can help move your initiatives forward.
One of the biggest concerns for the energy sector is a large-scale cyberattack shutting down our power grids and our cities. Power networks, considered critical infrastructure by the U.S. Government, have long been a target for hackers, but successful attacks are rare, according to Zack Whittaker in his TechCrunch article. The Department of Energy confirmed that a cyber event took place in March, involving an energy company that provides service to Los Angeles, California, Salt Lake County in Utah, and Converse County in Wyoming. The incident was a denial-of-service (DoS) attack, which overwhelms a target's systems with traffic or requests so that they can no longer respond.
While the incident caused no outages and did not affect power generation, it brings to light the fact that the energy sector continues to be a big target for attacks. According to a CNBC article, “The fact that such an easily preventable attack succeeded against a system serving such a large electrical distribution area is cause for concern, especially because energy is one of the U.S. government’s most important ‘critical infrastructure’ sectors, making these utilities subject to the strongest protections.”
Are we doing enough to secure PII?
Another security fundamental in question is whether companies are doing enough to secure personally identifiable information (PII). According to an interview with Frank Abagnale, the renowned security expert whose story inspired Catch Me If You Can, “There’s no doubt in my mind that the username and password is an outdated technology that has long since served its purpose. User credentials remain the single biggest factor for security breaches, and our approach to deal with this has been to add more layers of complexity (one-time passcodes, knowledge-based questions) that have most users frustrated and resentful.” In its blog, IBM recommends the following password best practices for enterprises:
- Ensure all passwords contain at least 12 characters.
- Randomly generate all passwords (a password manager can be a big help here).
- Require all passwords to be secret and unique between sites and applications.
- Update passwords on a regular basis.
- Consider an external password audit to uncover and strengthen weak passwords.
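Three of the points above (minimum length, random generation, and an audit for weak or reused passwords) can be exercised in a few lines. The following is an added example written for this roundup, not code from IBM's blog or from any product: it generates passwords from the operating system's CSPRNG and audits a password-manager-style export against a constructed, clearly fake "breached password" set of SHA-1 digests. The account labels and breach entries are invented for illustration.

```python
import hashlib
import secrets
import string
from typing import Dict, List

# Character set for generated passwords: the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # matches the "at least 12 characters" rule above


def generate_password(length: int = 16) -> str:
    """Generate a random password from the OS CSPRNG (secrets, never random)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed stand-in for a breached-password corpus, stored as SHA-1
# digests the way such lists are usually distributed. Not real data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456789012", "Summer2019!!")
}


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {account: [findings]} for every account whose password is weak.

    `accounts` maps an account label (site or application) to its plaintext
    password, as a password-manager export would. Findings are reported in
    a fixed order: too short, present in the breach corpus, reused.
    """
    # Index passwords to accounts so reuse across sites can be reported.
    seen: Dict[str, List[str]] = {}
    for acct, pw in accounts.items():
        seen.setdefault(pw, []).append(acct)

    findings: Dict[str, List[str]] = {}
    for acct, pw in accounts.items():
        issues: List[str] = []
        if len(pw) < MIN_LENGTH:
            issues.append("too short")
        if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
            issues.append("appears in breach corpus")
        if len(seen[pw]) > 1:
            issues.append("reused across: " + ", ".join(sorted(seen[pw])))
        if issues:
            findings[acct] = issues
    return findings


if __name__ == "__main__":
    # Constructed sample export: one breached and reused password, one
    # short password, and one freshly generated password.
    sample = {
        "bank": "Summer2019!!",
        "mail": "Summer2019!!",
        "vpn": "short1!",
        "git": generate_password(),
    }
    for account, problems in audit(sample).items():
        print(f"{account}: {'; '.join(problems)}")
```

Two practitioner notes on the design. SHA-1 is used here only because it is the de-facto exchange format for breach corpora; it is not a way to store your own users' passwords, which belong behind a slow, salted hash such as bcrypt or Argon2. And the "update passwords on a regular basis" item in the list above is worth reading alongside current NIST SP 800-63B guidance, which drops forced periodic rotation in favour of changing a password when there is evidence it was compromised, which is exactly what an audit like this surfaces.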
Passwords: Yea or Nay?
May 2, 2019 marked World Password Day. In his Forbes article, Tony Bradley writes, “The prevailing logic when it comes to password security is that everyone needs to have passwords that are complex—long jumbles of random characters that don’t even attempt to emulate an actual word—and that every password for every account must be unique. That is a very high bar to ask people to meet.” Shahrokh Shahidzadeh, CEO at Acceptto, points out that there is a good chance your passwords are already compromised and that users should operate under that assumption. “Acknowledging that all credentials have already been compromised, even those that have not yet been created, combined with the weakness of existing user identity and access controls in place, will drive a transformative shift in cybersecurity,” says Shahidzadeh. Regarding alternatives to passwords, Mark B. Cooper, president and founder of PKI Solutions, states, “We are set to see an explosion of two-factor authentication technologies. Devices from Tesla (Drive PIN) to banking systems are incorporating two-factor solutions that are streamlined for their users and customers.”
In an interview with Microsoft’s top cybersecurity executive, Brett Arsenault, CNBC’s Kate Fazzini writes that email-based and password-based hacking underlie everything from the simplest frauds to the most complex, multi-faceted hacking campaigns. “We all sort of declared years ago that identity would be our new perimeter. People are very focused on taking advantage of identity, it’s become a classic: hackers don’t break in, they log in. I see that as a huge, huge thing for us to work on,” states Arsenault.
Microsoft is one of the few companies looking to eliminate passwords entirely. Instead of passwords, Microsoft employees sign in with Windows Hello and the Microsoft Authenticator app, which rely on factors such as facial recognition, fingerprints, and a device-bound key rather than a shared secret typed into a form.
Human error is still a top cybersecurity concern
Less headline-grabbing, but just as troublesome as a source of cyberattacks and data breaches, are people and the mistakes they make. As Alison DeNisco Rayome writes in her TechRepublic article, human error remains the top cybersecurity concern for both C-suite executives and policymakers, according to the newest report from Oracle. The report argues that organizations must invest more in their employees, through training and hiring, than in security-advancing technologies such as new software, infrastructure, artificial intelligence (AI), and machine learning (ML), even though those technologies can significantly reduce, and in some cases remove, the opportunity for human error.