Interesting Result of a Security Training

Recently, we ran a security training at the office; such trainings are strongly encouraged by the various laws that govern our data. While preparing for the training, I wanted to spend some time on what the organization actually saw in terms of penetration attempts.

By and large, we are very lucky: despite a large number of attempts on our Terminal Server, we've had only 4 accounts compromised in the last year, all of which were caught within an hour of being compromised. We do see a large number of attempts, about 700 an hour. So, we had our statistic. The number surprised me (I had been expecting maybe 200-300 attempts), so I wanted to do a bit more digging.

For our training, it was easy to say that a password policy helps and that embracing secure passwords radically lowers the likelihood of being hacked. All of this is well known and has been discussed a thousand times before.

For our technical staff, there was a big lesson that did not make it into the general training: usernames matter as well. We saw three main forms of attack in the logs: brute force guesses at both username and password (ironically enough, the hardest way to get in and the only successful penetration we've experienced), guesses at accounts holding payment information (username pos, etc.), and attempts on the Administrator account. I want to take a moment to talk about each of the three and the lessons my team and I took away from this information.

Brute Force

As is often the case, short usernames are easier to get to in a brute force attack, but each successful attack hit accounts named after common first names. In every small to medium organization I've worked with, login accounts are generally the first name. This is a mistake. There were no attacks in multiple weeks that targeted truly random usernames, so a simple first initial and last name username (or even better, first name.last name) would have completely mitigated those break-ins. Admittedly, those that were hacked into had passwords that embraced only the letter of the complexity requirements and not the spirit, but an IT department should be aware of that reality and plan accordingly.

Point of Sale Accounts

A full third of observed attacks focused on accounts like pos or Point of Sale vendor names. A Point of Sale system should never use an account name like this. Use instead a combination of the last names of the various leads in an install, or something else not obviously related to the system itself. A penetration on one of these systems could be catastrophic for any organization, as it challenges the trust of anyone doing business with the organization.

Administrator Accounts

If I ever needed a reminder to rename administrator accounts, this would be it. But the account should be renamed to something completely unrelated to the word administrator. We had hundreds of attacks on administrateur, admin, admnisitrator, admin1, and others.
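
The three categories above can be turned into a triage pass over failed-logon records that also flags which of your own account names are being guessed. This is an added example, not part of the original post: the record format, the word lists, the function names and the account names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed word lists (illustrative); build real ones from your own logs.
FIRST_NAMES = {"john", "mary", "david", "susan"}
POS_NAMES = {"pos", "pos1", "examplevendor"}   # "examplevendor" is a placeholder
ADMIN_RE = re.compile(r"^adm")                 # admin, admin1, administrateur, ...

# Constructed sample of failed-logon records: ISO timestamp, username as typed.
SAMPLE_LOG = """\
2024-01-01T09:00:05,Administrator
2024-01-01T09:03:10,CORP\\admin1
2024-01-01T09:10:42,administrateur
2024-01-01T09:15:00,pos
2024-01-01T09:20:31,john
2024-01-01T09:41:12,Mary
2024-01-01T10:05:00,xk7qz
2024-01-01T10:30:05,examplevendor
"""

def normalize(name):
    """Lowercase and drop a DOMAIN\\ prefix or @domain suffix."""
    return name.strip().lower().split("\\")[-1].split("@")[0]

def classify(name):
    user = normalize(name)
    if ADMIN_RE.match(user):
        return "administrator"
    if user in POS_NAMES:
        return "point_of_sale"
    if user in FIRST_NAMES:
        return "first_name"
    return "other"

def summarize(log_text, own_accounts):
    """Return (attempts per category, attempts/hour, own accounts that were targeted)."""
    rows = [line.split(",", 1) for line in log_text.splitlines() if line.strip()]
    times = [datetime.fromisoformat(ts) for ts, _ in rows]
    counts = Counter(classify(user) for _, user in rows)
    hours = max((max(times) - min(times)).total_seconds() / 3600, 1.0)  # 1 h floor
    targeted = {normalize(user) for _, user in rows}
    exposed = sorted(a for a in own_accounts if normalize(a) in targeted)
    return counts, len(rows) / hours, exposed

if __name__ == "__main__":
    counts, rate, exposed = summarize(SAMPLE_LOG, ["john", "j.smith", "pos", "svc-backup"])
    print(dict(counts), f"{rate:.1f}/hour", exposed)
```

The list of exposed accounts is the actionable output: those are existing logins whose names attackers are already guessing, so they are the first candidates for renaming.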

Final Thoughts

We spend so much time lecturing users on how passwords matter and developing password policies. This is generally time well spent, although at some point, we can stop expecting the user to remember their passwords and then need to worry about HOW they are remembering them. We need to start spending more time on the usernames as well. You can have the most secure key in the world, but if you insist on stamping the address of what it opens on the top of it, that place is practically guaranteed to be broken into.