Last month the French TV network, TV5Monde, had 11 of its stations’ signals disrupted by an Islamist group. Its websites and social media pages were also defaced, but the biggest immediate impact was loss of advertising revenue during the blackout.
And what security failure led to this embarrassing and costly security breach? One source reported that the network’s highest-level password was “azerty12345,” the French-keyboard equivalent of “qwerty12345”, making it easy for attackers to guess.
But this story gets better (or worse, depending on your perspective). While reporting on its own incident, the network filmed a staffer in its offices with user names and passwords written down and visible in the background, and then aired that footage for all the world to see.
It’s the security equivalent of an “own goal” in soccer.
Not just a French problem
Lest you think that this form of security self-sabotage is uniquely Gallic, last week a BBC documentary inadvertently exposed passwords used at a British rail network’s control center. In one part of the televised segment, a user name and password were taped to the top of a monitor displaying track controls. In this case the exposure was quickly recognized and no security incident was reported, but the impact could have been far more devastating if trains had collided.
A crew filming a “top secret” Super Bowl security center in February 2014 exposed the WiFi network’s credentials. The list goes on.
How do we stop handing attackers our credentials?
One way would be to stop allowing TV crews to film inside of private areas. Human nature being what it is, though, we will likely continue to want to show off our offices and control centers.
Clearly, users should be dissuaded from displaying their credentials on stickers, banners, whiteboards and sticky notes as well. But putting the responsibility entirely on users is a fool’s errand. “I told you so” brings no satisfaction after intellectual property has been stolen or on the heels of a catastrophic accident.
Whose responsibility is it?
We like to say that security is everyone’s responsibility, and there is truth to that. Users are understandably at an impasse, though, when we ask them to use unique, complex passwords for every application, and to rotate them every 90 days without repetition. This makes for good security policy, while boosting the sales of Post-It Notes – in reality, this is security-driven self-sabotage.
Security teams must bear equal, if not greater, responsibility for reducing the risk that credential fatigue leads to inadvertent exposure.
Reducing reliance on passwords
It should be no surprise that single sign-on (SSO) is an important part of reducing this risk, given the maturity of SSO technology. SSO reduces the number of unique passwords that users have to remember, enforces far more complex passwords than users typically choose, and rotates them automatically according to policy.
The challenge with SSO is that it has traditionally been limited to corporate web applications and, to a lesser degree, desktop applications. But in the TV5Monde case, the network’s social media accounts were also exposed. That raises the question: how are you offering SSO to cloud and social accounts, or to mobile apps?
The topic of SSO may seem passé, but we can thank these recent gaffes for breathing new life into it. SSO has to expand to meet the demands of today’s cloud, social and mobile realities. Don’t say I didn’t tell you SSO.