This question may sound like a new twist for a current television game show, but it’s actually a very relevant question. When a network is hacked, it is not usually because of sophisticated techniques that are able to overcome all of the technical controls. Most of the time it is a lack of good cyber hygiene.
The Colonial Pipeline hack is a perfect example. The Associated Press reported that an audit of Colonial’s cybersecurity found “Atrocious information management practices and a patchwork of poorly connected and secured systems”, which led the consultant who delivered the report to say “We found glaring deficiencies and big problems – I mean an 8th grader could have hacked into that system.”
As a result, the hackers were able to steal an estimated 100 gigabytes of sensitive data and the company paid nearly $5M in ransom to recover the data needed to get the pipeline back in business as quickly as possible. While U.S. authorities went after the hackers and were able to seize $2.3M of the bitcoin, that’s still a loss of about $2M that is likely not covered by a cyber insurer, not to mention costs for remediation, legal expenses and forensics.
In Colonial’s case, all it took was one password, used on a legacy Virtual Private Network (VPN) that did not have Multi-Factor Authentication (MFA) in place as a safeguard, a common best practice. How do hackers get passwords? The most common way is to trick users into responding to a phishing email or phone call that asks them to enter their username and password on a fake website made to look like a site they regularly use, such as the company portal, Dropbox, or even an Office 365 login screen. Credentials can also be exposed when staff use their company email address and the same password to sign up for online tools or other websites and those sites get breached; the reused password then turns up in leaked credential dumps that attackers try against the company’s own login pages.
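Two concrete checks follow from that paragraph: find successful VPN logins that were authenticated with a password alone, and find out whether a password has already appeared in a known breach before it can be reused against you. The example below is an added illustration, not code from the original article or from Colonial; the VPN log format is hypothetical (one line per authentication event with a `factors=` field), the log lines and the breach corpus are constructed, and the breach lookup only imitates the k-anonymity range protocol used by Have I Been Pwned (SHA-1 of the password, first five hex characters sent, `SUFFIX:COUNT` lines returned) against that local corpus, so it runs offline and never contacts the real service.

```python
"""Cyber-hygiene checks for the two failure modes described above.

1. password_only_logins(): audit a VPN auth log for successful logins that
   used a single factor (password with no MFA).
2. is_breached(): check a password against a breach corpus the way the
   HIBP k-anonymity range API does, without sending the full hash.

The log format, log lines and breach corpus are constructed for this
example; they do not come from any vendor, the article, or Colonial.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not a real VPN vendor's).
VPN_LOG = """\
2021-04-29T06:12:03Z vpn-gw1 auth user=jsmith result=SUCCESS factors=password src=203.0.113.7
2021-04-29T06:13:41Z vpn-gw1 auth user=apatel result=SUCCESS factors=password,totp src=198.51.100.22
2021-04-29T06:15:09Z vpn-gw1 auth user=legacy_admin result=SUCCESS factors=password src=203.0.113.7
2021-04-29T06:17:55Z vpn-gw1 auth user=jsmith result=FAILURE factors=password src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"result=(?P<result>\S+) factors=(?P<factors>\S+) src=(?P<src>\S+)$"
)


def password_only_logins(log_text):
    """Return (user, src) for every successful login whose only factor was a password."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "SUCCESS":
            continue
        factors = set(m["factors"].split(","))
        if factors == {"password"}:
            findings.append((m["user"], m["src"]))
    return findings


# Constructed breach corpus standing in for leaked credential dumps.
BREACH_CORPUS = ["password1", "Summer2021!", "letmein", "Welcome123", "letmein"]


def sha1_upper(password):
    """Uppercase hex SHA-1, the representation the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index leaked passwords by 5-char SHA-1 prefix -> {35-char suffix: count}."""
    index = defaultdict(dict)
    for pw in corpus:
        h = sha1_upper(pw)
        bucket = index[h[:5]]
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_lookup(index, prefix):
    """Imitate the range endpoint: all 'SUFFIX:COUNT' lines sharing a 5-char prefix."""
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items())]


def is_breached(password, lookup):
    """Return how many times the password appears in the corpus (0 if never).

    Only the 5-char prefix leaves the client; the suffix match happens locally,
    which is what makes the k-anonymity scheme safe to use with real passwords.
    """
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for entry in lookup(prefix):
        candidate, count = entry.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for user, src in password_only_logins(VPN_LOG):
        print(f"password-only VPN login: user={user} src={src}")
    index = build_range_index(BREACH_CORPUS)
    for pw in ["Summer2021!", "letmein", "correct horse battery staple"]:
        print(f"{pw!r}: seen {is_breached(pw, lambda p: range_lookup(index, p))} time(s) in breaches")
```

Either finding is the kind of "glaring deficiency" the audit quoted above describes: a legacy account that can reach the VPN with nothing but a password, or a password that is already circulating in a dump. In production the range lookup would be the real HIBP endpoint (or an internal copy of its hash list) and the log parser would be adapted to the VPN's actual export format.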