The New York Times reported yesterday that the FBI is actively investigating the front office of the St. Louis Cardinals for illegally accessing a rival team’s computer system. While this must be the strangest sports scandal since Deflategate, it is also the most high-profile case of “high tech” corporate espionage that doesn’t involve a nation-state actor.
Per the NYT, “the intrusion did not appear to be sophisticated” according to law enforcement officials. The Astros executive whose credentials were compromised previously worked for the Cardinals. Cardinals staff allegedly used his old password to get into a new system that he built in Houston.
This incident provides a number of lessons learned. The most obvious is to never commit a federal crime from your home computer unless you are interested in taking an all-inclusive vacation at the nearest federal detention center. Here are 3 more you should think about:
1. NEVER REUSE A PASSWORD
If you use the same password more than once and it gets compromised, the damage can be substantially worse. Let’s imagine a scenario where a hacker gets access to one of your accounts. That’s bad but at least it is contained to that website or application.
Now let’s say that your password is the same on every other system you use. Trying passwords stolen from one site against other sites is a very common practice amongst cybercriminals. Now your bank, online brokerage, social media accounts, luggage, etc. are compromised too.
Now let’s imagine a worse scenario. One of your employees just had their accounts broken into and they are now busy picking up the pieces. According to a 2014 study, “one in five Americans reuses the same username and password across their personal and business accounts”. That same study revealed that “73% of US Full-time workers admit to reusing the same batch of passwords online”. You probably are not feeling lucky right now.
2. ALWAYS CHANGE THE DEFAULT CREDENTIALS
According to media accounts, the database built for the Astros was designed by the same executive and was substantially similar to that of the Cardinals. The credentials used to exploit this system were the executive’s old passwords; because those passwords were already known outside the organization, this is analogous to leaving the vendor’s default password configured.
What’s the last piece of equipment you bought for your IT department? A quick Google search will reveal the vendor’s username and password to anyone with an internet connection. If you put it online and never changed that password, you are taking an enormous risk. According to a 2013 Verizon study “about 90 percent of successful breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential”. Changing those defaults is common sense.
The same goes for those logon passwords the IT department gives you. Do you really think that they haven’t used the same “P@ssw0rd2015” for the last 20 people who asked for a reset?
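One way a system can enforce lessons 1 and 2 at password-change time, as an added example that is not part of the original post and not from any team’s system: new passwords are checked against a denylist of vendor defaults and shared reset passwords (a constructed list that includes the “P@ssw0rd2015” pattern above) and against salted hashes of the account’s previous passwords, so reuse is caught without ever storing the old passwords in the clear.

```python
from __future__ import annotations
import hashlib
import os
import secrets

# Constructed denylist: a few vendor defaults plus the shared reset password the
# post mocks. A real deployment would load a far larger list of breached passwords.
DENYLISTED_PASSWORDS = {"admin", "password", "changeme", "welcome1", "P@ssw0rd2015"}
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def matches_hash(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)

def check_new_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the reasons a proposed password must be rejected (empty list = accept).

    history holds (salt, digest) pairs of the account's previous passwords, so
    reuse is detected without the old passwords themselves being kept anywhere.
    """
    reasons = []
    if candidate.lower() in {p.lower() for p in DENYLISTED_PASSWORDS}:
        reasons.append("matches a known default or shared reset password")
    if any(matches_hash(candidate, salt, digest) for salt, digest in history):
        reasons.append("reuses a previous password for this account")
    return reasons

def rotate_password(candidate: str, history: list[tuple[bytes, bytes]], keep: int = 10) -> list[tuple[bytes, bytes]]:
    """Accept the candidate and return the updated history (newest last), or raise."""
    reasons = check_new_password(candidate, history)
    if reasons:
        raise ValueError("; ".join(reasons))
    return (history + [hash_password(candidate)])[-keep:]

if __name__ == "__main__":
    hist = rotate_password("correct horse battery staple", [])
    for attempt in ("P@ssw0rd2015", "correct horse battery staple", "7 long words nobody else knows"):
        print(attempt, "->", check_new_password(attempt, hist) or "accepted")
```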
3. BE AWARE OF INSIDER THREATS
While many data breaches come from outside, insiders can be just as dangerous. People who know you and your systems probably understand their weaknesses. In the baseball hacking scandal, it was allegedly paranoid and vengeful ex-colleagues who broke into the system. In a more famous case, it was an employee motivated by political views who leaked sensitive data.
Insider threats also include outside parties that steal credentials held by privileged individuals like your IT administrators and executives. Making sure that they are aware of how to protect their credentials is critical. The days of CEOs having passwords written on post-it notes must stop. Ensuring compliance with your IT policies and procedures is arguably more important for privileged users than it is for rank and file employees because their access to sensitive data is often greater.
The best defenses against insider threats are common sense best practices. That includes a logical separation of duties and insisting that network activity is logged and audited. Fewer than 60% of organizations are doing this today, but it has been identified as a key behavior in quickly identifying malicious activity.
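What “logged and audited” can look like in practice, as an added example that is not part of the original post: a small review pass over constructed application login records (the account names, addresses and the trusted office network are all made up for illustration) that flags the three things this incident turns on: a successful login by an account that should have been disabled when its owner left, a login from outside the organization’s own networks, and a success that follows a run of failures.

```python
from __future__ import annotations
import ipaddress
import re
from collections import defaultdict

# Constructed sample audit lines (not from the incident): ISO timestamp, outcome,
# account name, and the source address the application recorded.
SAMPLE_LOG = """\
2015-03-02T14:01:10Z login ok user=analyst1 src=198.51.100.20
2015-03-02T14:05:33Z login ok user=gm_office src=198.51.100.21
2015-03-03T09:12:44Z login ok user=analyst1 src=198.51.100.22
2015-03-04T03:12:44Z login fail user=gm_office src=203.0.113.7
2015-03-04T03:13:01Z login fail user=gm_office src=203.0.113.7
2015-03-04T03:13:20Z login ok user=gm_office src=203.0.113.7
2015-03-05T10:40:00Z login ok user=departed_exec src=203.0.113.9
"""

# Constructed context: the office network, and accounts HR says should be disabled.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
OFFBOARDED_ACCOUNTS = {"departed_exec"}
FAIL_THRESHOLD = 2  # failures before a following success is worth a look

LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, finding) for every login that deserves a human's attention."""
    findings = []
    recent_failures: dict[str, int] = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed lines are skipped, not silently trusted
        user, src = ev["user"], ipaddress.ip_address(ev["src"])
        if ev["result"] == "fail":
            recent_failures[user] += 1
            continue
        if user in OFFBOARDED_ACCOUNTS:
            findings.append((ev["ts"], user, "successful login by an offboarded account"))
        if not any(src in net for net in TRUSTED_NETWORKS):
            findings.append((ev["ts"], user, f"login from outside trusted networks ({src})"))
        if recent_failures[user] >= FAIL_THRESHOLD:
            findings.append((ev["ts"], user, f"success after {recent_failures[user]} failures (possible guessing)"))
        recent_failures[user] = 0  # a success closes the failure window for this account
    return findings
```

Run as `audit(SAMPLE_LOG)`; the point is that every one of these findings requires the login event to have been recorded in the first place.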
They Are Called “Best Practices” For a Reason
Jumping back to the baseball hacking scandal, the Houston Astros appear to be the second-dumbest team in baseball, rivaled only by the team that “hacked” them, the St. Louis Cardinals. As Deadspin so blithely pointed out, “What makes the St. Louis Cardinals hacking scandal really great, aside from the fact that it involves the St. Louis Cardinals, is that it could not have happened if everyone involved hadn’t acted as stupidly as possible.”
If you’re reading this and aren’t sure about your organization’s IT security practices, maybe now is the time to start asking questions and reduce your risk exposure to avoidable problems.
Not sure where to get started? SAI can help.
Wondering what to do if you find yourself having to deal with a data breach? Stand by for our next post from SAI’s CTO Josh Crone.