Compared to the hundreds of high priorities faced by state and local governments, addressing credential security and password reuse doesn’t look like much of a priority on paper. But the current situation is untenable.
If we want to give credit where credit is due, the attack on Colonial Pipeline – and the company’s subsequent multi-million dollar payout – forced a lot of people to wake up and admit that ransomware is a serious problem.
Ransomware is not new, but the last couple of years have seen a sharp rise in attacks targeting critical infrastructure and public services. As a resident of Baltimore county in 2019 unable to pay my water bill, I’ve felt the effects firsthand. In addition to Baltimore and the Pipeline, dozens of government agencies and a city’s water supply have been attacked, among many others. Whereas certain sectors like media, telecom, tech and financial services have dealt with ransomware and other targeted attacks for years, government agencies, infrastructure and manufacturing are increasingly targeted as well. This presents a potentially deadly situation as they not only provide critical services for the public, but are among the most woefully unprepared.
Local governments arguably have the fewest resources and capabilities to prevent and respond to ransomware. And yet, they oversee water utilities, airports, schools, healthcare facilities, and other public services. As the pandemic raged last year, at least 2,354 U.S.-based governments, healthcare facilities, and schools were victims of ransomware. These attacks disrupted medical treatment, forced ambulances to be rerouted, and disabled public transportation.
The Credential Exposure Problem
For any organization lacking the resources and solutions to protect themselves, it can feel impossible to get ahead of ransomware. A 2020 survey of state CISOs found that 70% listed ransomware as a leading concern while noting funding challenges and lack of confidence in localities’ abilities to protect state information. Again, Colonial Pipeline offers a prime example of how even the most under-funded localities can begin to understand the root cause of these attacks and how to get in front of them.
We know the Colonial Pipeline ransomware attack started with a single compromised password, one that a criminal most likely found in a batch of stolen credentials from another breach, which then enabled the criminals to access an employee’s VPN account that wasn’t protected by MFA. The use of stolen credentials to penetrate networks and install ransomware is, simply put, the easiest path for criminals. The fact that poor password habits are leading to massively disruptive, costly and life-threatening attacks is terrifying.
SpyCloud observed a 60% password reuse rate among users exposed in data breaches last year. In addition, our research found over 76% of Fortune 1000 and FTSE 100 employees are reusing passwords across work and personal accounts. When it comes to government employees, SpyCloud research shows they are using the same passwords between their.gov accounts and personal accounts at a rate of 87%.
The government’s supply chain is similarly affected by the password reuse problem: our analysis shows that more than 1 million pairs of emails and passwords for corporate accounts at the 27 largest companies in the defense industrial base are in the hands of cybercriminals. And 79% of those employees are reusing passwords across multiple exposed accounts. Securing these companies in the defense supply chain from cyberattacks is critical to protecting controlled unclassified information that resides on industry systems and networks.
Lest anyone think that reused, compromised credentials won’t affect them because they require multi-factor authentication, I hope they’ll think again. When stolen credentials aren’t enough, malware is the criminals’ weapon of choice. Information stealers send victims’ private data to an attacker, including cookies / session data that allow MFA to be bypassed. This kind of malware is available for just $150.
The federal government has only recently started to address ransomware as a threat to our nation. Unfortunately, cybercrime wasn’t much of a priority when the Justice Department laid out its $500 million grant program. Worse yet, FEMA indicates that in 2020, only 2% of Department of Homeland Security preparedness grants were used for cybersecurity. That’s not a great trend.
Compared to the hundreds of high priorities faced by state and local governments, addressing credential security and password reuse doesn’t look like much of a priority on paper. But the current situation is untenable. The fact that a lack of ransomware preparedness hasn’t resulted in more deaths is astonishing. The ransomware recovery process is costly and time-consuming, averaging nearly $2M per incident for organizations that do not pay the ransom. As Colonial Pipeline proved, many under-funded agencies providing critical services or public goods don’t often have the luxury of stalling. Considering the current situation, it’s fair to say that bolstering credential security and preventing password reuse is now a matter of national security.
That’s the reason I joined SpyCloud. With a background in government service myself, I believe good information makes great intelligence. SpyCloud gives visibility into risks relating to authentication like nothing else, with data that’s actionable and remediation that’s automated. Now is the time to start stopping adversaries where they find the most success.