They say you shouldn't judge a book by its cover, but is the security posture of an organization indicative of its risk exposure to cybercrime? The following article outlines the challenges faced by government agencies as they are routinely targeted by cyber attackers.

(https://www.cbc.ca/news/canada/british-columbia/bc-government-cyberattack-state-actor-1.7200735)

While operational security is hard, a keen eye will pause on this seemingly innocuous turn of phrase:

"Workers told to change passwords"

Given the vast number of articles routinely reporting cyber incidents, it's easy to blink and miss the outdated security advice and its associated implications. For instance, vague reports of state-sponsored attacks are nothing new, but the steps taken to remediate the situation can tell a lot about an organization's or agency's risk maturity.

Based on the above quote, one could draw 3 quick - albeit inconclusive - conclusions:

  • What passes for security "best practices" these days instructs system administrators to "force a change if there is evidence of compromise". That is, rather than letting users change their passwords whenever they get around to it.
  • 29 years after the invention of multifactor authentication, companies and government agencies still depend on single-factor technologies.
  • 8 years after NIST indicated that regular password changes are no longer recommended as an effective security control, it is still considered a "best practice" by many, who routinely force users to think of new passwords every few months.

Despite strong indication that state cyber actors are routinely poking around government systems, the public is still not presented with evidence to substantiate efforts at attributing attacks to specific countries or regimes, preferring instead to let the media speculate about the identities of the usual suspects.

[If you enjoyed this blog post, you might also like its sister blog: www.BadPrivacy.com]