What happens if your passwords are stolen? Never mind how.
Let’s assume somehow with “magic” your passwords are stolen. Now what?
It is useful to run this kind of risk assessment exercise to see what could happen in your network.
This is why one does not want to give more access than absolutely necessary.
If the administrator password is stolen it has different ramifications of course.
Of course I am talking about something worse than a default password that should have been changed, as in a CNN¹ report about default passwords. Apparently 90% of the credit card readers had a manufacturer default password, which is easily obtainable on the Internet.
So let’s assume it is not a default password that was stolen, and it is not a technician’s password (which could also be an administrator).
If passwords are easily cracked or guessed, the network is at great risk.
Lifehacker has a good blog post about “How I’d Hack Your Weak Passwords”².
Hopefully we are not talking about combinations of Rock, Paper and Scissors.
How you set your password policy makes a big difference in how an attacker will guess and attack.
How would they know what your policy is?
Well, this is the key: “if” the hacker has a command line on your network, they can find out a lot of information, even the details of your password policy, such as its length and potential complexity requirements, with the “net accounts” command.
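To see what that one command gives away, here is an added example (my code, not from the post) that parses the output format of “net accounts” and flags the settings a defender should tighten. The sample output and the baseline numbers are constructed for the example; adjust the baseline to your own policy.

```python
"""Audit the password policy that `net accounts` exposes.

Added example: parses the output format of the Windows `net accounts`
command and flags settings below an assumed baseline. The sample output
and the baseline numbers are constructed for this example.
"""
import re
import subprocess

# Constructed sample of `net accounts` output on an English-language
# workstation (not captured from a real system). The labels are localized
# on non-English Windows, so the parser keys would differ there.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed baseline for this example; substitute your own policy targets.
# "min" = the value must be at least the limit, "max" = at most the limit.
BASELINE = {
    "Minimum password length": ("min", 12),
    "Length of password history maintained": ("min", 24),
    "Maximum password age (days)": ("max", 90),
    "Lockout threshold": ("max", 10),
}


def parse_net_accounts(text):
    """Return a {setting: value} dict from `net accounts` output.

    Numeric values become int; 'Never' and 'None' become None so that
    'no lockout', 'no expiry' and 'no history' are handled uniformly.
    """
    policy = {}
    for line in text.splitlines():
        # A label, a colon, a run of padding spaces, then the value.
        m = re.match(r"^(.+?):\s{2,}(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.isdigit():
            policy[key] = int(value)
        elif value.lower() in ("never", "none"):
            policy[key] = None
        else:
            policy[key] = value
    return policy


def audit_policy(policy, baseline=BASELINE):
    """Return (setting, actual, expected) for every setting that misses the baseline."""
    findings = []
    for key, (kind, limit) in baseline.items():
        actual = policy.get(key)
        if kind == "min":
            # None here means 'None' (e.g. no history kept): fails any minimum.
            if actual is None or actual < limit:
                findings.append((key, actual, f">= {limit}"))
        else:
            # None here means 'Never' (no lockout, no expiry): fails any maximum.
            if actual is None or actual > limit:
                findings.append((key, actual, f"<= {limit}"))
    return findings


def read_live_policy():
    """On a Windows host, run `net accounts` and parse the real output."""
    out = subprocess.run(["net", "accounts"], capture_output=True,
                         text=True, check=True).stdout
    return parse_net_accounts(out)


if __name__ == "__main__":
    # Runs against the constructed sample; swap in read_live_policy() on Windows.
    for setting, actual, expected in audit_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(f"WEAK: {setting} = {actual!r}, expected {expected}")
```

On the sample, the minimum length of 0, the “Never” lockout threshold and the “None” history all fail the baseline; the 42-day maximum age passes. The point for the defender is that anyone with a command line on the machine sees exactly these numbers, so they need to be set as if the attacker already knows them.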
The whole key for the hacker is to get a breach and a command line. Once that happens, more and more information will be found, until a user ID with a lot of capabilities is stolen.
So again, now that the hacker is on your network (somehow, let’s not worry about that), the passwords you have are susceptible to attacks.
If you think there is 0% chance of this occurring you are wrong.
I’m trying to raise awareness of potential security breaches and elevations of privilege that hackers will use to gain more information until they achieve their objective: command and control.
Also found a good article on credential hacks (passwords for usernames) at SC Magazine³. Nir Polak discusses how in some cases system admins can tell when a username is being used remotely over VPN, and that should raise flags. We should make it a habit to create situations where we call the user and find out what is happening. If the user is really not in the remote location, then cut access. (updated 12/9)
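The kind of check Polak describes can be automated. Below is an added example (my code, not from the post or the SC Magazine article) that runs two checks over constructed logon events: a VPN logon close in time to an on-site badge or console logon for the same account, and a VPN logon from a country the user does not normally work from. The event format, the two-hour window and the per-user country profile are all assumptions of the example.

```python
"""Flag VPN logons that should trigger a phone call to the user.

Added example, not from the post or the article it cites. It applies two
checks to constructed logon events: a VPN logon close in time to an
on-site logon for the same account, and a VPN logon from a country the
user does not normally work from.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time,user,source,location.
# source is 'vpn' for the remote-access gateway, 'onsite' for a badge or
# console logon; location is a site name or an ISO country code.
SAMPLE_EVENTS = """\
2017-02-15T08:02:00,jsmith,onsite,HQ
2017-02-15T08:40:00,jsmith,vpn,RO
2017-02-15T09:10:00,amiller,vpn,US
2017-02-15T13:00:00,amiller,vpn,US
2017-02-15T22:15:00,bchen,vpn,US
2017-02-16T07:55:00,bchen,onsite,HQ
"""

# Assumed per-user profile of the countries they normally connect from.
USUAL_COUNTRIES = {"jsmith": {"US"}, "amiller": {"US"}, "bchen": {"US"}}

# Assumed: an on-site logon and a VPN logon within two hours of each other
# cannot both be the real user.
WINDOW = timedelta(hours=2)


def parse_events(text):
    """Parse the CSV-style sample into sorted (time, user, source, location) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, location = line.split(",")
        events.append((datetime.fromisoformat(ts), user, source, location))
    return sorted(events)


def detect_suspicious_vpn(events, usual_countries, window=WINDOW):
    """Return (time, user, reason) for each VPN logon that warrants a call to the user."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        onsite_times = [t for t, _, src, _ in evs if src == "onsite"]
        for t, _, src, loc in evs:
            if src != "vpn":
                continue
            # Check 1: the same account is on site and on the VPN at nearly the
            # same time, i.e. "in two places at once".
            if any(abs(t - o) <= window for o in onsite_times):
                findings.append((t, user, f"VPN logon from {loc} within {window} of an on-site logon"))
            # Check 2: the VPN source country is outside the user's usual profile.
            if loc not in usual_countries.get(user, set()):
                findings.append((t, user, f"VPN logon from unexpected country {loc}"))
    return findings


if __name__ == "__main__":
    for t, user, reason in detect_suspicious_vpn(parse_events(SAMPLE_EVENTS), USUAL_COUNTRIES):
        # The post's response step: call the user; if they are not really remote, cut access.
        print(f"{t:%Y-%m-%d %H:%M} {user}: {reason} -> call the user before keeping the session")
```

In the sample, jsmith badges in at HQ and 38 minutes later appears on the VPN from a country not in the profile, so both checks fire; bchen’s VPN session the evening before an on-site logon is more than two hours away and is left alone. The output is a call list, not an automatic block: the post’s procedure is to phone the user first and cut access only if they are not where the session says they are.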
to discuss what can be done in your environment, including setting up security policies, reviewing your machine policies (Active Directory) and making sure that administrator group access is not given to more people than necessary. (updated 02/15/2017)