Trustwave’s Best Practices for Protecting Against Mother of all Data Breaches

The discovery of what has been dubbed the Mother of all Data Breaches (MOAB), reportedly containing 12TB or 26 billion records representing 3,800 separate data breaches, should remind everyone of the need to maintain strong passwords and change default credentials.

The hoard contained user data from some of the world's best-known brands, including Twitter (now X), LinkedIn, Zynga, and Adobe, along with records from various government organizations in the US, Brazil, Germany, the Philippines, and Turkey, according to CyberNews. It is not known who or what group collected the data, but it is believed to combine previously stolen and newly stolen records.

Despite likely containing a great deal of older information, MOAB presents a massive threat to the general public and the breached organizations. This threat exists primarily because too many individuals not only never change their passwords but often reuse them across multiple accounts.

At the same time, MOAB’s revelation is an excellent reminder to organizations of the importance of changing admin credentials on devices within their networks.


Devising Strong Passwords Isn't Difficult

Sure, going into an account and altering a password can be a bit time-consuming, but coming up with an effective, easy-to-remember password is simple. To make the task even easier, here are some top tips from the elite Trustwave SpiderLabs team to ensure your organization has a strong password security posture:

  1. Add Complexity to Your Passwords
    Length does matter. Passwords with eight characters can be cracked within a day using brute-force techniques. Opt for a minimum of 10 characters for increased security. Mix it up by incorporating symbols, numbers, and a combination of uppercase and lowercase letters to make your password more resilient against hacking attempts.
  2. Embrace Passphrases
    Easy to remember, hard to crack: use phrases that are memorable to you but challenging for others to guess. For instance, "GoodLuckGuessingThisPassword" provides both strength and memorability.
  3. Regularly Change Your Passwords
    Doing so helps you stay ahead of threats. It's a solid practice to change passwords every 60 to 90 days, especially for sensitive accounts. Avoid using the same password across multiple platforms to mitigate risks.
  4. Salt and Hash for Added Security
    IT administrators should use unique, random "salts" when "hashing" stored passwords. This involves combining a piece of random data with each password before calculating the hash, so that two users with the same password do not end up with the same stored hash.
  5. Implement Strong Password Policies
    An organization's password policies should consider contextual elements, such as company identifiers, products, or local references. Tailor policies to enhance security without sacrificing usability.
  6. Conduct Password Audits
    Identify weak links by regularly auditing staff passwords to pinpoint vulnerabilities within your organization. Threat actors often target non-tech-savvy users, making it crucial to address potential soft spots.
  7. Explore Two-Factor Authentication (2FA)
    2FA, a form of multi-factor authentication (MFA), effectively creates a double layer of defense. Supplement passwords with 2FA to add an extra layer of verification. If a password is compromised, the second factor acts as a formidable defense.
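The following is an added example, not code from the article or from Trustwave, that turns tips 1, 2, 4, 5 and 6 into working checks: a contextual password policy, salted hashing of stored passwords, constant-time verification, and an audit that flags accounts whose password appears in a leaked list. The thresholds, the company identifiers in `CONTEXT_WORDS`, the scrypt parameters and the sample accounts are all illustrative assumptions; scrypt from Python's standard library is the author's choice of hashing function here, not something the article prescribes.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the article. Policy thresholds, the context-word
# list and the scrypt parameters below are illustrative assumptions.

MIN_LENGTH = 10            # tip 1: at least 10 characters
PASSPHRASE_LENGTH = 20     # tip 2: a long passphrase may skip the character-class rule (assumption)
CONTEXT_WORDS = ["acmecorp", "acme", "widgetpro"]   # tip 5: constructed company identifiers
CHARACTER_CLASSES = [
    ("uppercase letter", r"[A-Z]"),
    ("lowercase letter", r"[a-z]"),
    ("digit", r"[0-9]"),
    ("symbol", r"[^A-Za-z0-9]"),
]


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) < PASSPHRASE_LENGTH:
        missing = [name for name, pattern in CHARACTER_CLASSES if not re.search(pattern, password)]
        if missing:
            problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    problems.extend(f"contains contextual word {word!r}" for word in CONTEXT_WORDS if word in lowered)
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Tip 4: derive the stored hash from the password plus a fresh 16-byte random salt.

    scrypt is a memory-hard password hashing function, so every guess costs the
    attacker real CPU and memory; the per-user salt means identical passwords
    produce different hashes and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def audit_accounts(accounts: Dict[str, Tuple[bytes, bytes]], leaked_passwords: List[str]) -> List[str]:
    """Tip 6: report users whose stored hash matches a password from a known breach list."""
    flagged = []
    for user, (salt, digest) in accounts.items():
        if any(verify_password(candidate, salt, digest) for candidate in leaked_passwords):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for candidate in ["Pa$$w0rd", "AcmeCorp2024!", "GoodLuckGuessingThisPassword", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {check_policy(candidate) or 'OK'}")
    # Constructed account store and a constructed "leaked" list standing in for a MOAB-style dump.
    store = {"alice": hash_password("Winter2023!"), "bob": hash_password("Zq7#pLm9vR2x")}
    print("accounts reusing a leaked password:", audit_accounts(store, ["Winter2023!", "password1"]))
```

The audit deliberately works only from the stored salt and hash, so it can run without ever holding users' plaintext passwords; because each check costs a full scrypt computation, a real deployment would prioritise the most common leaked passwords and privileged accounts rather than trying an entire dump against every user.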


Unchanged Admin Credentials are an Unlocked Door

One of the easiest paths into an organization is through an Internet of Things (IoT) or connected device that retains the admin credentials set at the factory. These credentials are often well-known and available to threat actors via the dark web.

While the MOAB data dump may or may not contain such credentials, the possibility certainly exists and is a good reminder that there are other methods threat actors use to gain credentials.

Let's take a quick refresher course:

  • Phishing attacks typically involve sending an email or message that appears to be from a legitimate source. The message asks the user either to enter their login credentials into a site the threat group controls, handing the credentials straight to the attackers, or to open an attachment that is likely malicious and may carry credential-stealing malware.

To protect against phishing attacks, always be cautious of emails or messages that ask you to open attachments, follow web links, or enter your login credentials.

  • Social engineering involves using psychological manipulation to trick users into divulging sensitive information. A cybercriminal may call a user and pretend to be from IT. They will ask for a screen share and use the access to install keylogging software or other malware designed to harvest credentials.

To protect yourself from social engineering attacks, always be cautious of requests for sensitive information, particularly if they are unsolicited. You should also be wary of any request for access to your computer that has not been verified through authorized channels.

  • Credential stuffing is a type of cyberattack in which attackers use a large database of compromised login credentials (usernames and passwords), such as the MOAB cache. The technique involves the automated input of these credentials into login pages to gain access to a user's account. It is made possible by the widespread use of weak or reused passwords across multiple online accounts.
  • A brute force attack tries to crack a password by guessing every possible combination until it finds the correct one. To prevent brute force attacks, users should ensure that their passwords are strong and complex, with a mix of uppercase and lowercase letters, numbers, and special characters. Organizations should also implement policies that require regular password changes and limit the number of failed login attempts.
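The two automated attacks above leave distinct traces in authentication logs, and the last sentence of the list (limit the number of failed login attempts) is a detection rule as much as a policy. The following is an added example, not code from the article or from Trustwave, showing both checks over a constructed login log: a per-account lockout that fires after repeated failures inside a time window (brute force), and a per-source heuristic that flags one address trying many different accounts (credential stuffing) and lists which of those logins succeeded, since those accounts are the ones to triage first. The log format, the thresholds, the window length and the sample lines (with documentation-range IP addresses) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example, not code from the article or from Trustwave. The log format,
# thresholds and window below are assumptions; the log lines are constructed.

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
MAX_FAILURES_PER_USER = 5      # lock the account after this many failures inside WINDOW
MIN_DISTINCT_USERS = 4         # one source trying this many accounts inside WINDOW looks like stuffing
WINDOW = timedelta(minutes=10)

# Constructed sample log: alice is being brute-forced from one address, a second
# address is spraying one guess each across several accounts (and gets into erin),
# and grace simply mistyped her password once.
SAMPLE_LOG = """\
2024-01-24T18:00:00Z login user=alice src=198.51.100.7 result=FAIL
2024-01-24T18:00:05Z login user=alice src=198.51.100.7 result=FAIL
2024-01-24T18:00:09Z login user=alice src=198.51.100.7 result=FAIL
2024-01-24T18:00:14Z login user=alice src=198.51.100.7 result=FAIL
2024-01-24T18:00:20Z login user=alice src=198.51.100.7 result=FAIL
2024-01-24T18:00:25Z login user=alice src=198.51.100.7 result=FAIL
2024-01-24T18:01:00Z login user=bob src=203.0.113.9 result=FAIL
2024-01-24T18:01:01Z login user=carol src=203.0.113.9 result=FAIL
2024-01-24T18:01:02Z login user=dave src=203.0.113.9 result=FAIL
2024-01-24T18:01:03Z login user=erin src=203.0.113.9 result=OK
2024-01-24T18:01:04Z login user=frank src=203.0.113.9 result=FAIL
2024-01-24T18:30:00Z login user=grace src=192.0.2.44 result=FAIL
2024-01-24T18:30:30Z login user=grace src=192.0.2.44 result=OK
"""

Event = Tuple[datetime, str, str, bool]   # (timestamp, user, source address, success)


def parse_log(text: str) -> List[Event]:
    """Parse login records into (timestamp, user, src, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue   # ignore lines that are not login records
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match["user"], match["src"], match["result"] == "OK"))
    return sorted(events)


def find_lockouts(events: List[Event]) -> Dict[str, str]:
    """Brute-force guard: the first time a user reaches MAX_FAILURES_PER_USER failed
    logins inside WINDOW, record the ISO timestamp at which the lockout triggers."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    locked: Dict[str, str] = {}
    for ts, user, _src, ok in events:
        if ok:
            recent[user].clear()      # a successful login resets the running count
            continue
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
        if len(recent[user]) >= MAX_FAILURES_PER_USER and user not in locked:
            locked[user] = ts.isoformat()
    return locked


def find_credential_stuffing(events: List[Event]) -> Dict[str, Dict[str, List[str]]]:
    """Stuffing heuristic: a source that attempts MIN_DISTINCT_USERS or more distinct
    accounts inside WINDOW is flagged, together with the accounts it logged into."""
    window: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    flagged: Dict[str, Dict[str, set]] = {}
    for ts, user, src, ok in events:
        window[src] = [e for e in window[src] if ts - e[0] <= WINDOW] + [(ts, user, ok)]
        users = {u for _, u, _ in window[src]}
        if len(users) >= MIN_DISTINCT_USERS:
            entry = flagged.setdefault(src, {"users": set(), "succeeded": set()})
            entry["users"] |= users
            entry["succeeded"] |= {u for _, u, success in window[src] if success}
    return {src: {key: sorted(val) for key, val in entry.items()} for src, entry in flagged.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("lockouts:", find_lockouts(parsed))
    print("credential stuffing sources:", find_credential_stuffing(parsed))
```

Note that the stuffing check counts successes as well as failures: a stuffing run typically produces a low success rate rather than none, and a lockout rule keyed only on failures per account never sees a source that tries each account once. Both rules are meant to run alongside the password controls above, not to replace them.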


How Trustwave Can Help

Organizations that lack the in-house ability to handle the tasks required to maintain security should consider partnering with a company with such expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.

Without the right expertise, organizations won't get the value they desire out of these technologies. Likewise, a traditional managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for its customers.
