The Office of Inspector General of the U.S. Department of the Interior (DOI OIG) has identified bad password management and enforcement practices at the Department of the Interior that are placing critical IT systems at risk. These basic password errors are all too common in the healthcare industry and make it far too easy for malicious actors to gain initial access to networks for ransomware attacks and other nefarious purposes.
DOI OIG inspected the department's password complexity requirements to determine whether its password management and enforcement controls were effective and would likely prevent malicious actors from using brute force tactics to gain unauthorized access to accounts. The DOI OIG identified several password management weaknesses and many weak passwords. 4.75% of accounts were secured using variants of ‘password’, which could be cracked instantly by a malicious actor. Password-1234 was being used to protect 478 unique, unrelated accounts, and 5 of the 10 most reused passwords included the word password and the number sequence 1234.
While the DOI had implemented minimum requirements for password complexity, these rules were out of date and no longer fit for purpose. There were also many instances of users setting passwords that met those requirements but were still incredibly weak, such as P@s$w0rd and Changeme$12345. There were no time limits set on passwords, which meant even moderately complex passwords were vulnerable to brute force attacks. Further, when accounts were no longer used, they were not disabled in a timely manner, which placed a further 6,000 accounts at risk.
DOI OIG attempted to crack the department's passwords, and within the first 90 minutes of testing, 16% of DOI passwords had been correctly guessed. Over the entire test of 85,944 department passwords, 18,174 (21%) were cracked, including 288 accounts with elevated privileges and 362 accounts of senior government employees. In addition to these password management failures, the DOI had not consistently implemented multi-factor authentication. The DOI OIG analysis revealed 89% of high-value assets did not have multi-factor authentication enabled, despite multi-factor authentication having been a requirement for 15 years. Further, when asked to produce documentation of which accounts had multi-factor authentication enabled, the department could not produce a list.
The DOI OIG pointed out that the ransomware attack on Colonial Pipeline in 2021, which resulted in the shutdown of the fuel pipeline to the Eastern Seaboard of the United States causing massive disruption to almost half of the country’s fuel supply, occurred as a result of a single password being compromised. The password management failures identified by DOI OIG are all too prevalent across federal, state, and local governments and public and private organizations.
The DOI OIG made several recommendations for improving password management and enforcement: tracking MFA and ensuring it is applied to all accounts; setting new minimum requirements for password complexity in line with the latest password recommendations of the National Institute of Standards and Technology (NIST SP 800-63); implementing controls to monitor, limit, and prevent the use of commonly used, expected, or compromised passphrases and passwords; and ensuring inactive accounts are disabled promptly.
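Two of those recommendations, screening new passwords against a list of commonly used or compromised passwords and flagging inactive accounts for disablement, can be implemented with a small amount of code. The following is an added example written for this article; it is not code from the DOI OIG report or from HIPAA Journal. The blocklist, the leetspeak substitution table, the 90-day inactivity threshold and the sample accounts are all constructed for the example; a real deployment would load a breach corpus and read last-login data from the directory. The normalization step is what catches passwords such as P@s$w0rd and Changeme$12345, which satisfy legacy complexity rules but are dictionary words with decorations.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a blocklist of commonly used / breached passwords.
# A production deployment would load a much larger list from a breach corpus.
COMMON_PASSWORDS = {"password", "changeme", "welcome", "letmein", "qwerty", "admin"}

# Substitutions that make a dictionary word look "complex" to legacy rules.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})

MIN_LENGTH = 8  # NIST SP 800-63B minimum length for user-chosen memorized secrets


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    'Password-1234' -> 'password', 'P@s$w0rd' -> 'password',
    'Changeme$12345' -> 'changeme'.
    """
    core = re.sub(r"[^A-Za-z]+$", "", password)   # strip trailing '-1234', '$12345', '!'
    core = re.sub(r"^[^A-Za-z]+", "", core)       # strip leading digits/symbols
    core = core.lower().translate(LEET_MAP)       # undo @->a, $->s, 0->o, ...
    return re.sub(r"[^a-z]", "", core)            # drop anything still not a letter


def screen_password(password: str, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason) for a candidate password.

    Rejects passwords below the minimum length and passwords whose
    normalized core contains a blocklisted word. Substring matching is a
    deliberate design choice here: it also rejects 'mypassword2023'.
    """
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    core = normalize(password)
    for word in sorted(blocklist):  # sorted for deterministic reason strings
        if word in core:
            return False, "built on blocklisted word '%s'" % word
    return True, "ok"


def inactive_accounts(accounts, now, max_idle_days=90):
    """Return usernames of enabled accounts idle longer than max_idle_days.

    Accounts that never logged in (last_login is None) are also reported,
    since they cannot be shown to be in use.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        last = acct["last_login"]
        if last is None or last < cutoff:
            stale.append(acct["user"])
    return stale


# Constructed sample data for a stand-alone run.
NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "enabled": True,
     "last_login": datetime(2023, 1, 20, tzinfo=timezone.utc)},
    {"user": "contractor42", "enabled": True,
     "last_login": datetime(2022, 6, 1, tzinfo=timezone.utc)},
    {"user": "svc_backup", "enabled": True, "last_login": None},
    {"user": "former_emp", "enabled": False,
     "last_login": datetime(2021, 3, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for candidate in ["Password-1234", "P@s$w0rd", "Changeme$12345",
                      "Sh0rt1", "correct horse battery staple"]:
        print("%-30s %s" % (candidate, screen_password(candidate)))
    print("inactive:", inactive_accounts(SAMPLE_ACCOUNTS, NOW))
```

Running the block prints a rejection for each of the three passwords quoted in the report, a rejection of the too-short candidate, an acceptance of the long passphrase, and the two stale-but-enabled accounts. Hooking `screen_password` into the password-change path and running `inactive_accounts` on a schedule against directory export data covers the two controls without any change to users' existing credentials.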
The post Password Management Howlers Identified at U.S. Department of the Interior appeared first on HIPAA Journal.