news

Hackers able to guess 60% of passwords, Rapid7 research finds

A total of 73% of breaches now involve stolen passwords, and more than half of those passwords (60%) can be cracked by attackers through simple guesswork, a new nine-month penetration testing study by Rapid7 has found.

Despite the huge amount of user training about the importance of strong, unique passwords, Rapid7 penetration testers were able to crack 60% of passwords by trying known defaults, variations of the word 'password', the current season and year, and easily guessable organisation-specific passwords.

This outcome is the result of 180 penetration testing engagements the company carried out for a variety of organisations over a nine-month period between mid-September 2018 and the end of May 2019.

The single biggest method for obtaining user credentials is offline password cracking of a captured hash file. This method involves taking a list of password hashes and working out which passwords generate those hashes. Capturing challenge-response authentication traffic and reading /etc/shadow password storage were also reported; these involve eavesdropping on password authentication, or obtaining a user's password in hashed form along with what that account can access.

Rapid7's penetration testers noted that a large proportion of the passwords cracked via this method would have been guessable given more time.

DIGITAL SHADOWS ANNOUNCES UPDATE TO SEARCHLIGHT PLATFORM

Digital Shadows, a leader in digital risk protection, has announced significant updates to its SearchLight platform which will enable organisations to make faster and better decisions regarding security risks associated with Digital Transformation.

SearchLight's new risk engine enables security teams to better prioritise and assess external digital risks. For impersonating-domain and marked-document alerts, SearchLight immediately identifies key risk factors and assesses the risk posed using a method aligned to the FAIR model, incorporating asset value, risk likelihood and scenario-based impact assessments.

In addition to risk scoring, security teams are now also provided with the tools to take action. Digital Shadows 'playbooks', based on the NIST computer security incident handling guide, provide step-by-step advice to triage, evaluate and mitigate risks.

As an example, on average Digital Shadows customers receive 290 domain impersonations per year. In these circumstances, customers will immediately be advised of whether the domain is hosting content, and can view full screenshots, source code and details of its DNS and MX records, including a full history of WHOIS registration. SearchLight will automatically include context provided by Google Safe Browsing and Webroot.

Alongside these changes, Digital Shadows is unveiling new collection techniques, including automated asset discovery and image searching.
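The guessing strategy described in the Rapid7 item above (known defaults, variations of 'password', the current season plus year, and organisation-specific words) is cheap to reproduce against a captured hash file. The following is an added example, not code from the original article or from Rapid7: it generates those candidate patterns and tests them against a small constructed hash list. The hash file format (salted SHA-256 written as user:$sha256$salt$hex), the usernames, the salts and the organisation word 'acme' are all assumptions made for the demo; a real engagement would target NTLM or sha512crypt hashes with a tool such as hashcat, but the candidate generation is the same.

```python
"""Mini offline hash cracker driven by the 'guessable patterns' the Rapid7
study describes. Added example: the hash file format below is a constructed
stand-in (salted SHA-256), not a real /etc/shadow or NTLM dump."""
import hashlib

SEASONS = ("Spring", "Summer", "Autumn", "Fall", "Winter")
DEFAULTS = ("admin", "changeme", "welcome", "letmein", "Welcome1", "P@ssw0rd")
LEET = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"}


def leet_forms(word):
    """Yield the word, each single leet substitution, and the full substitution."""
    w = word.lower()
    yield w
    for plain, sub in LEET.items():
        if plain in w:
            yield w.replace(plain, sub)
    yield "".join(LEET.get(c, c) for c in w)


def candidates(org_words, years=(2018, 2019)):
    """Generate guessable passwords: defaults, 'password' variants, season+year,
    and organisation-specific words, each with common case/suffix mangling."""
    bases = list(DEFAULTS) + ["password"] + list(SEASONS) + list(org_words)
    suffixes = ["", "1", "!", "123", "1!"]
    suffixes += [str(y) for y in years] + [f"{y}!" for y in years]
    seen = set()
    for base in bases:
        for form in leet_forms(base):
            for cased in (form, form.capitalize(), form.upper()):
                for suffix in suffixes:
                    cand = cased + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def hash_password(salt, password):
    """Stand-in hash: sha256(salt || password). Real targets would be
    sha512crypt or NTLM; the guessing logic does not change."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def parse_hashfile(text):
    """Parse 'user:$sha256$salt$hexdigest' lines (constructed format)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(":", 1)
        _, algo, salt, digest = rest.split("$")
        if algo != "sha256":
            raise ValueError(f"unsupported hash type {algo!r} for {user}")
        entries.append((user, salt, digest))
    return entries


def crack(entries, org_words, years=(2018, 2019)):
    """Return {user: password} for every entry matched by a candidate.
    Salts are per-user, so each candidate is hashed once per uncracked user."""
    remaining = {user: (salt, digest) for user, salt, digest in entries}
    cracked = {}
    for cand in candidates(org_words, years):
        for user in list(remaining):
            salt, digest = remaining[user]
            if hash_password(salt, cand) == digest:
                cracked[user] = cand
                del remaining[user]
        if not remaining:
            break
    return cracked


# Constructed sample: three 'guessable' passwords and one strong one.
SAMPLE_PASSWORDS = {
    "alice": "Summer2019",     # season + year
    "bob": "P@ssword1",        # 'password' variant
    "carol": "acme123",        # organisation word + digits
    "dave": "Xq7#vL9!pR2m",    # random; should survive the guess list
}
SAMPLE_HASHFILE = "\n".join(
    f"{user}:$sha256$salt{i}${hash_password(f'salt{i}', pw)}"
    for i, (user, pw) in enumerate(SAMPLE_PASSWORDS.items())
)


def demo():
    """Crack the constructed hash file with 'acme' as the organisation word."""
    entries = parse_hashfile(SAMPLE_HASHFILE)
    return crack(entries, org_words=["acme"])


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw}")
```

The whole guess list is a few thousand strings, so every account that follows one of these patterns falls in well under a second regardless of the salt; only the random password survives. The same loop works as a defensive check: run your own directory's hashes through it (or a banned-password list built the same way) before an attacker does.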
www.intelligentciso.com | Issue 16 | 13