Intelligent CISO Issue 16 | Page 13

news Hackers able to guess 60% of passwords, Rapid7 research finds total of 73% of breaches now involve stolen passwords, more than half of which (60%) are able to be cracked by hackers through simple guesswork, a new nine-month penetration testing study by Rapid7 has found. A Despite the huge amount of user training about the importance of strong unique passwords, Rapid7 penetration testers were able to crack 60% of passwords by trying known defaults, variations of the word ‘password’, the current season and year, and easily guessable organisation-specific passwords. The single biggest method for obtaining user credentials is by offline password hacking with a hash file. This outcome is the result of 180 penetration testing engagements the company has done for a variety of organisations over a nine-month period between mid-September 2018 and the end of May 2019. This method involves taking a list of password hashes and working out what passwords generate those hashes, while challenge-response authentication traffic and /etc/shadow password storage techniques were also reported that DIGITAL SHADOWS ANNOUNCES UPDATE TO SEARCHLIGHT PLATFORM igital Shadows, a leader in digital risk protection, has announced significant updates to its SearchLight platform which will enable organisations to make faster and better decisions regarding security risks associated with Digital Transformation. D SearchLight’s new risk engine enables security teams to better prioritise and assess external digital risks. For impersonating domains and marked document alerts, SearchLight immediately identifies key risk factors and assesses the risk posed using a method aligned to the FAIR model – incorporating asset value, risk likelihood and scenario-based impact assessments. tools to take action. Digital Shadows ‘playbooks’, based on the NIST computer security incident handling guide, provide step by step advice to triage, evaluate and mitigate risks. As an example, on average Digital Shadows customers receive 290 domain impersonations per year. In these circumstances, customers will include eavesdropping on password authentication or seeking a user’s password in an encrypted format alongside what it can access. Rapid7’s penetration testers noted that a large proportion of cracked passwords obtained via this method would’ve been guessable given more time. immediately be advised of whether the domain is hosting content, view full screenshots, source code and details of its DNS and MX records including a full history of WHOIS registration. SearchLight will automatically include context provided by Google Safe Browsing and Webroot as industry- leading sources for context. Alongside these changes, Digital Shadows is unveiling new collection techniques, including automated asset discovery and image searching. In addition to risk scoring, security teams are now also provided with the www.intelligentciso.com | Issue 16 13