Protecting Higher Education Against Common Cyber Attacks Exploiting User Passwords

Dr. Mark D. Webster, Chief Information Security Officer, East Carolina University

Are your university’s credentials for sale on the dark web? Earlier this year in late May, the Federal Bureau of Investigation issued an alert informing academic partners about the serious problem of university credentials being offered for sale at cyber criminal marketplaces. Compromised credentials often lead directly to cyber attacks against both individual users and affiliated organizations, and such attacks continue to increase against higher education institutions.

A common password attack used by cyber adversaries is credential stuffing: leveraging lists of known compromised usernames and passwords, which have often been exposed through large third-party data breaches. The RockYou2021 password compilation posted online last year is estimated to have contained 8.4 billion entries (Mikalauskas, 2021). In credential stuffing, attackers try compromised credentials against other systems to see whether individuals have reused their passwords. Reusing passwords places both the individual and the institution at risk, and it’s important for universities to emphasize in our security awareness training that reusing passwords is both bad practice and against institutional policy. To help protect against credential stuffing tactics, an effective enterprise safeguard is to enable technical controls that compare user passwords against global banned password lists associated with cyber breaches. Organizations such as REN-ISAC, a trust community that serves higher education, provide institutions with information about user credentials that have appeared in data breaches or credential dumps. It’s recommended that universities regularly obtain such lists, notify affected users, and require them to change their passwords.
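The two controls described above, matching a received credential dump against the institution's own accounts to find users who must reset, and screening new passwords against a banned list, can be implemented as follows. This is an added example, not code from the author or from REN-ISAC; the dump, the banned list, the account names and the PBKDF2 storage scheme are all constructed for illustration, and real banned lists are usually distributed as SHA-1 hashes rather than plaintext, which is why the check hashes the candidate first.

```python
import hashlib
import hmac
import os
import re

# --- Constructed sample data: none of these are real accounts, hashes or leaks ---

# A credential dump as a sharing community might forward it (username:password lines).
CONSTRUCTED_DUMP = """\
jdoe@example.edu:Fall2022!
asmith@example.edu:correct-horse-battery
rlee@example.edu:Summer2021
nobody@other.example:Winter2020
"""

# Global banned-password lists are usually shipped as SHA-1 hashes of the plaintexts;
# this one is built from a few constructed entries so the example runs offline.
CONSTRUCTED_BANNED_PLAINTEXTS = ["password1", "Fall2022!", "Welcome1", "qwerty123"]
BANNED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in CONSTRUCTED_BANNED_PLAINTEXTS
}

# Season + year, optionally followed by punctuation ("Fall2022", "Spring23!", ...).
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^A-Za-z0-9]*$", re.IGNORECASE)


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the directory actually uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_directory(accounts):
    """Constructed institutional directory: username -> (salt, stored hash)."""
    directory = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        directory[user.lower()] = (salt, hash_password(password, salt))
    return directory


def parse_dump(text):
    """Return (username, password) pairs from a username:password dump, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        entries.append((user.lower(), password))
    return entries


def find_affected_users(dump_text, directory):
    """Users whose current password still equals the password leaked for them."""
    affected = set()
    for user, leaked_password in parse_dump(dump_text):
        record = directory.get(user)
        if record is None:
            continue  # leaked account is not one of ours
        salt, stored = record
        # Re-hash the leaked plaintext with the user's salt and compare in constant time.
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            affected.add(user)
    return sorted(affected)


def is_banned(candidate, banned_sha1=BANNED_SHA1):
    """Reject a proposed password that is on the banned list or follows the SeasonYear pattern."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in banned_sha1:
        return True
    return bool(SEASON_YEAR.match(candidate))


if __name__ == "__main__":
    directory = build_directory({
        "jdoe@example.edu": "Fall2022!",         # still using the leaked password
        "asmith@example.edu": "Tr0ub4dor&3xtra",  # changed since the leak
        "rlee@example.edu": "Summer2021",        # still using the leaked password
    })
    print("force reset for:", find_affected_users(CONSTRUCTED_DUMP, directory))
    for pw in ["Fall2022!", "Spring2023", "Welcome1", "lamp-river-quartz-47"]:
        print(pw, "-> banned" if is_banned(pw) else "-> ok")
```

The dump check deliberately re-hashes the leaked plaintext with each user's own salt rather than comparing raw strings, so the institution never needs to hold its users' passwords in the clear; the banned-list check runs at password-change time, before the new value is stored.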

Many organizations still maintain password strength policies stipulating a minimum password length of eight characters. If your institution has such an old-school password policy, the likelihood is that user credentials for your institution are compromised. While security recommendations from Microsoft and others seem to be shifting in some more recent revised guidelines, at the time of writing several of Microsoft's own knowledge base articles still carry the old-school language of an eight-character minimum length requirement. I’m here to tell you that’s really a very bad idea.

The fact of the matter is that from an institutional perspective, such a password policy is potentially an Achilles' heel, and almost guarantees that your institution is vulnerable to password spraying tactics. On the one hand, organizations point to how their authentication systems are programmed to prevent brute force attacks against an individual user account by locking out the account after a few wrong password attempts. On the other hand, the problem is that password spraying can easily be employed against a large group of users. Unless your institution has implemented something like Azure AD Password Protection to eliminate the use of easily guessed passwords, I'd bet that during the new academic year you’ll have multiple users with a SeasonYear-formatted poor password like "Fall2022" or "Fall2022!" or something like it. The bad guys know this too. Most organizations have a formal convention for email addresses, and so after attackers collect a list of usernames, all that’s necessary to gain access to your network is to try an easily guessed password against the list of accounts (spraying the easily guessed password against a volume of accounts).
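Because spraying stays under the per-account lockout threshold, it is invisible to controls that count failures per user; it shows up only when failures are grouped by source. The detection below is an added example, not the author's code or any product's rule: it groups failed logins by source address, slides a time window over them, and flags a source that has failed against many distinct accounts while staying below the lockout count for each. The log format, the thresholds and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-authentication log lines (not from any real system).
# Assumed format: "<ISO timestamp> FAILED_LOGIN user=<name> src=<ip>"
CONSTRUCTED_LOG = """\
2022-09-06T08:00:01 FAILED_LOGIN user=aa100 src=203.0.113.10
2022-09-06T08:00:04 FAILED_LOGIN user=bb101 src=203.0.113.10
2022-09-06T08:00:07 FAILED_LOGIN user=cc102 src=203.0.113.10
2022-09-06T08:00:10 FAILED_LOGIN user=dd103 src=203.0.113.10
2022-09-06T08:00:13 FAILED_LOGIN user=ee104 src=203.0.113.10
2022-09-06T08:00:16 FAILED_LOGIN user=ff105 src=203.0.113.10
2022-09-06T08:05:00 FAILED_LOGIN user=gg106 src=198.51.100.7
2022-09-06T08:05:02 FAILED_LOGIN user=gg106 src=198.51.100.7
2022-09-06T08:05:04 FAILED_LOGIN user=gg106 src=198.51.100.7
2022-09-06T08:05:06 FAILED_LOGIN user=gg106 src=198.51.100.7
2022-09-06T08:05:08 FAILED_LOGIN user=gg106 src=198.51.100.7
2022-09-06T09:30:00 FAILED_LOGIN user=hh107 src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, user, source) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore lines that are not failed-login records
        events.append((datetime.fromisoformat(match["ts"]), match["user"].lower(), match["src"]))
    events.sort()
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: sorted distinct users} for sources whose failures look like a spray.

    A spray is: within `window`, at least `min_users` distinct accounts failed from one
    source, and no single account failed more than `max_per_user` times (i.e. the
    attacker stayed below a lockout threshold of max_per_user + 1).
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    findings = {}
    for src, evs in by_src.items():
        j = 0
        for i in range(len(evs)):
            # Advance j so evs[i:j] holds every event within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            per_user = defaultdict(int)
            for _, user in evs[i:j]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(per_user)
                break  # one window is enough to flag this source
    return findings


if __name__ == "__main__":
    for src, users in detect_spraying(parse_log(CONSTRUCTED_LOG)).items():
        print(f"possible password spray from {src} against {len(users)} accounts: {users}")
```

In the constructed sample, 203.0.113.10 fails once against six different accounts in fifteen seconds and is flagged; 198.51.100.7 fails five times against one account, which a per-account lockout already handles and which this rule deliberately leaves alone; 192.0.2.5 is a single stray failure. The window and thresholds are the tuning knobs: a "low and slow" spray that spreads attempts over hours needs a longer window and, in practice, correlation across sources as well.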

Perhaps the most important safeguard to protect user credentials is to employ multi-factor authentication (MFA), which has been statistically proven to significantly reduce the risk of account compromise. However, even where MFA has been implemented, the important thing for your institution to consider is whether all of your sensitive IT systems and data are behind MFA protections. Are there any exceptions? If so, such cases may indicate there’s a higher risk in your environment of password spraying being used successfully against you in a cyber attack.

There are inherent weaknesses in the old-school password policy of an eight-character minimum besides being vulnerable to password spraying. Passwords are normally not stored in the clear but as a system-generated hash, a value derived from the password by a one-way algorithm. The massively destructive ransomware attack that hit the Costa Rican government networks earlier this year included the criminals using security tools to collect, compromise, and exploit the password hashes for government user accounts. Security researchers have demonstrated (Hive Systems, 2022) that on average, if an attacker is able to obtain password hashes, they can compromise through brute force an eight-character password made up of numbers, upper, and lower case letters in only 7 minutes. Research shows that password strength is highly dependent on the number of characters: reduce such a password to seven characters and it can be cracked in 7 seconds; increase it to 15 characters and it will take 46 million years. From such empirical research we can only conclude that organizations, especially we universities who are facing sophisticated cyber adversaries, must move aggressively to require stronger requirements in our password policies.
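The reason length dominates is that the search space grows by a factor of the alphabet size with every added character. The added example below (not from the author or from Hive Systems) makes that explicit: it takes the page's 7-minute figure for an eight-character password over the 62-symbol alphabet of digits and upper- and lower-case letters as the measured baseline, derives the hash rate that implies, and scales the exhaustive-search time to other lengths at that same rate. It assumes uniformly random passwords; real passwords built from words and patterns fall far faster than this model predicts, which is the whole point of the banned-list controls above.

```python
import string

# Alphabet assumed by the page's figures: digits plus upper- and lower-case letters.
ALPHANUMERIC = len(string.ascii_letters + string.digits)  # 26 + 26 + 10 = 62 symbols

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size=ALPHANUMERIC):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def implied_hash_rate(seconds_for_full_search, length, alphabet_size=ALPHANUMERIC):
    """Hashes per second an attacker must achieve to exhaust that keyspace in that time."""
    return keyspace(length, alphabet_size) / seconds_for_full_search


def scaled_crack_time(base_seconds, base_length, target_length, alphabet_size=ALPHANUMERIC):
    """Scale a measured exhaustive-search time to another length at the same hash rate.

    Each extra character multiplies the work by alphabet_size, so
    time(target) = time(base) * alphabet_size ** (target - base).
    """
    return base_seconds * alphabet_size ** (target_length - base_length)


def crack_time_table(base_seconds, base_length, lengths, alphabet_size=ALPHANUMERIC):
    """Predicted seconds to exhaust the keyspace for each length in `lengths`."""
    return {n: scaled_crack_time(base_seconds, base_length, n, alphabet_size) for n in lengths}


def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    # Baseline taken from the page: 8 alphanumeric characters cracked in 7 minutes.
    base_seconds, base_length = 7 * 60, 8
    print(f"implied rate: {implied_hash_rate(base_seconds, base_length):.2e} hashes/second")
    for n, secs in crack_time_table(base_seconds, base_length, range(6, 17)).items():
        print(f"{n:2d} characters: {humanize(secs)}")
```

Scaling the page's baseline reproduces its other two figures: seven characters comes out at about 6.8 seconds and fifteen characters at roughly 47 million years, matching the "7 seconds" and "46 million years" quoted above to within rounding. Note that a single extra character beyond eight already pushes the time past seven hours at the same rate, which is why the length minimum, not the complexity rules, is the lever that matters.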

From my interactions with colleagues within higher education, I believe most institutions are doing a good job in reaching out to faculty, staff, and students about the importance of cyber security awareness, including risks related to phishing. However, I’d argue that if your institution isn’t conducting simulated phishing campaigns, you may not have a true picture of how susceptible your user community is to phishing attacks. Regularly conducting such simulated phishing will provide metrics on your click rate over time. Combining such campaigns with just-in-time remedial phishing training will better educate your users and empower them to stay cyber secure.

The trend of higher education institutions facing more sophisticated cyber adversaries, including criminal syndicates and state-sponsored attackers, is unfortunately likely to continue. As attackers ramp up their attacks against universities in frequency, scope, and tactics, it’s crucial that we move more aggressively to reconsider our security policies, technical controls, and security awareness education efforts. Let's work together to do more to protect higher education against common cyber attacks attempting to exploit the credentials of our users.
