As the Chief Information Security Officer (CISO) at Green Star Bank in Michigan, you have become aware of a recent security breach. An employee who works remotely from home fell for a spear-phishing email that installed malware on her bank-supplied laptop. As a result, the attacker was able to remotely observe the employee initiating bank transactions, and soon used the employee's bank credentials to log in and initiate transfers to an offshore bank account. The bank officer who provided secondary approval for the transfers failed to detect or question the fraudulent transfers, and the bank suffered a $1.2m loss. Before detection, the attacker scanned the bank's systems and created additional login accounts in order to maintain access in the future.
As a result of this event, you have contracted with an outside company to perform a thorough penetration test of the bank's operations. In addition, the pen-testing company suggested that the testing include a test of employee passwords for common weaknesses, especially sports or seasonal themes. The bank's existing password policy requires that passwords meet the following guidelines:
- Length of 8 to 12 characters; must contain upper- and lower-case letters, numbers and symbols
- Contain no part of the user's name
- Not be identical to any of the previous ten (10) passwords
- Passwords expire after 90 days
- Passwords may not be shared with or transmitted to another person
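The policy above can be implemented mechanically, and doing so makes its gap visible: a themed password such as "Wolverines1!" satisfies every rule. The following is an added example (not part of the case study) of a password-change check that implements the written policy and then applies a normalized blocklist of the themes the testers reported. The blocklist contents, the leet-substitution table and the sample passwords are constructed for illustration; a real deployment would draw the list from breach corpora rather than hand-type it.

```python
import re

# Constructed blocklist: the themes the pen testers reported, plus obvious
# local variants.  A production list would be far larger and fed from
# breach corpora, not hand-typed.
THEMED_WORDS = {
    "wolverines", "umrules", "goblue", "state", "spartans",
    "summer", "beach", "fall", "thanksgiving", "christmas",
}

# Common "leet" substitutions users apply to satisfy the number/symbol rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_bank_policy(password, user_name):
    """The policy as written: 8-12 chars, upper and lower case, a digit,
    a symbol, and no part (3+ letters) of the user's name."""
    if not 8 <= len(password) <= 12:
        return False
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        return False
    lowered = password.lower()
    for part in re.split(r"[\s\-']+", user_name.lower()):
        if len(part) >= 3 and part in lowered:
            return False
    return True


def normalize(password):
    """Strip the disguises (case, leet substitutions, digits and symbols)
    so that 'W0lverines2024!' and 'wolverines' compare equal."""
    folded = password.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", folded)


def contains_themed_word(password, blocklist=THEMED_WORDS):
    """True if any blocklisted theme survives normalization."""
    norm = normalize(password)
    return any(word in norm for word in blocklist)


def evaluate(password, user_name):
    """Verdict a password-change hook would return."""
    if not meets_bank_policy(password, user_name):
        return "reject: policy"
    if contains_themed_word(password):
        return "reject: themed word"
    return "accept"


if __name__ == "__main__":
    # Constructed sample passwords; the first three pass the written policy.
    for pw in ["Wolverines1!", "Sp4rt4ns!", "G0Blue!!24", "Tq7#vM9pLw2"]:
        print(f"{pw:14} policy={meets_bank_policy(pw, 'Jane Doe')} "
              f"themed={contains_themed_word(pw)} -> {evaluate(pw, 'Jane Doe')}")
```

The substring match is deliberately greedy: "state" also rejects "estate" and "fall" rejects "waterfall", which is the right trade-off for a blocklist check where a false rejection costs the user one more attempt. Length-12 ceilings like the one in this policy work against the user here; a longer maximum with passphrases is the complementary fix.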
During the pen testing, the testers crafted password-testing scripts that use candidate passwords based on local football teams, seasons of the year, and holidays. Staying below the login-failure lockout threshold of 5 attempts per account, the testers tried these candidates against employee login credentials (a password-spraying approach: a few guesses against many accounts, rather than a true brute force of one account). They discovered a significant number of employees with passwords based on words such as "Wolverines", "UM Rules", "State", "Spartans", "Summer", "Beach", "Fall", "Thanksgiving" and "Christmas". The pen testers described these passwords as representative of a larger problem that is difficult to stop with the existing password policy guidelines.
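Because each account saw fewer than 5 failures, per-account lockout counters never fired; the activity is only visible when failures are grouped by source. The following is an added example (not part of the case study or the pen testers' scripts) of that detection logic run over a constructed authentication log. The log format, IP addresses, usernames and timestamps are all made up for the example; production sources (domain controller security logs, VPN or identity-provider sign-in logs) carry the same fields under other names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, lockout=5):
    """Flag a source that fails against many distinct accounts while keeping
    every account under the lockout threshold.  Per-account lockout never
    fires, but the per-source picture is unmistakable."""
    fails_by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        if event["result"] == "FAIL":
            fails_by_src[event["src"]].append(event)

    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best, best_score = None, (0, 0)
        start = 0
        for end in range(len(fails)):           # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for event in fails[start:end + 1]:
                per_user[event["user"]] += 1
            score = (len(per_user), sum(per_user.values()))  # most users, then most tries
            if (len(per_user) >= min_users and max(per_user.values()) < lockout
                    and score > best_score):
                best, best_score = dict(per_user), score
        if best:
            alerts.append({"src": src, "users": sorted(best),
                           "max_per_user": max(best.values())})
    return alerts


def successes_after_spray(lines, alerts):
    """For each flagged source, the accounts it logged into: the guessed
    credentials, i.e. the accounts to reset and investigate first."""
    flagged = {a["src"] for a in alerts}
    hits = defaultdict(set)
    for event in filter(None, map(parse_line, lines)):
        if event["result"] == "SUCCESS" and event["src"] in flagged:
            hits[event["src"]].add(event["user"])
    return {src: sorted(users) for src, users in hits.items()}


def build_sample_log():
    """Constructed sample: one source sprays three guesses at six accounts
    (never reaching the 5-failure lockout) and gets into one of them; a
    legitimate user elsewhere fumbles their own password four times."""
    lines = []
    t = datetime(2024, 3, 4, 9, 0, 0)
    for _guess in range(3):
        for user in ["jdoe", "mlee", "akhan", "bpatel", "rwong", "tnguyen"]:
            lines.append(f"{t:{TS_FMT}} src=203.0.113.7 user={user} result=FAIL")
            t += timedelta(seconds=10)
    lines.append(f"{t:{TS_FMT}} src=203.0.113.7 user=mlee result=SUCCESS")
    t = datetime(2024, 3, 4, 9, 5, 0)
    for _typo in range(4):
        lines.append(f"{t:{TS_FMT}} src=198.51.100.2 user=csmith result=FAIL")
        t += timedelta(seconds=15)
    lines.append(f"{t:{TS_FMT}} src=198.51.100.2 user=csmith result=SUCCESS")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    print(found)
    print(successes_after_spray(SAMPLE_LOG, found))
```

The rule keys on the source address, so an attacker rotating through many addresses dilutes it; the same per-user counting can be re-keyed on the password-change or sign-in telemetry's user-agent, or on the global rate of distinct accounts failing in a window, to cover that case. The `successes_after_spray` list is what the incident responder needs first: the sprayed accounts that answered SUCCESS are the ones whose passwords were guessed.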
Your job, as CISO, is to craft potential security procedures to mitigate weak passwords and remote employees' susceptibility to phishing and social-engineering attacks. Be sure to fully describe your recommendations and how each will solve a problem described herein.