75% of Users Admit Taking Risks with Passwords

According to the Verizon Data Breach Investigations Report, 80% of successful data breaches are due to the use of compromised passwords. While password best practices are widely understood, people are still taking considerable risks: they continue to use weak passwords to secure their accounts and fail to follow those best practices.

Common poor password practices include setting passwords that are easy to remember, including dictionary words, memorable dates, and personal information that is easily obtained from social media sites. Passwords are often reused on multiple platforms, which means if a password is guessed or otherwise obtained, all accounts that are protected with that password are at risk. Password reuse on multiple sites is exploited in credential stuffing attacks, where the username and password obtained in a data breach on one platform are used to try to access accounts on unrelated platforms. Passwords are often reused for business and personal accounts, and even when unique passwords are set for each account, they are often just variations of the same password.

A recent survey of 8,000 individuals in the United States, United Kingdom, France, and Germany by Keeper Security showed just how common it is for people to take shortcuts with password security and by doing so put their personal and work accounts at risk. Almost three-fourths of respondents to the survey admitted to not following industry-recommended password practices, with only 25% of respondents saying they set strong, unique passwords for all of their accounts. 34% of respondents said they use variations of the same password for multiple accounts, and 30% said they set simple passwords for their accounts that are easy to remember, even though they are also easy to guess.

Even individuals who claimed to have a good understanding of password best practices and thought their passwords were well managed still failed to practice good password hygiene. 44% of individuals who thought their passwords were well managed used variations of the same password for different accounts. Overall, 64% of respondents admitted to using weak passwords or variations of the same password for their accounts. More than one-third of respondents said they feel overwhelmed about taking action to improve cybersecurity and 10% of respondents admitted to neglecting password management entirely.

With 80% of data breaches stemming from compromised credentials, and one in five respondents admitting that at least one of their passwords was known to have been compromised in a data breach and was available on the dark web, it is clear that poor password practices are not just a hypothetical risk. They are commonly exploited by threat actors to gain access to accounts and sensitive data.

While more than half (51%) of respondents said they thought cybersecurity was easy to understand, around half of those individuals still followed poor password practices, suggesting a significant number of individuals either overestimate their knowledge of cybersecurity or are willfully taking risks with passwords. 41% of respondents said they find cybersecurity difficult to understand, yet 32% said they still take steps to protect themselves – more than the 25% of people who claim to have a good understanding of cybersecurity and take steps to protect themselves. The survey suggests that individuals who feel overwhelmed by cybersecurity tend to practice poor password hygiene and that the more an individual knows about cybersecurity, the more likely they are to feel overwhelmed.

Training tends to hammer home the message that it is vital to create a strong, unique password for each account, yet fails to provide individuals with the tools they need to adopt good password practices in a manageable way. Since most people have huge numbers of accounts to secure, they would need to remember dozens or hundreds of unique passwords, and that simply isn’t possible without taking shortcuts. The simple solution is to provide a password manager that can be used to generate strong and unique passwords, store them securely, and auto-fill them when they are needed, or to implement a single sign-on solution that only requires users to set one strong and unique password.

Since it is difficult to eliminate poor password practices entirely, multifactor authentication should also be implemented to ensure that if a password is guessed or otherwise obtained, by itself it will not grant access. The HHS’ Office for Civil Rights recently stressed the importance of multifactor authentication in its June Cybersecurity Newsletter.

The post 75% of Users Admit Taking Risks with Passwords appeared first on HIPAA Journal.

More Than 300,000 Fortinet Firewalls Still Vulnerable to Critical FortiOS RCE Vulnerability

On June 12, 2023, Fortinet disclosed a critical remote code execution vulnerability in its FortiOS firmware. The heap buffer overflow issue was assigned a CVSS v3 base score of 9.8 out of 10 and could be remotely exploited on Fortinet firewalls that have the SSL VPN interface exposed to the Internet.

Last month, Fortinet warned that the vulnerability – CVE-2023-27997 – had already been exploited in limited attacks, so immediate patching was strongly recommended. Fortinet fixed the vulnerability in firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 and urged all users to update the firmware as soon as possible to prevent exploitation. A workaround was also recommended for users that are unable to immediately update the firmware, which involves disabling the SSL VPN.

It has now been a month since the firmware updates were released and patching appears to have been slow. Cybersecurity firm Bishop Fox reports that more than 300,000 FortiGate firewall appliances remain vulnerable and have not yet had their firmware updated. Bishop Fox conducted a Shodan scan to identify FortiGate firewalls that had an exposed SSL VPN interface. The researchers identified 489,337 appliances with an exposed SSL VPN interface, and only 153,414 of those appliances had been updated to a version of the firmware not vulnerable to the CVE-2023-27997 flaw. Bishop Fox researchers then used an exploit to demonstrate the seriousness of the vulnerability. The exploit “smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary and opens an interactive shell,” said the researchers.

The researchers also discovered that many of the FortiGate appliances were running FortiOS version 6, for which support was withdrawn in September 2022. CVE-2023-27997 is not the only critical vulnerability to affect FortiOS 6. Several other critical flaws have been identified in that version of the firmware, some of which have proof-of-concept (PoC) exploit code in the public domain.

All organizations that use FortiGate firewalls should check the firmware version and upgrade immediately if a vulnerable version is being used or apply the workaround. If the vulnerability is exploited, a threat actor could gain full control of the firewall, remotely execute malicious code, steal sensitive data, and gain the network access they require to conduct ransomware attacks.
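The firmware check recommended above can be automated across an inventory by comparing each appliance's FortiOS version against the first fixed release on its branch (6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, as listed earlier in this article) and noting whether the SSL VPN workaround is in place and whether the appliance is on the out-of-support FortiOS 6 line. This is an added example, not code from Fortinet, Bishop Fox, or HIPAA Journal; the version-line format in the constructed inventory and the handling of branches the advisory text does not mention (reported as "unknown-branch") are assumptions.

```python
import re

# First patched release per FortiOS branch, taken from the advisory figures quoted above.
FIXED_VERSIONS = {
    (6, 0): 17,
    (6, 2): 15,
    (6, 4): 13,
    (7, 0): 12,
    (7, 2): 5,
}

# Per the article, support for FortiOS version 6 was withdrawn in September 2022.
END_OF_SUPPORT_MAJORS = {6}


def parse_version(text):
    """Pull major.minor.patch out of a bare version string or a status line such as
    'Version: FortiGate-100F v7.0.11,build0489' (line format assumed for the example)."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text, ssl_vpn_enabled=True):
    """Classify one appliance against CVE-2023-27997.

    status is one of:
      'patched'               - at or above the first fixed release on its branch
      'vulnerable'            - below the fixed release with SSL VPN still enabled
      'vulnerable-workaround' - below the fixed release but SSL VPN disabled
      'unknown-branch'        - branch not covered by the versions quoted in the article
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch not in FIXED_VERSIONS:
        status = "unknown-branch"
    elif patch >= FIXED_VERSIONS[branch]:
        status = "patched"
    elif ssl_vpn_enabled:
        status = "vulnerable"
    else:
        status = "vulnerable-workaround"
    return {
        "version": f"{major}.{minor}.{patch}",
        "status": status,
        "end_of_support": major in END_OF_SUPPORT_MAJORS,
    }


def triage(inventory):
    """Return the hostnames that need immediate action: exposed and unpatched, or on a
    branch the advisory does not cover and therefore needs manual verification."""
    urgent = []
    for host, version_line, ssl_vpn in inventory:
        result = assess(version_line, ssl_vpn)
        if result["status"] in ("vulnerable", "unknown-branch"):
            urgent.append(host)
    return urgent


if __name__ == "__main__":
    # Constructed inventory: (hostname, version line, SSL VPN enabled?)
    sample = [
        ("fw-hq-01", "Version: FortiGate-100F v7.0.11,build0489", True),
        ("fw-hq-02", "Version: FortiGate-100F v7.0.12,build0523", True),
        ("fw-branch-03", "Version: FortiGate-60F v6.4.12,build2485", False),
        ("fw-lab-04", "Version: FortiGate-40F v7.4.0,build2360", True),
    ]
    for host, line, vpn in sample:
        print(host, assess(line, vpn))
    print("act now:", triage(sample))
```

An appliance reported as `vulnerable-workaround` is not fixed, only mitigated; it should still be scheduled for the firmware update, and anything flagged `end_of_support` should be on an upgrade plan regardless of this one CVE, since the article notes other critical flaws with public PoC code on that version.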

The post More Than 300,000 Fortinet Firewalls Still Vulnerable to Critical FortiOS RCE Vulnerability appeared first on HIPAA Journal.