Clarksons' breach again shows need to eliminate passwords
Clarksons' breach again shows need to eliminate passwords

The global shipping firm Clarksons reported that it has suffered a cybersecurity breach which it, and outside security firms, believe was caused when a lone user account was hacked, again bringing to the forefront the need to move past the legacy username and password for logging in to a critical system.

With basic login credentials again being the reason for a major breach, cybersecurity firms are reiterating the need to move beyond passwords to a more secure technology.

The UK-based company, which had $413.7 million in revenue in 2016, said the account in question has been disabled and additional security measures have been put in place. In a public statement the company said there is a chance the person or group that perpetrated the incident will release some confidential data in the near future. This has led to the belief that the company has refused to pay a ransom in order to hush up the breach.

“The description of the means by which a hacker or group of hackers gained access to Clarksons' systems makes me think that the attack may not have exploited a software vulnerability, but rather that a legitimate account holder had their login credentials compromised,” Graham Cluley wrote for ESET.

The massive breach Uber suffered earlier this month was also traced back to a pilfered set of login credentials used by Uber software engineers that were then used to access an infrastructure account that handled computing tasks for the company.

“If I were getting a startup off the ground, I would go passwordless without a second thought. However, it is a difficult endeavor for many organizations, as many have spent decades building up enormous databases of credentials. Some of these may involve legacy systems, making them very difficult to just ‘turn off'”, said Stephen Cox, Chief Security Architect at SecureAuth.

Cox suggested that large firms, like Clarksons, start small implementing multifactor authentication or another passwordless methodology in a small sector of their business and then expanding outward.

“Clever companies will adopt security systems that are habit-based. For example, a system recognizes the user based on factors such as behavior patterns, typing speed, and websites typically visited. We are breaking ground on these technologies now, and they will soon be commonplace,” AlertSec CEO Ebba Blitz suggested.

Corey Williams, Centrify's senior director of products and marketing, told SC Media that while the fact that Uber attempted to cover up the breach by making a payout to the attackers, the true heart of the story is the attack was preventable.

“Unfortunately, companies continue to rely on a system of trust. Trust that a simple username and password is enough to know who is accessing their network and systems. Trust that perimeter security has eliminated all of the bad actors within the network. A simple password is simply not enough. The time has come to no longer trust in too-easily stolen passwords for ensuring that users are who they say they are,” he said.

Jim Libersky, owner of The Barrier Group and Barrier 1, told SC Media that a layered approach is always needed to protect cyber assets in case the attacker is able to make an initial entry.

"The key to cyber protection requires checks and balances in the process. In the case of password cracking, someone didn't just type in the correct password out of the blue. They were scanning and trying different combinations. That is unless it was an inside job or they had inside help. If they do get past that there should be other behavioral activity that would show up and thus caught. That can be testing various protocols. Inside scanning of network topology and etc." he said.