professional "hackers" gain system access with kind act

Finally, the company should have enforced a strong password policy that would have prevented our heroes from finding dozens of accounts with “winter2023!” as the password.
Making employees change passwords every 90 days encourages this.

A clipboard and reflective vest is one of the best social engineering disguises. Helping shovel snow and offering free cigarettes helps as well.
So the password ends up as Winter2024! Then Winter2025!

Even better is assuming passwords are vulnerable and using 2FA.

NIST SP 800-63B states mandatory password change requirements are no longer recommended outside of breaches unless you handle PII information. The issue is that mandatory password changes cause users to resort to incredibly simple passwords or variants of easy passwords.
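As an added example (not from this thread), a password-change check in Python that rejects the season+year pattern from the story and the "same word, next year" variant the NIST rationale describes; the tiny blocklist, the 12-character minimum and the similarity threshold are constructed assumptions, and a real deployment would screen against a full breached-password corpus as SP 800-63B recommends:

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed, deliberately small blocklist of weak stems (assumption; a real
# deployment would use a full breached-password list).
WEAK_STEMS = {"winter", "spring", "summer", "autumn", "fall", "password", "welcome"}

# word + optional century + 2-digit year + trailing symbols, e.g. "winter2023!"
SEASON_YEAR = re.compile(r"^([a-z]+)(19|20)?\d{2}[^a-z0-9]*$", re.IGNORECASE)


def normalize(pw: str) -> str:
    """Lower-case and strip digits/symbols so 'Winter2024!' -> 'winter'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(new_pw: str, old_pw: Optional[str] = None) -> list:
    """Return the reasons a candidate password is rejected (empty = accepted).

    old_pw is the plaintext the user typed to authorize the change, which is the
    only moment a rotation check can compare old and new without storing plaintext.
    """
    problems = []
    if len(new_pw) < 12:  # minimum length is an assumed policy value
        problems.append("shorter than 12 characters")
    m = SEASON_YEAR.match(new_pw)
    if m and m.group(1).lower() in WEAK_STEMS:
        problems.append("word+year pattern with a blocklisted word")
    elif normalize(new_pw) in WEAK_STEMS:
        problems.append("blocklisted word padded with digits/symbols")
    if old_pw is not None:
        # Rotation check: same stem with only digits/symbols changed, or a
        # near-identical string (threshold 0.8 is an assumption).
        if normalize(new_pw) == normalize(old_pw):
            problems.append("same word as the old password with digits/symbols changed")
        elif SequenceMatcher(None, old_pw.lower(), new_pw.lower()).ratio() >= 0.8:
            problems.append("too similar to the old password")
    return problems
```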

In our previous downtown office, we had a couple unscrupulous fellows let themselves through the lobby "security" and into our office suite. Some employees caught them before anything got stolen. Now the new building lets nobody through unless you have a badge or explicit visitor invite.