December 8, 2022
Even cybersecurity professionals need to improve their security posture. That's the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information…

Even cybersecurity professionals need to improve their security posture.

That’s the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

“As the RSA Conference is mostly attended by cybersecurity professionals and supporting roles within the security industry, we generally consider the demographic to represent more of a ‘best-case’ level of security awareness,” she says. “Somewhat shockingly, unencrypted email is still being used in 2022.”

The annual report presents a view into network usage among a security-focused group of users. Cisco and NetWitness emphasized that the wireless network at the RSA Conference is not configured in the most secure way, but configured to be monitored for educational purposes. For that reason, the network has a flat architecture, allowing any device to contact any other device on the network. Host isolation, which allow devices a route to the internet but not to other devices on the network, would be more secure but less interesting.

User Credentials at Risk

At approximately 19,900 attendees, the 2022 RSA Conference only had about half the number of people as the previous conference in 2020, but about the same number of users on the network, the report stated.

The major issue was failure to use encryption for the authentication step when using email and other popular applications. Nearly 20% of all data passed through the network in the clear, the report stated.

“Encrypting traffic does not necessarily make one more secure, but it does stop individuals from giving away their credentials, and organizations from giving away corporate asset information in the clear,” the report stated.

Yet the situation isn’t as bad as it could be. Because the wireless network includes traffic from the show floor, many of the usernames and passwords are likely from demo systems and environments, the report stated. Moreover, most of the cleartext usernames and passwords — almost 80% — were actually leaked by devices using the older version of the Simple Network Management Protocol (SNMP). Versions 1 and 2 of the protocol are considered insecure, while SNMP v3 adds significant security capabilities.

“This is not necessarily a high-fidelity threat,” the report stated. “[H]owever, it does leak information about the device as well as the organization it’s trying to communicate with.”

In addition to the continued use of plaintext usernames and passwords, the SOC found that the number of online applications continues to grow rapidly, suggesting that the attendees are increasingly relying on mobile devices to get work done. The SOC, for example, captured unencrypted video camera traffic connecting to home security systems on port 80 and the unencrypted data used for setting up voice-over-IP calls.

CISO Mistake

For the most part, the unencrypted traffic is likely from small-business users, the companies stated in the report. “It is difficult to send email in cleartext these days, and analyzing these incidents found similarities,” the report stated. “Most of this traffic was to and from hosted domains. This means email services on domains that are family names or small businesses.”

Yet in one case, a chief information security officer had misconfigured their email client and ultimately exposed their email username and password by sending the data in the clear. The SOC discovered the issue when it found a receipt for a CISSP payment sent in the clear from an Android-based email client.

“The discovery sparked an investigation that confirmed dozens of emails from and to the person were downloaded across the open network in the unsecure protocol,” the report stated.

Companies should verify that the technologies used by employees have created end-to-end encrypted connections and should apply zero-trust principles to check — at appropriate times — that the encryption is still being applied.

“We’ve found applications and websites that authenticate encrypted and then pass the data without encryption across the open networks,” Cisco Secure’s Oppenheimer says. “Alternatively, some will pass unencrypted credentials across open networks and then encrypt the data. Both scenarios are less than ideal.”

Virtual private networks are not a panacea but can strengthen the security of unencrypted applications. Finally, organizations should use cybersecurity and awareness training to educate their hybrid workers in how to be secure when working from remote locations.

Source