If facility managers stress only one New Year’s resolution for building occupants and staff in 2020, it should be to use stronger passwords. The recent SolarWinds cyberattack, which included the California Department of State Hospitals among its victims, is a sobering reminder that this simple step is crucial for IT security.

An alert from the Cybersecurity and Infrastructure Security Agency (CISA) says perpetrators of the widespread, intelligence-gathering campaign used common hacker techniques to get through passwords in addition to more sophisticated methods, according to NextGov. Initial access in some cases was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services.

For example, one way hackers were able to gain unauthorized access to government systems was via the IT management company SolarWinds. They injected malware into an update the company distributed to thousands of its customers which then established a command and control pathway to an external server.

The targeting of passwords directly was one of these other initial access vectors, CISA said. SolarWinds itself reportedly used a password for its update server that anyone could guess. CISA referred organizations to the National Security Agency’s cybersecurity advisory on detecting abuse of authentication systems. That agency has also recommended using strong passwords to defend against suspected Russian hackers using such tactics. 

Click here to read the article.