Our "Ideal Customer"

I belong to a few business networking groups and I’m frequently asked – “Who is your ideal customer?”  Normally, I answer that question in generic terms but I was recently at a presentation given by a local HR benefits provider and my answer to that question changed the following week. 

As is typical with business networking groups, business cards are swapped, and if you hand me a business card, odds are pretty good that I'm going to do some passive reconnaissance.  Not wanting to dig too deep, I just scratched the surface, but when asked the following week -- "Who is your ideal customer?" -- I replied: My ideal customer is XYZ Benefits from last week.  They are a 40-person company that deals in personally identifiable information (PII).  They were proud of a recent accomplishment: 5,000 subscribers signed up with a large medical benefits provider.  To me, that translates to 5,000 Social Security numbers, which makes them a solid target for malicious actors.  When I asked one of their representatives when they last had cybersecurity awareness training, this person couldn't remember. 

As I searched for email addresses on the web, I found breach data with seven usernames and passwords, three of which belong to people listed as current employees on the company's website About page.  One of the credentials belonged to a person holding a C-level position. 

Looking at the password, it was a word that I think is unique to that person, followed by 2015.  Let's say that word is "Taylor". 

Some possible conclusions can now be drawn:

1.  This person married Taylor in 2015.
2.  This person gave birth to Taylor in 2015.
3.  This person went to the Taylor Swift concert in 2015.

Perhaps the number means less than I think and simply represents the year the password was set.  For example, a password set up today would end up being Taylor2020.

If I were an attacker, I would generate a short wordlist in this specific order, so that the handful of guesses stays below a typical account lockout threshold:

Taylor2015
Taylor2020
Taylor2019
Taylor2018
Taylor2017
Taylor2016

If I were to attempt credential stuffing against various sites with this list, I would like my odds of finding an account to take over. 

How do we address this issue?  Well, we give this talk at a local business networking group and explain that predictable behavior can get us into trouble.  If we become unpredictable, we reduce the attack surface. 
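One concrete way for a defender to act on this, as an added example that is not part of the original post: a password-policy check that rejects the "word followed by a year" shape described above, and additionally blocks any new password whose base word already appeared in the organisation's own breach exposure (so the person who lost Taylor2015 cannot rotate to Taylor2020). The function names, the regular expression and the sample passwords are all constructed for this illustration.

```python
import re
from datetime import date

# Matches "<word><year>" with up to two trailing symbols, e.g. Taylor2015 or Taylor2020!
# (constructed pattern; the base is at least three letters, the year is 19xx or 20xx)
WORD_YEAR = re.compile(
    r"^(?P<base>[A-Za-z]{3,})(?P<year>(?:19|20)\d{2})[^A-Za-z0-9]{0,2}$"
)


def split_word_year(password):
    """Return (base, year) if the password is a word followed by a four-digit year, else None."""
    m = WORD_YEAR.match(password)
    if m is None:
        return None
    return m.group("base"), int(m.group("year"))


def predictability_findings(password, breached_bases=frozenset(), today=None):
    """Return a list of reasons the password is predictable; an empty list means no finding.

    breached_bases: lowercase base words recovered from breach data that already
    exposed this organisation's accounts (hypothetical input; sourced by the
    defender, e.g. from their own breach-notification feed).
    """
    today = today or date.today()
    findings = []

    parts = split_word_year(password)
    if parts is not None:
        base, year = parts
        # Plausible life-event or "current year" suffix: 1950 up to next year.
        if 1950 <= year <= today.year + 1:
            findings.append(
                f"word followed by a plausible year ({year}); rotating the year is trivially guessable"
            )
        if base.lower() in breached_bases:
            findings.append(
                f"base word '{base}' already appeared in breach data for this organisation"
            )

    return findings


def enforce_policy(password, breached_bases=frozenset(), today=None):
    """Return True if the password is acceptable under this check, False otherwise."""
    return not predictability_findings(password, breached_bases, today)


if __name__ == "__main__":
    # Constructed demo: the base word recovered from the breached credential.
    known_bases = frozenset({"taylor"})
    for candidate in ("Taylor2015", "Taylor2020!", "correct-horse-battery"):
        for reason in predictability_findings(candidate, known_bases):
            print(f"{candidate}: {reason}")
        print(f"{candidate}: accepted={enforce_policy(candidate, known_bases)}")
```

Pair this with the usual controls the post implies: a lockout or rate limit on repeated failures, and multi-factor authentication so that a guessed password alone does not yield an account.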

That was my five-minute introduction, and I think I got some people's attention.  It's one thing to stand up, introduce myself, and say we provide cybersecurity solutions, but ears perk up when you talk specifically about offensive hacking techniques with relatable examples.