SecurityWeek

Identity & Access
Why Better Password Hygiene Should Be Part of Your New Year’s Resolutions

Organizations Must Assume That Bad Actors Are Already in Their Networks


The world has been faced with numerous life lessons in 2020, but it’s clear that millions of people still haven’t learned one of the most basic when it comes to security. A new report from NordPass has revealed that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack passwords. Of the 200 most common passwords, ‘123456’ took the number one spot again, but unfortunately for the more than two million people using it, it can be broken in less than a second. Other popular passwords included ‘iloveyou’ and the ever-so-creative ‘password’. When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s critical that everyone put password hygiene at the top of their New Year’s resolutions list. 

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment.

The reality is that many breaches can be prevented by some of the most basic cyber hygiene practices. Yet most organizations continue to invest the largest chunk of their security budget on protecting the network perimeter rather than focusing on establishing key identity-related security controls. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

Today’s economic climate exacerbates these cyber risks, and the impact of the COVID-19 epidemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ identity and access management practices. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments. So, what can be done to minimize credential-based data breaches?

Consumers and businesses alike must abandon static passwords and recognize that multi-factor authentication (MFA) is the lowest hanging fruit for protecting against compromised credentials. This approach requires an extra step to verify an identity beyond a username and password using something the user knows (such as a text code), something they have (such as a smartphone), or something they are (such as a face or fingerprint scan).

Individuals should use password managers. A password manager is an easy way to ensure employees are using complex passwords. Some solutions will also advise the user if one of the passwords has potentially been compromised in a data breach and prompt them to change it immediately.

For enterprises, less is more. Instead of pouring more money into a shotgun approach to security, organizations should pursue a strategy oriented toward purchasing the highest-reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?


The existence of privileged access carries significant risk, and even with privileged access management (PAM) tools in place, the residual risk of users with standing privileges remains high. In turn, organizations must adopt a “Zero Trust” approach. Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. An identity-centric security approach based on Zero Trust principles re-establishes trust, and then grants just-in-time least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.
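The just-in-time, least-privilege flow described above, as an added illustration that is not code from the column or from any product it mentions: identity is checked first (MFA), then request context and environment risk are scored, and any privilege that is granted expires on its own instead of standing. The field names, risk rules and thresholds are assumptions.

```python
"""Zero Trust style just-in-time privilege grant: verify who asks, weigh the
context and risk, then issue a time-boxed grant. Policy values are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # identity: more than a username and password
    device_managed: bool    # context: is the device known and managed?
    source_ip: str          # context: where is the request coming from?
    target: str             # the privileged resource being requested
    minutes: int = 30       # how long the caller says the privilege is needed

@dataclass
class Grant:
    user: str
    target: str
    expires_at: datetime    # privilege lapses on its own: zero standing access
    risk: int

CORPORATE_NETS = ("10.",)   # constructed: the organisation's internal ranges
MAX_RISK = 2                # constructed policy threshold
MAX_GRANT_MINUTES = 60      # hard cap on any single grant

def risk_score(req: AccessRequest) -> int:
    """Assumed scoring: each missing control adds one point of risk."""
    score = 0 if req.device_managed else 1
    if not req.source_ip.startswith(CORPORATE_NETS):
        score += 1
    if req.target.startswith("prod/"):    # production targets are riskier
        score += 1
    return score

def evaluate(req: AccessRequest, now: datetime) -> Optional[Grant]:
    """Deny unless identity is verified and risk is within policy."""
    if not req.mfa_verified:        # never trust a password alone
        return None
    risk = risk_score(req)
    if risk > MAX_RISK:
        return None
    ttl = min(req.minutes, MAX_GRANT_MINUTES)   # shortest useful window
    return Grant(req.user, req.target, now + timedelta(minutes=ttl), risk)

def is_active(grant: Grant, now: datetime) -> bool:
    return now < grant.expires_at   # no renewal without re-verification
```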

Ultimately, organizations must assume that bad actors are already in their networks. And consumers must realize they’re constant targets. In 2021, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as MFA and zero standing privileges, to stay ahead of the security curve and leave passwords behind for good.

Related: The (Re-)Emergence of Zero Trust

Related: NIST’s Zero Trust Taxonomy Introduces Components, Threats and Migration Routes

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
