SecurityWeek

Identity & Access

Another World Password Day Has Passed and Little Has Changed

Six weeks ago, we celebrated World Password Day. Yet, unfortunately, not much has changed since last year. Cyber breaches are bigger and worse than ever. Hardly a week goes by without headlines about some new devastating cyber-attack. In fact, a CyberEdge report (PDF) found that a stunning 77 percent of surveyed organizations had suffered a breach over the past year. 


And, when it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials. Several studies have found that privileged credential abuse is involved in the majority of breaches, and many organizations are not taking basic steps to prevent it. 

Shockingly, 52% of respondents to a Centrify survey said they do not have a password vault, and 21% still have not implemented multi-factor authentication (MFA) for privileged administrative access. Privileged credentials provide cyber adversaries with the “keys to the kingdom” and perfect cover for their data exfiltration efforts.

The reality is that many breaches can be prevented by some of the most basic privileged access management (PAM) tactics and solutions, coupled with a Zero Trust approach. Yet most organizations are investing the largest chunk of their security budget in protecting the network perimeter rather than in security controls that address the leading attack vector: privileged access abuse.

This is a big mistake. Organizations need to make privileged access management a top priority. Gartner has listed PAM on its Top 10 Security Projects for the past two years for good reason. 

Here are three best practices for preventing identity-based compromises:

Go Beyond Passwords

Static passwords are no longer enough, especially for sensitive enterprise systems and data. There is no way to determine whether the user accessing data is the valid user or just someone who bought a compromised password from the 21 million revealed in the recent Collection #1 breach. Thus, static passwords can no longer be trusted. Organizations need to realize that MFA is the lowest-hanging fruit for protecting against compromised credentials.


Less is More

Gartner estimates that global spending on cyber security will hit $137 million annually in 2019, yet the breaches keep on coming. That’s probably because a large percentage of that money is being funneled into solutions that don’t address high priority security threats and the expanding attack surface of digital enterprises. Hackers, for their part, are shifting their tactics and targeting the path of least resistance: namely, identity. They realize that it only takes one person still using “123456” as their password to ransack an organization. 

Companies of all sizes, across all industries, must get more strategic about how and where they allocate their security dollars. Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented on purchasing the highest-reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?

Trust Zero Trust

Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. Zero Trust Privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk level of the access environment. Accounts with access to sensitive data should be given the ‘least amount of privilege’, and only for as long as it is needed; the privilege should then be revoked. A Zero Trust Privilege model ensures that all access to services is authenticated, authorized, and encrypted. This approach can help companies avoid becoming the next breach poster child, along with the brand damage, customer loss, and value degradation that typically come with it.
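As an added illustration of the Zero Trust Privilege decision described above (this is not code from the article or from any vendor product), the following Python sketch verifies the requester's MFA state, scores the context of the request, and issues a least-privilege grant that is time-boxed and can be revoked early. The users, devices, corporate network range and grant ceiling are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed sample data (hypothetical): identity verification state and device inventory.
MFA_VERIFIED_USERS = {"alice", "bob"}          # sessions that completed MFA
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}, "bob": {"laptop-c019"}}
CORP_PREFIX = "10."                            # assumption: 10/8 is the corporate network
MAX_GRANT_MINUTES = 60                         # assumption: ceiling on any privilege window
SAMPLE_NOW = datetime(2019, 6, 15, 9, 0, tzinfo=timezone.utc)   # constructed clock
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=90)

@dataclass
class AccessRequest:
    user: str
    device: str
    source_ip: str
    role: str            # the single role being asked for, e.g. "db-admin"
    minutes_needed: int

@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at

def risk_score(req: AccessRequest) -> int:
    """Context of the request: unmanaged device and off-network origin raise the risk."""
    score = 0
    if req.device not in KNOWN_DEVICES.get(req.user, set()):
        score += 2
    if not req.source_ip.startswith(CORP_PREFIX):
        score += 1
    return score

def decide(req: AccessRequest, now: datetime) -> Optional[Grant]:
    """Verify who is asking, weigh context and risk, then grant least privilege for a bounded window."""
    if req.user not in MFA_VERIFIED_USERS:      # a static password alone is never sufficient
        return None
    if risk_score(req) >= 2:                    # high-risk context: deny (a real system would step up)
        return None
    window = min(req.minutes_needed, MAX_GRANT_MINUTES)
    return Grant(req.user, req.role, now + timedelta(minutes=window))

def revoke(grant: Grant) -> None:
    grant.revoked = True                        # explicit revocation once the task is done, ahead of expiry
```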


Organizations must assume that bad actors are in their networks already. Before next year’s World Password Day anniversary, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as multi-factor authentication (MFA), to stay ahead of the security curve and leave passwords behind for good.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
