The Enduring Password Conundrum

Earlier this month, the State of California made headlines by passing legislation that will require hardware manufacturers to implement unique hardcoded passwords for every connected device they produce and force users to change them upon first use. The bill, which takes effect in January 2020, renewed the debate surrounding our continued reliance on passwords as the primary method for access control and authentication.

Since the introduction of username and password authentication, the threatscape has changed dramatically. Today’s infrastructures are borderless, sensitive data often resides in the cloud, and workers are accessing enterprise resources from anywhere and everywhere. This evolution has made many legacy controls obsolete, particularly passwords, whose effectiveness has been questioned for years. 

Since 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords, the California ban on default passwords for connected devices (a.k.a. Internet of Things) is a step in the right direction. Eliminating the same easy-to-guess password from millions of devices will remove a common attack vector and reduce the risk of Denial of Service attacks, spam campaigns, and other malicious assaults that exploit hijacked devices. However, the use of weak default passwords extends beyond connected devices. As a result, this legislation is only addressing a small subset of use cases. 

In addition, default password exploits make up just a small percentage of the overall number of identity-based cyber-attacks. A more common tactic used by cyber criminals and state-sponsored attackers is credential harvesting. Instead of using software programs that guess weak passwords, bad actors actively target individual users using social engineering techniques, malware, digital scammers, or any combination of these to steal credentials. Account compromise attacks can bypass the most hardened security perimeters by exploiting the weakest link in an organization’s defenses -- users.

Instead of relying solely on passwords, security professionals should consider implementing a Zero Trust approach to identity and access management based on the following best practices:

• Use Multi-Factor Authentication

Since multi-factor authentication requires several elements for identity verification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. It should be standard practice for all organizations.

• Vault Passwords 

The first step toward protecting access to critical account passwords is bringing them under management of a password vault, where an organization’s server, cloud, DevOps, and network device passwords and/or secrets are securely stored and managed. Passwords are rotated after each use, preventing bad actors from reusing them if they become compromised.

• Grant Access to Resources, Not Networks

Unlike a Virtual Private Network that gives users global access to the entire network, privileged access management solutions can be used to limit access to assets on a per-resource basis. These proxy-based technologies give an organization’s privileged internal IT admins access to as much of the infrastructure as necessary, while limiting access for other users to only the servers and network hardware their role requires. In combination with access zones, this security practice significantly reduces the risk of lateral attacks.

• Grant Least Privilege

According to Forrester, 80 percent of hacking-related breaches involve the misuse of privileged credentials. Zero Trust measures should be used to establish granular, role-based access controls via access zones to limit lateral movement and provide just-in-time privilege to applications and resources. For example, if an outsourced IT provider is contracted to maintain an Oracle database, their access should be limited to this single resource. For advanced security, controls can be placed on the range of commands they can perform. Should additional privileges be required, these can be requested via a workflow ticket. The approval of the ticket would grant immediate, but temporary privilege to run additional commands on the database.

• Risk-Based Access Control

Risk-based access uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access control is often used in combination with multi-factor authentication. The use of artificial intelligence offers the most promise for helping the industry move away from usernames and passwords. 

• Audit Everything

Capturing and documenting a record of all actions performed is not only essential for forensic analysis and root cause detection but can also be used for threat hunting via SIEM or even CASB integrations.
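
The outsourced database administrator scenario from "Grant Least Privilege", combined with the record-keeping from "Audit Everything", can be sketched as follows. This is an added example, not code from the article or from any vendor product; the user, resource, command names and the 30-minute window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed baseline policy (assumption): one contractor role, one resource,
# and the narrow range of commands that role may run there.
BASELINE = {("contractor-dba", "oracle-db-01"): {"SELECT", "ANALYZE"}}

@dataclass
class Grant:
    user: str
    resource: str
    commands: frozenset
    expires: datetime

@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def approve_ticket(self, ticket, user, resource, commands, now, minutes=30):
        """An approved workflow ticket yields immediate but temporary privilege."""
        # Elevation never widens reach: the user must already hold a role here.
        if (user, resource) not in BASELINE:
            self._log(now, user, resource, f"ticket:{ticket}", "deny", "no-role")
            return False
        expires = now + timedelta(minutes=minutes)
        self.grants.append(Grant(user, resource, frozenset(commands), expires))
        self._log(now, user, resource, f"ticket:{ticket}", "grant", "approved")
        return True

    def authorize(self, user, resource, command, now):
        allowed = BASELINE.get((user, resource))
        if allowed is None:
            decision, reason = "deny", "no-role"          # per-resource access
        elif command in allowed:
            decision, reason = "allow", "baseline"
        elif any(g.user == user and g.resource == resource
                 and command in g.commands and now < g.expires
                 for g in self.grants):
            decision, reason = "allow", "jit-grant"       # unexpired ticket
        else:
            decision, reason = "deny", "not-permitted"
        self._log(now, user, resource, command, decision, reason)
        return decision == "allow"

    def _log(self, now, user, resource, action, decision, reason):
        # Every decision, allowed or denied, lands in the audit trail.
        self.audit.append((now.isoformat(), user, resource, action, decision, reason))
```

Denied requests and expired grants are logged alongside approvals, so the same trail supports both forensic review and hunting for repeated out-of-role attempts.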

Usernames and passwords are here to stay for the foreseeable future. While the new California legislation is a good first step in addressing identity-based cyber-attacks, organizations should supplement their existing security practices to reduce the risk of account compromise attacks that exploit harvested credentials to breach enterprise resources.

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).