SecurityWeek

Identity & Access
The Enduring Password Conundrum

Earlier this month, the State of California made headlines by passing legislation that will require hardware manufacturers to implement unique hardcoded passwords for every connected device they produce and force users to change it upon first use. The bill, which takes effect in January 2020, renewed the debate surrounding our continued reliance on passwords as the primary method for access control and authentication. 

Since the introduction of username and password authentication, the threatscape has changed dramatically. Today’s infrastructures are borderless, sensitive data often resides in the cloud, and workers are accessing enterprise resources from anywhere and everywhere. This evolution has made many legacy controls obsolete, particularly passwords, whose effectiveness has been questioned for years. 

Since 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords, the California ban on default passwords for connected devices (a.k.a. Internet of Things) is a step in the right direction. Eliminating the same easy-to-guess password from millions of devices will remove a common attack vector and reduce the risk of Denial of Service attacks, spam campaigns, and other malicious assaults that exploit hijacked devices. However, the use of weak default passwords extends beyond connected devices. As a result, this legislation is only addressing a small subset of use cases. 

In addition, default password exploits make up just a small percentage of the overall number of identity-based cyber-attacks. A more common tactic used by cyber criminals and state-sponsored attackers is credential harvesting. Instead of running software that guesses weak passwords, bad actors target individual users through social engineering, malware, digital scams, or any combination of these to steal credentials. Account compromise attacks can bypass the most hardened security perimeters by exploiting the weakest link in an organization’s defenses — users.

Instead of relying solely on passwords, security professionals should consider implementing a Zero Trust approach to identity and access management based on the following best practices:

• Use Multi-Factor Authentication

Since multi-factor authentication requires several elements for identity verification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. It should be standard practice for all organizations.

• Vault Passwords 

The first step toward protecting access to critical account passwords is bringing them under management of a password vault, where an organization’s server, cloud, DevOps, and network device passwords and/or secrets are securely stored and managed. Passwords are rotated after each use, preventing bad actors from reusing them if they become compromised.

• Grant Access to Resources, Not Networks

Unlike a Virtual Private Network that gives users global access to the entire network, privileged access management solutions can be used to limit access to assets on a per-resource basis. These proxy-based technologies give an organization’s privileged internal IT admins access to as much of the infrastructure as necessary, while limiting access for other users to only the servers and network hardware their role requires. In combination with access zones, this security practice significantly reduces the risk of lateral attacks.

• Grant Least Privilege

According to Forrester, 80 percent of hacking-related breaches involve the misuse of privileged credentials. Zero Trust measures should be used to establish granular, role-based access controls via access zones to limit lateral movement and provide just-in-time privilege to applications and resources. For example, if an outsourced IT provider is contracted to maintain an Oracle database, their access should be limited to this single resource. For advanced security, controls can be placed on the range of commands they can perform. Should additional privileges be required, these can be requested via a workflow ticket. The approval of the ticket would grant immediate, but temporary privilege to run additional commands on the database.

• Risk-Based Access Control

Risk-based access uses machine learning to define and enforce access policy based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access control is often used in combination with multi-factor authentication. The use of artificial intelligence offers the most promise for helping the industry move away from usernames and passwords.

• Audit Everything

Capturing and documenting a record of all actions performed is not only essential for forensic analysis and root cause detection but can also be used for threat hunting via SIEM or even CASB integrations.
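The following added example, which is not from the article or any vendor product, shows how the per-resource access, least-privilege command controls, ticket-approved just-in-time elevation, risk-based step-up, and audit practices above combine in a single policy decision; the role table, resource names, risk thresholds, and the assumption that a risk score arrives from a behaviour-analytics engine are all constructed for illustration.

```python
from dataclasses import dataclass
import time

# Constructed sample policy: each role maps to the resources it may reach and the
# commands it may run there (the article's outsourced Oracle DBA case).
ROLE_ACCESS = {"dba-contractor": {"oracle-db-01": {"sqlplus", "rman"}}}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    command: str
    risk_score: int      # 0-100, assumed to come from a behaviour-analytics engine
    mfa_verified: bool   # has the user already completed a step-up factor?

@dataclass
class Elevation:         # temporary privilege granted by an approved workflow ticket
    user: str
    resource: str
    commands: set
    expires_at: float

class PolicyEngine:
    def __init__(self, step_up_threshold=50, block_threshold=80):
        self.step_up_threshold, self.block_threshold = step_up_threshold, block_threshold
        self.elevations, self.audit_log = [], []   # every decision is recorded

    def approve_ticket(self, user, resource, commands, ttl_seconds, now=None):
        """Workflow approval: just-in-time privilege that expires after ttl_seconds."""
        now = time.time() if now is None else now
        self.elevations.append(Elevation(user, resource, set(commands), now + ttl_seconds))

    def _record(self, req, decision, reason, now):
        self.audit_log.append((now, req.user, req.resource, req.command, decision, reason))
        return decision, reason

    def evaluate(self, req, now=None):
        now = time.time() if now is None else now
        # Risk-based control first: block at high risk, demand MFA at elevated risk.
        if req.risk_score >= self.block_threshold:
            return self._record(req, "deny", "risk score above block threshold", now)
        if req.risk_score >= self.step_up_threshold and not req.mfa_verified:
            return self._record(req, "step-up", "MFA required before access", now)
        scope = ROLE_ACCESS.get(req.role, {})   # per-resource, never whole-network access
        if req.resource not in scope:
            return self._record(req, "deny", "resource outside role scope", now)
        if req.command in scope[req.resource]:
            return self._record(req, "allow", "command permitted by role", now)
        for e in self.elevations:   # least privilege: extra commands only via unexpired elevation
            if (e.user, e.resource) == (req.user, req.resource) and req.command in e.commands and e.expires_at > now:
                return self._record(req, "allow", "temporary elevation from approved ticket", now)
        return self._record(req, "deny", "command not in role and no active elevation", now)
```

Passing `now` explicitly makes the expiry behaviour reproducible in tests; in production the engine would take the real clock.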

Usernames and passwords are here to stay for the foreseeable future. While the new California legislation is a good first step in addressing identity-based cyber-attacks, organizations should supplement their existing security practices to reduce the risk of account compromise attacks that exploit harvested credentials to breach enterprise resources.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
