Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

The Human Element and Beyond: Why Static Passwords Aren’t Enough

Static Passwords Are No Longer Enough to Secure Systems

Static Passwords Are No Longer Enough to Secure Systems

While there have been varying views about the decision to host RSA Conference 2020 in San Francisco despite the onset of Coronavirus infections, which has evolved into the COVID-19 pandemic, one thing organizers got right this year was the theme: The Human Element.

This year marks the first time since 1995 that the conference’s theme matched cyber security realities and was not solely driven by marketing hype. When it comes to breaches, all roads still lead to the human element. In fact, hackers don’t hack in anymore — they log in using weak, default, stolen, or otherwise compromised credentials. Forrester estimates that 80 percent of security breaches involve compromised privileged credentials. It seems obvious, imposing better controls over the human element should lead to significant improvements in data breach prevention.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Yet most organizations continue to invest the largest chunk of their security budget on protecting the network perimeter rather than focusing on security controls which can protect against the leading attack vector: privileged access abuse. 

This is a big mistake. PAM has been on the Gartner Top 10 Security Projects list for the past two years for good reasons. Organizations should make privileged access management (PAM) a top priority, and here are three best practices for doing so… 

Go Beyond Passwords

Static passwords are no longer enough, especially for sensitive enterprise systems and data. Since they lack the ability to verify whether the user accessing data is authentic or just someone who bought a compromised password from the 21 million that were revealed in last year’s Collections #1 database of exposed data? We simply can’t trust static passwords anymore. Organizations need to realize that multi-factor authentication (MFA) is the lowest hanging fruit for protecting against compromised credentials.

Less is More

Advertisement. Scroll to continue reading.

Gartner estimates that global spending on cybersecurity will hit $131 million annually in 2020, yet the breaches keep on coming. That’s probably because a large proportion of these investments are being funneled toward solutions that don’t address modern security problems or protect the ever-growing attack surface of perimeter-less enterprises. Hackers, for their part, are shifting their tactics and targeting the path of least resistance: namely, identity. They realize that it only takes one person still using “123456” as their password to ransack an organization. 

Companies of all sizes, across all industries must get more strategic about how and where they allocate their security dollars. Instead of spending more money on every security technology under the sun, they should be laser-focused on purchasing the right tools. And since privileged access is now a major attack vector, that is where the smart money should be going. If we assume hackers are already in the network, are we better off spending more money hardening the perimeter, or restricting movement inside of it? 

Identity-Centric Security based on Zero Trust Principles 

Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. An Identity-Centric Security approach helps enterprises re-establish trust by enforcing least privilege access, on a real-time basis based on verifying who is requesting access, the context of the request, and the risk of the access environment. 

Identity-Centric Security

For systems to enforce an authoritative security policy, each must have a securely established unique identity with the authoritative security management platform (e.g., Microsoft Active Directory). It is no longer acceptable in today’s threatscape to allow management systems to use anonymous access accounts or injected credentials such as vaulted, shared super user accounts, since they cannot be strongly verified for security operations.

Another important thing to consider is that today identities include not just people but workloads, services, and machines. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. Properly verifying the “who” before authorizing access by any “entity” requires querying enterprise identity repositories for authentication and entitlements. 

Meanwhile, all accounts that have access to sensitive data should only be granted ‘least privilege’ and only for the period of time when it is needed, then that access should be revoked. This “zero standing privilege” stance ensures all access to services must be authenticated, authorized, and encrypted. 

Conclusion

In reality, many breaches can be prevented by implementing basic steps, as outlined in “Phishing Attacks: Best Practices for Not Taking the Bait”. These essential measures range from security awareness training and multi-factor authentication (MFA) to applying Identity-Centric Security tactics and measures based on Zero Trust principles. They can enable organizations to stay ahead of the security curve and leave static passwords behind for good.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...