Organizations Must Assume That Bad Actors Are Already in Their Networks
The world has been faced with numerous life lessons in 2020, but it’s clear that millions of people still haven’t learned one of the most basic when it comes to security. A new report from NordPass has revealed that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack passwords. Of the 200 most common passwords, ‘123456’ took the number one spot again, but unfortunately for the more than two million people using it, it can be broken in less than a second. Other popular passwords included ‘iloveyou’ and the ever-so-creative ‘password’. When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s critical that everyone put password hygiene at the top of their New Year’s resolutions list.
Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment.
The reality is that many breaches can be prevented by some of the most basic cyber hygiene practices. Yet most organizations continue to invest the largest chunk of their security budget on protecting the network perimeter rather than focusing on establishing key identity-related security controls. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).
Today’s economic climate exacerbates these cyber risks and the impact of the COVID-19 epidemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ identity and access management practices. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments. So, what can be done to minimize credential-based data breaches
Consumers and businesses alike must abandon static passwords and recognize that multi-factor authentication (MFA) is the lowest hanging fruit for protecting against compromised credentials. This approach requires an extra step to verify an identity beyond a username and password using something the user knows (such as a text code), something they have (such as a smartphone), or something they are (such as a face or fingerprint scan).
Individuals should use password managers. A password manager is an easy way to ensure employees are using complex passwords. Some solutions will also advise the user if one of the passwords has potentially been compromised in a data breach and prompt them to change it immediately.
For enterprises, less is more. Instead of pouring more money into a shotgun approach to security, organizations should pursue a strategy oriented on purchasing the highest reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?
The existence of privileged access carries significant risk, and even with privileged access management (PAM) tools in place, the residual risk of users with standing privileges remains high. In turn, organizations must adopt a “Zero Trust” approach. Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. An identity-centric security approach based on Zero Trust principles re-establishes trust, and then grants just-in-time least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.
Ultimately, organizations must assume that bad actors are already in their networks. And consumers must realize they’re constant targets. In 2021, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as MFA and zero standing privileges, to stay ahead of the security curve and leave passwords behind for good.
Related: The (Re-)Emergence of Zero Trust
Related: NIST’s Zero Trust Taxonomy Introduces Components, Threats and Migration Routes