Passwords are a cornerstone method in IT for securing access to data. However, a recent survey from Lieberman Software revealed that over three-quarters (77%) of IT professionals believe passwords are failing IT security.
The study, which looked at the attitudes of nearly 200 cybersecurity professionals, also found that 53% of those surveyed thought that modern hacking tools could easily break passwords within their organizations. Given the IT audience that was surveyed, these results really tap into the mindset of the IT security industry – and perhaps it is time for a rethink about the way in which passwords are handled within organizations.
Criminals are automating
The internet is huge, so cyber-criminals use automation to capitalize on that scale and to save time on mundane tasks like brute-forcing user credentials. A long, boring but potentially rewarding task like that is exactly what computers are built for.
Criminals take advantage of a computer’s ability to execute mind-numbing tasks, and ultimately they monetize the laziness of people who choose weak passwords. All it takes is a little bit of code and a lot of bad intentions; contrary to the primitive connotations of its name, a brute force attack is actually pretty clever.
These attacks succeed because someone much smarter forged the path. Someone figured out how to automate these cyber-attacks. Someone found the vulnerabilities to exploit. Someone did all the smart work up front, and it’s that smart part that stings because, more often than not, it’s the automation and the persistence that will beat an organization’s defences.
So why can’t we?
If brute force attacks are being automated to try millions of passwords in seconds, but people only change their passwords once in a blue moon, what chance do they have? We need to combat this by also automating password rotation.
Administrative passwords are essentially the keys to the kingdom within any given organization. If even one is compromised, clever hackers can exploit it to gain access to other areas of the network. Shockingly, the same survey found that 10% of respondents never updated their administrative passwords.
Admittedly, it’s difficult for IT staff to keep track of all their admin passwords, but this gets even more complicated when you’re expected to know every place where the credentials are used – and what might break when they’re updated. However, because of the sensitive systems that these credentials protect, frequent privileged password changes are essential for good security.
So what if organizations could react with an automated defense? Taking control of privileged account management greatly reduces the attack surface and limits lateral movement in the event that a brute force attack succeeds and the attacker gets into the system.
This is neither rocket science, nor is it original. After one of the major data breaches of last year – top 3 by notoriety – many consultants were parachuted in; they sat and stared at tons of screens, drank lots of caffeine, and after 36 hours concluded that all the privileged credentials should be changed. Now imagine if that were an automated response: it would have happened the moment the breach was detected.
Simply rotating credentials at the point in time of an active attack, as a response, cuts off the attacker’s access to the privilege needed to succeed without affecting legitimate users, who were already going through a process to gain access on demand. The key is that since legitimate users wouldn’t have always-on privilege in that scenario anyway, the only ones feeling the pain of the automated response are the bad guys.
Once the power to control rights and privileges is sorted, the solution should then hook up to other security systems to make sure everything works as a healthy, closed-loop process. If analytics and logging solutions are looking at all the security event data to find patterns, then surely the data about who holds legitimate privilege at any given moment is equally important. That leads to simple correlations – for example, an action taken using a privileged identity that is not currently checked out to any authorized user is suspicious.
If security tools are detecting malware and other incidents as they happen, the privileged account management system can automate a privileged response in near real time with minimal operational impact. Of course, organizations have to get the technology wired up to make it possible. But once that is all in place, it’s easy to push a button as an automated response, knowing you have the tools and the talent all lined up.
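The two ideas in the preceding paragraphs – the “privileged action with no active checkout” correlation and the automated rotate-everything response that hurts only whoever is holding a stolen password – are easier to reason about with a concrete model. The following is an added example written for this page, not code from any vendor or from the survey’s author; the vault, the lease rules, the `PrivilegedVault` and `find_unleased_privileged_use` names, and the privileged-action events are all constructed for illustration.

```python
"""Added example: just-in-time privileged checkout with rotation on check-in and on
breach detection, plus the 'privileged action with no active checkout' correlation.
All names, lease rules and sample events are constructed for this illustration."""

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Lease:
    account: str
    user: str
    start: datetime
    end: datetime  # exclusive; shortened on check-in or emergency rotation


class PrivilegedVault:
    """Holds the current secret for each privileged account and every lease ever issued."""

    def __init__(self, accounts):
        self._secrets = {a: secrets.token_urlsafe(24) for a in accounts}
        self.rotations = {a: 0 for a in accounts}
        self.leases = []

    def verify(self, account, password):
        """Stand-in for the target system checking a password against the current secret."""
        return secrets.compare_digest(self._secrets[account], password)

    def rotate(self, account):
        """Replace the secret (a real vault would also push it to the target system)."""
        self._secrets[account] = secrets.token_urlsafe(24)
        self.rotations[account] += 1

    def checkout(self, account, user, now, ttl=timedelta(hours=1)):
        """Hand out the current secret under a time-limited lease; privilege is never always-on."""
        lease = Lease(account, user, now, now + ttl)
        self.leases.append(lease)
        return lease, self._secrets[account]

    def checkin(self, lease, now):
        """Close the lease and rotate, so the password the user saw is now dead."""
        lease.end = min(lease.end, now)
        self.rotate(lease.account)

    def emergency_rotate_all(self, now):
        """Automated breach response: close every open lease and rotate every account."""
        for lease in self.leases:
            lease.end = min(lease.end, now)
        for account in self._secrets:
            self.rotate(account)

    def active_lease(self, account, at):
        for lease in self.leases:
            if lease.account == account and lease.start <= at < lease.end:
                return lease
        return None


def find_unleased_privileged_use(vault, events):
    """Correlation rule: a privileged action with no matching checkout is suspicious."""
    return [ev for ev in events if vault.active_lease(ev["account"], ev["time"]) is None]


def demo():
    t = datetime(2024, 3, 1, 9, 0)
    vault = PrivilegedVault(["svc_backup", "domain_admin"])

    # Alice checks out svc_backup at 09:00 for one hour; assume an attacker
    # captured the password at that moment and keeps a copy.
    lease, pw_alice = vault.checkout("svc_backup", "alice", t)
    pw_attacker = pw_alice

    # Constructed privileged-action events, as a logging/analytics system would see them.
    events = [
        {"time": t + timedelta(minutes=10), "account": "svc_backup", "host": "db01", "action": "ssh login"},
        {"time": t + timedelta(hours=2, minutes=30), "account": "svc_backup", "host": "web02", "action": "ssh login"},
        {"time": t + timedelta(hours=2, minutes=31), "account": "domain_admin", "host": "dc01", "action": "ldap modify"},
    ]

    # Alice checks in at 09:45; the password is rotated on check-in.
    vault.checkin(lease, t + timedelta(minutes=45))

    # Only the 09:10 login had an active lease; the two later events had none.
    alerts = find_unleased_privileged_use(vault, events)

    # Detection fires on those alerts and the automated response rotates everything.
    vault.emergency_rotate_all(t + timedelta(hours=2, minutes=35))

    attacker_still_works = vault.verify("svc_backup", pw_attacker)
    # Alice, who never had always-on privilege, simply checks out again and gets the new secret.
    _, pw_alice_new = vault.checkout("svc_backup", "alice", t + timedelta(hours=2, minutes=40))
    alice_still_works = vault.verify("svc_backup", pw_alice_new)

    return {
        "alerted_hosts": [e["host"] for e in alerts],
        "attacker_still_works": attacker_still_works,
        "alice_still_works": alice_still_works,
        "rotations": dict(vault.rotations),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` flags the `web02` and `dc01` events (no lease covered them), shows the attacker’s captured password failing after the emergency rotation while Alice’s fresh checkout succeeds, and reports two rotations for `svc_backup` (check-in plus emergency) and one for `domain_admin`. In a real deployment `rotate` would push the new secret to the target system and the events would come from the SIEM rather than an in-memory list, but the correlation and response logic are the same.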
If attackers are successfully breaching organizations with automated attacks such as brute forcing, organizations need to respond in kind; that is the trick to making automation an ally instead of an enemy.