Security Experts:

The Human Element and Beyond: Why Static Passwords Aren't Enough

Static Passwords Are No Longer Enough to Secure Systems

While there have been varying views about the decision to host RSA Conference 2020 in San Francisco despite the onset of Coronavirus infections, which has evolved into the COVID-19 pandemic, one thing organizers got right this year was the theme: The Human Element.

This year marks the first time since 1995 that the conference’s theme matched cyber security realities and was not solely driven by marketing hype. When it comes to breaches, all roads still lead to the human element. In fact, hackers don’t hack in anymore — they log in using weak, default, stolen, or otherwise compromised credentials. Forrester estimates that 80 percent of security breaches involve compromised privileged credentials. It seems obvious, imposing better controls over the human element should lead to significant improvements in data breach prevention.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Yet most organizations continue to invest the largest chunk of their security budget on protecting the network perimeter rather than focusing on security controls which can protect against the leading attack vector: privileged access abuse. 

This is a big mistake. PAM has been on the Gartner Top 10 Security Projects list for the past two years for good reasons. Organizations should make privileged access management (PAM) a top priority, and here are three best practices for doing so... 

Go Beyond Passwords

Static passwords are no longer enough, especially for sensitive enterprise systems and data. Since they lack the ability to verify whether the user accessing data is authentic or just someone who bought a compromised password from the 21 million that were revealed in last year’s Collections #1 database of exposed data? We simply can’t trust static passwords anymore. Organizations need to realize that multi-factor authentication (MFA) is the lowest hanging fruit for protecting against compromised credentials.

Less is More

Gartner estimates that global spending on cybersecurity will hit $131 million annually in 2020, yet the breaches keep on coming. That’s probably because a large proportion of these investments are being funneled toward solutions that don’t address modern security problems or protect the ever-growing attack surface of perimeter-less enterprises. Hackers, for their part, are shifting their tactics and targeting the path of least resistance: namely, identity. They realize that it only takes one person still using “123456” as their password to ransack an organization. 

Companies of all sizes, across all industries must get more strategic about how and where they allocate their security dollars. Instead of spending more money on every security technology under the sun, they should be laser-focused on purchasing the right tools. And since privileged access is now a major attack vector, that is where the smart money should be going. If we assume hackers are already in the network, are we better off spending more money hardening the perimeter, or restricting movement inside of it? 

Identity-Centric Security based on Zero Trust Principles 

Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. An Identity-Centric Security approach helps enterprises re-establish trust by enforcing least privilege access, on a real-time basis based on verifying who is requesting access, the context of the request, and the risk of the access environment. 

Identity-Centric Security

For systems to enforce an authoritative security policy, each must have a securely established unique identity with the authoritative security management platform (e.g., Microsoft Active Directory). It is no longer acceptable in today’s threatscape to allow management systems to use anonymous access accounts or injected credentials such as vaulted, shared super user accounts, since they cannot be strongly verified for security operations.

Another important thing to consider is that today identities include not just people but workloads, services, and machines. This is especially true in DevOps and cloud environments, where task automation plays a dominant role. Properly verifying the “who” before authorizing access by any “entity” requires querying enterprise identity repositories for authentication and entitlements. 

Meanwhile, all accounts that have access to sensitive data should only be granted ‘least privilege’ and only for the period of time when it is needed, then that access should be revoked. This “zero standing privilege” stance ensures all access to services must be authenticated, authorized, and encrypted. 

Conclusion

In reality, many breaches can be prevented by implementing basic steps, as outlined in “Phishing Attacks: Best Practices for Not Taking the Bait”. These essential measures range from security awareness training and multi-factor authentication (MFA) to applying Identity-Centric Security tactics and measures based on Zero Trust principles. They can enable organizations to stay ahead of the security curve and leave static passwords behind for good.

view counter
Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).