Posted by Tim Femister on Apr 30, 2019 10:00:00 AM
Our national Cybersecurity Practice engages in thousands of customer conversations each year, and a few themes consistently emerge as primary concerns. The information security industry is plagued with confusion, complexity, and challenge, to the point that 30% of enterprises worth over $25 billion report that they do not have an overall information security strategy—and that number is substantially worse for the typical organization. Keep in mind that this simply refers to an information security strategy. It does not factor in the ability to implement that strategy, or whether the strategy is comprehensive or effective. Worse, most organizations overestimate their cyber preparedness, and factors like the global workforce shortage, security start-up sprawl, and cloud confusion are stymieing the effective implementation of information security strategies.
In this blog series, we’re going to focus on some of the key fundamentals of modernizing information security controls.
Modernizing Application Access
Modernizing the way in which we securely access applications is arguably the biggest net change in the industry, and it also has the greatest impact on end users. It wasn’t long ago when banks and highly sensitive environments were using tokens to support authentication. Everyone else used a traditional username and password, with little to no standards for password sophistication. In fact, most organizations still operate under this legacy standard, which has seen almost no change in the past 15+ years. During this same time period, the hacking industry has undergone a major revolution. This leaves several key vulnerable areas within the enterprise that hackers can fully exploit.
Employees repeat passwords. Over and over.
The email and password someone uses for professional (and sometimes, personal) sites, like LinkedIn, might just be the same email and password (or structure) they use for their corporate email. The problem with this practice? LinkedIn had a major breach in 2012 where it lost 167 million account credentials. Those account credentials are flowing through the cyber underworld and are actively being put to use against organizations globally.
Unfortunately, this is not just a one-off LinkedIn issue. Business-related sites are now high-value targets, and hackers have the sole goal of obtaining your email and password combo in hopes of gaining access to a corporate inbox. Furthermore, companies like LinkedIn have very aggressive information security measures, whereas a local trade association likely has little to none. We generally don’t hear about the latter breaches due to their limited size and, more importantly, because it’s likely that no one even knew they occurred—but that doesn’t mean they aren’t occurring. In fact, credential reuse is reported to account for 81% of hacking-related breaches.
Passwords are generally personal, common, or both.
It’s also problematic that our ability – or perhaps willingness – to remember complex, differentiated passwords is quite limited. At the bottom of the password ingenuity pool, a large percentage of users still use the top 50 passwords that are now well known and well documented through the data sets from leaked breaches (like LinkedIn’s). The easiest-to-guess password of all, 123456, is estimated to be used by 3% of people. Simple math tells us that if we try 123456 on a hundred accounts, we’re more than likely to get a hit. Scale that up to a hundred thousand accounts and the law of large numbers tells us that we’ll land pretty close to that 3% mark. This facilitates an attack method known as password spraying, where a few common passwords are attempted at large scale across an organization’s accounts. Factor in social media and the ability for complete strangers to learn about someone’s hobbies, interests, and family at any given moment, and it’s no surprise that this method has become quite effective.
Passwords are all powerful.
If you want to protect a system, use a password, right? Everything has a password, and everything relies on passwords to ensure security. Need to transfer money? Just enter your password. Need to delete your entire cloud infrastructure? Once again, just enter your password. Even our latest-generation phones, with fancy biometrics or facial recognition, rely upon a single password. Simply restart your phone and you’ll be asked for a numeric password, not your fingerprint or facial ID. Want to take a guess at how many people still use 123456, 111111, 121212, or 258025? Everyone uses passwords to protect their systems, but few have a system to protect their passwords—and therein lies the problem.
Take Action: Modernize Application Access
Let’s look at some simple actions that you can take to start securing your application access.
First and foremost, employ and enforce a modern multi-factor authentication (MFA) solution across all publicly accessible systems, especially email. Even if a password was leaked or easily guessed, an MFA solution will prompt for a second layer of authentication in the form of a push to a simple MFA app on a smartphone (with other options available). The user can either confirm or deny access. If confirmed, the user continues to their application, having spent no more than two seconds affirming their identity. If denied, an administrator will be able to see that an illegitimate login was attempted. Many, many successful attacks could have been thwarted by simply having a robust MFA solution. The 2018 State Department breach is a prime example.
There are many available MFA solutions today. Duo (recently acquired by Cisco) is leading the charge, and it is a pinnacle example of a modern MFA solution that’s highly effective, minimally intrusive, and easy to deploy and manage.
Next, it’s vital to instill a culture of cyber awareness within your organization, as a strong human firewall is the best firewall you can have. Users should understand the risks that exist and be empowered to employ complex, differentiated passwords and maintain mature cyber hygiene. Many organizations fail to make a robust password manager available to all employees, which is a big miss. In both our personal and professional lives, we use a great many systems, services, and solutions that require a password. A leading password manager takes the burden off the user to create and remember 25+ differentiated passwords.
Finally, you don’t know what you don’t know. Account Takeover (ATO) Prevention solutions, which have recently emerged and gained a lot of support in the industry, provide critical intelligence by identifying users whose credentials may have been compromised on the dark web. Leveraging this as an early warning system helps you maintain a level playing field with those who wish to use that information to gain illegitimate access to your systems. SpyCloud is a great example of an ATO Prevention solution that we strongly advocate, as customers ranging from midsize enterprises to Fortune 100 companies have found great success with it.
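One building block behind the breached-credential checks described here and in the credential-reuse discussion above, as an added example that is not SpyCloud’s or any vendor’s code: a k-anonymity range query, the protocol Have I Been Pwned’s Pwned Passwords service uses. The client hashes the candidate password, sends only the first five hex characters, receives every suffix in that bucket, and finishes the match locally, so the checking service never learns the full hash. The leaked set below is constructed from the weak passwords the post lists and stands in for a real breach corpus.

```python
"""Privacy-preserving check of a password against a leaked-credential set
using a 5-hex-character SHA-1 prefix (k-anonymity range query).

Added example. The leak corpus is constructed; the service class is a local
stand-in for a breach-intelligence API, not a real one.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-in for a breach dump (the weak passwords named in the post).
CONSTRUCTED_LEAK = ["123456", "111111", "121212", "258025", "password", "qwerty"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Service side: keeps only SHA-1 hashes, bucketed by their 5-hex prefix."""

    def __init__(self, plaintexts):
        self.buckets = defaultdict(list)
        for pw in plaintexts:
            h = sha1_hex(pw)
            self.buckets[h[:5]].append(h[5:])

    def range_query(self, prefix: str):
        """Return every stored suffix whose hash starts with `prefix`.
        The caller's full hash is never transmitted."""
        return list(self.buckets.get(prefix.upper(), []))


def is_compromised(index: BreachIndex, password: str) -> bool:
    """Client side: send the 5-char prefix, match the remaining 35 chars locally."""
    h = sha1_hex(password)
    suffixes = index.range_query(h[:5])
    return any(hmac.compare_digest(s, h[5:]) for s in suffixes)


def enforce_at_password_change(index: BreachIndex, new_password: str) -> str:
    """Policy hook for a password-set/reset flow: refuse known-leaked values."""
    if is_compromised(index, new_password):
        return "rejected: password appears in a known breach"
    return "accepted"


if __name__ == "__main__":
    idx = BreachIndex(CONSTRUCTED_LEAK)
    for pw in ["123456", "correct horse battery staple"]:
        print(pw, "->", enforce_at_password_change(idx, pw))
```

Run at password-change time, this blocks the reuse of already-leaked values before they reach the directory; run against the identity store's existing hashes, it is the early-warning signal the post describes, flagging accounts whose credentials are circulating so they can be reset and MFA enforced before the login attempt arrives.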