David Higgins, Senior Director at CyberArk’s Field Technology Office explains why strong passwords aren’t enough to stop identity based cyberattacks.
In a world where anything can be bought and delivered online, it would be naïve to assume that stolen credentials couldn’t. A Remote Desktop Protocol (RDP) can be bought for less than $10, which makes it all too easy for attackers to gain that initial intrusion – as RDP is just the network protocol used to connect to a Windows server. And with a stack of passwords at their disposal, it’s pretty easy for any attacker to launch a credential stuffing or brute force attack. Should that fail, the latest phishing techniques have a great chance of success instead. That this is not defeatist, but realistic: knowing that passwords and IT training simply aren’t enough will enable IT teams to better prepare for when those attacks come to test defences.
Over the course of our working lives we’ve been taught that a strong password is crucial to keeping us protected, so it feels counterintuitive to hear the contrary. But it’s time to address the facts: strong passwords simply aren’t enough.
When everything has a password, it’s impossible for workers to keep up
Now that the majority of businesses run almost wholly digitally, the average staff member needs to access more than 30 applications and accounts at work (and approximately 55 others at home). Requiring a multitude of logins with multiple complex passwords isn’t realistic. After all, we’ve all been guilty of ‘updating’ our password from Password1 to Password2 just to satisfy the IT department. Or employees who have actually managed to have a variety of passwords do so by storing them on their browser, making them just as vulnerable without realising.
While IT teams used to be the target for attackers, with their uniquely privileged access to critical systems and data, the modern reality is that 52% of an organisation’s workforce has direct access to sensitive corporate data. In turn, this has created the possibility for anyone to be a ‘privileged user’ – likely with fewer protections in place than someone in the IT team.
Digital credentials aren’t only reserved for human workers
Ghost workers? Almost. Machine and bot identities are prolific, outnumbering human identities by a factor of 45x. Of these machine identities, 68% have access to sensitive corporate data and assets. As organisations accelerate to hybrid or multi-cloud environments, there are even more gaps (read: human and machine identities) that attackers can compromise and use as entry points.
A dangerous weight on IT professionals’ shoulders
Risky IT practices are on the rise; time and tech pressures, the digital transformation and the drive towards automation are all stacking up on the shoulders of IT teams. Business leaders need to recognise the importance of the team keeping their business safe so that risky practices like embedding credentials or overprovisioning cloud permissions are eradicated. As excessive cloud permissions pile up with every new IT or transformation initiative, risk exposure grows and cybersecurity debt accumulates.
In addition, pressures on tech teams to constantly operate and deploy faster has also led to more embedded credentials and access keys in code. These credentials are rarely (if ever) changed and often left exposed. When powerful credentials for enterprise security systems are embedded into scripts, the result can be disastrous, as demonstrated in the recent Uber breach.
Until we reach a passwordless future
Although passwords clearly aren’t fit for purpose anymore, the world simply isn’t ready to go totally passwordless yet. This technology is in its nascent phase and relies on modern platforms to integrate with– although there are promising advances being made. The tech we currently rely on, like password managers, weren’t built to manage the tens of thousands of identities that many enterprises have, nor designed to manage them across the environment in the way we need.
Implementing a defence-in-depth identity security framework can help bridge the gap while we wait for the tech to catch up with our needs. By creating strong password policies that work in a Zero Trust framework, organisations can ensure that they are securing any and every identity, human or machine. Ensuring that identities only have access to the privileged access that they need, while implementing continuous threat monitoring, means that organisations are ready for when – not if – a password or credential is compromised.
Read the latest edition of PCR’s monthly magazine below:
Like this content? Sign up for the free PCR Daily Digest email service to get the latest tech news straight to your inbox. You can also follow PCR on Twitter and Facebook.