Passwords are not treated as critical to security
Considering the cyber world we live in, it’s time to ask whether passwords can still be considered a reliable security component – and if so, how should they be used? Look no further than Major League Baseball (MLB) where the St. Louis Cardinals allegedly hacked into the database of rival team the Houston Astros. Law enforcement officials believe the Cardinals were able to easily access the Astros’ database by using a master list of passwords that was created by Jeff Luhnow, and continued to be used after Lunhow left his position with the Cardinals to become general manager of the Astros in 2011.
This incident serves as another reminder that too many organizations – of varying sizes and across industries – continue to rely on stale, outdated passwords and inadequate password management procedures. For example, users continue to use the same passwords across multiple sites despite persistent cautioning to change this practice.
A steady drumbeat of high visibility security breaches caused by insecure passwords continuously demonstrate the fallibility of inadequate password management. Passwords continue to be a critical part of security policy in most organizations, which is why it’s confounding that many employees are still allowed to set their own passwords for corporate assets. If we are honest with ourselves and aware of human limitations, we shouldn’t rely on human users to choose a properly complex password for our most sensitive accounts.
Employees are not expected to manage other key security processes such as installing antivirus, monitoring updates and reviewing vulnerability reports – yet passwords are okay for employees to own? Does this mean credentials are not a critical piece of the security strategy?
Some passwords are far more valuable than others, such as those for privileged accounts. These accounts are the most powerful in any organization – and are exploited by external attackers to carry out advanced attacks. Following a recent spate of cyber attacks on retailers, on organizations like Sony Pictures and Sands and on a growing number of healthcare organizations, the main focus has been on finding out who carried out the attacks and what their motivations were. Yet this attribution question doesn’t really help organizations with preventing the next breach.
In examining how these cyber attacks were carried out, we can clearly see that all of them had a common characteristic–the exploitation of privileged accounts. For this reason, privileged credentials need to be considered a critical security matter rather than simply another password for employees to manage.
So what can be done to mitigate the risk of similar attacks? Here are some steps organizations can take to better protect privileged credentials:
Utilize an automated credential management solution to manage passwords so that users don’t even know them.
The best policy for organizations is to simply not allow employees to set passwords to begin with. Using a dedicated credential management solution can prevent users from ever knowing the passwords while still giving them the immediate access that business requires.
Using this type of automated solution does more than just take the onus of coming up with difficult to crack passwords off the shoulders of your employees — it eliminates the need to type a password at all, helping to make privileged credentials safe and protected.
Implement a Next Generation Jump Server to prevent credentials from residing on endpoint machines.
It’s not a secret that the majority of data stolen during sophisticated cyber attacks came from servers. One way to proactively mitigate the impact of these data breaches is to attain separation between sensitive and non-sensitive assets within the network. There are several limitations to traditional jump servers, however, since they ignore the impact of the privileged connection.
Unlike homegrown jump servers that still require a privileged credential to access target systems, a new class of Next Generation Jump Servers can effectively be deployed to merge isolation, control and monitoring into a single solution to truly protect an organization’s sensitive business information. Such solutions prevent the privileged passwords from residing on the potentially compromised user endpoints, thus significantly increasing the overall security of the network.
Change passwords more frequently – even better, use one-time generated passwords.
Using a credentials management system that can generate random, complex and unique passwords and replace the passwords according to organization policy is one of the best ways to stop an attacker. If a hacker was able to get their hands on a password, the use of one-time passwords that expire after a single use would make that password obsolete. This system, once again, takes the responsibility off the employee.
Track who is using privileged access, when they’re using it and from where by recording activity with analytics-based security practices and tools.
By implementing analytics-based security practices and tools, organizations can monitor privileged account activity to learn what constitutes “normal” privileged behavior of the network. Anomalies that may indicate malicious activity can then be detected much sooner.
Over the past few years, the drawbacks of password use have become clear. But one of the most important takeaways should be that not all users are created equal. Users with privileged access can do a lot more damage than average users.
If an external attacker is able to tap the power of these privileged user credentials they can do significant damage, as we’ve seen time and time again. It’s time organizations begin treating passwords as a critical piece of their security strategy. They must take the responsibility of passwords off the shoulders of their employees and implement tools that will protect their privileged credentials, thereby mitigating network breaches and unauthorized lateral movement throughout those networks.