Identity theft is one of the world’s fastest-growing crimes, but adding strong authentication on top of your password can help prevent it. Today is World Password Day, and here are some of the comments Help Net Security received from the infosec community.
David Mount, Director, Security Solutions Consulting EMEA at Micro Focus
This year’s World Password Day is particularly pertinent as it marks almost a year to the day of the General Data Protection Regulation (GDPR) coming into force. As organisations look to become compliant with the impending regulation, which will introduce new accountability obligations for businesses, it’s a fitting time to question the ongoing suitability of passwords. They remain the most common method of authentication in use today – however, they are easy to steal and security strategies usually place too much emphasis on users sticking to good password hygiene.
We shouldn’t rush to condemn passwords. They’re easy to use, simple to deploy, and relatively cheap to manage. Yet with major data breaches constantly being reported and billions of compromised log-in details for sale on the dark web, CIOs may need to consider looking for more effective ways for employees and partners to securely prove who they are without relying solely on passwords.
Standards such as FIDO Universal 2nd Factor (U2F) simplify the extension of multi-factor authentication to partners and consumers. IT departments should ensure the most appropriate levels of authentication are applied, depending on the sensitivity of the asset or resource being protected. This could be tokens and smartphones or biometrics and behavioural indicators – or even a blend of these measures.
CIOs should consider these alternative multi-factor methods in order to secure the organisation’s sensitive information, and remember that a one-size-fits-all solution to information security doesn’t exist. Whatever the answer is for each particular security scenario, simply relying on a user to devise (and remember) a sufficiently secure password is fundamentally flawed.
Richard Anstey, CTO EMEA at Synchronoss
Passwords clearly still have a role to play in securing data because they are relatively cheap to provision and manage, and do a satisfactory job of protecting data. For the highest value data, it’s a good idea to supplement passwords with incremental authentication methods, such as a physical or soft token. Where once these would have been expensive to distribute and manage – think about the cost of delivering or replacing physical tokens for a start – modern solutions can operate on users’ smartphones, which provide higher levels of security at lower cost.
The bottom line is that with the rapidly changing work patterns arising from cloud and BYOD, the perimeter which once existed around an organisation’s network has become blurred, or could be said to have disappeared entirely. This means that businesses need to keep a very firm handle on identity while implementing frictionless security processes for the employee. As an example, authentication could be based on a unique username plus a multiple choice question about some personal information, and/or a QR code read by an approved smartphone waved in front of the login screen. Smartphones are increasingly being used for context-based authentication, such as location, and we are likely to see this type of method become more widespread in future.
Simply telling or even forcing employees to use strong passwords could even be counter-intuitive as it creates a false sense of security. When dealing with very sensitive information, such as intellectual property or personal information, IT should consider additional security controls, such as information rights management. Security is about knowing what the danger is and how to deploy the appropriate level of protection. For the most sensitive data, encryption remains a cost-effective and relatively simple solution. If data is sufficiently encrypted and the keys are well protected, this can exempt companies from the mandatory data breach reporting clause in the upcoming GDPR, potentially also avoiding intense reputational damage and significant fines.
Andre Stewart, VP EMEA at Netskope
The recent spate of massive data breaches hitting the headlines shows that all too frequently, companies still view cybersecurity as an afterthought. World Password Day acts as a useful reminder that data security should be a key priority for businesses, particularly with only just over 12 months to go until the GDPR comes into effect.
Faced with an ever-expanding threat landscape, CIOs and CISOs must force organisations to place appropriate emphasis on safeguarding data and securing customer privacy. This includes ensuring that staff have the appropriate tools to carry out their jobs securely and making responsibilities clear to every single employee. Educating employees on basic password hygiene is a key step. One potential downside of passwords is that when the same log-in credentials are used for multiple cloud services, massive breaches elsewhere can expose credentials used to access corporate services – putting sensitive enterprise data at risk.
IT departments also need resources to actively monitor for any compromised usernames and passwords which are also being used to access company resources. If credentials previously stolen through a data breach are found to still be in use, companies should lock down those accounts and ensure users amend their login credentials so that data is sufficiently protected. Organisations should also be attentive to any anomalous activity which could indicate an unauthorised login attempt – but to spot anomalies, companies need to know what normal looks like and this means consistent monitoring to build up a picture of standard activity. Taking steps to strengthen the company’s security posture in this way ensures that IT won’t get caught out by cyber criminals making the most of leaked passwords to get their hands on further sensitive data.
Anurag Kahol, CTO at Bitglass
Last year, our security team leaked a fake profile onto the Dark Web to show just how quickly phished credentials can spread. Within a month, the fake employee’s credentials had been viewed over 1,400 times and there were multiple successful login attempts into the phished account. The number of large-scale data breaches and the fact that users regularly re-use passwords is a real issue for businesses today.
Against this background, static passwords simply cannot provide effective corporate protection. Businesses are now turning to a range of dynamic authentication methods that can analyse baseline user activity to detect potential intrusions, suspicious behaviours, and anomalous actions. It is essential that this approach to user authentication can extend to all cloud applications too. For example, if a user logs into Office 365 from the UK and then shortly after logs into Salesforce from Germany, this should be flagged as anomalous activity. The IT teams should be notified and the user should be asked to re-authenticate.
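The "Office 365 from the UK, then Salesforce from Germany" scenario above is a classic impossible-travel check. The following Python is an added illustration written for this page, not code from Bitglass or any product it describes; it assumes a constructed log line format, approximate country centroids for the distance estimate, and a 900 km/h plausibility threshold, and it works for any pair of cloud apps, not just the two named in the quote.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Assumption: approximate country centroids (lat, lon) for distance estimates.
COUNTRY_COORDS = {"UK": (54.0, -2.0), "DE": (51.0, 10.0), "FR": (46.0, 2.0)}

# Assumption: anything faster than an airliner cannot be the same person.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_event(line):
    """Constructed format: '<ISO timestamp> user=<id> app=<name> country=<cc>'."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), **fields}


def find_impossible_travel(lines):
    """Return (user, earlier_app, later_app, implied_kmh) for each consecutive
    pair of logins by one user that would require an implausible speed."""
    events = sorted((parse_event(ln) for ln in lines),
                    key=lambda e: (e["user"], e["ts"]))
    last, alerts = {}, []
    for ev in events:
        prev = last.get(ev["user"])
        if prev and prev["country"] != ev["country"]:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(COUNTRY_COORDS[prev["country"]],
                              COUNTRY_COORDS[ev["country"]])
            # Two logins at the same instant from different countries -> infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((ev["user"], prev["app"], ev["app"], round(speed)))
        last[ev["user"]] = ev
    return alerts


# Constructed sample logins: alice matches the quote's scenario, bob is a normal trip.
SAMPLE_LOGS = [
    "2017-05-04T09:00:00 user=alice app=office365 country=UK",
    "2017-05-04T09:20:00 user=alice app=salesforce country=DE",
    "2017-05-04T08:00:00 user=bob app=office365 country=UK",
    "2017-05-05T10:00:00 user=bob app=salesforce country=DE",
]
```

Feeding `SAMPLE_LOGS` to `find_impossible_travel` flags only alice; an alert is the point at which the user would be prompted to re-authenticate and the IT team notified.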