Are your passwords an open invitation to cybercriminals? Even if you believe your organization has adequate access management policies in place, you may be surprised at the weak, default, and repeated passwords lurking in places throughout your company's network.
The 2016 Verizon Data Breach Investigations Report (DBIR) found that 63% of confirmed security incidents involved "weak, default, or stolen passwords." Stolen passwords, which can result from phishing attacks, were significantly more common than brute-forcing, but both affect organizations of all sizes.
Join us as we take a look at the various aspects of password security best practices and ways both surprising and unsurprising vulnerabilities could harm your organization.
Are You Guilty of These Common Password Mistakes?
IT security pros can't truly be held responsible for poor password management practices among employees. Right?
Actually, many security experts would beg to differ. As security leadership, your role is to provide employees with the right tools, knowledge, and policy to guide better access management. You can't fully control whether an accounting employee just slightly modifies a password at required interval changes, but you can ensure he/she knows better.
When it comes to understanding who is responsible for access governance, the answer is "everyone." IT needs to take charge as the subject matter experts and work closely with other leadership to develop a systemic approach to rewarding employees, or holding them accountable, for security behaviors.
Password sharing is among the most frustrating phenomenon to security professionals. When defined most broadly, this can encompass a slew of poor behaviors that are generally executed by non-IT employees:
- Shared system credentials
- Providing passwords to direct managers
- Handing account access to coworkers
- Physically recording passwords on paper or digital documents
Before you assume you're innocent, think carefully. Even IT administrators can be guilty of department or team-wide credential sharing for the sake of convenience or rarely-used legacy systems.
Simply put, if the tools and policies do not support unique credentials for every single user in your enterprise, they may need to be revised. Not only does password-sharing open doors to theft by internal and external agents, it can make forensics incredibly difficult should an incident occur.
Meeting the Bare Security Minimum
Their list of common offenders included:
Optimally, your organization's systems/policies would prohibit users from carrying these habits into the workplace. But what about employees who squeak by and meet only the letter of the law when it comes to credential creation and changes?
Consider the password "B@tm0n!23". It meets the basic criteria established by Active Directory and other policy-based administration systems by containing a minimum of 8 characters, an uppercase letter, numbers, and special characters. If you're using typical policy-based AD administration, you probably require password changes every 30-90 days.
But is it truly secure?
In fact, it could be incredibly unsecure if any of the following factors are taken into account:
- It's used for several user accounts (including an employee's personal accounts)
- It's not truly changed, just slightly modified to "B@tm0n!24" at your periodic, required password changes
- It remains unchanged for extended periods of time, due to gaps in policy-based administration
While getting your employees to meet the minimum requirements for password security may seem like a win, security pros are wise to go the extra mile and educate their users on why "B@tm0n!23" isn't truly infallible and how to do better.
Weak Two-Factor Authentication
Two-factor authentication has become an increasingly common way for IT teams to improve access security. By verifying a user's identity with something they "have" (an SMS), something they know, or other criteria, you can significantly strengthen pure passcodes.
While two-factor authentication is certainly more secure than single-factor authentication, it's not perfect. The most recent NIST guidelines released in July 2016 actually discourage the sole use of SMS-based authentication, encouraging organizations to consider biometrics and "rate limit throttling," or locking out accounts after successive failures.
Individual risk tolerance can vary, and highly-sophisticated forms of multi-factor authentication are not reasonable for many organization's budgets. However, IT pros should consider whether their existing authentication mechanisms are helpful or a risk. In some cases, where a phone call to an IT department may be all that's required to reset a password, you could find your authentication requirements are completely insufficient.
Not Using Pass Phrases
One of the most effective ways to simply improve your access governance, organization-wide, could be to abandon passwords in favor of pass phrases. The Business Standard noted that a passphrase of 16-64 characters could beat out a shorter counterpart in cracking difficulty, even if an employee is just using a line of poetry.
There are obviously some risks in this approach, particularly if an employee's solution to a new, 32-character password requirement is to type out the names of their children in succession. However, from the perspective of simplicity in policy-based administration, upping your character count requirements could reduce the risks of your credentials being brute-forced.
Are Passwords Infallible?
The media is filled with reports of high-profile data breaches that originated from poor password management policies. In some cases, the mistakes were egregious and administrative accounts were left wide open with a password of "admin1234." In many other cases, even strong passwords failed due to successful phishing attacks or employee error.
It's wise for IT security professionals to recognize a few key truths: better access governance is a company-wide responsibility and passwords aren't perfect. They probably never will be, because humans make mistakes.
The solution is to double-down on avoiding many of the most common password mistakes that can leave your company totally vulnerable and to establish mechanisms to detect stolen or brute-forced credentials as soon as possible.
CimTrak offers advanced, real-time file integrity monitoring across an enterprise, allowing administrators to immediately detect unauthorized access, suspicious credential elevations, and other early warning signs of a data breach. With our sophisticated, agent-based monitoring tools, you gain the unique ability to remediate changes resulting from password theft as soon as they occur.
To learn more about how CimTrak supports compliance and security objectives, download the definitive guide to file integrity monitoring today.
October 20, 2016