Insecurity Complex: Best Practices for Combatting the Persistent Unsecure Password Problem in 2021

Even as cybercriminals are becoming more sophisticated and, according to Gartner (News - Alert), spending ten times more time attacking organizations than organizations are spending protecting themselves, the mother of all vectors for entry into critical infrastructure and systems is still through compromised credentials, including unsecure passwords.

Organizations in 2020 were victimized by a wide range of threats and exploits, most notably phishing attacks that penetrated corporate defenses, targeted email attacks launched from compromised accounts, theft or attempted theft of sensitive or confidential information, including reported incidents associated with COVID-19 vaccine science. 

As if the multiple challenges we saw last year were not enough, the SolarWinds (News - Alert) mega attack further highlighted the risks associated with incomplete protections.

Threats are becoming more sophisticated, as well-financed operations continue to develop improved variants of malware and social engineering attacks, and the damage to the reputations alone of some of the most prestigious agencies and enterprises in the world is not going in the right direction; in fact, fears are growing worse for many organizations.

Decision-makers are most concerned about endpoints getting infected with malware through email or web browsing, user credentials being stolen through phishing, and senior executives’ credentials being stolen through spearphishing.

What are some of the “new best practices” CIOs and CISOs should seriously consider as they attempt to bolster their security defenses in this new year? These can include conducting thorough audits of the current security/compliance environment, establishing detailed policies, implementing those policies, communicating clearly and regularly (including security awareness training), and deploying stronger, more automated security software to address the most persistent problem: unsecure passwords.

We caught up with Mohie Ahmed, Solutions Architect at Ironsphere, a US-based Privileged Access Management firm, to find out what they encountered in 2020 and what their large enterprise clients are looking for in the New Year.

“It’s important to note that account takeover-based and related types of attacks constitute a major source of risk,” Ahmed said, “and with intelligent, automated, real-time systems, there is no longer a need to simply worry about these unsecure passwords but to systematically create and dynamically change passwords for those who have the most privileged access. Last year, and continuing into this year, our emphasis has been on adding new levels of security for cloud-based applications, which have grown exponentially with the move to remote working.”            

Ahmed said investing in automation that replaces weak, unsecure passwords with automatically generated and changed complex passwords (in the background) “has a tremendous ROI. A successful breach of cloud-based data can expose customers to regulatory fines, other financial penalties, loss of customer confidence, and declining competitive market position, among other consequences. It’s important to look at password management across all infrastructure and applications, including cloud-delivered services.”

Mohie Ahmed also explained that while password policies can work, many IT leaders simply cannot risk trusting end-users to comply. “Without adequate training, many users will not be sufficiently skeptical of potential threats, particularly if these are delivered through social media channels, web advertising, or text messaging that are implicitly assumed to be less suspect than email or the web,” he said. “Employees and contractors, most of whom are now working from home, making the challenge of securing infrastructure and systems with a remote workforce even harder, are busy and focused on productivity, so may lapse when it comes to following policies. IT teams are doing a service for end-users when they help automate password hygiene, which today is more possible and affordable than ever.”

“Better password management tools go along with best practices when it comes to risk management and corporate governance,” Ahmed said. “Every organization needs detailed and thorough policies and procedures for protecting sensitive data and other assets, including acceptable use policies for every communication, collaboration, and file-sharing tools that will be used, both company-issued and personal smartphones, computers, applications, and services. A fulsome cybersecurity posture will always include guidance and policies on how employees should handle and share sensitive and confidential data, including encrypting and classifying this data, as well as the tools they can use to send and store this information. Password-management best practices, including password requirements, frequency of password changes, how passwords are stored, and so forth is a big part of this – the good news is we now have sophisticated tools that are easy to implement, transparent to end-users, and super helpful to the IT teams charged with day-to-day monitoring, management, and compliance.”