Enterprises rely on passwords almost to a fault, and users reuse passwords out of necessity, but these practices need to change. Major password breaches and the long list of challenges to password security have drawn significant attention to the inadequacy of depending on password-based security alone. As multifactor authentication and other improvements have become more common and easy to use, additional attention should be directed toward replacing passwords. Even when faced with the rapidly rising risk from continuing to use passwords, enterprises have been slow to deploy replacements.
This tip will explore the risks from major password breaches and enterprise responses aimed at protecting their resources.
Risks from password breaches
The risks from insecure passwords have been known since at least 1979, and this threat has recently evolved into major password breaches, such as the one at LinkedIn and those at many other companies. These breaches affect end users beyond requiring them to change just one password. Standard password guidance is to use a unique password for each account, but this is practically impossible for end users to follow. Hopefully, end users, including third parties and contractors, didn't reuse their LinkedIn account credentials for sensitive systems. However, given the difficulties of remembering passwords, it is likely those credentials had been reused elsewhere, which then required users to make multiple password changes. The risk enterprises face is that a user may have reused their enterprise credentials on a breached site, and their enterprise account could then be compromised. Given the difficulties with passwords, it may be rational for users to reject standard password advice.
A similar risk is present in an enterprise's customer accounts. A customer might have reused a password at your enterprise, which could result in more compromised customer accounts for your help desk to support. In addition to changing passwords, these account compromises might even result in fraudulent activities, such as orders or financial transactions made using compromised accounts that would need to be cleaned up. These fraudulent activities could also take the form of a more organized, rapid attack to cash out accounts. Fraudulent activities might have a significant, negative effect on an individual.
Enterprise responses to protect enterprise resources
While it might seem odd for an enterprise to respond to password breaches at other companies, it is a necessary precaution to protect enterprise accounts. It may seem like a good response to require your users to change their passwords more frequently to protect against compromised accounts, but this discounts the effect on end users and will only fuel their discontent. Focusing these efforts and managing the effect on end users is critical to successfully improving account security.
An enterprise might want to focus first on making secure password usage easier for end users and on improving account protection. These improvements could include single sign-on (SSO), federated identities, password managers and even multifactor authentication (MFA). SSO and federation reduce the number of passwords a user must manage; password managers help users securely manage passwords that meet the various password security requirements (it should be noted, however, that vulnerabilities have recently been discovered in a couple of password managers); and MFA can be used to strongly protect these accounts. Deploying MFA broadly is the most secure option, but it's not a panacea. In many scenarios, it requires more resources and more change by end users than just using a password, so additional time might be needed, during which the other options can be deployed as part of a coordinated plan to manage the risk.
Regardless of when the improvements are deployed, accounts must be monitored across all systems to identify suspicious behavior indicating possibly compromised accounts, and security teams should have incident-response plans in place for responding to different types of password breaches. As part of determining which improvements to make, enterprises should also assess the changing risk from external password breaches in order to prioritize the improvements within their security program, and should look at how customers use passwords to determine which improvements would best protect customer accounts. The security controls that reduce the most risk at the lowest overall cost should be made first. Informing users and management of this risk assessment may help them understand why the improvements are necessary to protect themselves and the enterprise.
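The monitoring described above is easiest to see on concrete data. The following script is an added example, not code from the original article: it runs two common compromised-account checks over a handful of constructed authentication log lines (the log format, the field names, the IP addresses from the RFC 5737 documentation ranges and the thresholds are all assumptions made for the example). The first check flags a source address whose failed logins spread across many distinct accounts, the pattern left by credential stuffing with reused passwords from an external breach; the second flags an account whose successful login follows a burst of failures, which is how a reused password that is eventually guessed correctly tends to look.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log; the "ts src= user= result=" format is hypothetical,
# and the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-06-01T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2016-06-01T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2016-06-01T08:00:03Z src=203.0.113.7 user=carol result=FAIL
2016-06-01T08:00:04Z src=203.0.113.7 user=dave result=FAIL
2016-06-01T08:00:05Z src=203.0.113.7 user=erin result=FAIL
2016-06-01T08:00:06Z src=203.0.113.7 user=frank result=OK
2016-06-01T09:15:00Z src=198.51.100.9 user=bob result=FAIL
2016-06-01T09:15:20Z src=198.51.100.9 user=bob result=OK
2016-06-01T10:30:00Z src=192.0.2.5 user=alice result=FAIL
2016-06-01T10:30:10Z src=192.0.2.5 user=alice result=FAIL
2016-06-01T10:30:20Z src=192.0.2.5 user=alice result=FAIL
2016-06-01T10:30:25Z src=192.0.2.5 user=alice result=OK
2016-06-01T11:00:00Z src=192.0.2.5 user=carol result=OK
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def spraying_sources(events, min_accounts=5):
    """Sources whose failures touch at least min_accounts distinct users.

    Many accounts, few attempts each, one source: the shape of credential
    stuffing driven by a breached password list. Threshold is an assumption.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed_users.items() if len(users) >= min_accounts}


def success_after_failures(events, min_failures=3, window_seconds=300):
    """Accounts where a success follows >= min_failures failures within the window.

    A success resets the per-account failure history, so an ordinary typo
    followed by a correct login is not reported. Thresholds are assumptions.
    """
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["result"] == "FAIL":
            recent_failures[user].append(e["ts"])
            continue
        cutoff = e["ts"].timestamp() - window_seconds
        in_window = [t for t in recent_failures[user] if t.timestamp() >= cutoff]
        if len(in_window) >= min_failures:
            hits.append((user, e["src"], len(in_window)))
        recent_failures[user] = []
    return hits


def compromised_account_candidates(events):
    """Accounts that logged in from a spraying source or right after a failure burst."""
    sprayers = spraying_sources(events)
    flagged = {e["user"] for e in events if e["result"] == "OK" and e["src"] in sprayers}
    flagged.update(user for user, _, _ in success_after_failures(events))
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", spraying_sources(evs))
    print("success after failure burst:", success_after_failures(evs))
    print("accounts to review:", compromised_account_candidates(evs))
```

On the constructed data, 203.0.113.7 is reported as a spraying source because its failures hit five different accounts, frank is flagged because the only success from that source was his, and alice is flagged because her successful login came seconds after three failures; bob's single failed attempt before a correct login is ignored. In practice the thresholds and the time window would be tuned against the enterprise's own baseline, and the flagged accounts would feed the incident-response plan rather than trigger automatic lockouts.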
As enterprises move to more cloud systems and externally managed systems, and improve the core security in their environment, attackers will continue to aim at easy targets -- the users -- to gain access to enterprise resources, systems and networks. Given the increasing importance of account security, enterprises need to devote significant resources to ensure the security of their accounts, and perform risk assessments to determine if their current security controls need to be updated in response to the changes in risk from password breaches.