More and more cyber criminals use automation to save time on mundane tasks like brute-forcing credentials. In fact, a boring (but potentially rewarding) task like that is what computers are built for.
Criminals can take advantage of a computer’s ability to execute mind-numbing tasks and monetize the neglectfulness of people choosing weak passwords. All it takes is a little bit of code and a lot of bad intentions. Contrary to primitive connotations in its name, a brute force attack is actually pretty clever.
The reason these attacks are successful is because someone much smarter forged the path. Someone figured out how to automate these cyber attacks. Someone found the vulnerabilities to exploit. Someone did all the smart work up front. It’s that smart part that stings because, more often than not, it’s the automation process and the persistence that beats an organization’s defenses.
If automated brute force attacks try millions of passwords in seconds, but people only change their passwords once in a blue moon, what chance do they have? We need to combat this with automated security – specifically automated password rotation.
Administrative passwords are the keys to the IT kingdom within a given organization. If a clever hacker manages to compromise just one of these passwords he can then gain access to other areas of the network. A Lieberman Software survey revealed that 77% of IT professionals believe passwords are failing IT security.
The study surveyed nearly 200 cyber security professionals. It found that 53% of those surveyed thought that modern hacking tools could easily break passwords within their organizations. Given the IT audience that was surveyed, these results tap into the mindset of the IT security industry. Perhaps it is time to rethink the way in which passwords are handled.
Shockingly, the same survey found that 10% of respondents never update their administrative passwords. Admittedly, it’s difficult for IT staff to keep track of all their administrator passwords. But it gets even more complicated when they’re expected to know every place where the credentials are used – and what might break when those credentials are updated. However, because of the sensitive systems that these credentials protect, frequent password changes are essential for good security.
So what if organizations could react to cyber attacks with automated security? If they could take control of their privileged accounts it would reduce the attacker’s surface for compromise. And it would eliminate lateral movement in the event a brute force attack is successful and the attacker gets in the system.
Rotating credentials at the point of an active attack cuts off the attacker’s access to the privilege needed to succeed. And it would do so without affecting legitimate users who were already going through a process to gain access on demand.
Once the power to control rights and privileges is sorted out, the solution should hook up to other security systems to make sure everything is working in a closed loop process. If analytics and logging solutions are looking at all the security event data to find patterns, then surely all the data about who has legitimate access is just as important. That leads to simple correlations. For example, an action that takes place using a privileged identity that was not checked out to any authorized user is suspicious.
If attackers are breaching organizations through automated attacks, organizations need to respond in kind. And this will be the trick to making automation an ally instead of an enemy.