The goal of any security program is to stop or mitigate a threat. To mitigate the threat posed by administrative credentials, you must change administrator passwords regularly and make every one of them unique, so that a single compromised password does not open every system that shares it.
What’s trending in the cyber security industry? Identity Week sat down recently with Jonathan Sander, VP of Product Strategy at Lieberman Software and veteran cyber security expert, to discuss insider attacks, password security, and lessons learned from major data breaches.
If you have passwords, and you know you do, you’re going to have to face Ch-ch-ch-ch-Changes. Don’t let it be too scary.
People using the same password for multiple accounts is a problem. So are people writing passwords down, and users citing password-management fatigue as an excuse for weak passwords. Simple passwords are cracked more easily, and when people reuse them, a breach at your favorite dog food delivery service hands the attacker a password that also exposes corporate data.
Changing user passwords on a regular basis has long been a basic – and well known – tenet of IT security. But when it comes to password security, privileged passwords (admin, root and such) are often overlooked.
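The two rules above (rotate privileged passwords on a schedule, and never share one password across hosts) are easy to state and easy to lose track of across a fleet. The following is an added example, not code from the article or from Lieberman Software, of a small audit that flags privileged accounts whose password is older than a policy age or reused on another host, and then issues each one a fresh, unique password from the CSPRNG. The 30-day age limit, the 24-character length and the inventory of hosts and credentials are all constructed for the example; in a real deployment the inventory would be read from, and written back to, a credential vault rather than held in a list.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the article): rotate every 30 days, 24-character passwords.
MAX_AGE = timedelta(days=30)
PASSWORD_LENGTH = 24
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length=PASSWORD_LENGTH):
    """Random password from the OS CSPRNG with at least one character of each class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def audit(accounts, now):
    """Flag privileged accounts whose password is older than MAX_AGE or reused elsewhere.

    accounts: list of dicts with keys host, user, password, rotated_at (aware datetime).
    Returns (stale, shared): stale is a list of "user@host" ids; shared maps a password
    to the list of "user@host" ids that share it.
    """
    stale = [f'{a["user"]}@{a["host"]}' for a in accounts if now - a["rotated_at"] > MAX_AGE]
    by_password = {}
    for a in accounts:
        by_password.setdefault(a["password"], []).append(f'{a["user"]}@{a["host"]}')
    shared = {pw: ids for pw, ids in by_password.items() if len(ids) > 1}
    return stale, shared


def rotate(accounts, now):
    """Give every stale or shared account a new unique password. Returns the ids rotated."""
    stale, shared = audit(accounts, now)
    targets = set(stale)
    for ids in shared.values():
        targets.update(ids)
    rotated = []
    for a in accounts:
        ident = f'{a["user"]}@{a["host"]}'
        if ident in targets:
            # In production: set the password on the host first, then record it in the vault.
            a["password"] = generate_password()
            a["rotated_at"] = now
            rotated.append(ident)
    return rotated


# Constructed sample inventory: hostnames and credentials are invented for the example.
NOW = datetime(2014, 11, 1, tzinfo=timezone.utc)


def sample_inventory():
    return [
        {"host": "db01", "user": "root", "password": "Winter2014!",
         "rotated_at": NOW - timedelta(days=10)},
        {"host": "db02", "user": "root", "password": "Winter2014!",
         "rotated_at": NOW - timedelta(days=10)},
        {"host": "web01", "user": "Administrator", "password": "Qr7#vLm2pX9!",
         "rotated_at": NOW - timedelta(days=120)},
        {"host": "jump01", "user": "admin", "password": "tZ4$wNk8bH1@",
         "rotated_at": NOW - timedelta(days=3)},
    ]


if __name__ == "__main__":
    accounts = sample_inventory()
    stale, shared = audit(accounts, NOW)
    print("stale:", stale)
    print("shared:", {pw: ids for pw, ids in shared.items()})
    print("rotated:", rotate(accounts, NOW))
    print("after rotation:", audit(accounts, NOW))
```

On the sample inventory the audit reports `Administrator@web01` as stale and the two database hosts as sharing `Winter2014!`; after `rotate()` all three get distinct 24-character passwords and a second audit comes back empty. The duplicate check compares stored plaintext because that is what a vault holds; if you only have hashes, salted per account, you cannot detect reuse this way and must enforce uniqueness at generation time instead.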
Many of these breached companies passed their regulatory compliance audits and invested heavily in conventional perimeter security tools – like firewalls – without success. Spear phishing, zero days and other advanced threats were able to defeat their perimeter security.
When you use phrases like “brute force” and “simple attacks” it may seem that the bad guys are pretty dumb. Many of them are. They pick up the tools they find and point them in the right directions. Their only original thought is to attack someplace new.
Passwords should never be stored online. Don't reuse a password between personal and corporate accounts. Require passphrases for remote-access accounts. Decline the browser's "Remember Password" prompt, regardless of whether you're using a private or a shared computer.
The iCloud hack was a two-part attack. The first part was obtaining the email addresses (Apple IDs) of the targets. The second part was discovering that the iCloud service had a login flow that allowed an unlimited number of bad password attempts without lockout or alerting, so a wordlist could be run against each account until it hit.
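To make the failure mode concrete, here is an added example (not code from the article, and not a description of Apple's actual back end) that models the two login flows side by side: one that accepts unlimited guesses, and one that counts failures per account, locks the account for a period after a threshold, and records an alert. A short attacker loop runs the same constructed wordlist against both so you can see where each stops. The user, password, wordlist, five-failure threshold and 15-minute lockout are all assumptions for the demonstration; the PBKDF2 iteration count is kept low only so the example runs quickly.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed wordlist for the demonstration; the victim's password sits near the end.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "Summer2014", "Princess1"]
VICTIM = "victim@example.com"        # invented account
VICTIM_PASSWORD = "Summer2014"       # invented weak password


def _hash(password, salt):
    # Low iteration count for speed in the example; use a much higher one in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class UserStore:
    """Salted, hashed password store with constant-time comparison."""
    def __init__(self, users):
        self.users = {}
        for user, password in users.items():
            salt = secrets.token_bytes(16)
            self.users[user] = (salt, _hash(password, salt))

    def check(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash(password, salt))


class UnlimitedLogin:
    """The flaw described above: every bad guess is answered, nothing is counted or alerted."""
    def __init__(self, store):
        self.store = store

    def login(self, user, password, now=None):
        return "ok" if self.store.check(user, password) else "bad_password"


class ThrottledLogin:
    """Per-account failure counter with temporary lockout and an alert on each lockout."""
    def __init__(self, store, max_failures=5, lockout_seconds=900):
        self.store = store
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.alerts = []

    def login(self, user, password, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until.get(user, 0):
            return "locked"            # answer the same way whether or not the guess was right
        if self.store.check(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lockout_seconds
            self.alerts.append({"user": user, "at": now, "reason": "lockout"})
            return "locked"
        return "bad_password"


def brute_force(login, user, wordlist):
    """Attacker loop: try each candidate until success or lockout.
    Returns (password_found_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, 1):
        result = login.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


if __name__ == "__main__":
    store = UserStore({VICTIM: VICTIM_PASSWORD})
    print("unlimited:", brute_force(UnlimitedLogin(store), VICTIM, WORDLIST))
    throttled = ThrottledLogin(store)
    print("throttled:", brute_force(throttled, VICTIM, WORDLIST))
    print("alerts:", throttled.alerts)
```

Against the unlimited flow the attacker recovers `Summer2014` on the sixth guess; against the throttled flow the account locks after the fifth failure, the attacker never reaches the sixth candidate, and an alert is on record for the defenders to act on. One caveat a practitioner would add: a hard per-account lockout lets an attacker who knows the usernames lock everyone out on purpose, so real services pair it with per-source-IP throttling, progressive delays or a CAPTCHA rather than relying on lockout alone.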
In general, the truth is this – passwords are neither obsolete nor impractical. However, credential management has evolved to a process that takes passwords out of the hands of IT administrators.