26% of remote workers have experienced a cyber attack personally, while 45% of employers have asked their employees to use their personal devices for work since the start of the pandemic, according to Microsoft research.
The study surveyed 500 employees and 200 business decision makers in September 2020 about remote working, digital security behaviours, and the worries they now face.
The accelerated transition to homeworking is placing pressure on organizations to support the unavoidable blending of personal and professional lives more than ever before.
However, this naturally creates new risks, including the increased risk of cyber attacks. This was reflected in the research which showed that only 17% of remote workers currently believe that the software and technology provided has done enough to protect their data.
This may be partly due to the pace at which employers had to transition to remote working, with 36% of employers admitting they have spent the past few months putting in place the security, privacy and workplace procedures required for today’s remote working world.
Remote workers’ information protection concerns
76% of workers were surprised by how well they had adapted to remote working. However, one in five employees feel their data is more vulnerable when working from home because of the absence of regular IT support.
The research points to some potentially dangerous cybersecurity issues amongst remote workers:
- Personal emails: 30% of workers still use personal email accounts to share confidential work materials.
- Poor password hygiene: One third of workers use the same password to log into work and personal devices.
- Unregulated access: 43% face no security restrictions when accessing work-related documents and materials remotely.
Employers’ security management concerns
One of the most concerning findings is that organizations are potentially side-stepping their own security procedures in the name of expediency:
- Reactive approach: One third of employers acknowledge they are exposed since they had to make remote-working decisions and transitions so quickly.
- Lack of devices: 45% of employers have had to ask their employees to use their personal devices for work purposes since the start of the pandemic.
- No remote BYOD policies: 42% of employers are yet to secure those remote employees’ personal devices.
Furthermore, 41% of employers acknowledge it has become increasingly difficult to remain GDPR compliant because of the pandemic.
The report identified an escalation in both the level and sophistication of attacks. For example:
- In 2019, over 13 billion malicious and suspicious mails were blocked, of which more than 1 billion carried URLs set up for the explicit purpose of credential phishing.
- Ransomware is the most common reason behind Microsoft’s incident response engagements from October 2019 through July 2020.
- The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits.
- IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.
Des Ryan, Solutions Director for Microsoft Ireland, said: “Cyber hackers are opportunistic, skilled, and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.
“While our physical work locations may have changed, our responsibilities in protecting organizational data and complying with data regulations have not. Now is the time to address this with an increased investment in cybersecurity, secure devices, tighter policies, increased support, and education for employees so they can play an important role in not only protecting themselves but also their organizations.”
Cloud-based services and hybrid working
When asked about the future, 58% believe they will have a hybrid workforce, with more staff working from home more of the time and others in the office.
57% felt more positive about using cloud-based services, including productivity tools.
Remote priorities: Training, support and investment
However, the research shows that Irish organizations understand there is a gap with 41% admitting they are behind the curve when it comes to having the right digital services and technologies in place to deal with new working realities.
As a result of the move to remote working, employers are focused on investment in digital security. The research found:
- 38% of organizations have already increased the level and detail of cybersecurity training for staff who are working from home.
- A further 52% will prioritise investing in training in 2021.
- 44% of workers would also welcome alternatives to passwords, with biometric verification (fingerprint or facial recognition) being the most popular option.
As the number of data breaches shows no signs of decreasing, the clamor to replace passwords with biometric authentication continues to grow. Biometrics are becoming widely incorporated to secure organizations from unauthorized access and the growing appeal of these security solutions is expected to create a market worth $41.8 billion by 2023, according to MarketsandMarkets.
Weak and reused passwords are a major reason why data breaches continue to happen. In recent years biometrics have increasingly been lauded as a superior authentication solution to passwords. However, biometrics are not immune from problems and, once you look under the hood, they bring their own set of challenges.
There are several flaws, including one with potentially fatal implications, that organizations can’t and shouldn’t ignore when exploring biometric authentication. These include:
1. Biometrics are forever
This is the Achilles’ heel: once a biometric is compromised, you can’t replace it. There is no way to refresh or update your fingerprint, your retina or your face. Therefore, if a user’s biometric information is exposed, every account using this authentication method is at risk, and there is no way to reverse the damage.
Biometrics are also on display, leaving them open to exploitation. Facial information, for example, can be obtained online or from a photo of someone, unlike passwords, which remain private unless stolen. With a detailed enough representation of a biometric marker it is possible to spoof it, and with the rise of deepfake technology it will only get easier.
Because biometrics are forever, organizations must limit what an attacker gets from a breach of the enrolment data. A biometric template cannot simply be salted and hashed like a password: every fresh scan differs slightly, and matching has to tolerate that noise, so an exact-match hash comparison would never succeed. The practical safeguards are to keep templates on the user’s device in hardware-backed storage (a secure enclave or TPM) rather than on a server wherever possible, never to store raw images, and, where server-side storage is unavoidable, to use template-protection schemes (cancelable biometrics, fuzzy extractors) and encryption at rest so that a stolen database cannot be replayed against the matcher.
2. Device/service limitations
Despite the ubiquity of devices with biometric scanners and the number of apps that support biometric authentication, many devices can’t incorporate the technology. While biometrics are commonplace in smart devices, many desktop and laptop computers still don’t include biometric readers. Signing into websites through a browser with biometrics is also still limited, although the WebAuthn (FIDO2) standard now lets browsers use a device’s platform authenticator, such as Windows Hello or Touch ID, for website logins where the site supports it. Until every device and browser is compatible, relying solely on biometric authentication is not even a possibility.
The most widespread consumer-oriented biometric authentication approaches (Apple’s Touch ID/Face ID and the Android equivalents) are essentially client-side only: the biometric acts as a key that unlocks a locally stored set of authentication credentials for the target application or service.
This approach works well for that use case and has the advantage of not storing sensitive biometric signatures on servers, but it precludes having biometrics be the only authentication mechanism: if I try to access the service from a different device, I have to re-authenticate with credentials such as a username and password before I can re-enable biometric authentication, assuming the new device even supports it. To truly have a biometric-first (or biometric-only) authentication approach you need a different model, one where the biometric signature is stored server-side, and that model runs straight into the first problem above: a central store of templates that cannot be revoked if it leaks.
3. Spoofing threats
Another concern with biometric authentication systems is that scanner devices have been shown to be susceptible to spoofing. Researchers and attackers have succeeded in making scanners accept casts, molds or other replicas of valid users’ fingerprints or faces. Although liveness detection has come a long way, it is still far from perfect, and until spoof detection becomes more sophisticated this risk will remain.
4. Biometric changes
The possibility of changes to users’ biometrics (injury to or loss of a fingerprint for instance, or a disfiguring injury to the face) is another potential issue, especially in the case where biometric authentication is the only authentication method in use and there is no fallback available.
If an account protected by biometrics is breached, the attacker can change the login details and lock the legitimate user out. This puts the onus on organizations to alert users to take immediate action to mitigate the risk. If there is a breach, both enterprises and users should immediately turn off biometrics on their devices and revert to the default, usually passwords or passcodes.
Adopting a layered approach to authentication
Rather than searching for a magic bullet for authentication, organizations need to embrace a layered approach to security. In the physical world, you would never rely solely on one solution and in the digital world, you should adopt the same philosophy. In addition to this layered approach, organizations should focus on hardening every element to shore up their digital defenses.
The simplicity and convenience of biometrics will ensure that it continues to be an appealing option for both enterprises and users. However, relying solely on biometric authentication is a high-risk strategy due to the limitations outlined above. Instead, organizations should deploy biometrics selectively as part of the overall identity management strategy, but they must include other security elements to mitigate the potential risks. It’s clear that, despite the buzz, 2021 will not be the year that biometrics replace passwords.
Love them or loathe them, passwords will remain a fixture in our digital lives.
They are the target of many attackers, who hunt for them like gold. Some can be found easily, others are harder to come by, but they can certainly be the weakest link in the security of your entire organization. What is this highly desirable, often stolen resource? Passwords. Specifically, Active Directory passwords.
Most enterprise organizations use Microsoft Active Directory (AD) as their centralized identity and access management solution. The standard AD username and password give users access to any number of systems, including email, file shares, Windows desktops, terminal servers, SharePoint, and many other systems integrated with Active Directory.
End-users often use dangerous, easy to remember passwords for their user accounts, even with Active Directory password policies in place. Finding risky passwords in your environment is more important than you might think. Why is that? How can password security in your organization be bolstered?
Why finding risky passwords is important
Ransomware attacks and data breaches are continuously making news headlines. There is often a common thread among data breach events or ransomware attacks – stolen or weak credentials. Take note of the following:
- Kaspersky – “The vast majority of data breaches are caused by stolen or weak credentials. If malicious criminals have your username and password combination, they have an open door into your network.”
- Verizon 2020 DBIR – “Over 80% of breaches within Hacking involve Brute force or the Use of lost or stolen credentials.”
- Infosecurity Magazine – “A year ago, researchers found that 2.2 billion leaked records, known as Collection 1-5…With this treasure trove, hackers can simply test email and password combinations on different sites, hoping that a user has reused one. This popular technique is known as credential stuffing and is the culprit of many recent data breaches.”
Cybercriminals are after your organization’s passwords. Why are passwords such a target? Put simply, stealing credentials is the path of least resistance into your environment. If an attacker has your username and password combination, they have a “wide open door” to your network and business-critical systems. These may include email, websites, bank accounts, and other PII sources. Even worse, if an attacker can get their hands on administrator credentials, they have the “keys to the kingdom” and can do anything they want.
Attackers use any number of techniques to get their hands on stolen credentials. These may include brute force attacks, password spraying, and also, using databases of leaked passwords. Leaked passwords that result from prior data breaches are also known as pwned passwords.
Active Directory does not store passwords in clear text; it stores a hash of each password (the NT hash), so even an administrator cannot read a user’s password out of the directory. That does not make the hashes safe: anyone with Domain Admin or directory-replication rights can extract them, and because the NT hash is unsalted, the hash of a common or reused password is cracked in seconds or matched directly against leaked-hash lists. So how can you effectively find weak, reused, and even breached passwords in your environment?
Built-in tools are not enough
There is no built-in functionality in Active Directory that natively checks for reused or breached passwords. The only real built-in control administrators have is the Active Directory password policy. The domain password policy is set in a Group Policy Object (the Default Domain Policy), and since Windows Server 2008 fine-grained password policies can apply different settings to specific groups; either way, the policy only defines the required shape of a password: minimum length, maximum age, history, and whether it must contain uppercase, lowercase, numbers and special characters. While this helps prevent weak passwords, a password that satisfies every rule can still be trivially guessable when it is a common word with letter and number substitutions (P@ssw0rd passes a complexity check). Additionally, many organizations leave length and complexity at the minimum defaults.
Below is an example of a default, unconfigured Active Directory password policy.
Active Directory password policy
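The two checks that matter here, the built-in complexity rule and a lookup against a breached-password list, are easy to put side by side. The Python below is an added example written for this page; it is not Microsoft’s or Specops’ code, and the breached-password list and directory snapshot it uses are constructed sample data (SHA-1 stands in for the NT hash Active Directory actually stores, so one index serves both checks). It shows a password that passes AD complexity yet sits on the breach list, the k-anonymity style of lookup in which only a hash prefix leaves the caller, and an offline audit of stored hashes for the blank, identical and breached categories that the auditor section below lists.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breached-password corpus (a few known-bad
# passwords, not a real leak). Public breach lists are published as hashes.
BREACHED_SAMPLE = ["P@ssw0rd", "Summer2020!", "Welcome1", "Qwerty123!", "Passw0rd!"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index hashes by their first five hex digits, the shape a k-anonymity
    range lookup serves: prefix in, list of matching suffixes out."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


BREACH_INDEX = build_range_index(BREACHED_SAMPLE)


def hash_is_breached(h: str, index=BREACH_INDEX) -> bool:
    # Only h[:5] is "sent" to the lookup; the full hash, let alone the
    # password, stays with the caller.
    return h[5:] in index.get(h[:5], set())


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    return hash_is_breached(sha1_hex(password), index)


def meets_ad_complexity(password, sam_account_name, display_name, min_length=7):
    """The built-in 'must meet complexity requirements' rule: three of the
    character classes (AD also counts other Unicode letters as a fifth class,
    omitted here) and no account-name material. min_length is the Default
    Domain Policy minimum, which is a separate setting."""
    if len(password) < min_length:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # displayName is split on AD's delimiters; tokens of 3+ chars may not appear.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return True


def check_password_change(password, sam_account_name, display_name):
    """What a password filter at change time can enforce that the GPO cannot:
    a password can satisfy every complexity rule and still be on a breach list."""
    problems = []
    if not meets_ad_complexity(password, sam_account_name, display_name):
        problems.append("fails AD complexity")
    if is_breached(password):
        problems.append("found in breached list")
    return problems


# Constructed directory snapshot: user -> stored hash (sample data).
USERS = {
    "alice": sha1_hex("Tr0ub4dor&3xyz"),
    "bob": sha1_hex("P@ssw0rd"),
    "carol": sha1_hex("P@ssw0rd"),
    "dave": sha1_hex(""),
    "svc_backup": sha1_hex("Summer2020!"),
}


def audit_directory(users, index=BREACH_INDEX):
    """Offline audit of stored hashes: blank, identical (several accounts
    sharing one hash, i.e. one password reused) and breached."""
    by_hash = defaultdict(list)
    for user, h in users.items():
        by_hash[h].append(user)
    return {
        "blank": sorted(by_hash.get(sha1_hex(""), [])),
        "identical": sorted(sorted(g) for g in by_hash.values() if len(g) > 1),
        "breached": sorted(u for u, h in users.items() if hash_is_breached(h, index)),
    }


if __name__ == "__main__":
    print(check_password_change("P@ssw0rd", "jdoe", "John Doe"))
    print(audit_directory(USERS))
```

The identical-password check works without ever knowing the passwords, which is why unsalted hashes are an auditor’s friend and an attacker’s too: the same grouping that reveals reuse to you reveals it to anyone who extracts the hashes.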
Specops Password Auditor: Bolstering Active Directory password security
Native tools are not enough to protect your environment from weak, reused and breached credentials, and attackers are quick to capitalize on such passwords to gain easy access to your business-critical data. Specops Password Auditor, a free tool, automatically scans your Active Directory environment for weak, reused and breached passwords in use. The best part is that it makes this process extremely easy.
After installation, define the domain, scan root, and the domain controller you would like to use for the scan process.
Defining the domain, scan root, and domain controller
The Password Auditor will:
- Search Active Directory users
- Read password policies
- Check for breached passwords
- Read user details
- Check password policy usage
- Read custom password expiration
Running the Specops Password Auditor scan
It scans various Active Directory user account attributes, including:
- Blank passwords
- Breached passwords
- Identical passwords
- Admin accounts
- Stale admin accounts
- Password not required
- Password never expires
- Expiring passwords
- Expired passwords
- Password policies
- Password policy usage
- Password policy compliance
After Password Auditor scans the environment, it presents you with an easy-to-read dashboard. The dashboard quickly displays relevant password information. Critical points of interest are noted with the red “bubble tips” with the number of findings for the particular password risk.
Scan results displaying password risks in the environment
When you click the password finding details, you will see the specific list of user accounts with the password risk displayed. Additionally, Specops Password Auditor shows the location, last logon, and associated password policy of the particular user account.
Displaying Active Directory user accounts with known breached passwords
Specops Password Auditor lets you easily hand off official reports to management, internal or external auditors and others with the Get PDF Report function.
Generating the Password Auditor report
The Specops Password Auditor executive summary report makes it quick to hand information over to business stakeholders. The report contains concise, easy-to-read information about the password audit and the risk level.
The overview page of the Password Auditor report
Cybercriminals are capitalizing on weak, reused and breached passwords in Active Directory environments. By stealing credentials, attackers gain easy access to business-critical data and systems, and Active Directory has no native tool to find reused or breached passwords.
Specops Password Auditor quickly gives you visibility into weak, reused and breached passwords in the environment and audits many other important AD components, such as password policies. You can also generate a concise, easy-to-read executive summary report for business stakeholders and auditors.
Specops Password Policy is a powerful tool for overcoming the limitations of the default password policies present in Microsoft Active Directory environments. To be fair, Microsoft did revise and upgrade the default password policy and introduced additional, granular fine-tuning options over the years, but for some enterprise environments that’s still not enough, so Specops Password Policy to the rescue!
For the purpose of this review, the installation was done on a server containing all necessary services: Specops Sentinel – a password filter that is installed on all domain controllers, and Specops Password Policy admin tools. Keep in mind that this can be split onto different servers if needed. If you purchased Breached Password Protection, you’ll need to install Specops Arbiter as well.
The setup process is smooth, and you can expect to be up and running within the hour. As you can see from the image below, the standard requirements are modest and should not be a problem for any enterprise environment that requires such a solution.
Figure 1. Specops Password Policy minimum requirements
Password policy templates
When you start with Specops Password Policy Domain Administration, you’ll notice four predefined password policy templates you can choose from:
Figure 2. Specops Password Policy Domain Administration including default templates
These templates are convenient for a fast setup but, naturally, you can take them to another level by customizing them. If you’re working in an environment that needs to meet specific regulatory standards, the provided templates can be a lifesaver. Even if you can’t or don’t want to use these policies, you can use them as a base to strengthen your policy or create a policy compatible with your environment.
Let’s create a new, blank policy to see what the process looks like. Creating one will take you to the Group Policy editor:
Figure 3. Specops Password Policy inside the Group Policy editor
If you find it familiar, it’s because it is the same environment where you would change your default password policy inside Active Directory. The one key difference here is that Specops Password Policy applies password settings to the user part of group policy rather than computer. This makes more sense as it’s the users that generally set bad passwords rather than machines.
After testing the options and thinking how this would fit into my network, I have to commend Specops for not unnecessarily complicating things and choosing to go with a workflow most system administrators are familiar with.
When I opened Specops Password Policy inside the Group Policy editor, I was pleasantly surprised to see that it supports the use of passphrases. More importantly, it also offers assistance for handling them (something that Active Directory does not). You can use regular expressions to define what a passphrase means to your organization, e.g. 3 words with at least 6 characters in each, no word repeated, and no repeated patterns such as 111111 or 222222.
Figure 4, 5. Passphrase support and password options
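As an added illustration of the passphrase rules described above (my example, not Specops’ implementation; the thresholds are the ones quoted in the text), here is how those requirements look as regular expressions in Python, including a backreference for the repeated-word rule:

```python
import re

# Passphrase policy as regular expressions: three or more words of six or
# more characters separated by single spaces, no word used twice
# (case-insensitive), and no run of one repeated character such as 111111.
SHAPE_RE = re.compile(r"^\S{6,}(?: \S{6,}){2,}$")
REPEATED_WORD_RE = re.compile(r"\b(\S{6,})\b.*\b\1\b", re.IGNORECASE)
REPEATED_CHAR_RE = re.compile(r"(.)\1{3,}")     # 111111, aaaaaa, ......


def passphrase_problems(candidate: str) -> list:
    """Return every rule the candidate breaks; an empty list means it passes."""
    problems = []
    if not SHAPE_RE.fullmatch(candidate):
        problems.append("need 3+ words of 6+ characters separated by single spaces")
    if REPEATED_WORD_RE.search(candidate):
        problems.append("a word is repeated")
    if REPEATED_CHAR_RE.search(candidate):
        problems.append("contains a run of the same character")
    return problems


if __name__ == "__main__":
    for phrase in ("correct trolley battery staple", "correct trolley Correct staple",
                   "short words only", "111111 222222 333333"):
        print(repr(phrase), passphrase_problems(phrase) or "ok")
```

Regular expressions describe shape only: they cannot tell a dictionary word from a random one, nor a passphrase that has already leaked. That is the job of the forbidden-word dictionaries and Breached Password Protection described further down, so a passphrase rule should be layered on top of them rather than used alone.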
The General Settings menu offers familiar settings for anyone that’s used to working with the Group Policy Editor in an Active Directory environment. A neat addition here is the “client message” option, which allows you to create a custom message to be shown on the Active Directory logon screen in case the password policy requirements are not met.
Figure 6. General Settings with options and client message notification
The Password Expiration tab offers a wealth of options, including the maximum password age, password expiration notifications, and so on. A key feature here is the length-based password aging rule: the longer the password, the longer the user gets to keep it. It can be a real incentive to encourage users to move to passphrases.
Figure 7. Options for password expiration rules and password expiration notifications
The Password Rules menu brings additional password rules granularity which should allow for virtually any password policy scenario. Worth noting is that the use of dictionaries with forbidden words is possible either by creating a custom dictionary or downloading dictionaries provided by Specops.
Figure 8. Regulating password rules requirements in one place
Figure 9. Additional protection from users trying to subvert the password policy
Breached Password Protection
A great set of options are found under Breached Password Protection. In a nutshell, it allows the system to compare an Active Directory password to a list of known breached passwords. As might be expected, passwords are hashed in the process.
If a password is found in the breached password list, notifications and alerts are sent.
Figure 10. Breached Password Protection Complete API
Figure 11. Breached Password Protection Express List
With the API, Specops Password Policy supports both email and SMS notifications. When using the Express List (a downloadable passwords list) you can use only email notifications.
I realize there’s a narrow application for it, but I would like to see support for custom SMS gateways in future versions, as large enterprises might find this useful. Specops Software tells me that since there’s no extra cost involved for using the SMS notification feature they’ve never been asked to provide a custom SMS platform.
The latest version of Specops Password Policy comes with several powerful new features, including PowerShell cmdlets and a security scanner.
Leaked password scanning
While PowerShell support is nothing new to Specops Password Policy, the latest version brings us powerful new cmdlets:
- Get-SppPasswordExpiration and Get-PasswordPolicyAffectingUser are user-related cmdlets enabling checks which until now could not be requested or scripted through PowerShell. I found them rather useful during troubleshooting while trying to discern why a certain policy was not working as intended. Using cmdlets with pretty self-explanatory names is much faster than going through the menus of a newly installed application.
- Get-SppPasswordExpiration checks for the password expiration date, returning the date and reliability of the password.
- Get-PasswordPolicyAffectingUser: if you have ever handled a multi-policy environment, you know that something as simple as knowing the exact policies applied to a user can be the difference between solving an issue and entering a virtually endless troubleshooting loop. You just need to provide the username in sAMAccountName or userPrincipalName format, and the cmdlet returns the GpoID, GpoName and password policy name.
- Start-PasswordPolicyLeakedPasswordScanning: as evident from the name, it starts scanning for leaked passwords in your Active Directory environment. Even though this feature is present in the Domain Admin tool, the cmdlet is useful because it can be scripted and delayed, which is ideal for administrators working in large environments. After running the cmdlet, all users that are non-compliant with the policy will be notified on their next logon to change their password. Leaked password scanning requires the Specops Breached Password Protection license.
Figure 12. All available Specops Password Policy cmdlets
Looking after your passwords
Specops Software maintains a comprehensive list of leaked passwords based on numerous sources. It contains billions of passwords and is often updated.
Breached Password Protection can be configured with two settings: Breached Password Protection Complete and Breached Password Protection Express.
The Complete setting comes with a master list of leaked passwords that is stored in the cloud. If a user changes their password to one that can be found on the list, a notification is sent via email or SMS, and they are forced to change their password the next time they log in. For this, you’ll need .NET 4.7.1 and Windows Server 2012 R2 or later, with an installation of Specops Arbiter and an API key.
Breached Password Protection Express downloads a subset of the list of leaked passwords, updated usually every 6 months. This also means administrators will need to manually check for updates and initiate a download of the updated list. Users are also immediately prevented from changing their password to a password found in the leaked list.
Length based password expiration
Specops has found a way to reward security-conscious users by extending the timeframe for mandated password change.
Figure 13. The longer the password, the later it expires
Users can be notified of their upcoming mandated password change. As the timeframe for the mandated change is dictated by password length, notifying users matters, as it helps them prepare in advance. The notification can be shown using regular Active Directory resources, on the logon screen, or sent by email. For both methods you can define the number of days before the mandated password change that the notification is shown or sent.
Specops Password Auditor is a security scanner for Active Directory, and it’s such a simple yet invaluable tool. It is included in Specops Password Policy and is available as standalone freeware. It groups all the password security issues found inside your Active Directory. This at-a-glance overview essentially points out all the things you need to worry about, and it’s the place to discover quickly whether there’s a problem you might not be aware of, like a password being on a leaked list.
Specops has chosen a smart way of aggregating the important areas around password security and policies, showing the most relevant issues and offering quick insight into potential problems.
Figure 14. A closer look at expiring passwords
Once you’re aware of all the issues, you can quickly focus on what’s critical. I find this to be an easy way to audit your Active Directory environment for a variety of issues at the same time.
After testing Specops Password Policy for a week in a variety of scenarios, I can definitely say we’re talking about a formidable solution. Not only does it make the process of strengthening the password policies better while being simple to use, but it can detect and resolve issues you might not be aware of in the first place.
I can highly recommend Specops Password Policy for any Active Directory environment, and I would go as far as to say it’s a necessity for complex environments dealing with compliance regulations as well as specific password policy requirements. This solution can raise the security level of any Active Directory environment, and you can’t argue with the benefits of better security, can you?
Remote work has left many organizations lagging in productivity and revenue because of their remote access solutions. 19% of IT leaders surveyed said they often or always experience network performance and latency issues when using legacy remote access solutions, with an additional 43% saying they sometimes do.
Those issues have resulted in a loss of productivity for 68% of respondents and a loss of revenue for 43%, a Perimeter 81 report reveals.
According to the report, organizations securely connect to internal networks in a variety of ways when working remotely. Some 66% reported using VPNs, 58% said they use a cloud service through a web browser, 48% rely on a remote access solution, and 34% use a firewall.
The many organizations still using legacy solutions like VPNs and firewalls will struggle to scale, face bottlenecks, and lack network visibility.
33% of respondents said a password is the only way they authenticate themselves to gain access to systems. And while 62% of IT managers said they are using cloud-based security solutions to secure remote access, 49% said they’re still using a firewall, and 41% a hardware VPN.
But there are signs of progress, as organizations increasingly favor modern cloud-based solutions over outdated legacy solutions. Following the pandemic and a switch to remote work, 72% of respondents said they’re very or completely likely to increase adoption of cloud-based security solutions, 38% higher than before the pandemic.
“It’s no surprise that companies are increasingly moving to cloud-based cyber and network security platforms. As corporations of all sizes rely on the cloud to run their businesses, they need new ways of consuming security to effectively prevent cyberattacks regardless of their location or network environment.”
Other key findings
- 74% of respondents are adopting cloud-based security solutions over hardware due to security concerns. 44% are doing so due to scalability concerns, and 43% cited time-saving considerations.
- 61% of organizations believe that having to protect new devices is the greatest security concern in light of remote work, while 56% said their greatest concern was lack of visibility into remote user activity.
- 39% of respondents reported that scalability is their greatest challenge in securing the remote workforce, while 38% said budget allocation was their greatest challenge.
We are beginning to shift away from what has long been our first and last line of defense: the password. It’s an exciting time. Since the beginning, passwords have aggravated people. Meanwhile, passwords have become the de facto first step in most attacks. Yet I can’t help but think, what will the consequences of our actions be?
Intended and unintended consequences
Back when overhead cameras came to the express toll routes in Ontario, Canada, it wasn’t long before the SQL injection to drop tables made its way onto bumper stickers. More recently in California, researcher Joe Tartaro purchased a license plate that said NULL. With the bumper stickers, the story goes, everyone sharing the road would get a few hours of toll-free driving. But with the NULL license plate? Tartaro ended up on the hook for every traffic ticket with no plate specified, to the tune of thousands of dollars.
One organization I advised recently completed an initiative to reduce the number of agents on the endpoint. In a year when many are extending the lifespan and performance of endpoints while eliminating location-dependent security controls, this shift makes strategic sense.
Another CISO I spoke with recently consolidated multi-factor authenticators onto a single platform. Standardizing the user experience and reducing costs is always a pragmatic move. Yet these moves limited future moves. In both cases, any initiative by the security team which changed authenticators or added agents ended up stuck in park, waiting for a green light.
Be careful not to limit future moves
To make moves that open up possibilities, security teams think along two lines: usability and defensibility. That is, how will the change impact the workforce, near term and long term? And from the opposite angle, how will the change affect criminal behavior, near term and long term?
Whether decreasing the number of passwords required through single sign-on (SSO) or eliminating the password altogether in favor of a strong authentication factor (passwordless), the priority is on the workforce experience. The number one reason for tackling the password problem given by security leaders is improving the user experience. It is a rare security control that makes people’s lives easier and leadership wants to take full advantage.
There are two considerations when planning for usability. The first is ensuring the tactic addresses the common friction points. For example, with passwordless, does the approach cover the devices and applications people actually work with? Is it more convenient and faster than what they do today? The second consideration is evaluating what the tactic allows the security team to do next. Does the approach to passwordless or SSO block a future initiative through lock-in? Or will the change enable future steps to secure authentication?
The one thing we know for certain is, whatever steps we take, criminals will take steps to get around us. In the sixty years since the first password leak, we’ve done everything we can, using both machine and man. We’ve encrypted passwords. We’ve hashed them. We increased key length and algorithm strength. At the same time, we’ve asked users to create longer passwords, more complex passwords, unique passwords. We’ve provided security awareness training. None of these steps were taken in a vacuum. Criminals cracked files, created rainbow tables, brute-forced and phished credentials. Sixty years of experience suggests the advancement we make will be met with an advanced attack.
We must increase the trust in authentication while increasing usability, and we must take steps that open up future options. Security teams can increase trust by pairing user authentication with device authentication. Now the adversary must both compromise the authentication and gain access to the device.
To reduce the likelihood of device compromise, set policies to prevent unpatched, insecure, infected, or compromised devices from authenticating. The likelihood can be even further reduced by capturing telemetry, modeling activity, and comparing activity to the user’s baseline. Now the adversary must compromise authentication, gain access to the endpoint device, avoid endpoint detection, and avoid behavior analytics.
Technology is full of unintended consequences. Some lead to toll-free drives and others lead to unexpected fees. Some open new opportunities, others new vulnerabilities. Today, many are moving to improve user experience by reducing or removing passwords. The consequences won’t be known immediately. We must ensure our approach meets the use cases the workforce cares about while positioning us to address longer-term goals and challenges.
Additionally, we must get ahead of adversaries and criminals. With device trust and behavior analytics, we must increase trust in passwordless authentication. We can’t predict what is to come, but these are steps security teams can take today to better position and protect our organizations.
While there has been a year-over-year decrease in publicly disclosed data breaches, an Arctic Wolf report reveals that the number of corporate credentials with plaintext passwords on the dark web has increased by 429 percent since March.
For a typical organization, this means there are now, on average, 17 sets of corporate credentials available on the dark web that could be used by hackers.
With access to just one corporate account, attackers can easily execute account takeover attacks, which allow them to move laterally within an organization’s corporate network and gain access to sensitive data, intellectual property, competitive information, or funds.
Cybersecurity incidents now occur after hours
The sharp increase in corporate credential leaks underscores the need for organizations to have dedicated 24×7 monitoring of their network, endpoint, and cloud environments in order to prevent targeted attacks that could happen at any time.
Of the high-risk security incidents observed, 35% occur between the hours of 8:00 PM and 8:00 AM, and 14% occur on weekends; times when many in-house security teams are not online.
“The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge. Yet, despite this constant innovation, we continue to see breaches in the headlines.
“The only way to eliminate cybersecurity challenges like ransomware, account takeover attacks, and cloud misconfigurations is by embracing security operations capabilities that fully integrate people, processes, and technology,” said Mark Manglicmot, VP Security Services, Arctic Wolf.
COVID-19 increasing the number of security operations challenges
- A 64 percent increase in phishing and ransomware attempts – Hackers have created new phishing lures around COVID-19 topics and adapted traditional lures seeking to take advantage of remote workers.
- Critical vulnerability patch time has increased by 40 days – A combination of higher common vulnerabilities and exposures (CVE) volumes, more critical CVEs, and the emergence of a remote workforce have significantly slowed the patching programs at many organizations.
- Unsecured Wi-Fi usage is up by over 240 percent – Remote workforces connecting to open and unsecured Wi-Fi networks outside of their office or home are now facing increased risks of malware exposure, credential theft, and browser session hijacking.
On Risk-Based Authentication
Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication”:
Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.
We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably secure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation. Our contribution provides a first deeper understanding of the users’ perception of RBA and helps to improve RBA implementations for a broader user acceptance.
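As an added illustration, not code from the paper above or from any product named on this page, the following shows how the mechanism the abstract describes fits together with the device-trust gating argued for earlier on this page: features observed at login are compared with the user’s history, the deviation is scored, and the score selects allow, step-up (a second factor) or deny, with the device check running before any user factor is considered. The feature set, weights, thresholds and the sample login history are all assumptions constructed for the demonstration.

```python
"""Risk-based authentication (RBA) decision behind a device-trust gate.

Added illustration, not code from the quoted paper or from any vendor on
this page. Feature names, weights, thresholds and the login history are
constructed assumptions; they show the mechanism only: features observed
at login are compared with what the user has shown before, and the size
of the deviation decides whether to allow, step up (demand a second
factor) or deny. The device check runs first, so an unpatched or
compromised endpoint never reaches the user-factor stage.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed weights: risk added when a feature takes a never-seen value.
# A new country weighs more than a new browser build.
FEATURE_WEIGHTS = {
    "country": 0.45,
    "asn": 0.25,          # autonomous system the login arrives from
    "user_agent": 0.15,
    "hour_bucket": 0.15,  # "0-5", "6-11", "12-17" or "18-23", local time
}
STEP_UP_THRESHOLD = 0.30  # score at or above this: require a second factor
DENY_THRESHOLD = 0.70     # score at or above this: refuse the login


@dataclass
class Device:
    patched: bool
    disk_encrypted: bool
    edr_healthy: bool  # endpoint agent present and not reporting compromise


def device_trusted(dev: Device) -> bool:
    """Unpatched, insecure or compromised devices may not authenticate."""
    return dev.patched and dev.disk_encrypted and dev.edr_healthy


def risk_score(history: List[Dict[str, str]], login: Dict[str, str]) -> float:
    """Sum the weights of every feature whose value this user has never shown."""
    seen = {f: {h[f] for h in history} for f in FEATURE_WEIGHTS}
    novel = [w for f, w in FEATURE_WEIGHTS.items() if login[f] not in seen[f]]
    return round(sum(novel), 2)


def decide(history: List[Dict[str, str]], login: Dict[str, str], device: Device) -> str:
    """Return 'allow', 'step_up' or 'deny' for one login attempt."""
    if not device_trusted(device):
        return "deny"
    score = risk_score(history, login)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed history for one user: one country, one ISP, one browser,
# logins during working hours.
HISTORY = [
    {"country": "DE", "asn": "AS3320", "user_agent": "Firefox/80", "hour_bucket": "6-11"},
    {"country": "DE", "asn": "AS3320", "user_agent": "Firefox/80", "hour_bucket": "12-17"},
]
GOOD_DEVICE = Device(patched=True, disk_encrypted=True, edr_healthy=True)

if __name__ == "__main__":
    usual = HISTORY[0]
    new_browser = {**usual, "user_agent": "Chrome/85"}                   # 0.15 -> allow
    new_network = {**usual, "asn": "AS8881", "user_agent": "Chrome/85"}  # 0.40 -> step_up
    abroad_at_night = {**usual, "country": "NG", "asn": "AS37148", "hour_bucket": "0-5"}  # 0.85 -> deny
    for name, login in [("usual", usual), ("new browser", new_browser),
                        ("new network", new_network), ("abroad at night", abroad_at_night)]:
        print(f"{name}: {risk_score(HISTORY, login)} -> {decide(HISTORY, login, GOOD_DEVICE)}")
    print("usual login from unpatched device ->",
          decide(HISTORY, usual, Device(patched=False, disk_encrypted=True, edr_healthy=True)))
```

The ordering is the point: the attacker who phishes a valid credential still needs a device that passes the posture check, and the attacker who has a device still has to look like the user’s history. Weights and thresholds would be tuned from real login telemetry rather than guessed as they are here.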
The cybersecurity market is growing even in the midst of the pandemic-driven economic downturn, with spending predicted to reach $123 billion by the end of the year. While disruptive technologies are undoubtedly behind much of this market growth, companies cannot afford to overlook security basics.
Biometrics may be a media darling, but the truth is that passwords will remain the primary authentication mechanism for the foreseeable future. But while passwords may not be a cutting-edge security innovation, that’s not to suggest that CIOs don’t need to modernize their approach to password management.
Mandatory password resets
Employees’ poor password management practices are well-documented, with Google finding that 65% of people use the same password for multiple, if not all, online accounts. To circumvent the security risks associated with this behavior, companies have historically focused on periodic password resets. Seventy-seven percent of IT departments surveyed by Forrester in 2016 were expiring passwords for all staff on a quarterly basis.
This approach made sense in the early days of the digital age, when employees typically only had a handful of passwords to remember. I’d argue that times had already changed by 2016, but we are certainly in an entirely different landscape today. As digital transformation accelerates and employees are faced with managing multiple passwords for all of their accounts, it’s simply no longer realistic or wise to force frequent password resets.
It’s time to retire password expiration
Both NIST and Microsoft have recently come out against forced periodic password resets for a variety of reasons, including:
- Password expiration eats up significant resources and budget. According to Forrester, a single password reset costs $70 of help desk labor. When you multiply this by the average number of employees in a typical organization, it’s easy to see how password expiration can become an unwieldy expense and add significant pressure on overburdened IT teams.
- It encourages poor cybersecurity practices. When users are frequently asked to change passwords they typically create weaker ones—for example, slight variants of the original password or the same root word or phrase with different special characters for each account.
- The practice impedes efficiency and introduces friction. Forced resets have a negative impact on productivity as employees often struggle to remember their passwords. One recent study found that 78% of people had to reset a password they forgot in the past 90 days, eating up valuable time that could have better been deployed elsewhere. In addition, the frustration associated with frequent changes can cause employees to seek a workaround or engage in poor security practices like sharing passwords among colleagues or reusing personal passwords for corporate accounts.
Exposure, not expiration
The fundamental purpose of passwords is to ensure that no one but the authorized user has access to the account or system in question. As such, it follows that password security has evolved from a focus on expiration to a focus on exposure. If credentials are secure, there is no reason for companies to incur the cost and other issues associated with forcing a reset. It’s critical that CIOs adopt this mindset and evaluate how they can continuously screen passwords to ensure their integrity.
Putting NIST’s recommendations into practice
According to NIST, companies should compare passwords “…against a list that contains values known to be commonly-used, expected or compromised… The list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters
- Context-specific words, such as the name of the service, the username, and derivatives thereof.”
Given that multiple data breaches occur in virtually every sector on a daily basis, companies need a dynamic, automated solution that can cross-reference proposed passwords against known breach data. In this environment, it’s highly likely that a password could be secure at its creation but become compromised down the road. As such, CIOs also need to monitor password security on a daily basis and take steps to protect sensitive information if a compromise is detected.
Depending on the nature of the account and the employee’s privilege this could take a variety of forms, including:
- Stepping up MFA or additional authentication mechanisms
- Forcing a password reset
- Temporarily suspending access to the account
Because these actions occur only if a compromise has been detected, this modern approach to credential screening eliminates the unnecessary cost and friction associated with password expiration.
Protecting the password layer in the new normal
Replacing password expiration with password exposure will be particularly critical as CIOs manage an increasingly hybrid workforce. With Gartner finding that 74% of organizations plan to shift some employees to permanent remote work positions, it’s likely that users will be creating new digital accounts and accessing different services online.
A modern password management approach that continuously screens for any credential compromise is the best way that organizations can secure this complex environment while simultaneously encouraging productivity and reducing help desk costs.
While passwords may not be going away completely, 92 percent of respondents believe passwordless authentication is the future of their organization, according to a LastPass survey.
Passwordless authentication reduces password related risks by enabling users to login to devices and applications without the need to type in a password.
Technologies such as biometric authentication, single sign-on (SSO) and federated identity streamline the user experience for employees within an organization, while still maintaining a high level of security and complete control for IT and security teams.
Organizations still have a password problem
Problems with passwords are still an ongoing struggle for organizations. The amount of time that IT teams spend managing users’ password and login information has increased year over year.
In fact, those surveyed suggest that weekly time spent managing users’ passwords has increased 25 percent since 2019. Given this, 85 percent of IT and security professionals agree that their organization should look to reduce the number of passwords that individuals use on a daily basis.
Additionally, 95 percent of respondents say there are risks to using passwords that could contribute to threats in their organization, notably human behaviors like password reuse or weak passwords.
Security priorities are at odds with user experience
Security is the core challenge for IT teams, while employees care about convenience and ease of use. For the IT department, security is the main source of frustration, particularly because so many issues stem from how users handle their passwords.
The top three frustrations for IT teams include users using the same password across applications (54 percent), users forgetting passwords (49 percent) and time spent on password management (45 percent).
For employees, the issues lie in convenience. Their top three frustrations are changing passwords regularly (56 percent), remembering multiple passwords (54 percent) and typing long, complex passwords (49 percent).
Primary benefits of passwordless authentication
Better security (69 percent) and eliminating password related risk (58 percent) are believed by respondents to be the top benefits of deploying a passwordless authentication model for their organization’s IT infrastructure. Time (54 percent) and cost (48 percent) savings are also noted benefits of going passwordless.
Meanwhile, for employees a passwordless authentication model would help to address efficiency concerns. 53 percent of respondents report that passwordless authentication offers the potential to provide convenient access from anywhere, which is key given the shift towards remote work that is likely here to stay.
Top challenges of passwordless deployment
While going passwordless can provide a more secure authentication method, there are challenges in the deployment of a passwordless model.
Respondents report the initial financial investment required to migrate to such solutions (43 percent), the regulations around the storage of the data required (41 percent) and the initial time required to migrate to new types of methods (40 percent) as the biggest challenges for their organization to overcome.
There are also concerns about resistance to change. Nearly three quarters of IT and security professionals (72 percent) think that end users in their organization would prefer to continue using passwords, simply because that is what they are used to.
Passwords are not going away completely
When it comes to identity and access management, 85 percent do not think passwords are going away completely. Yet, 92 percent of respondents believe that delivering a passwordless experience for end-users is the future for their organization.
There is a clear need to find a solution that combines passwordless authentication and password management in today’s organizations.
“As many organizations transition to a long-term remote work culture, giving your employees the tools and resources to be secure online in their personal lives as well as in the home office is more important now than ever,” said Gerald Beuchelt, CISO at LogMeIn.
“This report shows the continued challenge that organizations face with password security and the need for a passwordless authentication solution to enable both IT teams and employees to operate more efficiently and securely in this changing environment.”
Apple has released iOS 14, with a bucketload of new and improved functional features and a handful of privacy and security ones.
New privacy and security features in iOS 14
The new iOS will tell you when an app is using your camera or microphone
It will show an indicator dot (green for when camera or camera+microphone is in use, orange for microphone) in the top right part of the device’s screen.
The downside is that it’s fairly small and you might miss it if other things are happening on the screen. The upside is that you can check which app most recently used your camera or microphone via the Control Center.
Of course, you can deny access to your camera and microphone to any app through the Privacy settings.
You can share with apps your approximate location instead of the precise one
Go to Settings > Privacy > Location Services and, for each app, configure whether it may access your device’s location “only while the app is in use”, “always”, “never”, or whether it must ask you for permission each time you run it (in that case you also get the option to grant access “Only once”).
When you allow location access for an app, you’ll get the option to provide your precise location or leave it to the app to determine your approximate location (the latter is good enough for apps that show local news or weather).
You can choose to share with apps just some photos
Under Privacy > Photos you can see which apps have requested access to your photos and you can choose to restrict each app’s access just to selected photos or photo albums (or none).
You can limit tracking
For each Wi-Fi network you join, your phone presents a different, randomized MAC address. This prevents Wi-Fi network operators and advertisers from tracking your movements (i.e., seeing when and where you connect to a network), and the option is on by default.
In Settings > Privacy > Tracking, you can choose to not allow apps to send you a request to track you. If you do that, “any app that attempts to ask you for your permission will be blocked from asking and automatically informed that you have requested not to be tracked. In addition, all apps, other than those that you have previously given permission to track, will be blocked from accessing the device’s Advertising Identifier.”
If you allow tracking, tracking permissions can also be controlled on a per-app basis.
It has to be pointed out, though, that these app tracking options will start working as intended in early 2021, when these privacy controls become mandatory for developers.
“We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year,” Apple explained.
Facebook complained earlier this year that these new privacy requirements would have a significant negative impact on its advertising business.
You will be able to see a summary of an app’s privacy practices before you download it from the App Store
You still can’t see these because app developers have yet to roll them out, but when they are ready, you’ll be able to peruse the summaries via an “App Privacy” section on the app’s listing in the store.
You’ll be able to see which tracking cookies have been blocked
The Safari mobile browser has been updated to show a Privacy Report, which shows all the cross-site tracking cookies it has blocked in the last 30 days if you turned on Prevent Cross-Site Tracking in Safari’s Privacy and Security Settings.
The report is accessible from the AA menu in the browser’s address bar.
You’ll be notified if a password you stored in the iCloud Keychain has been spotted in a known data breach
To turn this option on, go to Settings > Passwords > Security Recommendations and toggle on Detect Compromised Passwords. For the secure password monitoring to work, iCloud Keychain has to be enabled.
In iOS 14, Apple has also fixed a number of security vulnerabilities, including:
- A vulnerability in the IDE Device Support component that could allow an attacker in a privileged network position to execute arbitrary code on a paired device during a debug session over the network (CVE-2020-9992)
- A logic issue affecting the sandbox that may allow a malicious application to access restricted files (CVE-2020-9968)
I don’t know what the laws are like where most people are but,
“What is your ex-wife’s newest lastname?”
Would be considered a celebration, not Nihilistic in a number of places.
Because that would mean she had got married again, which under archaic laws means she’s someone else’s legal responsibility now. So,
1, No more alimony check,
And in some places,
2, No more child support,
3, The required selling out from under the new “happy couple” of the old matrimonial home…
But at the very least you will know you are not the only one without “the sense God gave a goose” and in all probability she was better looking back when you made that mistake so your excuse is slightly better.
But joking aside, the sad truth is the only people that win in divorces are those shark lawyers.
So the way to stop them taking a bite out of either of the now no-longer-happy couple is don’t get in their clutches…
And the best way to do that as it’s been said on this blog,
“The prelude to divorce is marriage, if you don’t get married you can’t get divorced”
Also remember pre-nups may not be valid if you move or a legislator inks a new law…
Apple has released Safari 14, which features many functional improvements and a Privacy Report that shows all the trackers the browser has neutralized, and drops support for Adobe Flash.
Safari 14 sports a redesign of the tab bar, which now displays site favicons by default and previews of the contents of some pages (when the user hovers over a tab), and a customizable start page.
It also features improved extension support, as Apple has already put things in motion to allow app developers to easily convert their existing extension into a Safari web extension or build a new one, and support for.
But on to the Safari 14 privacy and security additions:
The Privacy Report shows the cross-site trackers that Intelligent Tracking Prevention (ITP) prevented from accessing identifying information, and how many and which trackers the visited websites sport. It also shows which entity is behind each tracker.
ITP uses on-device machine learning to identify and block the trackers, and known trackers are independently verified by DuckDuckGo. Trackers are blocked, and the Privacy Report compiled, only when the “Prevent cross-site tracking” option is turned on.
The report is accessible through the “Safari” tab, via the start page, and via the shield-style icon to the left of the browser’s address bar.
Secure password monitoring
Safari 14 will notify users when one of their saved passwords in iCloud Keychain has shown up in a data breach (iCloud Keychain has to be enabled, of course).
It will also allow them to change the password right away by sending them to the site’s password-change page, provided the site publishes that page’s location via the standard /.well-known/change-password URL on its web server.
Removed support for Adobe Flash for improved security
Adobe Flash has been a thorn in security-minded users’ and cybersecurity professionals’ side for many years, as its vulnerabilities were often exploited by attackers.
Three years ago, browser makers announced that they would drop Flash support by the end of 2020, and now the time has come. Adobe Flash reaches end-of-life on December 31, 2020.
Apple has fixed four WebKit vulnerabilities in Safari 14. All can be triggered by the browser processing maliciously crafted web content and three could lead to arbitrary code execution.
More information about and a PoC for the one discovered by Marcin “Icewall” Noga of Cisco Talos can be found here.
Traditional password-based security might be headed for extinction, but that moment is still far off.
In the meantime, most of us need something to prevent our worst instincts when it comes to choosing passwords: using personal information, predictable (e.g., sequential) keystroke patterns, password variations, well-known substitutions, single words from a dictionary and – above all – reusing the same password for many different private and enterprise accounts.
What does a modern password policy look like?
While using unique passwords for every account is a piece of advice that has withstood the test of time (though not the test of widespread compliance), people also used to be told that they should use a mix of letters, numbers and symbols and to change it every 90 days – recommendations that the evolving threat landscape has made obsolete and even somewhat harmful.
In the past decade, academic research on the topic of password practices and insights gleaned from passwords compromised in breaches have revealed what people were actually doing when they were creating passwords. This helped unseat some of the prevailing password policies that were in place for so long, Josh Horwitz, Chief Operations Officer of Enzoic, told Help Net Security.
The latest NIST-sanctioned advice regarding enterprise password policies (as delineated in NIST Special Publication 800-63B) includes, among other things, the removal of the requirement for character composition rules and for mandatory periodic password changes. Those are recommendations that are also being promulgated by Microsoft.
As data breaches now happen every single day and attackers are trying out the revealed passwords on different accounts in the hope that the user has reused them, NIST also advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis, against a dynamic database comprised of known compromised credentials.
The need for modern tools
But most older password policy tools provide no way to check whether a password is strong and uncompromised after it has been set.
Enzoic’s tool is built to close that gap: it both checks passwords at creation and continuously monitors their resilience to credential stuffing attacks, by checking them against a massive (7+ billion) database of compromised credentials that is updated every single day.
“Some organizations will gather this information from the dark web and other places where you can get lists of compromised passwords, but most tools aren’t designed to incorporate it and it’s still a very manual process to try to keep that information up to date. It’s effectively really hard to maintain the breadth and frequency of data updates that are required for this approach to work as it should,” Horwitz noted.
But for Enzoic, this is practically one of its core missions.
“We have people whose full-time job is to go out and gather threat intelligence, databases of compromised passwords, and cracking dictionaries. We’ve also invested substantially in proprietary technology to automate that process of collection, cleansing and indexing of that information,” he explained.
“Our database is updated multiple times each day, and we’re really getting the breadth of data out there, by integrating both large and small compromised databases in our list – because hackers will use any database they can get their hands on, not just those stolen in well-publicized data breaches.”
Enzoic for Active Directory
This constantly updated list/database is what powers Enzoic for Active Directory, a tool (plug-in) that integrates into Active Directory and enforces additional password rules to prevent users from using compromised credentials.
The solution checks the password both when it’s created and when it’s reset and checks it daily against this real-time compromised password database. Furthermore, it does so automatically, without the IT team having to do anything except set it up once.
Enzoic for AD is able to detect and prevent the use of:
- Fuzzy variations of compromised passwords
- Unsafe passwords consisting of an often-used root word and a few trailing symbols and numbers
- New passwords that are too similar to the one the user previously used
- Passwords that employees at specific organizations are expected to choose (this is accomplished by using a custom dictionary that can be tailored to each organization)
The tool uses a standard password filter object to create a new password policy that works anywhere that defers to Active Directory, including Azure AD and third-party password reset tools.
Can multi-factor authentication save us?
Many will wonder whether such a tool is really crucial for keeping AD accounts safe. “What if we also use multi-factor authentication? Doesn’t that solve our authentication problems and keep us safe from attacks?”
In reality, passwords remain in play in nearly every environment, and not every authentication event includes multi-factor authentication (MFA).
“You can offer MFA, but until you actually require its use and get rid of the password, there’s always going to be doors in that the attackers can use,” Horwitz pointed out.
“NIST also makes it very clear that authentication security should include multiple layers, and that each of these layers – including the password layer – need to be hardened.”
Do you really need Enzoic for Active Directory?
Enzoic has made it easy for enterprises to check whether some of the AD passwords used by their employees are weak or have been compromised: they can deploy a free password auditing tool (Enzoic for Active Directory Lite) to take a quick snapshot of their domain’s password security state.
“Some password auditing tools take a long time to try to brute-force passwords, but attackers are much more likely to start their efforts with compromised passwords,” Horwitz added.
“Our tool takes just minutes to perform the audit, it’s simple to run, and allows IT and IT security leaders and professionals to realize the extent of the problem and to easily communicate the issue to the business side.”
Enzoic for Active Directory is likewise simple to install and use, and is built for easy implementation and automatic maintenance of the modern password policy.
“It’s a low complexity tool, but this is where it really shines: it allows you to screen passwords against a massive database of compromised passwords that gets updated every day – and allows you to do this at lightning speed, so that it can be done at the time that the password is being created without any friction or interruption to the user – and it rechecks that password each day, to detect when a password is no longer secure and trigger/mandate a password change.”
Aside from checking the passwords against this constantly updated list, it also prevents users from using:
- Common dictionary words or words that are often used for passwords (e.g., names of sports teams)
- Expected passwords and those that are too similar to users’ old password
- Context-specific passwords and variations (e.g., words that are specific to the business the enterprise is in, or words that employees living in a specific town or region might use)
- User-specific passwords and variations (e.g., their first name, last name, username, email address – based on those field values in Active Directory)
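The screening rules listed above (compromised-list lookup, dictionary and expected patterns, similarity to the previous password, context-specific and user-specific terms) and the daily re-check are easy to reason about in code. The following is an added example written for this article, not Enzoic’s product code: it uses a small constructed compromised-hash set in place of a live feed, a constructed dictionary and context word list, and an assumed AD-like user record with `givenName`, `sn`, `sAMAccountName` and `mail`. It hashes candidates with SHA-1 purely so the sample feed is hash-based; a real AD integration would compare NT hashes.

```python
import hashlib
import re
from difflib import SequenceMatcher

# --- Constructed sample data for this example (not Enzoic's feed or code) ---
# A real deployment hashes the candidate and looks it up in a feed that is
# refreshed daily; here the feed is a tiny local set of SHA-1 digests.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "Summer2020!", "letmein", "qwerty123")
}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "yankees", "lakers", "football"}
CONTEXT_WORDS = {"acme", "acmecorp", "widgets", "springfield"}  # assumed employer/town terms
EXPECTED_PATTERNS = ("1234", "qwerty", "asdf", "abcd")         # keyboard walks, sequences

# Undo the substitutions users reach for so 'P@ssw0rd' is compared as 'password'
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest().upper()


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def core(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then normalize: 'Welcome2020!' -> 'welcome'."""
    return normalize(re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw))


def user_tokens(user: dict) -> set:
    """Fragments of the user's own directory attributes that must not appear in the password."""
    parts = [user.get("givenName", ""), user.get("sn", ""),
             user.get("sAMAccountName", ""), user.get("mail", "").split("@")[0]]
    tokens = set()
    for p in parts:
        for t in re.split(r"[.\-_ ]", p):
            if len(t) >= 3:
                tokens.add(normalize(t))
    return tokens


def check_password(candidate: str, user: dict, old_password: str = None,
                   min_length: int = 8) -> list:
    """Return the policy rules the candidate violates; an empty list means accept."""
    problems = []
    norm = normalize(candidate)
    if len(candidate) < min_length:
        problems.append("too_short")
    if sha1_hex(candidate) in COMPROMISED_SHA1:          # known-breached, regardless of "strength"
        problems.append("compromised")
    if any(w in norm for w in DICTIONARY_WORDS):
        problems.append("dictionary")
    if any(p in candidate.lower() for p in EXPECTED_PATTERNS) or re.search(r"(.)\1{3,}", candidate):
        problems.append("expected_pattern")
    if old_password is not None:
        same_core = core(old_password) == core(candidate)  # Welcome2019! -> Welcome2020!
        ratio = SequenceMatcher(None, normalize(old_password), norm).ratio()
        if same_core or ratio >= 0.7:
            problems.append("similar_to_old")
    if any(w in norm for w in CONTEXT_WORDS):
        problems.append("context_specific")
    if any(t in norm for t in user_tokens(user)):
        problems.append("user_specific")
    return problems


def users_needing_reset(stored_hashes: dict, feed: set) -> list:
    """Daily re-check: users whose stored hash now appears in the (updated) compromised feed."""
    return sorted(u for u, h in stored_hashes.items() if h.upper() in feed)


if __name__ == "__main__":
    jane = {"givenName": "Jane", "sn": "Doe", "sAMAccountName": "jdoe",
            "mail": "jane.doe@acme.example"}          # constructed AD record
    for pw in ("Summer2020!", "J@neD0e2021", "AcmeWidgets#9",
               "Welcome2020!", "correct horse battery staple"):
        verdict = check_password(pw, jane, old_password="Welcome2019!")
        print(f"{pw!r:34} -> {verdict or 'accepted'}")
    print(users_needing_reset({"jdoe": sha1_hex("Summer2020!"),
                               "asmith": sha1_hex("correct horse battery staple")},
                              COMPROMISED_SHA1))
```

The substitution table is deliberately applied before the dictionary and user-attribute checks, otherwise “J@neD0e2021” would sail through a naive substring test; the similarity rule compares stripped cores as well as an edit-distance ratio, because the most common “new” password is the old one with the year incremented.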
Time and time again, it has been proven that if left to their own devices, users will employ predictable patterns when choosing a password and will reuse one password over multiple accounts.
When the compromised account doesn’t hold sensitive information or allow access to sensitive assets, these practices might not lead to catastrophic results for the user. But the stakes are much higher when it comes to enterprise accounts, and especially Active Directory accounts, as AD is most companies’ primary solution for access to network resources.
91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway. IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience.
To select a suitable password management solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Simran Anand, Head of B2B Growth, Dashlane
An organization’s security chain is only as strong as its weakest link – so selecting a password manager should be a top priority among IT leaders. While most look to the obvious: security (high grade encryption, 2FA, etc.), support, and price, it’s critical to also consider the end-user experience. Why? Because user adoption remains by far IT’s biggest challenge. Only 17 percent of IT leaders incorporate the end-UX when evaluating password management tools.
It’s not surprising, then, that those who have deployed a password manager in their company report only 23 percent adoption by employees. The end-UX has to be a priority for IT leaders who aim to guarantee secure processes for their companies.
Password management is too important a link in the security chain to be compromised by a lack of adoption (and simply telling employees to follow good password practices isn’t enough to ensure it actually happens). For organizations to leverage the benefits of next-generation password security, they need to ensure their password management solution is easy to use – and subsequently adopted by all employees.
Gerald Beuchelt, CISO, LogMeIn
As the world continues to navigate a long-term future of remote work, cybercriminals will continue to target users with poor security behaviors, given the increased time spent online due to COVID-19. Although organizations and people understand that passwords play a huge role in one’s overall security, many continue to neglect best password practices. For this reason, businesses should implement a password management solution.
It is essential to look for a password management solution that:
- Monitors poor password hygiene and provides visibility to the improvements that could be made to encourage better password management.
- Standardizes and enforces policies across the organization to support proper password protection.
- Provides a secure password management portal for employees to access all account passwords conveniently.
- Reports IT insights to provide a detailed security report of potential threats.
- Equips IT to audit the access controls users have with the ability to change permissions and encourage the use of new passwords.
- Integrates with previous and existing infrastructure to automate and accelerate workflows.
- Oversees when users share accounts to maintain a sense of security and accountability.
Using a password management solution that is effective is crucial to protecting business information. Finding the right solution will not only help to improve employee password behaviors but also increase your organization’s overall online security.
Michael Crandell, CEO, Bitwarden
Employees, like many others, face the daily challenge of remembering passwords to securely work online. A password manager simplifies generating, storing, and sharing unique and complex passwords – a must-have for security.
There are a number of reputable password managers out there. Businesses should prioritize those that work cross-platform and offer affordable plans. They should consider whether the solution can be deployed in the cloud or on-premises; some organizations prefer a self-hosting option for security and internal compliance reasons.
Password managers need to be easy-to-use for every level of user – from beginner to advanced. Any employee should be able to get up and running in minutes on the devices they use.
As of late, many businesses have shifted to a remote work model, which has highlighted the importance of online collaboration and the need to share work resources online. With this in mind, businesses should prioritize options that provide a secure way to share passwords across teams. Doing so keeps everyone’s access secure even when they’re spread out across many locations.
Finally, look for password managers built around an open source approach. Being open source means the source code can be vetted by experienced developers and security researchers who can identify potential security issues, and even contribute to resolving them.
Matt Davey, COO, 1Password
65% of people reuse passwords for some or all of their accounts. Often, this is because they don’t have the right tools to easily create and use strong passwords, which is why you need a password manager.
Opt for a password manager that gives you oversight over the things that matter most to your business: from who’s signed in from where, who last accessed certain items, or which email addresses on your domain have been included in a breach.
To keep the admin burden low, look for a password manager that allows you to manage access by groups, delegate admin powers, and manage users at scale. Depending on the structure of your business, it can be useful to grant access to information by project, location, or team.
You’ll also want to think about how a password manager will fit with your existing IAM/security stack. Some password managers integrate with identity providers, streamlining provisioning and administration.
Above all, if you want your employees to adopt your password manager of choice, make sure it’s easy to use: a password manager will only keep you secure if your employees actually use it.
Perform a quick Google search for “causes of data breaches”, and you will be inundated with reports of stolen credentials and weak passwords. Organizations can spend billions on technology to harden their systems against attack, but they are fighting a losing battle until they are able to confidently attribute a login to a valid user.
Image by the FIDO Alliance
What is FIDO, and why does it matter?
FIDO stands for Fast Identity Online. It is a free and open set of standards and technologies that aims to reduce the world’s reliance on passwords. FIDO bolsters authentication assurance by replacing the shared secret with a public-key credential: the private key never leaves the user’s authenticator, and the server stores only the matching public key, so there is no password to phish, reuse or leak.
FIDO-enabled advances in authentication are paving the way to this foundational paradigm shift. Unfortunately, authenticators are not quite there yet, because even though the capabilities are available for incredibly strong authentication, implementations vary, and it is up to implementers to determine how much of FIDO’s security will be integrated into their products.
A few examples: biometrics are supported, but not always implemented; authentication procedures are often cumbersome; passwords are still used as a primary credential. Further, as inherently secure as FIDO standards are, there is always room for improvement. Here are five ways to maximize FIDO.
Maximize FIDO: Use all three factors
More is better – most of the time. Thanks to smartphones, three-factor authentication – something you know, something you have, something you are – should be ubiquitous, but it is not. Many FIDO authenticators use only two factors, usually something you have and something you know.
While certainly better than just a password, this does not protect against instances such as a device being left open at a café. Using the built-in biometric capabilities inherently supported in all modern smartphones, FIDO-based authenticators can provide 3FA, bolstering security and eliminating such vulnerabilities, all while keeping user friction to a minimum.
Make it simple and secure
Many FIDO-branded authenticator apps still implement the second factor by displaying a time-limited one-time code that the user must type into the login page. The user must read the code and enter it before the timer runs out, or wait for a fresh code if the timer is nearly expired. Either way, this increases friction for the user and decreases security: a code the user types can still be extracted from them through social engineering, which is exactly the attack that FIDO’s origin-bound credentials are designed to defeat.
There are better ways. Apps should be designed from the ground up with simplicity in mind. An example of a simple and secure method could be a simple three-digit code paired with an image, and nothing for the user to enter. The user would simply ensure the code and image match on their device and portal, and then click “ok”.
Fully leverage existing MDM features
Smartphones, and smart devices for that matter, are everywhere. With the growing number of these devices permeating our planet, wise and insightful minds saw fit to develop technologies to monitor and protect these devices. Mobile device management (MDM) functions can bolster existing authentication paradigms through features such as “geofencing”.
FIDO-enabled authenticators can use geofencing to allow or prevent authentication based on the user’s physical location. Another key MDM feature that should be in place can prevent connections for devices that have been “rooted” or “jailbroken”. These devices present a much greater security threat and can be easily identified using existing technology.
Get rid of passwords
Who here is not guilty of reusing a password or two… or three? Passwords are a legacy security afterthought. Unfortunately, many FIDO-based authenticators are still relying on usernames and passwords as the primary authentication credential pair. But FIDO enables public-key authentication – the authenticator signs a server-issued challenge with a private key that never leaves the device – so we no longer need the password. Passwordless authentication also brings with it the added benefit of decentralized key stores: the server holds only public keys, allowing organizations to get rid of the big red targets that are centralized password repositories.
Use bidirectional authentication
Last but not least, implementing bidirectional authentication can improve on FIDO’s already stellar authentication model. Bidirectional authentication takes the traditional FIDO authentication model and adds server-to-user authentication as well, so before the user sends their authentication information to the server, the server authenticates to the user. This provides an added degree of confidence to the end user and all but eliminates the possibility of a Man-in-the-Middle attack, because there is nothing for the end user to share. Note that FIDO already gives the browser, if not the user, this assurance: the site is authenticated by TLS, and each credential is bound to the site’s RP ID and origin, so an assertion produced for a look-alike domain is useless against the real one. Bidirectional authentication adds a second, user-visible check on top of that rather than replacing it.
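The relying-party checks that make the points above concrete – origin and challenge binding, and insisting on user verification so that a phone left unlocked at a café (the “third factor” section) cannot sign in – are shown below as an added example written for this article; it is not code from the FIDO Alliance or from any authenticator vendor. It uses only the Python standard library, and the `clientDataJSON` and `authenticatorData` messages are constructed in the block with assumed values (`login.example`, a look-alike `login-example.evil`). It returns the exact bytes the authenticator signed; the ECDSA/EdDSA signature check against the registered public key needs a crypto library and is deliberately left outside the example.

```python
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # authenticatorData flags bit 0: user present (touch)
FLAG_UV = 0x04  # bit 2: user verified (PIN or biometric checked on the authenticator)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(data: bytes) -> dict:
    """First 37 bytes: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return {"rp_id_hash": data[:32], "flags": data[32],
            "sign_count": struct.unpack(">I", data[33:37])[0]}


def verify_assertion(rp_id, expected_origin, expected_challenge, stored_sign_count,
                     client_data_json, authenticator_data, require_uv=True) -> dict:
    """Relying-party checks on a webauthn.get response, run before signature verification.
    Returns {"ok": True, "signed_data", "sign_count"} or {"ok": False, "reason"}."""
    def reject(reason):
        return {"ok": False, "reason": reason}
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return reject("clientDataJSON is not valid JSON")
    if cd.get("type") != "webauthn.get":
        return reject("ceremony type is not webauthn.get")
    try:
        challenge = b64url_decode(cd.get("challenge", ""))
    except (ValueError, TypeError):
        challenge = None
    if challenge != expected_challenge:
        return reject("challenge mismatch: response is stale or replayed")
    # The browser, not the page, fills in origin: a credential exercised on a
    # phishing site carries the phishing origin and is rejected here.
    if cd.get("origin") != expected_origin:
        return reject(f"origin mismatch: signed for {cd.get('origin')!r}, not {expected_origin!r}")
    try:
        ad = parse_authenticator_data(authenticator_data)
    except ValueError as e:
        return reject(str(e))
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return reject("rpIdHash does not match this relying party")
    if not ad["flags"] & FLAG_UP:
        return reject("user presence flag not set")
    if require_uv and not ad["flags"] & FLAG_UV:
        return reject("user verification (PIN/biometric) not performed")
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        return reject("signature counter did not increase: possible cloned authenticator")
    # This is what the authenticator signed; verify it with the stored public key.
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"ok": True, "signed_data": signed, "sign_count": ad["sign_count"]}


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData (no attested credential data or extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    """Constructed clientDataJSON as a browser would serialize it."""
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


if __name__ == "__main__":
    challenge = bytes(range(32))  # per-login nonce issued by the server (constructed)
    genuine = verify_assertion("login.example", "https://login.example", challenge, 41,
                               make_client_data(challenge, "https://login.example"),
                               make_authenticator_data("login.example", FLAG_UP | FLAG_UV, 42))
    phished = verify_assertion("login.example", "https://login.example", challenge, 41,
                               make_client_data(challenge, "https://login-example.evil"),
                               make_authenticator_data("login.example", FLAG_UP | FLAG_UV, 42))
    print("genuine:", genuine["ok"], "counter now", genuine.get("sign_count"))
    print("phished:", phished["reason"])
```

The `require_uv` switch is the policy decision the article argues for: with it on, a relying party refuses assertions from authenticators that only proved presence (a touch), which is what turns a two-factor FIDO login into a three-factor one without adding anything for the user to type.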
The technology for simple and secure authentication is available and – thanks to FIDO standards and protocols – straightforward to implement. In the end, it comes down to the creativity and diligence of those designing current authenticators to completely leverage the available technology and integrate them in a well-thought-out manner that increases security and decreases user friction.
14% of IT workers are consumed with Identity and Access Management (IAM), spending at least an hour per day on routine IAM tasks, according to 1Password.
IAM continues to be a significant productivity bog for IT and employees alike, with 57% of IT workers resetting employee passwords up to five times per week, and 15% doing so at least 21 times per week.
Shadow IT issues
IAM is often used to detect shadow IT, and 1Password’s survey revealed that it’s largely successful. Four in five workers report always following their company’s IT policy, meaning that just 20% of workers are driving all shadow IT activity in the enterprise. These employees don’t act out of malice but rather a drive to get more done, with 49% citing productivity as their top reason for circumventing IT’s rules.
“The shadow IT picture is more complicated than many think,” said Jeff Shiner, CEO, 1Password. “Most of us follow the rules, but a small group of employees trying to get more done circumvent policies and create openings for credential attacks. They’re sometimes enabled by IT workers who empathize with their pursuit of productivity.”
Ignoring the IT policy
Employees who break their company’s IT policy tend to be:
- Speed demons: They’re nearly twice as likely to say convenience is more important than security—and almost 50% more likely to say strict password requirements aren’t worth the hassle.
- Pessimistic about IT capabilities: Employees who break IT policies are nearly twice as likely to say it’s unrealistic for companies to be aware of and manage all apps and devices used by employees at work, and say the IT department is more of a hindrance than a help.
- Millennials and Gen Z: Nearly three times as many workers who are 18-39 say they do not always follow IT policies, compared to those ages 56 and up.
Lack of tools amid the relentless quest for productivity
IT workers cited lack of suitable technology resources and concern for employee effectiveness as the reason nearly one in three IT workers are not fully enforcing security policies.
Twenty-five percent of IT workers say they don’t enforce security policies universally and 4% don’t enforce those policies at all, for reasons ranging from the hassle involved in managing policies to concerns over workforce productivity.
Thirty-eight percent of IT workers who do not strictly enforce security policies said their organization’s method for monitoring is not robust, while 29% agreed “it’s just too hard and time consuming to track and enforce” and 28% said “our employees get more done if we just let them manage their own software.”
One in three IT workers say that strict password requirements at work aren’t worth the hassle.
The usage of enterprise password managers
89% of IT departments using a password manager say it’s had a measurable impact on security at their company.
IT departments using EPMs report that they save time and frustration for employees (57%), reduce time for IT departments (45%), enhance productivity (37%), reduce breaches/attacks (26%) and create happier employees (26%).
The past few years have seen an increase in employees using personal devices and systems to access work emails and company databases, and exchange valuable information with colleagues, clients, and vendors. These tools can help people complete their jobs but are fraught with security challenges.
The scale of this challenge increased considerably in 2020 due to the expanded use of devices to accommodate work-from-home mandates and consequent sudden surge in cybercrime.
Frost & Sullivan examined the threats and attacks surrounding employees’ personal systems and devices, and found that multi-factor authentication (MFA) can be readily adopted by IT departments. It’s clear that companies can better protect themselves using tools more sophisticated than password protection.
A better user experience ensures full user adoption
“Passwords are no longer enough for businesses to secure their data. MFA has become a necessity for the modern business. However, MFA implementation and adoption can be cumbersome for IT departments and users,” explained Roberta Gamble, Partner and Vice President at Frost & Sullivan.
“Businesses need solutions that provide ease of installation and deployment, user-friendly tools and interface, and a clear method for the business to enforce usage.”
More and more companies, self-employed and private customers are using Boxcryptor to protect sensitive data – primarily in the cloud. Boxcryptor ensures that nobody but authorized persons has access to the data. Cloud providers and their staff, as well as potential hackers, are reliably excluded. The audit verified whether this protection is guaranteed.
During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation.
“All these components were logically correct and did not show any significant weakness under scrutiny. It is important to note that the codebase we audited was not showing any signs of malicious intent.”
The goal of the audit
The goal of the audit was to give all interested parties an indirect insight into the software so that they can be sure that no backdoors or security holes are present in the code.
Robert Freudenreich, CTO of Boxcryptor, about the benefits of an audit: “For private users, Boxcryptor is a means of digital self-defense against curious third parties, for companies and organizations a way to achieve true GDPR compliance and complete control over business data. With software that is so security relevant, it is understandable that users want to be sure that the software is flawless.”
The audit process started at the beginning of May with short communication lines to the developers and managers in the Boxcryptor team. If Kudelski had found a serious security vulnerability, they would not have held it back until the final report, but would have reported the problem immediately.
A problem rated as “medium”
The problem rated as medium is a part of the code that affects the connection to cloud providers using the WebDAV protocol. Theoretically, the operators of such cloud storage providers could have tried to inject code into Boxcryptor for Windows.
In practice, however, this code was never used by Boxcryptor, so there was no danger for Boxcryptor users at any time. In response to the audit, this redundant part of the code was removed.
Two problems classified as “low” and further observations
One problem classified as low concerns the user password: to protect users with insecure passwords, it was suggested that passwords be hashed even more frequently and that the minimum password length be increased, which we implemented immediately.
The second problem classified as low was theoretical and concerned the reading of the Boxcryptor configuration.
IT and application development professionals tend to exhibit risky behaviors when organizations impose strict IT policies, according to SSH.
Polling 625 IT and application development professionals across the United States, United Kingdom, France, and Germany, the survey verified that hybrid IT is on the rise and shows no signs of slowing down.
Fifty-six percent of respondents described their IT environment as hybrid cloud, an increase from 41 percent a year ago. On average, companies are actively using two cloud service vendors at a time.
While hybrid cloud offers a range of strategic benefits related to cost, performance, security, and productivity, it also introduces the challenge of managing more cloud access.
Cloud access solutions slowing down work
The survey found that cloud access solutions, including privileged access management software, slow down daily work for 71 percent of respondents. The biggest speed bumps were cited as configuring access (34 percent), repeatedly logging in and out (30 percent), and granting access to other users (29 percent).
These hurdles often drive users to seek risky workarounds, with 52 percent of respondents claiming they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.
85 percent of respondents also share account credentials with others out of convenience, even though 70 percent understand the risks of doing so. These risks are further exacerbated when considering that 60 percent of respondents use unsecure methods to store their credentials and passwords, including in email, in non-encrypted files or folders, and on paper.
“As businesses grow their cloud environments, secure access to the cloud will continue be paramount. But when access controls lead to a productivity trade-off, as this research has shown, IT admins and developers are likely to bypass security entirely, opening the organization up to even greater cyber risk,” said Jussi Mononen, chief commercial officer at SSH.
“For privileged access management to be effective, it needs to be fast and convenient, without adding operational obstacles. It needs to be effortless.”
Orgs using public internet networks
In addition to exposing the risky behaviors of many IT and application development professionals when accessing the cloud, the survey also revealed some unwitting security gaps in organizations’ access management policies. For example, more than 40 percent of respondents use public internet networks – inherently less secure than private networks – to access internal IT resources.
Third-party access was also found to be a risk point, with 29 percent of respondents stating that outside contractors are given permanent access credentials to the business’ IT environment.
Permanent credentials are fundamentally risky as they provide widespread access beyond the task at hand, and can be forgotten, stolen, mismanaged, misconfigured, or lost.
Mononen continued, “When it comes to access management, simpler is safer. Methods like single sign-on can streamline the user experience significantly, by creating fewer logins and fewer entry points that reduce the forming of bad IT habits.
“There is also power in eliminating permanent access credentials entirely, using ephemeral certificates that unlock temporary ‘just-in-time’ access to IT resources, only for time needed before access automatically expires. Ultimately, reducing the capacity for human error comes down to designing security solutions that put the user first and cut out unnecessary complexity.”
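The ephemeral “just-in-time” certificates described in the quote above can be issued with nothing more than OpenSSH’s own tooling. What follows is an added example written for this article, not code from the vendor (SSH) quoted here: a Python wrapper that generates a throwaway CA and user key in a temporary directory (a real access broker would keep the CA key in an HSM and sign the user’s existing key), signs a certificate for an assumed principal `deploy` that expires after ten minutes with port and agent forwarding switched off, and then parses `ssh-keygen -L` to confirm exactly what was granted. The `SAMPLE_LISTING` text is a constructed `ssh-keygen -L` output so the parser can be exercised even where `ssh-keygen` is not installed.

```python
import os
import re
import shutil
import subprocess
import tempfile
from datetime import datetime

# Constructed `ssh-keygen -L` output (fingerprints are placeholders) used to
# exercise the parser offline.
SAMPLE_LISTING = """\
/tmp/demo/user-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:0000000000000000000000000000000000000000000
        Signing CA: ED25519 SHA256:1111111111111111111111111111111111111111111 (using ssh-ed25519)
        Key ID: "ticket-4711 deploy"
        Serial: 0
        Valid: from 2021-03-01T09:59:00 to 2021-03-01T10:10:00
        Principals: 
                deploy
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-pty
                permit-user-rc
"""


def parse_cert_listing(text: str) -> dict:
    """Pull key ID, lifetime, principals, critical options and extensions out of `ssh-keygen -L` output."""
    info = {"key_id": None, "lifetime_seconds": None,
            "principals": [], "critical_options": [], "extensions": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key ID:"):
            info["key_id"] = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Valid:"):                 # "Valid: forever" leaves lifetime None
            m = re.search(r"from (\S+) to (\S+)", line)
            if m:
                start, end = (datetime.strptime(m.group(i), "%Y-%m-%dT%H:%M:%S") for i in (1, 2))
                info["lifetime_seconds"] = int((end - start).total_seconds())
        elif line.startswith("Principals:"):
            section = "principals"
        elif line.startswith("Critical Options:"):
            section = "critical_options"
        elif line.startswith("Extensions:"):
            section = "extensions"
        elif section and line and line != "(none)":    # indented entries under the current header
            info[section].append(line)
    return info


def ssh_keygen_available() -> bool:
    return shutil.which("ssh-keygen") is not None


def issue_short_lived_cert(principal: str, minutes: int, key_id: str) -> dict:
    """Mint a user certificate valid for `minutes` minutes, for one principal, with
    forwarding disabled, and return what `ssh-keygen -L` says it grants."""
    with tempfile.TemporaryDirectory() as d:
        ca, user = os.path.join(d, "ca"), os.path.join(d, "user")
        for key in (ca, user):
            subprocess.run(["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", key],
                           check=True, capture_output=True)
        subprocess.run(["ssh-keygen", "-s", ca, "-I", key_id, "-n", principal,
                        "-V", f"-1m:+{minutes}m",   # 1 min of clock-skew allowance, then expiry
                        "-O", "no-port-forwarding", "-O", "no-agent-forwarding",
                        user + ".pub"], check=True, capture_output=True)
        listing = subprocess.run(["ssh-keygen", "-L", "-f", user + "-cert.pub"],
                                 check=True, capture_output=True, text=True).stdout
    return parse_cert_listing(listing)


if __name__ == "__main__":
    print(parse_cert_listing(SAMPLE_LISTING))
    if ssh_keygen_available():
        print(issue_short_lived_cert("deploy", 10, "ticket-4711 deploy"))
```

Nothing in the certificate outlives the window: the server (with `TrustedUserCAKeys` pointing at the CA’s public key) rejects it after `Valid: ... to` passes, so there is no credential to revoke when the contractor’s task ends and nothing useful to steal from a laptop a day later.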
A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums.
The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users.
After removing duplicates (which brings the 33+ million records down to roughly 26 million unique accounts), Troy Hunt added the dump to the Have I Been Pwned? service, which users can query to check whether their account is in it. He dated the dump to 2017 because that year was included in the file name.
When did the breach happen?
The story of this data breach and leak is an interesting one.
There have been rumors about a supposed LiveJournal breach for years, though the blogging platform, which is owned by Russian media company Rambler Media Group, never confirmed them.
Back in 2018 (in a tweet dated October 11, 2018), Hunt received reports about a sextortion campaign targeting LiveJournal users and using their passwords.
Denise Paolucci, one of the owners of Dreamwidth, an online journal service based on the LiveJournal codebase (and with a significant crossover in user base), said on Tuesday that the data dump has been available on the black market since at least October of 2018, when they first reported people getting spam extortion emails with passwords in them.
“Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had,” she explained.
“We have no way to tell for sure whether LiveJournal has actually had a data breach, or whether the file that’s circulating is real or fake. All we can say for certain is that none of the evidence we’ve seen has disproven the claim made by the people offering the file that the file contains usernames and passwords taken from LiveJournal. We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”
Past and current LiveJournal users are advised to change their passwords to a new, long and unique one and to do the same on any other account where they used the same one.