The impact of password failure on the IT security industry

Passwords have been the pillar of securing data since IT began. However, our recent survey revealed that 77 per cent of IT professionals believe passwords are inadequate for IT security. The study looked at the attitudes of nearly 200 cybersecurity professionals. It also found that 53 per cent of those surveyed thought that modern hacking tools could easily crack passwords within their company. Given that only IT professionals were questioned, it is fair to say that the findings reflect the attitude of the industry – and maybe it is time to rework the way in which passwords are handled.

Attackers capitalise on automation

Cybercriminals are using automation to help them capitalise and save time on mundane tasks like brute forcing user credentials. Criminals can take advantage of a computer’s ability to execute mind-numbing tasks and ultimately they can monetise the laziness of people choosing weak passwords. All it takes is a little bit of code and a lot of bad intentions; contrary to primitive connotations in its name, a brute force attack is actually pretty clever.

The reason these attacks are successful is because someone much smarter forged the path. Someone figured out how to automate these cyberattacks. Someone found the vulnerabilities to exploit. Someone did all the smart work up front and it’s that smart part that stings because more often than not, it’s the automation process and the persistence that will beat organisations’ defences.

So why aren’t we?

If brute force attacks are being automated to try millions of passwords in seconds, but people only change their passwords once in a blue moon, what chance do they have? We need to combat this by also automating password rotation. Administrative passwords are crucial to any given business. All it takes is one little password to be compromised for a hacker to gain access to other areas of the network. Shockingly, the same survey found that 10 per cent of respondents never updated their administrative passwords.

Of course, it’s not easy for IT staff to keep track of all their admin passwords, but this gets even more complicated when you’re expected to know every place where the credentials are used – and what might break when they’re updated. However, because of the sensitive systems that these credentials protect, frequent privileged password changes are essential for good security. So what if organisations could react with an automated defence? If they take control of privileged account management, it greatly reduces the attack surface available for compromise and eliminates lateral movement in the event a brute force attack is successful and the attacker manages to get into the system.

This is neither rocket science, nor is it original. After one of the major data breaches of last year -- top 3 by notoriety -- many consultants parachuted in from the biggest names in the IT security business. They sat and stared at tonnes of screens, drank lots of caffeine, and after 36 hours concluded that all the privileged credentials should be changed. Now imagine that was an automated response that would have happened the moment a breach was detected; of course that would have been better. Simply rotating credentials at the point in time of an active attack, as a response, would cut off the attacker’s access to the privilege needed to succeed, without affecting legitimate users who were already going through a process to gain access on demand. The key is that since the legitimate users wouldn’t have always-on privilege in that scenario anyway, the only ones feeling the pain of the automated response are the bad guys.

When the power to control rights and privileges is sorted, the solution should then hook up to other security systems to make sure everything is working in a healthy, closed-loop process. If analytics and logging solutions are looking at all the security event data to find patterns, then surely all the data about who has legitimate privilege is equally important. That leads to simple correlations - for example, an action that takes place using a privileged identity that was not currently checked out to any authorised user is suspicious. If solutions are detecting malware and other incidents as they happen, the privileged account management system can automate a privileged response in near real-time with no operational impact, making automation an ally instead of an enemy.
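The correlation described above, worked through as an added example that is not the article's or Lieberman Software's code: it joins vault checkout records against privileged-action events, flags any action taken under a privileged identity that nobody had checked out at that moment, and lists the accounts an automated rotation should target. The checkout records, event log lines and field names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not from the article). Checkout records as a
# privileged-account vault would hold them: which user held which account, and when.
CHECKOUTS = [
    # (privileged account, user, checkout start, checkout end)
    ("svc-backup", "alice", "2024-03-01T09:00:00", "2024-03-01T11:00:00"),
    ("domadmin", "bob", "2024-03-01T13:00:00", "2024-03-01T14:00:00"),
]

# Constructed privileged-action events as pulled from system or SIEM logs.
EVENTS = [
    # (timestamp, privileged account, host, action)
    ("2024-03-01T09:30:00", "svc-backup", "fs01", "service restart"),       # inside alice's checkout
    ("2024-03-01T12:15:00", "domadmin", "dc01", "group membership change"),  # nobody holds domadmin
    ("2024-03-01T13:20:00", "domadmin", "dc01", "interactive logon"),        # inside bob's checkout
    ("2024-03-01T23:50:00", "svc-backup", "ws07", "interactive logon"),      # nobody holds svc-backup
]


def parse(ts):
    return datetime.fromisoformat(ts)


def checked_out_to(account, when, checkouts):
    """Return the user who held `account` at time `when`, or None if unheld."""
    for acct, user, start, end in checkouts:
        if acct == account and parse(start) <= when <= parse(end):
            return user
    return None


def find_unauthorised_use(events, checkouts):
    """Flag every event where a privileged identity acted while not checked out."""
    findings = []
    for ts, account, host, action in events:
        if checked_out_to(account, parse(ts), checkouts) is None:
            findings.append({"time": ts, "account": account, "host": host, "action": action})
    return findings


def rotation_targets(findings):
    """Privileged accounts whose credentials an automated response should rotate."""
    return sorted({f["account"] for f in findings})


if __name__ == "__main__":
    hits = find_unauthorised_use(EVENTS, CHECKOUTS)
    for h in hits:
        print(f"SUSPICIOUS {h['time']} {h['account']}@{h['host']}: {h['action']}")
    print("rotate:", rotation_targets(hits))
```

In a live deployment the rotation step would call the vault's credential-change API for each target, so the attacker's stolen password stops working while a legitimate user simply checks the account out again.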

Jonathan Sander, VP of Product Strategy at Lieberman Software