If you really want to improve cyber resilience, stop letting employees create their own passwords
- Published: Wednesday, 15 June 2022 08:22
A fundamental change of attitude to access credentials is required to give organizations a chance of regaining control over cyber security, says Julia O’Toole, Founder and CEO of MyCena Security Solutions.
In mid-March, the Cybersecurity and Infrastructure Security Agency (CISA) released a report highlighting how cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain access and compromise user systems. These included not enforcing multifactor authentication, primarily with remote desktop access, the use of vendor-supplied default login usernames and passwords, and the failure to detect and block phishing attempts.
CISA suggested that organizations can help strengthen their network defences against commonly exploited practices by adopting a zero-trust security model, which enables users to be assigned only the access rights required to perform their assigned tasks. Access control can limit the actions of malicious cyber actors and reduce the chance of user errors.
However, CISA also stresses the importance of implementing multi-factor authentication (MFA) protocols, employing antivirus programs and detection tools and searching for vulnerabilities, as well as initiating a software and patch management program. These measures are all said either to provide a higher degree of visibility into endpoint security or to effectively aid in protecting against malicious cyber actors.
Julia O’Toole believes that these recommendations are simply not enough and that organizations need more than surface-level fixes to prevent cyber breaches.
“Preventing malicious actors from gaining network access won’t happen through antivirus programs. These are simply temporary fixes that do nothing to correct the fundamental vulnerabilities in how organizations approach their cyber security. It’s time for businesses to take control and lead their own cyber resilience, rather than hide their difficulties behind third-party software.”
“We’ve seen earlier this year how MFA can be easily exploited by malicious cyber actors wishing to gain network access. These vulnerabilities are often known and exploited by hackers for months before affected organizations are made aware, posing a significant danger to those whose systems are compromised.”
“MFA is not the solution CISA wants to pretend it is and enforcing the use of stronger passwords doesn’t stop the problem either. When, according to the 2022 Verizon Data Breach Investigation Report, 82 percent of network breaches start with a compromised login - whether using stolen credentials or phishing - the difference between “123456” and “1&!7A8%9gh3Tio” is negligible in protecting your network. Hackers don’t “hack in”, they simply log in using ‘found’ passwords, be it through social engineering, phishing or even just paying employees for their credentials. Trusting employees to create their own keys is the ultimate problem that CISA should be addressing.”
Whilst O’Toole agrees with CISA’s advice to give role-based access, she explains that this does not fix the credentials vulnerabilities. “The root cause of the problem is letting employees create their own passwords. Imagine if CISA let their employees make their own keys to walk into their Arlington facilities just because they have MFA!”
“In reality, they take far more precautions to ensure their systems stay secure, starting with keeping control of their access keys. Likewise, in the digital world, organizations can distribute end-to-end encrypted passwords to their employees to securely access their online systems, one by one, without ever seeing a password. Employees can only gain access to parts of the network for which they have the keys, which means: no key, no access.”
“As passwords stay encrypted from creation, distribution, use, to expiry, employees cannot give away by error a password they don’t know. This solves the problem of human errors leading to credentials compromise, which is the source of 82 percent of breaches. And contrary to other access management methods, there is no master password or identity to steal, so criminals cannot find a privileged account or single point of access to take control of the network and launch a ransomware attack.”
“Companies should be investing sooner rather than later to stop cybercriminals from gaining access to their systems through credentials. Keeping control of their own encrypted digital keys will protect them from over 4 out of 5 breaches. Without this minimum layer of cyber security, all it takes is one employee slip-up to result in a potentially devastating and costly network breach.”