By Morey Haber, CTO & CISO, BeyondTrust
In the cyber world, we’re exposed to an onslaught of recommendations and top lists for improving IT security. They may share some universal characteristics, but they are rarely relevant for adoption by everyone, everywhere, and at every time. In fact, can you guess what the number one, universal, and best security recommendation is for everyone to embrace? Here’s a hint: it is related to passwords.
To further set the stage for this recommendation, let’s consider all the infosec recommendations we experience on a daily basis. These include everything from security skills and cyber awareness training to patch management. They target problems from phishing to vulnerability management, but are not necessarily relevant to every employee within an organization, nor are they necessarily relevant to each person on their personal devices at home.
While it is common knowledge to avoid email spam, and employees are often trained on how to identify suspicious emails and advised not to click on suspicious links, it is interesting that younger generations are far less likely to embrace email outside of the corporate enterprise. Instant messaging and other forms of social media are their tools of choice, which suggests that traditional email may slowly fade away like postal correspondence or the fax machine. The demise of email may take a few more decades to transpire, but this downshift is well underway.
All of this helps further refine the single best recommendation. Remember, we need to consider a universal security recommendation that translates to everyone.
Fixing an Age-Old Security Issue
Regardless of persona at home or at work, the one thing everyone uses is passwords. We use passwords for work, for resources on the Internet, for social media and for our applications. We use them in the form of passcodes and PINs for banking, mobile devices, and for office and home alarm systems. Passwords are ubiquitous, and we use them constantly — even on newer systems that ironically claim to be “password-less.” In these instances, a mechanism under the hood is still identifying your access rights and storing that “somehow”.
The most common storage of any password is within a single human brain. We assign a password to a system or application, recall it when it needs to be used, and hopefully remember it each time we change it. Our brains are full of passwords, and often, we forget them, reuse them, need to share them, and are forced to document them on post-it notes, spreadsheets, and even communicate them via email or SMS text messages (a very poor security practice!).
These insecure methods for creating, sharing, and reusing passwords are responsible for the types of data breaches that routinely make the front-page news, serving as cautionary tales of what is at high risk of happening when good password management strategies are not adhered to. The ramifications crisscross both our professional and personal lives.
Passwords literally can be found everywhere, and we need at least one basic tenet to help fix a thousand-year-old problem. Therefore, the most important security recommendation for everyone is:
Ensure that every password you use is unique and not shared with any other resource (including people) at any other time.
While there is no denying that remembering an already considerable and ever-expanding list of passwords (an average of 120 for the modern-day corporate user) is improbable for most humans, there are password management tools, solutions, and techniques for making this a reality, thereby going a long way toward reducing password-related threats.
Modern operating systems, browsers, and applications can help create unique passwords for every resource, and securely store them for retrieval in lieu of a human having to remember every single one. The passwords are basically stored behind one unique “master” password (it may also be referred to as a “key” or “secret”) that only the individual knows. While this is a good solution for home and small business users (to a limited degree), it does not scale to most businesses that need to share accounts (due to technology limitations) and to automatically generate unique passwords, such as to keep up with employee changes or to meet regulatory compliance guidelines.
Another security best practice to be mindful of — a password alone should never be the only authentication mechanism for critical data, sensitive systems, and potentially daily operations into those resources. Multi-factor authentication (MFA) or two-factor authentication (2FA) should be layered on top to ensure a unique password, per account, is actually being used by the correct identity when authentication is required.
One key merit of this universal security recommendation is that it ensures that if your password is stolen, leaked, or inappropriately used, it can only be leveraged against the corresponding resource assigned (if MFA or 2FA is not present). If passwords are unique, a threat actor cannot use one compromised account and password to attack other resources. The attacker’s options and movement are significantly limited, though they could try to leverage advanced techniques to steal other credentials from the system they have compromised, such as by scraping passwords from memory. In that case, not only generating unique passwords but also rotating passwords frequently will help mitigate the attack.
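The recommendation above (one unique password per resource, never shared with another resource or person) is something an organization can actually audit. The following is an added illustration, not BeyondTrust code or any product's API: it takes a constructed set of vault entries (resource, username, password), groups them by a keyed fingerprint so the report never holds plaintext, flags any password used on more than one resource or by more than one person, and generates a replacement password that is guaranteed not to collide with anything already in the vault. The host names, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample vault entries: (resource, username, password).
# These are illustrative values, not real credentials.
SAMPLE_VAULT = [
    ("mail.example.test", "alice", "Summer2024!"),
    ("vpn.example.test", "alice", "Summer2024!"),   # alice reused her mail password on the VPN
    ("git.example.test", "alice", "k9#Qw2!pL7@zRm4x"),
    ("wiki.example.test", "bob", "Summer2024!"),    # bob shares alice's password (shared with a person)
    ("ci.example.test", "svc-build", "Tr0ub4dor&3"),
]


def fingerprint(password, key):
    """Keyed digest of a password.

    HMAC with a per-run random key means the audit report contains no plaintext
    and the fingerprints cannot be reused as a lookup table after the run ends.
    """
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def find_reuse(vault, key=None):
    """Return one finding per password that appears on more than one entry.

    Each finding lists the (resource, username) pairs sharing the password and
    whether the sharing crosses people, which is the worse of the two cases.
    """
    key = key or secrets.token_bytes(32)
    groups = defaultdict(list)
    for resource, user, password in vault:
        groups[fingerprint(password, key)].append((resource, user))

    findings = []
    for fp, entries in groups.items():
        if len(entries) < 2:
            continue  # unique password: nothing to report
        people = {user for _, user in entries}
        findings.append({
            "fingerprint": fp,
            "entries": sorted(entries),
            "shared_across_people": len(people) > 1,
        })
    # Largest blast radius first
    return sorted(findings, key=lambda f: len(f["entries"]), reverse=True)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_unique_password(vault, length=24):
    """Generate a random password that does not match any password already in the vault.

    secrets.choice draws from the OS CSPRNG; the loop enforces the uniqueness
    rule against the existing entries before a replacement is handed out.
    """
    existing = {password for _, _, password in vault}
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in existing:
            return candidate


if __name__ == "__main__":
    for finding in find_reuse(SAMPLE_VAULT):
        scope = "ACROSS PEOPLE" if finding["shared_across_people"] else "same person"
        print(f"password {finding['fingerprint']} reused ({scope}):")
        for resource, user in finding["entries"]:
            print(f"  {user}@{resource}")
    print("replacement:", generate_unique_password(SAMPLE_VAULT))
```

The audit necessarily sees the plaintext at run time (a vault has to decrypt entries to compare them), so it belongs inside the password management tool, not in an ad-hoc script run over an exported spreadsheet; the keyed fingerprint is what keeps the resulting report safe to circulate. A finding marked as shared across people is the case the recommendation singles out: one compromised credential would open accounts belonging to more than one identity.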
Solutions for privileged password management across an organization’s entire information and security infrastructure can help. Advanced tools provide automated management for sensitive accounts and passwords (including SSH key management), such as shared administrative accounts, application accounts, local administrative accounts, and service accounts, across nearly all IP-enabled devices.
This helps ensure this top security recommendation can be implemented across an organization to enforce strong enterprise password security.
About the Author
With more than 20 years of IT industry experience and the author of Privileged Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.