Oct 09 · 4 min read
Last week, I came across interesting research on cybersecurity practices over the past decade (2010-20) by Jean-Christophe Gaillard, a UK-based cybersecurity strategist. Jean candidly explains how even large firms with fully functioning information security teams have ignored the cybersecurity basics and are now struggling with a range of issues.
Jean's findings and comments set me thinking.
During the past two decades (or close to that), I have had the opportunity to interact with IT professionals on varied topics across the globe in person and through various media, forums, and online communities.
While many cybersecurity practices have changed or evolved over the years, one particular practice strikingly remains the same, then and now: the way organizations and IT teams handle sensitive passwords. It has been two decades, but the story remains the same!
Any firm dealing with IT obviously deals with passwords and other types of credentials too. Unless forced by industry regulations, or until they face a security incident themselves or hear about a compromise in a similar business, firms do not attach much importance to password security.
As the popular saying goes, hackers nowadays don't actually hack into networks; they simply walk in using stolen, weak, or compromised credentials freely available on the dark web.
TechTarget provides a fitting definition of the phrase 'data breach': "... an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so."
At the root of many data breaches lies the involvement of stolen credentials or misuse of administrative access. Yet, the all-important password security measures remain one of the most neglected basic security measures.
[Figure: data breaches chart. Source: Information Is Beautiful]
Time and again security researchers and industry analysts stress that more than 80% of the data/security breaches worldwide involve stolen credentials or misuse of administrative access.
Many organizations are struggling to enforce password policies. While IT managers understand the importance of strong, unique passwords in combating identity-based attacks, it is common to see the same password assigned to multiple IT assets; developers reusing passwords across their personal and work accounts; passwords on spreadsheets circulated across departments; a departing IT staff member leaving with a copy of all the credentials; and similar practices.
When developers reuse passwords, a compromise of one of their personal accounts gives hackers easy access to corporate data. Uncontrolled or unmonitored access often leads to exploitation by malicious insiders. Weak security practices and vulnerabilities in the supply chain lead to breaches upstream.
In recent years, a lack of basic security measures and a failure to adopt best practices in password management, IT access controls, MFA enforcement, and patch management have led to some of the worst data breaches. While concentrating on deploying sophisticated and advanced security technologies, these companies lost sight of the basics, leading to financial and reputational loss.
Data breaches and security incidents happen for a variety of reasons. Not all security incidents can be prevented; there is no magic wand or silver bullet available yet. But it has been proved time and again that identity theft remains at the root of the majority of data breaches and cyberattacks.
By concentrating on the basic password security best practices, IT departments can indeed prevent a good number of attacks. Strong, unique passwords are still effective when periodically randomized. Password management is indeed the foundation of IT security.
Password management is not just about ensuring strong, unique passwords. It extends to managing the entire credential lifecycle, and to monitoring and controlling access. You can establish a centralized vault; granularly control 'who' can access 'what'; automate password security best practices; rotate passwords of IT assets at periodic intervals; grant RDP, SSH, and SQL connections to IT assets without revealing passwords; maintain a complete record of all activities; and gain visibility over all IT access.
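The practices called out above (the same password on several assets, passwords never rotated, passwords too weak to withstand guessing) can be checked mechanically once credentials live in one inventory. The audit below is an added example written for this post, not code from any vendor product; the inventory, asset names and secrets are constructed, and the 90-day rotation window and 14-character minimum are assumed policy values.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed sample inventory: hypothetical assets, accounts and secrets.
AS_OF = date(2023, 10, 9)
INVENTORY = [
    {"asset": "db-prod-01",  "account": "sa",    "secret": "Winter2020!",      "rotated": date(2020, 12, 1)},
    {"asset": "db-prod-02",  "account": "sa",    "secret": "Winter2020!",      "rotated": date(2020, 12, 1)},
    {"asset": "jump-host-1", "account": "root",  "secret": "tV7#qL2m!xZ9pR4w", "rotated": date(2023, 9, 20)},
    {"asset": "core-switch", "account": "admin", "secret": "admin",            "rotated": date(2019, 5, 4)},
]


def fingerprint(secret):
    """One-way identifier for a secret so the report never carries plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def audit(inventory, as_of, max_age_days=90, min_length=14):
    """Return shared, stale and weak findings as account@asset identifiers."""
    by_fingerprint = defaultdict(list)
    stale, weak = [], []
    for entry in inventory:
        ident = f"{entry['account']}@{entry['asset']}"
        # Same fingerprint on several assets means one compromise opens all of them.
        by_fingerprint[fingerprint(entry["secret"])].append(ident)
        if (as_of - entry["rotated"]).days > max_age_days:
            stale.append(ident)
        if len(entry["secret"]) < min_length:
            weak.append(ident)
    shared = {fp: ids for fp, ids in by_fingerprint.items() if len(ids) > 1}
    return {"shared": shared, "stale": stale, "weak": weak}


def affected_accounts(findings):
    """Distinct accounts with at least one finding, for a headline metric."""
    affected = set(findings["stale"]) | set(findings["weak"])
    for ids in findings["shared"].values():
        affected.update(ids)
    return affected


if __name__ == "__main__":
    result = audit(INVENTORY, AS_OF)
    for fp, ids in result["shared"].items():
        print(f"shared secret {fp}: {', '.join(ids)}")
    print("stale:", result["stale"])
    print("weak:", result["weak"])
    print("accounts needing action:", len(affected_accounts(result)))
```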
Identity theft protection services that offer monitoring and recovery for your personal information can also help. These services scan the web for signs of unauthorized activity and help you recover your identity. Regardless of how much or how little you use the internet, you may be at risk of identity theft. A good identity theft service actively monitors all your accounts and personal information and alerts you as soon as it encounters any unusual activity. For example:
When there is a security breach, time is of the essence. It can mean the difference between a few minutes spent securing your accounts and lasting personal and financial damage.
Though the death of passwords has been predicted for a long time, passwords still remain the first authentication measure for most types of IT access. Despite the emergence of passwordless authentication technologies, passwords and identities remain the top choice.
The password is still the undisputed king of authentication. Passwords are here to stay, and password security is one of the foundational measures. The sooner organizations ditch the decades-old spreadsheet approach and adopt advanced password management, the better equipped they will be to combat data breaches.