Nearly everything that people do online these days requires a username and password. Despite the fact that these credentials safeguard credit card details, personally identifiable information, and other sensitive data, in 2017 people continued to use easy-to-guess passwords like “123456,” “Password,” and “iloveyou.” What’s worse is that these insecure passwords are rarely changed and are reused across multiple sites. Now what happens if those same people practicing poor credential management are your employees?
Credentials are the oxygen of malicious activity. For bad actors, the success of phishing, keylogging, or other attempts to capture legitimate credentials is the most crucial factor for completing nefarious activities. When developing a plan of attack, credentials are often either the target, or used as a mechanism to gain access to the intended network targets.
And stealing usernames and passwords isn’t an insurmountable task. In fact, quite the opposite. Attackers simply need tools like keyloggers and Trojans to capture credentials for every type of account imaginable. Crippling a company financially doesn’t take a zero-day exploit, just a set of legitimate credentials.
One in five security professionals still uses paper to manage privileged passwords
It’s not just low-level employees that have poor security hygiene. Even IT security professionals still use paper to log their privileged passwords. With those habits, all it takes is one disgruntled employee to walk by, obtain the credentials for administrative access, and have free rein in the environment. In this case especially, no one would question the validity and identity of a high-privileged account making changes within the network.
Effective prevention of credential theft should include these strategies
To lower the risk of stolen credentials, infosec professionals are singing the praises of two-factor (2FA) and multi-factor authentication (MFA) to better secure IT systems. In particular, a strategy that prevents credential theft should include the following:
Having more than one factor of authentication
One-time passwords that are only valid for one login or transaction, and only for a limited amount of time
Employee training, since people are often the weakest link in the security chain
With a 2FA/MFA strategy, there is an additional layer of protection: if an attacker steals a password, it alone is worth no more than no credentials at all, because the second factor is still required to authenticate.
Finding a modern 2FA to fit your business
According to our partners over at Duo, the most secure technology is one that users actually want to use. So finding a modern MFA and 2FA (M/2FA) solution that is easy to use with minimal impact to end users is the key to success.
Other criteria to consider when choosing a M/2FA solution include:
Low-Touch for Admins - Cloud-delivered, so admins can deploy the solution quickly without hardware or software to install. It shouldn’t require an expert to manage: enrolling users, phones, tokens, and integrations should all be doable by non-specialists.
Visibility Into Security Health - Admins using a modern 2FA solution should be able to see authentication logs for reporting, analytics, and compliance requirements, detailed down to user and device. It should also provide APIs to export logs to security information and event management (SIEM) solutions.
Capability to Create User Access Policies - To further strengthen a security posture, the solution should allow administrators to create role-based access policies and organize users into functional groups based on job title or level of access.
Built-In Security - Asymmetric cryptography, Universal 2nd Factor (U2F), and easy security patching should all be built in so that the security solution itself is actually secure.
Is your company at risk for credential theft?
Without modern 2FA, we have no way of proving the identity of the person or machine providing the credentials for access to a company’s most precious assets. Any organization that isn’t taking the steps to validate identity should be prepared to be breached. At Edgeworx, we work with our clients and our ecosystem of security partners to ensure that network architectures are secure and are adaptable to today’s growing threat landscape.
To learn more about improving your organization’s security posture, contact one of our security experts today at +1.647.793.4731.