There is something fundamentally wrong with cybersecurity. Passwords and credentials are still the most common method used to control access today, as they have been for the past six decades, but they are an unreliable defense, and the hatred of them runs deep.
Access control has always been derived from some ancient and strange model, says Netenrich CISO Chris Morales, and he really hates passwords.
“For all the money and cool things we do, all our security collapses on a crappy password,” he said.
“The problem we have is that access is all or nothing and that password is something you already know,” Morales said. “So if you know something, you’re considered trustworthy, and you can go look for everything.”
There is broad recognition among the more than three dozen cybersecurity leaders Cybersecurity Dive spoke with that access is a seriously broken system. However, businesses can’t do much without passwords and identity in their most common forms today.
This problem is not new; it is older than the internet. Poor identity governance is a chronic condition.
“I think identity is in some cases the whole ball game,” MK Palmore, Director of the Office of the CISO at Google Cloud, told Cybersecurity Dive.
Too many credentials
If access is fundamental to the structure of systems, passwords are the connective tissue that holds it together.
It doesn’t help that organizations use thousands of apps and services to get things done. The average large company uses 367 software applications and systems, according to Forrester.
Each of these will likely be tied to a username and password, although single sign-on is becoming more common.
This glut of credentials fuels a collection of identity and access management systems, including password managers, single sign-on services, multi-factor authentication, and other tools designed to verify identity and enforce permissions.
Cybersecurity experts generally refrain from questioning the effectiveness of password managers or MFA because these tools, however fallible, still strengthen an organization’s security posture.
These tools simplify user access but also concentrate risk for organizations. Multiple large-scale attacks in the last year serve as a warning.
A sustained attack against LastPass went unnoticed for months and became one of the most prominent security breaches of 2022 when an as-yet-unidentified threat actor stole a cloud-based backup of all customer vault data, including encrypted usernames and passwords.
The attack underscored the crux of the defenders’ dilemma.
Phishing and the use of stolen or compromised credentials remain the two most frequent attack vectors, together accounting for 3 in 10 breaches, according to IBM Security’s “Cost of a Data Breach” report.
Credential manipulation and credential-based attacks are a crisis, said Karim Toubba, CEO of LastPass. “Based on the data we have, we’re going to have a pretty juicy target on our back [in] perpetuity,” Toubba told Cybersecurity Dive.
LastPass is not alone in this regard.
Single sign-on provider Okta was hit by a phishing attack, a breach, and the theft of its GitHub source code last year. Twilio’s widely used two-factor authentication service was compromised last summer when several employees were tricked into providing their credentials to threat actors.
“Whenever you centralize something, you give a good target,” said Michael Sikorski, CTO and Vice President of Unit 42 at Palo Alto Networks. “The crown jewels are all in one place.”
Identity abuse breaks the integrity of the system
Weaknesses in authentication fuel cyberattacks, and bad things can and will happen when unauthorized users are granted access.
Threat actors wreak all kinds of havoc—data theft, ransomware, and extortion campaigns—when they gain what appears to be legitimate access to business systems.
“All of these breaches, all of these attacks, the vast majority of them come back to weak knowledge-based credentials, particularly user authentication and passwords,” said Andrew Shikiar, Executive Director of the FIDO Alliance.
“The fundamental problem is the primary authentication factor, which is the password,” Shikiar said. “We’ve been relying on this inadequate method for user authentication for 60 years.”
The binary mechanism of passwords, which either approve or deny access, underscores the root of the problem.
Access may not be the first line of defense in all scenarios, said Cloudflare CEO Matthew Prince, but “it’s the most important line of defense because it makes all the other security issues we worry about much more manageable.”
Business is booming for credentials, which account for the vast majority — nearly 90 percent — of assets for sale on the dark web, according to IBM Security X-Force. They sell for an average price of almost $11 per listing.
The potential payoff for cybercriminals who obtain these credentials, which are often exposed through phishing and data breaches, is massive.
Stolen credentials are the most popular entry point for breaches, according to Verizon’s “Data Breach Investigations Report.” Compromised identities were exploited by threat actors in 4 out of 5 of all breaches studied by CrowdStrike over the past year.
Threat actors are also hitting critical infrastructure with valid account credentials, which were responsible for more than half of attacks against critical infrastructure organizations in fiscal year 2022, according to the Cybersecurity and Infrastructure Security Agency.
System access and identity are vital and everyone knows it, attackers and defenders alike.
“Identity and access management is by far the most important component of cybersecurity because it is the core of cybersecurity. That’s where it starts,” Keeper CEO and co-founder Darren Guccione said.
Organizations can limit risk by design
Limiting the risks posed by identity fraud may be more realistic than eliminating passwords entirely in the short term, but that comes down to permissions, and that too is fraught with complications.
Access to IT infrastructure is still too broad, and privileged accounts are handed out without much consideration, said John Dwyer, head of research at IBM Security X-Force.
Ransomware succeeds because threat actors exploit this flat architecture, and yet “best practices have been to not do any of these things my entire career,” Dwyer said.
Granting access to systems is complex, but it should be recognized as one of the new core principles of cybersecurity, according to Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly.
Organizations that adhere to this practice can design their systems to reduce the impact of a threat actor obtaining a developer’s credential and reorient their defense strategy around resilience, Shortridge said.
“Failure is inevitable; it also happens all the time,” Shortridge said. “We have to be able to prepare,” respond gracefully and adapt to evolving conditions.
Cybersecurity authorities recognize the benefits of IAM while warning organizations about the multitude of problems that manifest in these policies and tools.
Identity governance and alignment, infrastructure hardening, MFA and monitoring can prevent some of the most likely threats, according to CISA and the National Security Agency.
CISA’s voluntary cybersecurity performance goals also encourage organizations to mitigate account security risks by changing default passwords, separating user and privileged credentials, revoking unnecessary access, supporting MFA, and requiring long and unique passwords.
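As an added illustration, not drawn from the article, from CISA or from any real system, the following Go program applies the account checks listed above to a constructed identity inventory: default passwords, privileged accounts doubling as everyday accounts, stale access, missing MFA, short passwords and passwords shared across accounts. The Account fields, the thresholds (90 days idle, 15 characters) and the sample accounts are all assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Account is one row of a constructed identity inventory (sample data, not
// drawn from the article, from CISA or from any real system).
type Account struct {
	Name        string
	Privileged  bool   // holds admin rights
	DailyUse    bool   // also used for mail, browsing and other routine work
	MFA         bool   // second factor enrolled
	IsDefault   bool   // still on a vendor default password
	PasswordLen int    // length of the current password
	CredID      string // stand-in for a comparable credential fingerprint; equal values mean a reused password
	LastUsed    time.Time
}

// Audit applies the account checks from the CISA goals above to the inventory
// and returns findings per account. staleAfter and minLen are policy knobs,
// not values the article gives.
func Audit(accts []Account, now time.Time, staleAfter time.Duration, minLen int) map[string][]string {
	holders := map[string][]string{} // CredID -> accounts sharing that password
	for _, a := range accts {
		holders[a.CredID] = append(holders[a.CredID], a.Name)
	}
	findings := map[string][]string{}
	for _, a := range accts {
		var f []string
		if a.IsDefault {
			f = append(f, "default password still set")
		}
		if a.Privileged && a.DailyUse {
			f = append(f, "privileged account used for routine work; issue a separate user account")
		}
		if idle := now.Sub(a.LastUsed); idle > staleAfter {
			f = append(f, fmt.Sprintf("unused for %d days; revoke", int(idle.Hours()/24)))
		}
		if !a.MFA {
			f = append(f, "MFA not enrolled")
		}
		if a.PasswordLen < minLen {
			f = append(f, fmt.Sprintf("password shorter than %d characters", minLen))
		}
		if len(holders[a.CredID]) > 1 {
			f = append(f, "password shared by "+strings.Join(holders[a.CredID], ", "))
		}
		if len(f) > 0 {
			findings[a.Name] = f
		}
	}
	return findings
}

// SampleInventory builds the constructed inventory used by main.
func SampleInventory(now time.Time) []Account {
	day := 24 * time.Hour
	return []Account{
		{Name: "svc-backup", Privileged: true, MFA: true, IsDefault: true, PasswordLen: 8, CredID: "c1", LastUsed: now.Add(-2 * day)},
		{Name: "alice-admin", Privileged: true, DailyUse: true, MFA: true, PasswordLen: 20, CredID: "c2", LastUsed: now.Add(-1 * day)},
		{Name: "bob", MFA: false, PasswordLen: 16, CredID: "c3", LastUsed: now.Add(-120 * day)},
		{Name: "carol", MFA: true, PasswordLen: 18, CredID: "c2", LastUsed: now.Add(-3 * day)},
	}
}

func main() {
	now := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)
	for name, f := range Audit(SampleInventory(now), now, 90*24*time.Hour, 15) {
		fmt.Println(name + ":")
		for _, line := range f {
			fmt.Println("  -", line)
		}
	}
}
```

On the sample inventory every account produces at least one finding; the shared-password check is the one that needs data from more than one row, which is why it is computed in a first pass before the per-account rules run. In a real deployment the CredID comparison would be replaced by whatever the identity store exposes for detecting reuse, and the inventory would come from the directory rather than a literal.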
Combining this advice and other widely recognized best practices, such as password managers and single sign-on, with the reality of the threat landscape remains difficult for defenders.
“We’ve made the whole process of marrying all these different technologies really, really complex,” Rapid7 CSO Jaya Baloo said, with unfulfilled fundamentals of cybersecurity, such as taking care of credentials, showing up again and again when things go wrong.
“There are a lot of cases where we’re still not doing the basics,” said Palmore. “There are a lot of organizations that are not doing the blocking and tackling right.”
The slow push for a password-less future
Efforts to expand cryptographically secured access and rid the world of passwords are underway, but change is difficult and the task is extraordinary.
Some approaches, such as phishing-resistant MFA, which is based on cryptographic techniques such as an asymmetric public/private key pair, biometrics or the FIDO2 standard, can offer higher levels of assurance.
A passwordless standard developed by the FIDO Alliance, passkeys for short, is also gaining support and momentum.
“Virtually every company that you would want working together to try to solve the password problem is working together in this body,” Shikiar said.
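To make concrete why an asymmetric key pair resists phishing where a password does not, here is an added Go example that is not part of the article and is not FIDO Alliance code: it reduces a FIDO2/WebAuthn login to a key that signs a server challenge bound to the origin the browser reports, and a relying party that verifies against the origin it knows it owns. The origins, the message layout, and the Authenticator and RelyingParty types are simplifications chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models a FIDO2-style security key: one key pair per
// relying-party origin, and the private key never leaves the device.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey
}

// Register creates a credential scoped to the origin the browser reports and
// hands back only the public key for the relying party to store.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // system randomness unavailable; nothing sensible to do
	}
	if a.creds == nil {
		a.creds = map[string]ed25519.PrivateKey{}
	}
	a.creds[origin] = priv
	return pub
}

// Assert signs the server challenge together with the origin the browser is
// actually connected to. A look-alike domain has no credential, so the key
// refuses before anything is signed.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[origin]
	if !ok {
		return nil, errors.New("no credential for origin " + origin)
	}
	return ed25519.Sign(priv, signedMessage(origin, challenge)), nil
}

// signedMessage binds the challenge to the origin; a simplified stand-in for
// the hash of WebAuthn's clientDataJSON.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// RelyingParty is the legitimate site; it keeps the public key and its own origin.
type RelyingParty struct {
	Origin string
	pub    ed25519.PublicKey
}

// NewChallenge returns 32 fresh random bytes per login, so a captured
// signature cannot be replayed later.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify rebuilds the message with the origin the RP knows it owns, never one
// supplied by the client, so a signature made for another domain fails.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.pub, signedMessage(rp.Origin, challenge), sig)
}

// Demo runs three cases and reports each outcome by name.
func Demo() map[string]bool {
	const realOrigin = "https://login.example.test"  // constructed sample origin
	const phishOrigin = "https://login-examp1e.test" // constructed look-alike
	auth := &Authenticator{}
	rp := &RelyingParty{Origin: realOrigin, pub: auth.Register(realOrigin)}
	res := map[string]bool{}

	// 1. Normal login: a challenge signed under the real origin verifies.
	ch := rp.NewChallenge()
	sig, err := auth.Assert(realOrigin, ch)
	res["legit_login_ok"] = err == nil && rp.Verify(ch, sig)

	// 2. A phishing page relays the real challenge, but the browser reports
	//    the phishing origin and the key holds nothing for it.
	ch2 := rp.NewChallenge()
	_, err = auth.Assert(phishOrigin, ch2)
	res["phish_refused_by_key"] = err != nil

	// 3. Worst case: the same key somehow enrolled for the look-alike. The
	//    signature then covers the wrong origin and the RP still rejects it.
	auth.creds[phishOrigin] = auth.creds[realOrigin]
	sig3, err := auth.Assert(phishOrigin, ch2)
	res["relayed_signature_rejected"] = err == nil && !rp.Verify(ch2, sig3)
	return res
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-27s %v\n", k, v)
	}
}
```

The contrast with the knowledge-based factor the article describes is the second and third cases: a password typed into a look-alike page is just a string the attacker can forward to the real site, whereas here the secret never leaves the key, the browser (not the user) supplies the origin, and the relying party checks the signature against its own origin rather than anything the client claims.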
The magnitude of the challenge is enormous, requiring industry alignment behind the cause, capability across all endpoints, application and service development, and widespread user adoption.
Several CISOs interviewed by Cybersecurity Dive expressed interest in going password-free in their organizations. However, since many critical systems do not support this authentication protocol and may never support it, the path to passwordless will have to wait for newer generations of technology and infrastructure.
“I don’t know if we’ll ever get 100 percent to a point where we feel validated” that an identity accessing a company and its information is completely infallible, said Gary Barlet, Federal Field CTO at Illumio.
“I try to live in the real world,” Barlet said, “not the ideal world.”