Password security to prevent data breaches

 
In the wake of a rise in data breaches, ensure controls are in place to centrally secure, manage and monitor access to your infrastructure and data (on-premises, wired, wireless and cloud-based): prevent data breaches with enterprise password security.

By Paul Rummery, SecureNet Consulting  

Blog summary: SecureNet Consulting reviews why password management and security are fundamental to a cyber security strategy for protecting the business and its data. We review the challenges, who has fallen prey to inadequate processes and systems, and how your data could be compromised through poor password security, and then take a look at the features and benefits of password security solutions.


Password Security Challenges 




Passwords are by far the most frequently used method for user authentication.

Audit and compliance standards worldwide recognise the risks of data breaches caused by cracked passwords and lost or stolen credentials.

In response, compliance requirements have risen to the top of the agenda for IT management with the new EU General Data Protection Regulation (GDPR); such standards put a strong emphasis on access and privileged-user password management, including tracking and auditing users.



Are you drowning in a pile of privileged passwords? 

Do you store administrative passwords in spreadsheets & flat files?

Do you find it difficult to track who has access to which accounts?

Do you still log on to each application separately to periodically change passwords?



Administrative / privileged passwords are everywhere in enterprises: servers, databases, switches, routers, firewalls and any other hardware or software. Historically, these passwords have been stored insecurely in spreadsheets, text files and even printouts, and shared among a group of administrators.

Equally, the number of logins and passwords that employees must manage on a daily basis continues to be a source of frustration and lost productivity. Employees must remember login information for numerous applications. Many of these applications require different user names and passwords, different password complexity requirements, and forced password changes in shorter intervals. The number of logins that an employee must manage grows with the deployment of each additional business application. The corporate help desk often endures the process of restoring lost or forgotten login information for an employee.

These factors together contribute to security risks and increase help desk costs that few organisations can afford not to address.

 

Industry examples of breaches caused by passwords


Yahoo, Adult Friend Finder, LinkedIn, Tumblr and Dailymotion, Verizon, The AA, Virgin Media, Wonga, Dropbox, Twitter, and many more.




Ways in which systems are compromised by passwords


According to an IDC report, up to 70% of security breaches have been due to the cracking of weak passwords or the use of lost or stolen user login credentials.

What is more alarming is that a large percentage of the breaches were not detected for over one week.

The time between a breach and its discovery is where the real damage from a cyber attack occurs. Hackers can exploit stolen credentials to install malware on an employee’s computer and in your network. The malware can extract sensitive information before you know your system has been compromised.


  • Poor password policies
  • Poor employee / user education
  • Poor password strength
  • Dictionary attacks / hacks
  • Insecure storage of passwords inviting security threats
  • Uncontrolled super-user privileges
  • No role-based access control; internal controls become fragile
  • No provision for enforcing standard password practices/policies
  • No centralised control
  • Social engineering
  • Phishing attack (luring users with malicious websites, via website click buttons, email links)
  • Malicious software installed on users' devices, which ends up on the corporate network
  • Malicious mobile apps


Enterprise Password Security Management Solution Benefits



* Solve ‘password sprawl’ and secure users accessing the corporate network, cloud and mobile applications.

* Empower users, reduce support costs and strengthen security

* Meet security audits and regulatory compliance such as SOX, HIPAA and PCI

* Protect against external and insider threats

* Gain visibility into the scope of privileged accounts across your estate, to more effectively address risk


* Change privileged identities faster than attackers can exploit them

* Secure access for suppliers, contractors, database and network administrators, and employees

* Secure on-premises and cloud-based applications and systems

* Reduce your attack surface and, with it, your breach risk

* Improve password security for privileged users

* Automate password change management

* Eliminate security lapses and password fatigue

* Alert on privileged account credential changes

* Reduce operational costs by reducing help desk calls for password resets

* Improve end-user productivity and satisfaction by reducing time spent locked out of accounts

* Strengthen security through consistent enforcement of password policy

* Unify and centralise password management across data center, cloud, and mobile resources





Password Security Recommendations


  • Change passwords every three months at the very least (although contradictory advice from a recent NIST conference recommends no more periodic password changes. This is a huge change of policy, as it removes a significant burden from both users and IT departments. It has been clear for a long time that periodic changes do not improve password security but only make it worse; you decide for yourself).
  • Passwords should contain at least nine characters. Even a weak nine-character password will take four months to crack.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Passwords should contain a combination of letters, numbers and symbols.
  • They should contain a combination of uppercase and lowercase letters.
  • Eliminate character-composition requirements. This is a nice idea in the abstract, but Microsoft and others (Bruce Schneier, for example) have found that, when confronted with password complexity requirements, people fall into a few recognisable patterns that password cracking programs exploit. For example, it turns out that a typical password consists of a root that’s usually something pronounceable plus a suffix such as a number. And yes, they know that you’re using “$” for “s”, “!” for “i”, etc.
  • The new password must not match any of the employee’s previous passwords.
  • Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, yankees, and so on. More research needs to be done into how to choose and use your “banned list”.
  • No password hints
  • Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”
  • Turn on multi-factor authentication wherever you can. Authentication can be something you know (password), something you have (smart card, token, or mobile device app), or something you are (fingerprint). Using a user's smartphone as a second factor means an attacker would need access to the target's device as well as their login details.
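Several of the recommendations above (a nine-character minimum, no character-composition rules, a banned list checked after undoing the "$"-for-"s" style substitutions, and no reuse of previous passwords) can be enforced in one policy check. The following is an added example, not code from the original post or from SecureNet Consulting; the banned list, the substitution table and the use of salted PBKDF2 hashes for the password history are assumptions.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 9
# Constructed banned list; a real deployment would load a far larger one.
BANNED = {"changeme", "thisisapassword", "yankees", "password", "letmein"}
# Substitutions that cracking tools already account for ("$" for "s", "!" for "i", ...).
LEET = str.maketrans({"$": "s", "!": "i", "@": "a", "0": "o", "1": "l", "3": "e", "4": "a"})
PBKDF2_ROUNDS = 100_000


def normalise(password):
    """Reduce a password to its root: drop a trailing number/symbol suffix, then undo
    common substitutions, so 'Y@nkees2017!' is checked as 'yankees'."""
    root = re.sub(r"[\d\W_]+$", "", password.lower())
    return (root or password.lower()).translate(LEET)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 hash, suitable for keeping a password history."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_previous(password, history):
    """True if the candidate equals any previously used password (compared by hash)."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_password(password, history=()):
    """Return the policy violations for a candidate password (empty list = accepted).
    There is deliberately no character-composition rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(password) in BANNED:
        problems.append("matches a banned password after normalisation")
    if matches_previous(password, history):
        problems.append("reuses a previous password")
    return problems
```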



Solution features you can expect from password management solutions


SecureNet Consulting helps organisations meet the strictest audit and IT compliance requirements by identifying and provisioning the best password security management solutions, along with technical engineering and support resources.


Password security and management solutions control administrative and user access to a wide range of systems and infrastructure, from applications, operating system accounts, databases and middleware to network devices and SaaS / cloud applications.



 
Automated password management & recovery
Automatically reset the passwords of servers, databases, network devices, cloud platforms and other resources without impact to applications or downtime.

Video record & audit
Video record and audit all privileged access, and get a complete record of all actions.

Privileged user password management
Randomise password credentials: discover each credential, replace it with a unique value, and randomise it on a regular basis or in response to anomalous behaviour.

Discover default passwords
When new devices are deployed with default passwords that could make your network vulnerable, discover and secure these credentials.

Control access
Control access to IT resources and applications based on roles and job responsibilities.

Securely share
Securely share administrative passwords with the members of your team on a need-to-know basis.

Eliminate hard-coded passwords
Remove embedded passwords and data source credentials from scripts, application code and configuration files, and SSH keys from servers, making them inaccessible to attackers and malicious users.

Self-service password reset
Enterprises with many users and complex organisations need flexible and scalable password solutions. Self-service features help reduce calls to your IT help desk by allowing employees to reset their own passwords securely.

Reset passwords upon check-in
Reset passwords upon check-in, to help eliminate password theft and reuse.

Securely rotate application passwords
Application passwords and SSH keys can be automatically rotated based on policy without impact to application performance or downtime.

Discover, store & organise
Store and organise all your privileged identities in a centralised vault.

Two-factor authentication
Built-in authentication system, or integration with leading vendor solutions.

Manage cloud identities
Manage identities on a wide range of cloud platforms, including Office 365, Azure Active Directory, Amazon AWS, IBM SoftLayer, Rackspace and Force.com.

Password expiry reminders
Remind users automatically about soon-to-expire passwords by email or SMS.
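Eliminating hard-coded passwords, as described in the feature list above, starts with finding them in scripts and configuration files. This added example (not code from the original post or from any product mentioned) scans a constructed config fragment and reports lines that carry a literal credential while accepting references to environment variables or a vault; the detection patterns and the accepted reference forms are assumptions.

```python
import re

# Constructed detection patterns for credentials embedded in scripts and config files.
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']?(?P<value>[^\"'\s]+)")),
    ("url", re.compile(r"(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@")),
    ("private key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")),
]
# Values that point at an environment variable or a vault reference are what should
# replace the literals, so they are not reported (assumed reference forms).
SAFE_VALUE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|%[A-Z_]+%|os\.(environ|getenv)|vault:)")


def find_hardcoded_credentials(text):
    """Return (line_number, kind) for each line that appears to embed a literal credential.
    The secret itself is never copied into the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("value") or ""
            if not SAFE_VALUE.match(value):
                findings.append((lineno, kind))
            break  # the first matching pattern decides for this line
    return findings


# Constructed config fragment used as sample input.
SAMPLE_CONFIG = """\
# application settings (constructed example)
db_host = db01.example.internal
db_password = "Summ3r2017!"
api_key = ${API_KEY}
export TOKEN=vault:secret/app/token
conn = postgres://app:hunter2@db01.example.internal/app
"""

if __name__ == "__main__":
    for lineno, kind in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: hard-coded {kind} credential")
```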




Closing thoughts

As with all IT / cyber / data / infrastructure security, no single solution is a silver bullet for security problems.

Integrating enterprise password management with identity-based access control, two-factor authentication and single sign-on is a more desirable, holistic approach to the access-breach and human-error risks behind the data and network breaches we hear so much about in the news.

Despite these sensible measures, CESG advocates a simpler approach in a new guide:
(https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf)

The advice aligns with that given by the US organisation NIST in a Guide to Password Management from 2009.

Both organisations recommend making users responsible for password security while acknowledging the natural limitations of human users. When password policies become too demanding, many users will defend themselves with their own ways of coping, such as using sticky notes or inventing their own password rules, which actually reduces the secrecy of their passwords.

Who decides your organisation's security and data protection? We say: implement comprehensive solutions that will scale to grow with you into the future, ease IT administration and allay executive worries and fears by tightening your IT security posture and policies.




Related solution reading

- Password management as a cloud-based service
- Identity based access control
- Malware / phishing protection
- Two factor authentication
- Single-sign-on
- Security training





Contact SecureNet Consulting today for solutions advice, engineering, support, professional services and proof of concept resources for password security and management.
 


