Be Legendary Podcast promo

Security has an underlying defect: passwords and authentication

There is something fundamentally wrong with cybersecurity. Passwords and credentials remain the most common method used to control access today, as they have for the last six decades, but they are untrustworthy for defense and hatred runs deep.

Access control has always been a derivative of some weird, old model, Netenrich CISO Chris Morales says, and he hates passwords — big time.

“For all the money and things we do that are cool, our entire security collapses on a sh–ty password,” he said.

“The problem we have is that the access is all or nothing and that password is something you know,” Morales said. “So if you know something, you’re deemed trustworthy and you can go get everything.” 

There is broad recognition for the more than three dozen cybersecurity leaders Cybersecurity Dive spoke with that access is a severely broken system. Yet, businesses can’t do much without passwords and identity in their most common forms today.

This problem isn’t new — it’s older than the internet. Poor identity governance is a chronic condition.

“I think identity is in some cases the whole ballgame,” MK Palmore, director of the office of the CISO at Google Cloud, told Cybersecurity Dive.

Glut of credentials

If access is fundamental to the structure of systems, passwords are the connective tissue that hold everything together.

It’s not uncommon for organizations to use thousands of applications and services to get things done. The average large business uses 367 software applications and systems, according to Forrester.

Each of these is likely tied to a username and password, though single sign-on is taking hold.

This glut of credentials feeds a collective of identity and access management systems, including password managers, single sign-on services, multifactor authentication and other tools designed to verify identity and enforce permissions.

“For all the money and things we do that are cool, our entire security collapses on a sh–ty password.”

Chris Morales Netenrich

Chris Morales

Netenrich CISO

Cybersecurity experts generally refrain from calling out the efficacy of password managers or MFA because these tools, however fallible, still strengthen an organization’s security posture.

These tools simplify access for users, and they concentrate risk for organizations. Multiple, far-reaching attacks in the last year serve a cautionary tale.

A sustained attack against LastPass went undetected for months and became one of the most high-profile security blunders of 2022 when a cloud-based backup of all customer vault data, including encrypted passwords and usernames, was stolen by a still-unidentified threat actor.

The attack underscored the crux of this plight for defenders.

Phishing and the exploitation of stolen or compromised credentials remain the two most prevalent attack vectors, accounting for 3 in 10 breaches, according to IBM Security’s “Cost of a Data Breach Report.”

Credential manipulation and credential-based attacks are a crisis, according to LastPass CEO Karim Toubba. “By virtue of the data we hold, we’re going to have a pretty juicy target on our back [in] perpetuity,” Toubba told Cybersecurity Dive.

LastPass isn’t alone in that regard.

The single sign-on provider Okta got hit by a phishing attack, a breach and had its GitHub source code stolen last year. Twilio’s widely used two-factor authentication service was compromised last summer when multiple employees were duped into providing their credentials to threat actors.

“Whenever you centralize something, you give a good target,” said Michael Sikorski, CTO and VP at Palo Alto Networks’ Unit 42. “The crown jewels are in one place.”

Identity abuse cracks system integrity

Authentication shortcomings fuel cyberattacks and bad things can and will happen when access is granted to unauthorized users.

Threat actors cause all kinds of havoc — data theft, ransomware and extortion campaigns — when they gain what appears to be legitimate access to enterprise systems.

“All these breaches, all these attacks, the vast majority of them come back to weak knowledge-based credentialing, especially user authentication and passwords,” FIDO Alliance Executive Director Andrew Shikiar said.

“The fundamental problem is the primary authentication factor, which is the password,” Shikiar said. “We’ve been relying on this unfit method for user authentication for 60 years.”

The binary mechanism passwords apply to approve or deny access underscores the root of the problem.

Source link

About The Author

Scroll to Top