There is something fundamentally wrong with cybersecurity. Passwords and credentials remain the most common method used to control access today, as they have for the last six decades, but they are untrustworthy for defense and hatred runs deep.
Access control has always been a derivative of some weird, old model, Netenrich CISO Chris Morales says, and he hates passwords — big time.
“For all the money and things we do that are cool, our entire security collapses on a sh–ty password,” he said.
“The problem we have is that the access is all or nothing and that password is something you know,” Morales said. “So if you know something, you’re deemed trustworthy and you can go get everything.”
There is broad recognition for the more than three dozen cybersecurity leaders Cybersecurity Dive spoke with that access is a severely broken system. Yet, businesses can’t do much without passwords and identity in their most common forms today.
This problem isn’t new — it’s older than the internet. Poor identity governance is a chronic condition.
“I think identity is in some cases the whole ballgame,” MK Palmore, director of the office of the CISO at Google Cloud, told Cybersecurity Dive.
Glut of credentials
If access is fundamental to the structure of systems, passwords are the connective tissue that hold everything together.
It’s not uncommon for organizations to use thousands of applications and services to get things done. The average large business uses 367 software applications and systems, according to Forrester.
Each of these is likely tied to a username and password, though single sign-on is taking hold.
This glut of credentials feeds a collective of identity and access management systems, including password managers, single sign-on services, multifactor authentication and other tools designed to verify identity and enforce permissions.
“For all the money and things we do that are cool, our entire security collapses on a sh–ty password.”
Cybersecurity experts generally refrain from calling out the efficacy of password managers or MFA because these tools, however fallible, still strengthen an organization’s security posture.
These tools simplify access for users, and they concentrate risk for organizations. Multiple, far-reaching attacks in the last year serve a cautionary tale.
A sustained attack against LastPass went undetected for months and became one of the most high-profile security blunders of 2022 when a cloud-based backup of all customer vault data, including encrypted passwords and usernames, was stolen by a still-unidentified threat actor.
The attack underscored the crux of this plight for defenders.
Phishing and the exploitation of stolen or compromised credentials remain the two most prevalent attack vectors, accounting for 3 in 10 breaches, according to IBM Security’s “Cost of a Data Breach Report.”
Credential manipulation and credential-based attacks are a crisis, according to LastPass CEO Karim Toubba. “By virtue of the data we hold, we’re going to have a pretty juicy target on our back [in] perpetuity,” Toubba told Cybersecurity Dive.
LastPass isn’t alone in that regard.
The single sign-on provider Okta got hit by a phishing attack, a breach and had its GitHub source code stolen last year. Twilio’s widely used two-factor authentication service was compromised last summer when multiple employees were duped into providing their credentials to threat actors.
“Whenever you centralize something, you give a good target,” said Michael Sikorski, CTO and VP at Palo Alto Networks’ Unit 42. “The crown jewels are in one place.”
Identity abuse cracks system integrity
Authentication shortcomings fuel cyberattacks and bad things can and will happen when access is granted to unauthorized users.
Threat actors cause all kinds of havoc — data theft, ransomware and extortion campaigns — when they gain what appears to be legitimate access to enterprise systems.
“All these breaches, all these attacks, the vast majority of them come back to weak knowledge-based credentialing, especially user authentication and passwords,” FIDO Alliance Executive Director Andrew Shikiar said.
“The fundamental problem is the primary authentication factor, which is the password,” Shikiar said. “We’ve been relying on this unfit method for user authentication for 60 years.”
The binary mechanism passwords apply to approve or deny access underscores the root of the problem.
Access may not be the first line of defense in all scenarios, Cloudflare CEO Matthew Prince said, but “it’s the most important line of defense because it makes all of the other security problems that we worry about much more manageable.”
Business is booming for credentials, which account for the vast majority, almost 90%, of assets for sale on the dark web, according to IBM Security X-Force. They sell for an average price of almost $11 per listing.
“I think identity is in some cases the whole ballgame.”
Director of the office of the CISO at Google Cloud.
The potential payoff for cybercriminals who get their hands on these credentials, which are often exposed by phishing and data leaks, is massive.
Stolen credentials are the most popular entry point for breaches, according to Verizon’s “Data Breach Investigations Report.” Compromised identities were exploited by threat actors in 4 in 5 of all breaches studied by CrowdStrike during the last year.
Threat actors are hitting critical infrastructure with valid account credentials, too. They were responsible for more than half of all attacks against critical infrastructure organizations in fiscal year 2022, according to the Cybersecurity and Infrastructure Security Agency.
System access and identity are vital and everyone knows it, attackers and defenders alike.
“Identity and access management is by far the most important component of cybersecurity because it’s the nucleus of cybersecurity. That’s where it starts,” Keeper CEO and Co-Founder Darren Guccione said.
Organizations can limit risk by design
Limiting risks posed by identity pitfalls might be more realistic than altogether eliminating passwords in the near term, but that comes down to permissions and that too is fraught with complications.
Access to IT infrastructure is still far too broad and privileged accounts are given away without much consideration, said John Dwyer, head of research at IBM Security X-Force.
Ransomware is successful because threat actors exploit this flat architecture, and yet, “the best practices have been not to do any of those things for my entire career,” Dwyer said.
Permissioning access to systems is complex but it needs to be recognized as one of the new basics of cybersecurity, according to Kelly Shortridge, senior principal engineer in the CTO office at Fastly.
Organizations that adhere to this practice can design their systems to curtail the impact of a threat actor getting a developer’s credential, and reorient their defense strategy around resilience, Shortridge said.
“Failure is inevitable, it’s also happening all the time,” Shortridge said. “We need to be able to prepare for it,” respond gracefully and adapt to evolving conditions.
Cybersecurity authorities avow the benefits of IAM while simultaneously warning organizations about the host of problems manifesting in these policies and tools.
“We’ve made that entire process of marrying all of these different technologies really, really complex.”
Identity governance and alignment, infrastructure hardening, MFA and monitoring can prevent some of the most highly likely threats, according to CISA and the National Security Agency.
CISA’s voluntary cybersecurity performance goals also encourage organizations to mitigate account security risks by changing default passwords, separating user and privileged credentials, revoking unnecessary access, supporting MFA and requiring long and unique passwords.
Pairing that advice and other widely recognized best practices, such as password managers and single sign-on, with the reality of the threat landscape remains difficult for defenders.
“We’ve made that entire process of marrying all of these different technologies really, really complex,” Rapid7 CSO Jaya Baloo said.
Unmet basics of cybersecurity, such as taking care of credentials, turn up, time and again, when things go wrong.
“There’s many instances where we’re still not doing the basics,” Palmore said. “There’s lots of organizations that aren’t doing the blocking and tackling correct.”
The slow push for a passwordless future
Efforts to broaden the encryption of access and rid the world of passwords are afoot, but change is hard and the task is extraordinary.
Some endeavors such as phishing-resistant MFA, which rely on cryptographic techniques such as an asymmetric pair of public and private keys, biometrics or the FIDO2 standard, can deliver higher levels of assurance.
A passwordless standard developed by the FIDO Alliance, passkeys for short, is also gaining support and momentum.
“Virtually every company that you’d want to have working together to try to solve the password problem is working together in this body,” Shikiar said.
The magnitude of the challenge is vast, requiring industry alignment behind the cause, capability across all endpoints, development in apps and services, and widespread user adoption.
“The fundamental problem is the primary authentication factor, which is the password. We’ve been relying on this unfit method for user authentication for 60 years.”
FIDO Alliance Executive Director
Multiple CISOs Cybersecurity Dive interviewed expressed interest in going passwordless across their organizations. However, because many critical systems don’t and may never support this authentication protocol, the path to passwordless will have to wait until newer versions of technology and infrastructure emerge.
“I just don’t know that we’re ever going to 100% get to a point where we feel validated” that an identity accessing an enterprise and its information is completely foolproof, said Gary Barlet, federal field CTO at Illumio.
“I try to live in the real world,” Barlet said, “not the ideal world.”