By: Torsten George, cybersecurity evangelist, Centrify
The world has been faced with numerous life lessons in 2020, but it’s clear that millions of people still haven’t learned one of the most basic. A new NordPass report has unveiled that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack, passwords. Out of the 200 top passwords, ‘123456’ took the number one spot, but unfortunately for the 2 million+ people using it, it can be broken in less than a second. Other popular passwords included ‘iloveyou’ and the ever-so-creative ‘password.’
When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using weak, default, stolen, or otherwise compromised credentials. Compromised corporate email credentials like the ones found in this round of C-suite email hacks can be extremely valuable for cybercriminals and monetized in many different ways, including:
Espionage – Many C-suite emails contain sensitive information that can be used for personal gain by selling the content to interested parties (e.g., selling M&A or customer information to a competitor).
Ransom – Many C-suite emails contain sensitive information that can be used for personal gain by requesting a ransom from the victim in exchange for not publishing the email content.
CEO Fraud – This type of attack targets executives to steal their access credentials, often to commit financial fraud by subsequently tricking employees to authorize fraudulent wire transfers or gain access to W-2 information.
Regular Spear Phishing Attacks – These types of attacks are more sophisticated, whereby the threat actor customizes the attack email with the target’s name, job title, company, and other personal information to make the recipient believe they have a connection to the sender.
It’s more critical than ever before that organizations and consumers alike put credential best practices at the top of their New Year’s resolution lists. Our top advice includes:
Utilize multi-factor authentication (MFA). At an absolute minimum, it’s essential to utilize multi-factor authentication (MFA) wherever possible. This approach requires an extra step to verify your identity beyond a username and password using something you know (like a text code), something you have (like a smartphone), or something you are (like a face or fingerprint scan). This prevents scammers from gaining access, even if they acquire your login details.
Organizations should enforce the use of password managers for employees. A password manager is an easy way to ensure employees are using complex passwords. Some solutions will also advise the user if one of the passwords has potentially been compromised in a data breach and prompt them to change it immediately.
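The breach-check feature described above is usually built on k-anonymity range queries: the client hashes the candidate password, sends only the first five hex characters of the hash to the lookup service, receives every hash suffix in that bucket, and finishes the comparison locally, so the full password hash never leaves the device. The following is an added example, not code from the article or from any vendor; the breach corpus and its counts are constructed sample values, and the range service is simulated in-process.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample corpus: the counts are made-up illustration values,
# not real breach statistics. Entries mirror the weak passwords the article names.
CONSTRUCTED_BREACHES: Dict[str, int] = {
    "123456": 2_000_000,
    "password": 1_500_000,
    "iloveyou": 800_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form used by range-query services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breaches: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the corpus by the first five hex characters of each hash (the k-anonymity bucket)."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in breaches.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHES)


def range_lookup(prefix: str) -> Dict[str, int]:
    """Simulated server side: it only ever sees the 5-char prefix and returns the whole bucket."""
    if len(prefix) != 5:
        raise ValueError("range queries carry exactly five hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally. Returns 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = range_lookup(prefix)
    return bucket.get(suffix, 0)


def evaluate_password(password: str, min_length: int = 12) -> Tuple[bool, List[str]]:
    """Policy check a password manager might run: minimum length plus breach-corpus exposure."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = breach_count(password)
    if count:
        problems.append(f"appears {count} times in the breach corpus; change it immediately")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("123456", "iloveyou", "a long constructed passphrase 42"):
        ok, why = evaluate_password(candidate)
        print(f"{candidate!r}: {'acceptable' if ok else 'rejected'} {why}")
```

The design point is in `breach_count`: the only value that crosses the trust boundary is the five-character prefix, which maps to many unrelated hashes, so the lookup service learns neither the password nor its full digest. A real deployment would replace `range_lookup` with an HTTPS call to a range-query endpoint; the local prefix/suffix split stays the same.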
Have a more focused security strategy. For enterprises, less is more. Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented on purchasing the highest reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?
Adopt a “Zero Trust” approach. Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. An identity-centric security approach based on Zero Trust principles re-establishes trust, and then grants least privilege access just-in-time based on verifying who is requesting access, the context of the request, and the risk of the access environment. Organizations must assume that bad actors are in the network already, and consumers must realize they’re constant targets.
In 2021, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as multi-factor authentication (MFA), a focused security strategy, and password managers, to stay ahead of the security curve and leave weak passwords behind for good.
About Torsten George
Torsten George is currently a cybersecurity evangelist at Centrify, which helps organizations secure privileged access across hybrid and multi-cloud environments. He also serves as a strategic advisory board member at vulnerability risk management software vendor NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive-level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).