A recent article by Security Week explains that hackers no longer “hack in” to systems; instead, cyber criminals gain access through weak, stolen or compromised passwords. This unauthorized use of passwords or credentials, known as “privileged credential abuse”, often gives attackers a “path of least resistance” into target organizations.
As organizations continue to suffer breaches, it is becoming clear that proper security measures are not in place. Companies often spend most of the security budget on protecting the network perimeter when they should instead focus on preventing privileged access abuse.
A survey by Centrify found that “52% of respondents said they do not have a password vault, and 21% still have not implemented multi-factor authentication (MFA) for privileged administrative access.” Password protection tools of this kind help thwart targeted attacks against an organization. Another article, on ZDNet, reports that Microsoft users who enable MFA are 99.9% less likely to have their credentials compromised, and argues that passwords, and their level of complexity, no longer really matter.
Below are three best practices to apply when reviewing how an organization handles credentials:
- You need more than a password: As breaches keep occurring, static passwords are not enough and cannot be trusted to protect your systems; you never know who is trying to access them. Every organization should therefore adopt multi-factor authentication as an extra layer of protection.
- Stronger security strategy: Companies in every industry need to reassess how their security budget is spent and ensure the right resources are in place. A more focused strategy and approach puts the correct controls in place to control movement inside the network.
- Zero Trust Privilege: Users with access to accounts holding sensitive information should not be trusted automatically; they must first be verified and validated. “Accounts with access to sensitive data should be given the ‘least amount of privilege’ and only for the period of time it is needed, then it should be revoked.” This model ensures all services are “authenticated, authorized and encrypted.”
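The time-boxed, least-privilege model in the third practice, as an added example that is not from the article or the surveys it cites: a small deny-by-default privilege ledger in Python in which elevation requires a verified second factor, lasts only for a stated window, and can be revoked early. The class and role names (`PrivilegeLedger`, `db-admin`) and all timestamps are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    principal: str
    role: str
    expires_at: float   # constructed epoch-seconds timestamp; grant is dead after this
    revoked: bool = False

class PrivilegeLedger:
    # Deny-by-default ledger of time-boxed privilege grants (hypothetical design).
    def __init__(self):
        self._grants, self.audit = [], []   # audit records every grant, revocation, denial
    def grant(self, principal, role, ttl_seconds, now, mfa_verified):
        # Elevation is issued only to a principal that passed a second factor.
        if not mfa_verified:
            self.audit.append(("grant_denied", principal, role, "mfa_required"))
            return None
        g = Grant(principal, role, now + ttl_seconds)
        self._grants.append(g)
        self.audit.append(("granted", principal, role, g.expires_at))
        return g
    def revoke(self, principal, role, now):
        # Explicit revocation closes the window early (task done, or an incident).
        for g in self._grants:
            if g.principal == principal and g.role == role:
                g.revoked = True
        self.audit.append(("revoked", principal, role, now))
    def is_authorized(self, principal, role, now):
        # Allowed only while a live, unrevoked grant for exactly this role exists.
        for g in self._grants:
            if (g.principal == principal and g.role == role
                    and not g.revoked and now < g.expires_at):
                return True
        self.audit.append(("access_denied", principal, role, now))
        return False

def demo():
    ledger = PrivilegeLedger()
    ledger.grant("alice", "db-admin", ttl_seconds=900, now=1000.0, mfa_verified=True)
    ledger.grant("carol", "db-admin", ttl_seconds=900, now=1000.0, mfa_verified=True)
    no_mfa = ledger.grant("bob", "db-admin", ttl_seconds=900, now=1000.0, mfa_verified=False)
    ledger.revoke("carol", "db-admin", now=1200.0)
    return {
        "alice_in_window": ledger.is_authorized("alice", "db-admin", now=1500.0),
        "alice_after_expiry": ledger.is_authorized("alice", "db-admin", now=1900.0),
        "bob_without_mfa": no_mfa is None,
        "carol_after_revoke": ledger.is_authorized("carol", "db-admin", now=1300.0),
        "denials_logged": sum(1 for e in ledger.audit if e[0].endswith("denied")),
    }
```

The audit list is what a detection team would feed into monitoring: a burst of `access_denied` events after expiry or revocation is a signal that something is still trying to use a credential it no longer holds.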
As cyber breaches continue to occur, more and more passwords and credentials are stolen. Many of these breaches could be prevented if organizations refocused their cyber security budget on the highest-priority threats, including privileged credential abuse.