Reality Check: How Adversaries Use Unsecured Passwords to Crack into Enterprise Systems

19 January 2021

By: Mohie Ahmed

Weak passwords have long been the Achilles' heel of IT teams, and despite good intentions, corporate policies, user education, and workarounds, passwords are not going away any time soon. There is some buzz around password-less access, but there are good arguments that passwords should still play a fundamental role in authenticating access.

While biometrics, facial and fingerprint scanning will improve security in the future, a password is personal and portable and cannot be taken from its owner – unless it is easily guessed or stolen.

It is the combination of passwords and multi-factor authentication (including biometric factors) that dramatically reduces the odds of an infrastructure takeover or asset theft.

Passwords continue to get the most press when it comes to breaches, whether those passwords are shared accidentally or intentionally, or stolen outright. Until advanced access technologies (iris scanning, facial recognition, voice biometrics, fingerprints, etc.) are affordable and manageable at scale, passwords are here to stay.

For end users, passwords are easy (or should be). That simplicity, combined with their ubiquity, is what makes passwords attractive to cybercriminals, who have several approaches, including these top five:

  1. Phishing, a social engineering attack that tricks users into entering their credentials into what they believe is a genuine request from a legitimate site or vendor.
  2. Credential Stuffing, which replays username and password pairs from stolen databases or breach lists against many other services, relying on password reuse to find a match.
  3. Password Spraying, which tries a short list of commonly used passwords (123456, ABCDEF, password, password123, birthdays, telephone numbers and the like) against many user accounts, a few attempts per account, so that it stays under per-account lockout thresholds.
  4. Keylogging, which records the keystrokes typed on a keyboard and has been used to take over bank accounts, digital wallets, eCommerce accounts, and more.
  5. Targeted, manual "brute force" guessing, often used against individuals whose passwords are easier to guess from their social media activity, relationships, and other public information.
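Items 2, 3 and 5 leave a recognisable footprint in authentication logs, and telling them apart matters because the response differs (a sprayed account with a later success is compromised; a brute-forced account may just need a lockout). The example below is added here and is not code from the original post or from Ironsphere; it runs over a constructed log in an assumed "timestamp source-IP username OK|FAIL" format and labels each source as spraying (many accounts, few attempts each), brute force (many attempts on one account) or benign, then lists accounts where an attacking source later logged in successfully. The thresholds and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). The
# assumed line format is "<ISO timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2021-01-19T08:00:01 203.0.113.7 alice FAIL
2021-01-19T08:00:02 203.0.113.7 bob FAIL
2021-01-19T08:00:03 203.0.113.7 carol FAIL
2021-01-19T08:00:04 203.0.113.7 dave FAIL
2021-01-19T08:00:05 203.0.113.7 erin FAIL
2021-01-19T08:00:06 203.0.113.7 frank FAIL
2021-01-19T08:00:07 203.0.113.7 grace OK
2021-01-19T08:15:00 198.51.100.9 alice FAIL
2021-01-19T08:15:01 198.51.100.9 alice FAIL
2021-01-19T08:15:02 198.51.100.9 alice FAIL
2021-01-19T08:15:03 198.51.100.9 alice FAIL
2021-01-19T08:15:04 198.51.100.9 alice FAIL
2021-01-19T08:15:05 198.51.100.9 alice FAIL
2021-01-19T08:15:06 198.51.100.9 alice FAIL
2021-01-19T08:15:07 198.51.100.9 alice FAIL
2021-01-19T08:15:08 198.51.100.9 alice FAIL
2021-01-19T08:15:09 198.51.100.9 alice FAIL
2021-01-19T09:00:00 192.0.2.44 bob FAIL
2021-01-19T09:00:30 192.0.2.44 bob OK
"""


def parse_log(text):
    """Turn the assumed log format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "ok": result == "OK"})
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_users=5, spray_max_per_user=2,
                     brute_min_attempts=8):
    """Label each source IP as 'spray', 'brute_force' or 'benign'.

    spray:        within one window the source fails against at least
                  spray_min_users distinct accounts, at most
                  spray_max_per_user times each (stays under lockout).
    brute_force:  within one window the source accumulates at least
                  brute_min_attempts failures against a single account.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)

    labels = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        label = "benign"
        for i, start in enumerate(fails):
            # Sliding window anchored at each failure from this source.
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break          # sorted, so nothing later fits either
                per_user[e["user"]] += 1
            busiest = max(per_user.values())
            if busiest >= brute_min_attempts:
                label = "brute_force"
                break
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                label = "spray"
                break
        labels[src] = label
    return labels


def successes_from_attackers(events, labels):
    """(src, user) pairs where a source labelled spray or brute_force also
    logged in successfully: the accounts to treat as compromised."""
    return {(e["src"], e["user"]) for e in events
            if e["ok"] and labels.get(e["src"]) in ("spray", "brute_force")}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:15} {verdict}")
    print("compromised:", successes_from_attackers(evs, verdicts))
```

Grouping by source IP is the simplest key; a real deployment would also group by user-agent or ASN, since spraying from a botnet spreads one password across many source addresses and only becomes visible when you count distinct accounts per time bucket regardless of source.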

Modern password management protects organizations and the individuals in them by generating strong passwords, holding them in a vault, and rotating them as necessary, with automation that makes the process invisible to the user and less time-consuming for IT analysts.

The best way to avoid breaches due to password attacks is to identify and eliminate unsecured passwords, which, according to Verizon's 2020 Data Breach Investigations Report (DBIR), are still the main entry point for cybercriminals.

A strong password management tool like Ironsphere's Dynamic Password Controller provides granular access control that helps prevent password-related data breaches.

The Dynamic Password Controller is a password vault that stores and rotates SSH keys and passwords of privileged accounts (admin, system, root, etc.) centrally and securely.

Authorized users log in with their personal accounts, check out the credential of a privileged account, and then use it to connect to target endpoints. The Dynamic Password Controller generates searchable log records and audit trails to meet security and compliance requirements.

Our solution works with Windows, Linux, and Unix; with Oracle, PostgreSQL, MsSQL, and other databases; and with any device or application that exposes a CLI or a password-change API.
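The check-out workflow described above is what makes a shared root or admin password safe to hand out: the person gets it under their own identity, nobody else can take it at the same time, and it is rotated the moment it is handed back, so a credential that leaked from a terminal or a screenshot is already dead. The following is an added illustration of that workflow, not Ironsphere's code or an account of how the Dynamic Password Controller is implemented. It assumes an in-memory ACL mapping privileged accounts to the personal accounts allowed to use them, and stands in for "push the new password to the target system" by simply regenerating the secret locally.

```python
import secrets
import string
from datetime import datetime, timedelta


class CredentialVault:
    """Toy privileged-credential vault (illustrative, not a product's code).

    - an ACL says which personal accounts may check out which privileged one
    - a check-out is exclusive and time-limited
    - check-in, or lease expiry, rotates the secret (here: regenerate locally,
      standing in for pushing a new password to the target system)
    - every decision lands in an audit trail that never contains the secret
    """

    def __init__(self, acl, password_length=24):
        self._acl = acl          # privileged account -> set of personal users
        self._secrets = {}       # privileged account -> current password
        self._leases = {}        # privileged account -> (user, expires_at)
        self._length = password_length
        self.audit = []

    def _new_password(self):
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
        return "".join(secrets.choice(alphabet) for _ in range(self._length))

    def _log(self, action, user, account, when):
        # Deliberately records who/what/when and never the secret itself.
        self.audit.append({"when": when.isoformat(), "action": action,
                           "user": user, "account": account})

    def register(self, account, when):
        """Bring a privileged account under management with a fresh secret."""
        self._secrets[account] = self._new_password()
        self._log("register", None, account, when)

    def checkout(self, user, account, ttl, now):
        """Hand the secret to an authorised user under an exclusive lease."""
        if user not in self._acl.get(account, set()):
            self._log("checkout_denied_acl", user, account, now)
            raise PermissionError(f"{user} may not use {account}")
        holder = self._leases.get(account)
        # Another user holding a live lease blocks the check-out; the same
        # user checking out again simply extends their own lease.
        if holder and holder[1] > now and holder[0] != user:
            self._log("checkout_denied_leased", user, account, now)
            raise PermissionError(f"{account} is checked out by {holder[0]}")
        self._leases[account] = (user, now + ttl)
        self._log("checkout", user, account, now)
        return self._secrets[account]

    def checkin(self, user, account, now):
        """Release the lease and rotate, so the disclosed secret dies with it."""
        holder = self._leases.get(account)
        if holder is None or holder[0] != user:
            self._log("checkin_denied", user, account, now)
            raise PermissionError(f"{user} does not hold {account}")
        del self._leases[account]
        self._secrets[account] = self._new_password()
        self._log("checkin_rotated", user, account, now)

    def expire_leases(self, now):
        """Rotate any secret whose lease lapsed without a check-in."""
        for account, (user, expires) in list(self._leases.items()):
            if expires <= now:
                del self._leases[account]
                self._secrets[account] = self._new_password()
                self._log("lease_expired_rotated", user, account, now)


if __name__ == "__main__":
    vault = CredentialVault({"root@db01": {"alice", "bob"}})
    t0 = datetime(2021, 1, 19, 9, 0, 0)
    vault.register("root@db01", t0)
    pw = vault.checkout("alice", "root@db01", timedelta(minutes=30), t0)
    print("alice got a", len(pw), "character secret")
    vault.checkin("alice", "root@db01", t0 + timedelta(minutes=10))
    for record in vault.audit:
        print(record)
```

The two properties worth checking in any real vault are the ones the toy enforces: the secret returned by one check-out must differ from the secret returned by the next (rotation actually happened), and the audit trail must contain the identity of the personal account, the target account and the time, but never the secret.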

Contact us to learn more about how your organization can eliminate unsecured passwords and protect your data, applications, and infrastructure.
