Time to Remove the Ticking Time Bomb From Your IT Security Strategy
By Shahrokh Shahidzadeh, CEO, Acceptto
There was a time when a few dozen stolen passwords or digital credentials would send paralyzing fear into the hearts of IT security professionals, who understand better than most that it takes only one to reach sensitive data and extort millions.
Unfortunately, recent headlines announcing 500 million, and now even 773 million, stolen credentials signal a new level of “normal” in the war against cybercriminals. It means that attacks are even more frequent than we realize. The two largest data breaches of the past decade alone resulted in over half a billion compromised user records, a statistic that should frighten any IT professional. And the problem is getting worse: of the 14 largest data breaches, only one, Heartland Payment Systems’ 2008 breach, happened before 2010.
Passwords: A Human Problem?
It’s clear that adherence to outdated models drives cybersecurity concerns. 81% of hacking-related breaches in 2017 involved weak or stolen passwords (the figure reported in the 2017 Verizon Data Breach Investigations Report). Given the frequency of data breaches, we must all now operate on the assumption that it is not a matter of ‘if’ but ‘when’ we learn that our credentials and personal information have been compromised.
The continued prevalence of passwords ignores all we know about how behavior drives cybersecurity. According to web security expert Troy Hunt’s analysis of a 2018 data breach, 86% of the affected users were relying on passwords that had already been leaked in earlier breaches. Not only are users creating weak passwords in the first place, they are continuing to rely on passwords that already sit in databases available to any attacker willing to look or pay. Even when attempting to create unique passwords, users are forced into symbol and character-class restrictions that push them towards more common, easier-to-remember choices. Further, the popular password strength meters do not always catch character patterns (names, dictionary words, etc.) that are obvious to attackers, leaving users with a false sense of security and bad advice.
Passwords: Will They Ever Be Replaced?
Among security incidents, the most relevant is credential hijacking, which accounts for the majority of attacks. Because of the past focus on password complexity, organizations have increased the total cost of ownership (TCO) of password resets and help desk calls. Unfortunately, none of this has been shown to improve overall security.
Industries are past due in acknowledging that the password is taking valuable resources away from other strategic IT investments. This hyper-focus on passwords alone has compounded security risk year over year; it is now a reality that most organizations will be breached because of the lack of security work done on other fronts.
Decreasing dependency on passwords, and ultimately removing them altogether, requires initiative and sponsorship from executive leadership, and ultimately retiring the 60-year-old architecture of user directories. Solutions have been offered over the years, but the associated TCO has often made passwordless options such as smart cards, hardware tokens like the YubiKey, and biometrics (fingerprint, voice, retina, etc.) cost-prohibitive for most organizations, and some of them are vulnerable to, or suffer from, the same shortcomings as the good old binary password.
However, the good news is that in the last few years the security industry has responded to this challenge with various low-cost, easy-to-manage passwordless solutions, such as passwordless continuous authentication, where the solution constantly tracks the user’s activity before, during and after authorization to determine how likely it is that the current user is actually the authorized one. Not only do these solutions eliminate the cost associated with passwords by removing them altogether, they improve the overall security posture of any organization pre-, during and post-authorization.
Defusing a Ticking Time Bomb with a Continuous Approach
Cybersecurity professionals, whether tackling mass password breaches or a targeted phishing campaign, are working against a ticking time bomb, trying to outmaneuver the constant variable of human behavior and make their systems proof against it. It’s time to adapt systems to human behavior, not the other way around. Digital behaviors, such as how and when you access applications, the devices you use, where you are, what your data and application usage signature looks like, and the time at which you do specific things, can all form a collection of key attributes that establish the legitimacy of a claimed identity and the validity of an authentication.
Investing in a passwordless continuous authentication technique is the way forward. This technique not only makes sure you are who you say you are when you log in, but also keeps verifying that through your full online session (pre-, during and post-session):
For example, suppose an employee uses two workstations, a laptop and a desktop, from three locations with distinct IP addresses, runs a certain set of applications, and logs in at certain fixed hours; all of this can be derived as the user’s habits. If someone tried to take over that account from an unknown device, at an unknown location, at the wrong time and with a different digital hygiene from the known normal, a solution using continuous behavioral authentication would alert your system to a possible breach.
At that point, whoever was attempting to use that person’s account could be locked out, preventing them from getting into your company’s files. You could then investigate to determine whether a breach occurred or whether there was a more benign explanation. Note that a legitimate user travelling or working from a newly issued laptop produces some of the same signals, so a risk score that first triggers a step-up challenge and only locks the session at a higher threshold keeps false positives from turning into help desk calls.
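As an added illustration of the baseline-and-deviation scoring described above (a constructed example, not Acceptto’s product code), the following Python builds a per-user habit baseline from past sessions, scores a login against it, and then re-scores the session after every post-login event. The weights, the two thresholds, the three-event window and the sample sessions for the user “alice” are all assumptions chosen for the example.

```python
"""Behavioural baseline + risk scoring at login and during the session.

Constructed illustration: the weights, thresholds, window size and the
sample sessions below are assumptions made for this example.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Assumed weights: how much each unfamiliar attribute raises the risk score.
W_DEVICE, W_IP, W_HOUR, W_APPS = 0.4, 0.3, 0.2, 0.3
STEP_UP, DENY = 0.3, 0.7   # assumed thresholds on the 0..1 risk score
WINDOW = 3                  # assumed number of recent in-session events scored


@dataclass(frozen=True)
class Session:
    user: str
    device: str
    ip: str
    hour: int            # local hour of login, 0-23
    apps: frozenset      # applications touched during the session


@dataclass
class Baseline:
    devices: Counter = field(default_factory=Counter)
    ips: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)
    apps: Counter = field(default_factory=Counter)
    sessions: int = 0


def build_baselines(history):
    """Derive per-user habits (devices, IPs, login hours, apps) from past sessions."""
    baselines = defaultdict(Baseline)
    for s in history:
        b = baselines[s.user]
        b.devices[s.device] += 1
        b.ips[s.ip] += 1
        b.hours[s.hour] += 1
        b.apps.update(s.apps)
        b.sessions += 1
    return baselines


def score_session(baseline, s):
    """Return (risk, reasons). Each unfamiliar attribute adds its weight; the
    app term scales with the fraction of apps the user has never touched."""
    risk, reasons = 0.0, []
    if s.device not in baseline.devices:
        risk += W_DEVICE
        reasons.append(f"unknown device {s.device}")
    if s.ip not in baseline.ips:
        risk += W_IP
        reasons.append(f"unknown ip {s.ip}")
    # Tolerate +/-1 hour around any hour the user normally logs in at.
    usual = {(h + d) % 24 for h in baseline.hours for d in (-1, 0, 1)}
    if s.hour not in usual:
        risk += W_HOUR
        reasons.append(f"unusual hour {s.hour:02d}:00")
    if s.apps:
        unseen = sorted(a for a in s.apps if a not in baseline.apps)
        if unseen:
            risk += W_APPS * len(unseen) / len(s.apps)
            reasons.append("unseen apps " + ",".join(unseen))
    return min(risk, 1.0), reasons


def decide(risk):
    """Map a risk score to an enforcement action."""
    if risk >= DENY:
        return "deny"        # lock the session and alert the SOC
    if risk >= STEP_UP:
        return "step-up"     # demand an additional factor before continuing
    return "allow"


def continuous_check(baseline, login, events, window=WINDOW):
    """Re-score after every post-login event, as continuous authentication does.
    `events` are (hour, ip, app) tuples in order; the device is assumed to stay
    the one that logged in, so a replayed session token from another network
    shows up as an IP change. Returns (index, action) of the first event whose
    score is no longer 'allow', or None if the whole session stays clean."""
    recent = deque(maxlen=window)
    for i, (hour, ip, app) in enumerate(events):
        recent.append(app)
        probe = Session(login.user, login.device, ip, hour, frozenset(recent))
        action = decide(score_session(baseline, probe)[0])
        if action != "allow":
            return i, action
    return None


# Constructed history for one employee: two workstations, three networks,
# office hours and a fixed set of applications.
HISTORY = [
    Session("alice", "laptop-01", "10.0.1.25", 8, frozenset({"mail", "crm"})),
    Session("alice", "laptop-01", "10.0.1.25", 9, frozenset({"mail", "wiki"})),
    Session("alice", "desktop-02", "10.0.2.40", 10, frozenset({"crm", "wiki"})),
    Session("alice", "desktop-02", "10.0.2.40", 14, frozenset({"mail", "crm"})),
    Session("alice", "laptop-01", "203.0.113.7", 17, frozenset({"mail"})),
]
BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    b = BASELINES["alice"]
    attacker = Session("alice", "unknown-mac", "198.51.100.9", 3, frozenset({"payroll-export"}))
    risk, why = score_session(b, attacker)
    print(decide(risk), round(risk, 2), why)
```

A takeover attempt from an unknown device and network at 03:00 pulling an application the user never touches maxes out the score and is denied; the same device from an unfamiliar network alone only earns a step-up challenge, which is the behaviour the caveat above argues for. In `continuous_check`, a session that logged in cleanly but whose token is later replayed from a new IP against unfamiliar applications is escalated at the first such event rather than at the next login.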
Getting rid of passwords and securing access at the point of authentication, and continuously afterwards, is the key step forward in protecting against data breaches, and this paradigm shift is available now.
About the Author
Shahrokh Shahidzadeh is the CEO of Acceptto. He is a seasoned technologist and leader with 27 years of contribution to modern computer architecture, device identity, platform trust elevation, large IoT initiatives, and ambient intelligence research, with more than 20 issued and pending patents. Prior to Acceptto, Shahrokh was a senior principal technologist at Intel Corporation for 25 years in a variety of leadership positions, where he architected and led multiple billion-dollar product initiatives. Shahrokh can be reached online at https://www.linkedin.com/in/shahrokh-shahidzadeh-1187062/ or on Twitter @AccepttoCorp and at our company website http://www.acceptto.com/