Password Dependency: How to Break the Cycle

password-dependency:-how-to-break-the-cycle

The world has been taught numerous life lessons over the last couple of years, but it’s clear that millions of people still haven’t learned one of the most basic when it comes to security. A report from NordPass has revealed that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack passwords. Of the 200 most common passwords, ‘password’ took the number one spot, but unfortunately for the more than four million people using it, it can be broken in less than a second. Other popular passwords included ‘guest’ and the ever-so-creative ‘123456’. When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks. Once inside, hackers can fan out and move laterally across the network, hunting for privileged accounts and credentials that help them gain access to an organization’s most critical infrastructure and sensitive data. In fact, a study by the Identity Defined Security Alliance (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

Today’s economic climate exacerbates these cyber risks, and the impact of the COVID-19 pandemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ dependency on passwords. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments. As a result, organizations need to look beyond usernames and passwords when it comes to granting access to valuable data and critical systems. While employee education and training can help, what’s needed are additional measures to ensure secure access…which is what Zero Trust Network Access (ZTNA) provides.

ZTNA solutions create an identity- and context-based, logical access boundary around an application or a set of applications. Access is granted to users based on a broad set of factors, for instance, the device being used, as well as other attributes such as the device posture (e.g., if anti-malware is present and functioning), time/date of the access request, and geolocation. Upon assessing the contextual attributes, the solution then dynamically offers the appropriate level of access at that specific time. As there is a constant change in the risk levels of users, devices, and applications, access decisions are made for each individual access request.

Roadmap to Success

When it comes to implementing emerging technologies like ZTNA, it is always important to listen to the early adopters, as they can provide insights into key factors to success and help avoid pitfalls. Organizations that have recently adopted ZTNA report the following key factors were critical to their success:

  • Assess Application Usage Prior to ZTNA Implementation: Since one of the contextual attributes in making access decisions is the relationship between users and applications, it’s essential to gain insights into the application usage prior to the implementation process. To assist with this discovery process, some early adopters of ZTNA reported that they leveraged endpoint visibility solutions to gain insights into the usage of both installed and Web applications. Others simply interviewed the heads of specific departments (e.g., sales, finance, HR) to gather details. The insights were subsequently used to map users with the required application access and ultimately influence the scope of the policies.
  • Define Granular Access Policies: Don’t treat ZTNA the same way as traditional VPNs, whereby users are granted access to all applications. Instead, spend some time to draw up granular access policies that are derived from identifying specific use cases (e.g., contractor access, access to highly sensitive applications) and define user-specific policies.
  • Eliminate Standing Application Entitlements: Take the opportunity to clean up application access privileges based on your assessment of application usage as part of the rollout of the ZTNA project.
  • Establish a Continuous Feedback Loop: As your business needs constantly evolve, so should your application access policies. Thus, it is essential to fine-tune established access policies on an ongoing basis. Many early adopters of ZTNA policies recommended a quarterly audit/review process during the initial phase of the implementation process, and then switching to a bi-annual process once the ZTNA program has matured. Ultimately, you want to establish a mindset that focuses on continuous improvement and refinement of the access policies.
  • Assure User and Business Leader Buy-In: As with all technology implementations, it is vital to assure buy-in from both business leaders and users as early as possible. For example, implementing a user focus group as part of your initial planning process is a good strategy. These participants contribute to try-storming and provide early input, as well as raise any concerns about user experience prior to moving into the implementation phase. This saves costs by avoiding otherwise necessary rounds of iterations and helps increase adoption rates overall.
  • Select Best-of-Breed Solutions: Evaluate ZTNA offerings for their ability to be resilient, meaning functioning across disruptions, unintentional decay, or malicious actions that are fundamental to their operations. Assess solutions for the capability to gather deep visibility into all endpoints, data, network, and applications within your organization. Consider ZTNA solutions that conform with the National Institute of Standards and Technology (NIST) Zero Trust Architecture, whereby the policy enforcement should be as close as possible to the user, meaning they should be enforced directly at the endpoint.

While there are a variety of paths to break the dependency on passwords, ZTNA allows organizations to minimize their attack surface while ensuring the productivity of their remote workforce.

The post Password Dependency: How to Break the Cycle appeared first on SecurityWeek.

Majority of GAO’s Cybersecurity Recommendations Not Implemented by Federal Agencies

majority-of-gao’s-cybersecurity-recommendations-not-implemented-by-federal-agencies

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022, the US Government Accountability Office (GAO) says in a new report.

Since 1997, the GAO has been regarding information security as a government-wide high-risk area and expanded it twice since: in 2003 to include critical cyber infrastructure and in 2015 to include the protection of personally identifiable information.

During this time, GAO performed assessments of the risks associated with the information technology systems of federal agencies and critical infrastructure (such as communications, energy, financial services, and transportation organizations) and recommended actions to improve their cybersecurity risks.

“Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them,” GAO notes.

GAO has now published the first in a series of four reports that bring into focus cybersecurity areas that need to be urgently addressed, starting with the need for a comprehensive cybersecurity strategy.

The White House and the National Security Council (NSC) issued a National Cyber Strategy and an Implementation Plan in 2018 and 2019, respectively, but GAO reported in 2020 that these do not address all desirable characteristics of national strategies (only three out of six characteristics were included).

While an Office of the National Cyber Director position was established and filled in 2021, a comprehensive national strategy has yet to be fully developed and implemented.

“We recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things,” GAO notes.

Another area that the GAO has been looking into is federal agencies’ supply chain risk management practices. In 2020, out of 23 agencies reviewed, none had fully implemented all the seven foundational practices in the area and 14 had implemented none of these practices.

Despite that, agencies heavily rely on information and communications technology (ICT) products and services to conduct operations.

According to GAO, “implementing foundational practices for ICT supply chain risk management is essential to agencies addressing the risks of malicious actors disrupting mission operations, stealing intellectual property, or harming individuals.”

GAO’s new report also underlines the need for the Office of the National Cyber Director to address continuing cybersecurity workforce challenges, for federal agencies to improve the security of internet-connected devices – including Internet of Things (IoT) and operational technology (OT) devices – and for the federal government to address the risks associated with quantum computing and artificial intelligence (AI) technologies.

Related: US Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks

Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking

Related: U.S. Department of State Approves New Cyberspace Security Bureau

The post Majority of GAO’s Cybersecurity Recommendations Not Implemented by Federal Agencies appeared first on SecurityWeek.

Netwrix Acquires Remediant for PAM Technology

netwrix-acquires-remediant-for-pam-technology

Data security software vendor Netwrix has acquired Remediant, an early-stage startup working on technology in the PAM (privileged access management) category.

Financial terms of the acquisition were not disclosed. 

read more