Despite much talk about passwordless credentials, many organizations still depend on passwords for employee identity and access management.
Even as the industry moves toward a passwordless world, compromised passwords remained one of the top contributors to data breaches over the past year.
Verizon’s 2022 investigative report revealed that 80% of Basic Web Application Attacks (BWAA) involved the use of compromised credentials. The report also indicated an almost 30% increase in stolen credentials since 2017.
For the here-and-now, how should we protect our organizations and employees against credential and password theft? CybersecAsia sought out some insights from Budiman Tsjin, Solutions Engineering Director for ASEAN, CyberArk.
What are some reasons that have led to the rapid rise of credential and password theft in APAC?
Budiman: The rapid increase in credential and password theft in the region results from increased interest from attackers as well as habits of users.
Today’s attackers are assigning a level of focus on employees’ passwords they once reserved for privileged users’ credentials. Workers today have a shocking amount of access to sensitive resources. 52% of employees have access to sensitive corporate data, according to a CyberArk survey of 1,750 security decision-makers from ten industries. In some sectors, that percentage is even higher. For example, the figure is 65% of employees in the healthcare sector, where the data may include confidential patient records.
Despite the amount of access they have to confidential information, users do not necessarily have good habits when it comes to password management. Using unique passwords for different services is one of the best practices for enforcing security. However, remembering multiple passwords can be a struggle for many. It is common for users to keep physical notes or leverage third-party online personal services to remember passwords for easier login. Unfortunately, such habits have a risk of exposing credentials to potential attackers.
Faced with the ongoing challenge of managing multiple passwords in an enterprise setting, organisations cannot rely on unsecured, cobbled-together solutions that are burdensome to operate. Without a centralised solution to securely and easily manage passwords, organisations’ productivity may suffer and the user endpoint becomes yet another password repository, with the risk of stolen credentials becoming much higher.
What are the latest attacker innovations targeting passwords?
Budiman: Our research into Chrome-based browsers revealed that credentials and cookies are stored in clear-text format, which are easily extractable and can be loaded into memory. Once an attacker hijacks the browser, they will be able to transfer all the details into their machine and use them to bypass authentication measures.
Another threat that organisations need to look out for is the use of novel phishing and social engineering tactics to trick users into giving them their credentials. Fake emails, marketing campaigns and alerts act as channels to identify and target individuals who have access to high-value assets. From there, users can be bombarded with various notification pushes to make them respond and open their workloads to attacks, such as data theft and malware.
What should employees do if their passwords for business applications have been compromised?
Budiman: Employees need to follow their respective cyber incident response plan. This plan should outline the roles and responsibilities of each staff member in mitigating risks and ensuring business continuity. Clear directions from the CIOs and CISOs are essential to achieving this as they have the knowledge and skills to keep systems protected. Through strong collaboration, employees can play a collaborative role in hardening their organisation’s resilience.
Security awareness training is also crucial in equipping employees with the capabilities to take a proactive stance against cyberattacks. In particular, response drills and spot checks can test employee readiness against current and future attack scenarios. From there, organisations can identify areas that are lacking so that they can rectify them or educate the users as quickly as possible.
Why is there a need for companies to adopt workforce password management instead of just personal password management?
Budiman: Enterprise-grade password management solutions store credentials in a centralised vault and securely share them among approved users, unlike consumer-grade tools which provide only limited or no access management capabilities and a lack of auditing functionality. Additionally, enterprise-grade solutions have enhanced reporting functions to monitor application access, which helps organisations identify suspicious activities and safeguard their most critical resources. This includes adaptive MFA or step-up authentication, like challenge questions or physical keys to verify users’ identities.
What are some strategies that organizations should implement to secure their workforce?
Budiman: Here are four ways organisations can apply security-first controls to employee passwords while balancing the need for protection and productivity.
Security-first Password Storage and Retrieval
IT and security teams can mitigate the risks of highly vulnerable passwords by implementing secure, centralized storage for workforce credentials. Key functions to look for:
- The ability to centrally control how accounts and credentials are stored, managed and retrieved
- The peace of mind of securing passwords with end-to-end encryption in transit or at rest
- The flexibility to host passwords in a secure cloud location or self-hosted vault, depending on your organization’s needs
Organisations can protect employee credentials by enabling automated, real-time password retrieval from their chosen cloud or vault location. Inspired by just-in-time controls typically used for IT admins, this capability can help CIOs, CISOs and their teams ensure passwords are never stored locally at endpoints — thus reducing the attack surface.
Safe Password Sharing and Account Management
By applying a least privilege approach, enterprises can ensure that employees — for example, line-of-business team managers — can securely share credentials without revealing password characters. Here are key controls to adopt:
- Protect privacy by controlling who can share, view and edit credentials.
- Impose precise time limits on how long a user can access a shared app.
- Manage the transfer of credential ownership to new users.
- Prevent users from saving passwords in built-in browser password managers, reducing the number of accounts and credential repositories.
In an era of increased workforce turnover, this level of control is essential. For example, with automated tools, you could transfer ownership of an app’s account without losing the chain of custody when the primary owner leaves your organization.
Frictionless — and Secure — User Experience
Eighty-six percent of security leaders believe that optimising the user experience is important for enabling Zero Trust success through Identity and Access Management tools. Building upon that perspective, enterprises can benefit from the password protection capabilities that can:
- Integrate with corporate directories and third-party identity providers.
- Know when users are entering credentials into web apps’ login forms and offer to save them in a secure vault — and securely auto-fill credential fields in future instances.
- Automatically generate strong, complex and unique passwords for users whenever needed.
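The last bullet above, automatic generation of strong, complex and unique passwords, as an added example in Python. This is not CyberArk's code or anything from the interview; the character classes and the minimum-one-per-class policy are assumptions chosen for illustration.

```python
"""Strong, unique password generation with the `secrets` module.

Added example (not CyberArk's or the article's code). It shows what
"automatically generate strong, complex and unique passwords" means in
practice: an OS CSPRNG as the only randomness source, a guaranteed mix of
character classes, and an entropy estimate a policy can check against.
"""
import math
import secrets
import string

# Character classes the generated password must draw from (assumed policy).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Return a random password containing at least one char of every class.

    Uses secrets.choice (backed by the OS CSPRNG), never random.choice, and a
    Fisher-Yates shuffle driven by secrets.randbelow so the positions of the
    guaranteed class characters are not predictable.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    # One guaranteed character per class, then fill from the full alphabet.
    chars = [secrets.choice(cs) for cs in CLASSES.values()]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the entropy of a uniformly random password of this length.

    The one-per-class constraint removes a small fraction of the space, so the
    true figure is marginally lower; the bound is what a policy threshold uses.
    """
    return length * math.log2(alphabet_size)


def meets_policy(password: str) -> bool:
    """Every class is present and no character falls outside the alphabet."""
    has_all_classes = all(any(c in cs for c in password) for cs in CLASSES.values())
    return has_all_classes and all(c in ALPHABET for c in password)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw), round(entropy_bits(20), 1))
```

A vault would call `generate_password` at the moment a new account is created and store the result directly, so the user never types or memorises it; the entropy figure (about 128 bits for 20 characters over this 85-symbol alphabet) is what makes offline guessing impractical.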
End-to-end Visibility for Audits and Reporting
An enterprise-grade approach to password protection should provide real-time visibility into users’ access activity. Security controls must continue past the point of authentication. Enterprises should look for ways to require an extra layer of protection that allows them to monitor and record all actions taking place once a user is logged in. In light of today’s compliance demands, it’s important to ensure any records surrounding high-risk actions taken in apps are backed up by a full audit trail.
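The controls listed under secure storage and retrieval, safe sharing and account management, and end-to-end visibility, worked as one added example in Python. It is a toy model, not CyberArk's product or the article's code: the permission levels, the in-memory store and the event fields are assumptions, and it leaves out encryption at rest and in transit, which a real vault supplies. What it does show is least-privilege sharing that never reveals password characters, time-limited grants, ownership transfer that preserves the chain of custody, just-in-time retrieval, and an append-only audit trail that records denials as well as successes.

```python
"""Toy workforce credential vault: least-privilege sharing, time-limited
access, ownership transfer and an append-only audit trail.

Added example (not CyberArk's or the article's code). Permission levels and
the in-memory store are assumptions; a real vault encrypts entries at rest
and in transit, which this model leaves out.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Permission ranks: a higher rank includes every lower one (assumed model).
RANK = {"view": 1, "edit": 2, "share": 3, "owner": 4}


@dataclass
class Grant:
    level: str
    expires_at: Optional[float]  # None means no time limit


@dataclass
class Entry:
    app: str
    owner: str
    _secret: str  # would be ciphertext in a real vault
    grants: Dict[str, Grant] = field(default_factory=dict)


class Vault:
    def __init__(self) -> None:
        self._entries: Dict[str, Entry] = {}
        self.audit: List[dict] = []  # append-only; every decision is recorded

    def _level(self, entry: Entry, user: str, now: float) -> int:
        """Effective rank of `user` on `entry` at time `now` (0 = no access)."""
        if user == entry.owner:
            return RANK["owner"]
        g = entry.grants.get(user)
        if g is None or (g.expires_at is not None and now >= g.expires_at):
            return 0
        return RANK[g.level]

    def _check(self, app: str, user: str, needed: str, now: float, action: str) -> Entry:
        """Authorise one action, log the decision, and raise if denied."""
        entry = self._entries[app]
        allowed = self._level(entry, user, now) >= RANK[needed]
        self.audit.append({"t": now, "user": user, "app": app, "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not {action} {app}")
        return entry

    def store(self, app: str, owner: str, secret: str, now: float) -> None:
        self._entries[app] = Entry(app, owner, secret)
        self.audit.append({"t": now, "user": owner, "app": app, "action": "store", "allowed": True})

    def share(self, app: str, by: str, to: str, level: str, now: float, ttl: Optional[float] = None) -> None:
        """Grant access to `to`; the password characters are never returned."""
        if level not in ("view", "edit", "share"):
            raise ValueError("level must be view, edit or share")
        entry = self._check(app, by, "share", now, f"share:{level}->{to}")
        entry.grants[to] = Grant(level, None if ttl is None else now + ttl)

    def retrieve(self, app: str, user: str, now: float) -> str:
        """Just-in-time retrieval: the secret is handed out for this use only."""
        return self._check(app, user, "view", now, "retrieve")._secret

    def rotate(self, app: str, user: str, new_secret: str, now: float) -> None:
        self._check(app, user, "edit", now, "rotate")._secret = new_secret

    def transfer_ownership(self, app: str, by: str, to: str, now: float) -> None:
        """Hand an account to a new owner without losing the chain of custody."""
        entry = self._check(app, by, "owner", now, f"transfer->{to}")
        entry.owner = to
        entry.grants.pop(to, None)  # the new owner no longer needs a grant


def high_risk_events(vault: Vault) -> List[dict]:
    """Audit records a reviewer would look at first: denials, rotations, transfers."""
    return [e for e in vault.audit
            if not e["allowed"] or e["action"].startswith(("rotate", "transfer"))]


def demo() -> Vault:
    """Walk through the sharing lifecycle from the text (constructed data)."""
    v = Vault()
    v.store("crm-admin", "alice", "constructed-secret-1", now=0)
    v.share("crm-admin", "alice", "bob", "view", now=0, ttl=3600)  # one-hour share
    v.retrieve("crm-admin", "bob", now=100)                         # allowed
    for attempt in (lambda: v.retrieve("crm-admin", "bob", now=3600),              # expired
                    lambda: v.share("crm-admin", "bob", "carol", "view", now=100)):  # view cannot share
        try:
            attempt()
        except PermissionError:
            pass  # denial is already in the audit trail
    v.transfer_ownership("crm-admin", "alice", "bob", now=200)      # alice leaves
    return v


if __name__ == "__main__":
    for event in high_risk_events(demo()):
        print(event)
```

Two design choices carry the security point. Authorisation and logging live in one place (`_check`), so there is no code path that touches a credential without leaving a record, and a denied attempt is logged just like a successful one. Sharing manipulates grants only, so a manager can delegate an account to a team member without that member, or the manager's own screen, ever seeing the stored characters until a retrieval is actually authorised.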