In the world of cybersecurity, we are exposed to an onslaught of recommendations and top "n" lists for improving IT security. These recommendations may be prompted by the emergence of new threats, by breaches in the news, or by a detailed analysis of a particular attack vector. While such articles and blogs play a crucial part in educating the IT community and non-IT workers alike, they are commonly narrow in focus. They may have some universal characteristics, but they are frequently not relevant for adoption by everyone, everywhere, at every time.
This is where this blog steps in. Read on to learn the most important IT security recommendation that is relevant to absolutely everyone, regardless of their position inside or outside the IT community. Here is a hint: it is related to passwords.
What is IT security?
IT security describes a collection of cybersecurity strategies, methods, solutions, and tools that are designed to prevent hackers and threat actors from gaining unauthorized access to organizational assets (i.e. computers, networks, data, and digital identities). A comprehensive IT security strategy combines advanced IT security technologies and human resources to prevent, detect, and remediate a variety of cyberthreats. It will include protection for hardware systems, software applications, and endpoints, as well as the network itself (on-prem and cloud-based).
Why do we need IT security solutions?
According to IBM's 2022 Cost of a Data Breach Report, "For 83% of companies, it's not if a data breach will happen, but when. Usually more than once." The increase in remote workers, the growth of the cloud, and the proliferation of connected devices (whether provided by the organization or brought in under BYOD, bring your own device) have changed the dynamic of the workplace perimeter. Where previously an organization could defend a physical perimeter, the walls of the workplace, against breach, today's perimeter has expanded to include employees, partners, and vendors who access the network from anywhere in the world, and information stored in something as non-physical as the cloud.
All of this has placed significant strain on IT security teams, who now need to protect a nearly infinite perimeter full of continuously expanding threat vectors against increasingly sophisticated digital adversaries. And every year, the financial and reputational risk to organizations that cannot defend against every cyberattack increases. In 2022, the global average cost of a data breach hit its highest amount on record ($4.35M USD, a 12.7% increase compared to 2020). IT security has become much more than a nice-to-have for organizations. It is financially, operationally, and in some cases legally critical.
What are the biggest threats to IT security?
Threats to IT security come in many forms. The top threats facing today's IT security teams include:
- Ransomware - The number of breaches caused by ransomware grew 41% in the last year, got costlier (the average cost of a ransomware attack in 2022 was $4.54M USD), and took 49 days longer than average to identify and contain.
- Insider threats – The average cost of a malicious insider attack in 2022 was $4.18M USD.
- Phishing attacks – The second most common cause of a data breach in 2022, the average cost of a phishing attack related breach is $4.91M USD.
- Cloud attacks – 45% of breaches occurred in the cloud in 2022, with the average cost of a breach at $4.14M USD.
- Compromised credentials - Stolen or compromised credentials were not only the most common cause of a data breach in 2022, but at 327 days, also took the longest to identify and contain. Breaches from this attack vector cost USD 150,000 more than the average data breach.
Why aren’t all IT security solutions universally relevant?
Let's consider all the infosec recommendations we encounter on a daily basis. These include everything from security skills and cyber awareness training to patch management. They target problems from phishing to vulnerability management, but they are not necessarily relevant to every employee within an organization, nor to each person on their personal devices at home. For example, a default Windows 11 or macOS Ventura system will automatically patch security vulnerabilities and reboot if necessary, keeping the problem out of sight and out of mind for the average user. In addition, recommendations for cybersecurity training are generally tailored to a specific kind of organization and do not necessarily carry across verticals.
While it is common knowledge to avoid email spam, and employees are often trained on how to identify suspicious emails and advised not to click on suspicious links, it is interesting that younger generations are far less likely to embrace email outside of the corporate enterprise. Instant messaging and other forms of social media are their tools of choice, which suggests that traditional email may slowly fade away like postal correspondence, or the fax machine. The demise of email may take a few more decades to transpire, but this downshift is well underway and being driven by generational divides and newer communication tools.
All of this helps further refine our single best recommendation. Remember, we need to consider a universal security recommendation that translates to everyone.
What is the number one, universal, and best security recommendation?
Regardless of persona, at home or at work, on premises or remote, employee or vendor, the one thing everyone uses is passwords. We use passwords for work, for resources on the Internet, for social media, and for our applications. We use them in the form of passcodes and PINs for banking, mobile devices, and office and home alarm systems. Passwords are ubiquitous, and we use them constantly, even on newer systems that claim to be "passwordless." Passwordless schemes still rest on a secret behind the scenes, typically a private key held on the device or in a hardware authenticator and unlocked by a PIN or biometric. The difference is that this secret is not shared with the service you log into, and the details of how that works belong in a more technical blog.
Fixing a Thousand-Year-Old Security Issue
Passwords date back at least to the era of the Roman military. Passwords were once carved into wood and passed around by soldiers via the active guard on duty. In essence, passwords were a shared resource—which we (should) recognize is a liability, since multiple people would have knowledge of the passwords at any given time.
Today, the most common storage of any password is within a single human brain. We assign a password to a system or application, recall it when it needs to be used, and hopefully remember it each time we change it. Our brains are full of passwords, and often, we forget them, reuse them, need to share them, and are forced to document them on post-it notes, spreadsheets, and even communicate them via email or SMS text messages (a very poor security practice!).
These insecure methods for creating, sharing, and reusing passwords are responsible for the types of data breaches that routinely make front-page news, serving as cautionary tales of what is likely to happen when good password management practices are not adhered to. The ramifications crisscross both our professional and personal lives.
Passwords are everywhere, and we need at least one basic tenet to help fix a thousand-year-old problem. Therefore, the most important security recommendation for everyone is this: ensure that every password you use is unique and is never shared with any other resource (including people). Technology today can help solve this problem, using personal password managers for individuals and Privileged Access Management solutions for enterprises.
What are the top password security best practices for anyone to deploy?
1. Leverage a password management tool that can supply, manage, and rotate unique passwords.
While we recognize that remembering an already considerable and ever-expanding list of passwords (an average of 100 for the modern corporate user) is impractical for most humans, there are password management tools, solutions, and techniques for making unique passwords a reality, which goes a long way toward reducing password-related threats.
Modern operating systems, browsers, and applications can generate a unique password for every resource and store it securely for retrieval, in lieu of a human having to remember every single one. The stored passwords are encrypted under a key derived from one "master" password (sometimes called a "key" or "secret") that only the individual knows, so the master password is the one secret that must be strong and must never be reused anywhere else. While this is a good solution for home and small business users (to a limited degree), it does not scale to most businesses, which need to share accounts (due to technology limitations) and automatically generate and rotate unique passwords, for example to keep up with employee changes or to meet regulatory compliance requirements. This is where enterprise-ready Privileged Access Management solutions step in to meet large business requirements.
2. Don’t limit yourself to one authentication mechanism
A password alone should never be the only authentication mechanism for critical data, sensitive systems, or the daily operations that touch those resources. Multi-factor authentication (MFA) or two-factor authentication (2FA) should be layered on top, so that when authentication is required, the unique password for an account is being presented by the correct identity and not by someone who merely obtained the password.
One key merit of this universal security recommendation is that if your password is stolen, leaked, or inappropriately used, it can only be leveraged against the one resource it was assigned to, and not even there if MFA or 2FA is in place. Because the password is unique, a threat actor cannot use one compromised account and password to attack other resources. The attacker's options and movement are significantly limited, though they could try advanced techniques to steal other credentials from the system they have compromised, such as scraping passwords from memory. In that case, not only generating unique passwords, but also rotating passwords frequently, helps mitigate the attack by shortening the window in which a scraped credential remains valid. This is where BeyondTrust can provide an end-to-end solution for you.
3. Audit for old accounts
It is important to deactivate or ‘de-provision’ old, unused accounts. Whether an employee or vendor user is transitioning into a new role, is no longer employed by the organization, or has discontinued using their account for other reasons, unused or “orphaned” accounts can give attackers the backdoor access they need to infiltrate the enterprise and execute lateral movement.
The problem with orphaned accounts is that they are often forgotten or unnoticed, and as the saying goes, you can’t protect what you don’t know about. Identifying where over-privileged, orphaned, and other accounts exist on the network is a critical step toward IT security, but there are tools that can help:
- The Privileged Access Discovery Application (PADA) identifies the age of passwords for accounts on your network. Not only can it identify a password that hasn’t been rotated, but it can also leverage that capability to identify unused accounts, account misconfigurations, overprivileged accounts, service accounts using user identities, and remote access tools you might not know are present on your network.
- Identity Security Insights allows you to gain a centralized view of identities, accounts, and privileged access across your IT estate. It identifies over-privileged and high-risk privileged accounts, inactive and orphaned accounts, and partially revoked identities, allowing you to proactively remove unnecessary privileges and accounts before they are exploited.
Ensuring end-to-end security with BeyondTrust Password Safe
BeyondTrust's Password Safe is an enterprise-ready privileged password management solution that spans an organization's entire information and security infrastructure. Password Safe provides automated management for sensitive accounts and passwords (including SSH key management), such as shared administrative accounts, application accounts, local administrative accounts, and service accounts, across nearly all IP-enabled devices. This helps ensure this top security recommendation can be implemented across any organization to enforce strong enterprise password security.
Furthermore, request, approval, session monitoring and management, and retrieval workflow functionality is included for end-user access of managed privileged accounts. This helps control when passwords are used and, most importantly, how they are used.
For more information on this number one recommendation and BeyondTrust Password Safe, please contact us here. We are ready and able to enhance your organization’s cybersecurity posture.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.