Are you a cybersecurity recycler?
In the last few decades, we’ve learned some very hard lessons about recycling. Having “disposable” everything is not good for the environment, economy, or posterity. We all need to learn how to correctly recycle, reuse, repurpose, and dispose of material items.
The critical word in the previous paragraph is “material”. Some nonmaterial items should never be recycled, and this is especially true in cybersecurity. If you recycle passwords and accounts, you are a “security recycler”, and that habit creates unnecessary risk and unforeseen threats.
Password Cycling versus Recycling
If you think that the term “cybersecurity recycler” is a manufactured catchphrase, you are partially correct. Nonetheless, nonmaterial items like passwords do have a cost when they are recycled.
Password cycling, a synonym for password rotation, is an IT security best practice for privileged credentials as long as every rotation uses a new, unique password. Password recycling, the re-use of a credential that has already been used on this or any other account, introduces a quantifiable risk and is a security taboo: a password exposed once (in a breach dump, a log file, or a phishing attempt) stays useful to an attacker for as long as it remains in service anywhere.
Choosing unique, never-before-used passwords provides far superior security, and the only cost is the time, tools, and processes needed to actually change them. Nothing material is disposed of, even when one-time passwords (OTPs) are used. Passwords (and accounts, for that matter) should be unique each time they are rotated or changed.
So, why am I making this the focal point of a blog post? In information technology and cybersecurity we recycle all the time: hardware, software licenses, and often-overlooked items like data storage and basic disk space. This recycling is done in the name of efficiency and cost-effectiveness, and it is acceptable only when the reused item is sanitized first, so that nothing from its previous use carries over. Other items, as we have just covered, should never be recycled.
The practical problem most organizations face, then, is how to avoid recycling passwords and accounts, and how to keep every one of them unique each time it is changed.
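One way to enforce that rule at rotation time, as an added example that is not BeyondTrust's or Password Safe's code: a small credential vault that stores only salted PBKDF2 digests, keeps a bounded history per account, and refuses any rotation whose new secret matches a password previously used by that account or by any other account it manages. The account names, history depth, and iteration count are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Added example (not BeyondTrust/Password Safe code). The vault, account
# names, history depth and iteration count are constructed for illustration.

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 100_000  # slows offline guessing if the history store leaks


def generate_password(length: int = 24) -> str:
    """Return a CSPRNG-generated password with at least one letter, digit and symbol."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialVault:
    """Keeps salted digests per account; the newest entry is the live credential."""

    def __init__(self, history_depth: int = 24):
        self.history_depth = history_depth
        self._history: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def previous_owner(self, password: str) -> Optional[str]:
        """Return the account that has used `password` (current or past), else None.

        Each entry has its own salt, so the digest is recomputed per entry. For a
        large estate a keyed index (HMAC under a vault-held key) would replace
        this linear scan; the security property checked is the same.
        """
        for account, entries in self._history.items():
            for salt, digest in entries:
                if hmac.compare_digest(_digest(password, salt), digest):
                    return account
        return None

    def is_recycled(self, password: str) -> bool:
        return self.previous_owner(password) is not None

    def rotate(self, account: str, candidate: Optional[str] = None) -> str:
        """Rotate `account` to a never-before-used password and return it.

        A caller-supplied candidate is rejected if any managed account ever used it,
        which is exactly the recycling case; a generated one is guaranteed unique.
        """
        if candidate is None:
            candidate = generate_password()
            while self.is_recycled(candidate):  # collision is astronomically unlikely
                candidate = generate_password()
        else:
            owner = self.previous_owner(candidate)
            if owner is not None:
                raise ValueError(f"recycled password rejected: previously used by {owner}")
        salt = os.urandom(16)
        entries = self._history.setdefault(account, [])
        entries.append((salt, _digest(candidate, salt)))
        del entries[:-self.history_depth]  # keep only the newest history_depth entries
        return candidate

    def verify(self, account: str, password: str) -> bool:
        """True only against the account's current (newest) password; history never authenticates."""
        entries = self._history.get(account)
        if not entries:
            return False
        salt, digest = entries[-1]
        return hmac.compare_digest(_digest(password, salt), digest)


if __name__ == "__main__":
    vault = CredentialVault()
    first = vault.rotate("svc_backup@db01")   # constructed account name
    second = vault.rotate("svc_backup@db01")  # cycling: a fresh, unique secret
    print("old password still works:", vault.verify("svc_backup@db01", first))
    try:
        vault.rotate("admin@web01", candidate=first)  # recycling across accounts
    except ValueError as exc:
        print(exc)
```

The point of the cross-account scan is the last case: the same password reappearing on a different system is still recycling, because an attacker who captured it once can now try it everywhere, which is the password re-use and lateral-movement path the next section describes.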
Eliminate Password Recycling & Enforce Password Security Best Practices
This is where BeyondTrust Password Safe comes in. The technology is designed to manage accounts and passwords and to place your most precious ones, privileged accounts, under management. This means that an account’s name, password, and usage are all governed by an automated, highly scalable solution, and that each credential can be checked out, checked back in, and documented with every session. In addition, passwords can be rotated automatically so that recycling never occurs and every system, account, and resource has a unique password. This protects against password re-use attacks, impedes lateral movement, and shrinks your organization’s attack surface.
Finally, Password Safe has session management tools that record RDP and SSH sessions interactively when these accounts are used. This capability lets you determine whether the account and password were used appropriately, which is a measurable benefit when meeting auditing and compliance standards.
The concepts of recycling in the material world help improve sustainability across our planet. Recycling of security technology can be cost-effective so long as we can ensure that the threats from previous usage are mitigated. Password and account recycling, however, should never occur and BeyondTrust can help ensure you do not succumb to the dark side of cybersecurity recycling practices.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.