Are you a cybersecurity recycler?
In the last few decades, we’ve learned some very hard lessons about recycling. Having “disposable” everything is not good for the environment, economy, or posterity. We all need to learn how to correctly recycle, reuse, repurpose, and dispose of material items.
The critical word in the previous paragraph is “material”. Some nonmaterial items should never be recycled, especially in cybersecurity. If you recycle passwords and accounts, you are a “cybersecurity recycler”, and that habit creates unnecessary risk and unforeseen threats.
Password Cycling versus Recycling
If you think that the term “cybersecurity recycler” is a manufactured catchphrase, you are partially correct. Nonetheless, nonmaterial items like passwords do carry a real cost when they are recycled.
Password cycling, a synonym for password rotation, is an IT security best practice for privileged credentials when it is executed with unique passwords. Password recycling, the re-use of a credential that has been used before, introduces a quantifiable risk and is a security taboo.
Choosing unique, never-before-used passwords provides far superior security; the only cost is the time, tools, and processes needed to actually change them. Nothing material is thrown away, even when one-time passwords (OTPs) are used. Passwords (and accounts, for that matter) should be unique each time they are rotated or changed.
So, why am I making this the focal point of a blog? In the realm of information technology and cybersecurity, we recycle all the time. We recycle hardware and software licenses, as well as often-overlooked items like data storage and basic disk space. This recycling is all done in the name of efficiency and cost-effectiveness. Other items, as we have just covered, should never be recycled.
The practical problem most organizations face is how to avoid recycling passwords and accounts, keeping each one unique every time it is changed.
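As an added illustration of cycling without recycling (this is example code written for this page, not BeyondTrust Password Safe code), here is a minimal rotation ledger in Python. Every rotation generates a fresh random value and refuses anything that has ever been assigned to any managed account, whether it is still live or was retired long ago; a separate helper audits an unmanaged estate and groups the accounts that currently share a password. The ledger, its HMAC key, and the account names are hypothetical, and the sample estate is constructed.

```python
"""Password cycling without recycling.

Added illustration, not code from BeyondTrust or Password Safe. The ledger,
its key, and the account names are hypothetical.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional

# Character set for generated passwords (assumption: symbols chosen to avoid
# shell and quoting trouble on most targets).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length: int = 24) -> str:
    """Return a cryptographically random password containing every class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


class RecycledPasswordError(ValueError):
    """A candidate password was already used on some managed account."""


class RotationLedger:
    """Hypothetical record of every password ever assigned to a managed account.

    Only keyed fingerprints (HMAC-SHA256) are stored, so the ledger can answer
    'has this value ever been used, and where?' without keeping plaintext
    history. The live plaintext belongs in the vault's encrypted store.
    """

    def __init__(self, ledger_key: bytes) -> None:
        self._key = ledger_key                      # assumption: secret known only to the vault
        self._seen: Dict[str, str] = {}             # fingerprint -> account that first used it
        self._current: Dict[str, str] = {}          # account -> fingerprint of its live password

    def _fingerprint(self, password: str) -> str:
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def first_use(self, candidate: str) -> Optional[str]:
        """Account that already used this value (live or retired), else None."""
        return self._seen.get(self._fingerprint(candidate))

    def is_recycled(self, candidate: str) -> bool:
        return self.first_use(candidate) is not None

    def assign(self, account: str, password: str) -> None:
        """Record an operator-chosen password, refusing any recycled value."""
        owner = self.first_use(password)
        if owner is not None:
            raise RecycledPasswordError(f"value already used on {owner}")
        fp = self._fingerprint(password)
        self._seen[fp] = account
        self._current[account] = fp

    def rotate(self, account: str, length: int = 24) -> str:
        """Cycle an account's password: generate until the value is unseen, record
        it, and return the plaintext for the caller to push to the target system."""
        while True:
            candidate = generate_password(length)
            if not self.is_recycled(candidate):     # a collision is astronomically unlikely
                self.assign(account, candidate)
                return candidate

    def live_fingerprint(self, account: str) -> Optional[str]:
        return self._current.get(account)


def find_recycled(current_passwords: Dict[str, str]) -> List[List[str]]:
    """Audit an unmanaged estate (account -> plaintext): return sorted groups of
    two or more accounts that currently share the same password."""
    by_value: Dict[str, List[str]] = {}
    for account, pw in current_passwords.items():
        by_value.setdefault(pw, []).append(account)
    return sorted(sorted(group) for group in by_value.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed sample estate: three servers sharing one local admin password.
    estate = {
        "srv01/Administrator": "Winter2023!",
        "srv02/Administrator": "Winter2023!",
        "srv03/Administrator": "Winter2023!",
        "db01/root": "Db-R00t-Pass",
    }
    print("shared before onboarding:", find_recycled(estate))

    ledger = RotationLedger(ledger_key=secrets.token_bytes(32))
    for account, pw in estate.items():
        try:
            ledger.assign(account, pw)          # keep the existing value only if it is unique
        except RecycledPasswordError:
            ledger.rotate(account)              # shared value: issue a fresh one instead

    # Rotating again retires the old value; it can never be reinstated anywhere.
    ledger.rotate("srv01/Administrator")
    try:
        ledger.assign("srv02/Administrator", "Winter2023!")
    except RecycledPasswordError as exc:
        print("refused:", exc)
```

The fingerprint is keyed rather than a bare hash so that a leaked ledger does not become an offline dictionary of every password the estate has ever used; the plaintext that a checkout hands back to an operator is assumed to live in the vault's encrypted store, not in this structure.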
Eliminate Password Recycling & Enforce Password Security Best Practices
This is where BeyondTrust Password Safe comes in. The technology is designed to manage accounts and passwords and to place your most precious ones, privileged accounts, under management. An account’s name, password, and usage are then governed by an automated, highly scalable solution; credentials can be checked in and checked out, and every session is documented. In addition, passwords can be rotated automatically so that recycling never occurs and every system, account, and resource has a unique password. Because no two systems share a credential, a password captured on one host cannot simply be replayed against another: this protects against credential re-use attacks, impedes lateral movement, and dramatically shrinks your organization’s attack surface.
Finally, Password Safe has session management tools that record RDP and SSH sessions when these accounts are used. This capability lets you verify after the fact whether the account and password were used appropriately, providing a measurable benefit for meeting auditing and compliance standards.
The concepts of recycling in the material world help improve sustainability across our planet. Recycling of security technology can be cost-effective so long as the threats from previous usage are mitigated (a reused disk, for example, must be sanitized before it changes hands). Password and account recycling, however, should never occur, and BeyondTrust can help ensure you do not succumb to the dark side of cybersecurity recycling practices.
Learn more about BeyondTrust Password Safe.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.