Why strong passwords alone won’t stop identity-based attacks

By David Higgins, Senior Director Field Technology Office, CyberArk.

You can buy almost anything online from the comfort of your own home. Need groceries? Check. A holiday? Check. Even a new car? It will magically appear in your driveway from the click of a button! Unfortunately, purchasing stolen credentials has become just as simple. A concerning 108.9 million accounts were breached in the third quarter of 2022, a 70% increase compared to the previous quarter. With a lengthy list of passwords at their disposal, cybercriminals rarely need to flex their creative muscles to open the door to an enterprise environment. If that doesn’t work, an automated brute-force attack to guess and test username/password variations at scale is a solid backup plan.

No matter how strong an organisation’s password policies and awareness efforts are, they won’t be enough to defend against identity-based attacks. Identity security is crucial. So, why is this the case, and how can organisations best protect themselves?

Workers know strong passwords are important - they just can’t keep up

The average staff member accesses more than 30 applications and accounts at work, and roughly 55 others at home. Requiring users to maintain multiple complex passwords and to repeatedly authenticate themselves to systems and applications often can become too much. Worryingly, despite the security risks, password hygiene remains poor. In fact, 54% of all employees reuse passwords across multiple work accounts. When required to update these, many continue to change a single digit on their old password, save passwords in their browsers or store them in company-provided password managers (built for consumer purposes) and call it a day. This is especially concerning as 52% of an organisation’s workforce has direct access to sensitive corporate data as a result of hybrid working. A designation once reserved for IT admins, “privileged users” could mean anyone now — an HR professional, finance manager, developer, third-party vendor — you name it.

Humans aren’t the only ones using passwords and credentials at work

According to our own research, non-human identities outnumber human identities by a factor of 45x. Of these machine identities, 68% have access to sensitive corporate data and assets.

As organisations accelerate to hybrid or multi-cloud environments, there are even more gaps that attackers can use as entry points.

Risky password practices are on the rise

Whether crunched for time, lacking cloud-specific technical skills, or feeling pressure from developers and cloud engineering teams, IT teams often overprovision cloud identity and access management (IAM) permissions. While this is much easier than trying to identify the proper least privilege access permissions for each identity, and helps to prevent productivity roadblocks, cyber attackers can exploit these unused or unnecessary privileges. As excessive cloud permissions pile up with every new IT or transformation initiative, risk exposure grows and cybersecurity debt accumulates.
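The overprovisioning described above is easy to spot mechanically once a policy is read as data. The following is an added example, not code from the article or from CyberArk: it audits a constructed IAM-style policy document (the AWS "Statement"/"Action"/"Resource" JSON shape is an assumption) for wildcard grants, and separately reports explicitly granted actions that never appear in a set of observed actions, which is the "unused privilege" case the paragraph warns about.

```python
"""Audit an IAM-style policy for over-provisioned permissions.

Added example; the policy below is constructed and the JSON shape
(AWS-style "Statement"/"Action"/"Resource") is an assumption, not
something taken from the article.
"""
import json

# Constructed sample policy: one tightly scoped statement, two broad ones,
# and a Deny that should not be flagged because it narrows access.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "ServiceWildcard", "Effect": "Allow",
         "Action": "iam:*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny",
         "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprovisioned(policy_json):
    """Return Allow statements that use wildcards, with the reasons.

    Deny statements are skipped: they can only remove access.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        if "*" in actions:
            reasons.append("allows every action")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("allows every action on a service")
        if "*" in resources:
            reasons.append("applies to every resource")
        if reasons:
            findings.append({"sid": stmt.get("Sid", "<unnamed>"),
                             "reasons": reasons})
    return findings


def unused_permissions(policy_json, observed_actions):
    """Explicitly granted actions never seen in use.

    observed_actions would normally come from access logs; here the
    caller passes a constructed set.  Wildcard grants are reported by
    find_overprovisioned instead, since they cannot be compared one-to-one.
    """
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        granted.update(a for a in _as_list(stmt.get("Action")) if "*" not in a)
    return granted - set(observed_actions)


if __name__ == "__main__":
    for f in find_overprovisioned(SAMPLE_POLICY):
        print(f"{f['sid']}: {', '.join(f['reasons'])}")
    # Constructed usage: only GetObject was ever exercised.
    print("unused:", sorted(unused_permissions(SAMPLE_POLICY, {"s3:GetObject"})))
```

Run as a script, the check names the two broad statements and reports `s3:ListBucket` as granted but unused; in practice the observed-action set would be built from cloud audit logs over a review window rather than typed in.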

The constant push to operate and deploy faster has also led to more embedded credentials and access keys in code. These credentials are rarely changed and often left exposed. When powerful credentials for enterprise security systems are embedded into scripts, the result can be disastrous, as seen in the Uber breach earlier this year. By compromising the credentials of a non-privileged user, the attacker was able to locate embedded admin credentials for Uber’s privileged access management (PAM) solution in a misconfigured network share — and in doing so, became a “privileged user” with access to the many powerful credentials stored inside. This emphasized the need for strong defence-in-depth layers surrounding credential vaults and other critical security systems.
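Embedded credentials of the kind described above can be caught before they reach a repository or a network share. The following added example (not code from the article or from any vendor product) scans a constructed script for two common tell-tales, a secret-looking variable assigned a quoted literal and the fixed shape of an AWS access key ID, and shows the hardened pattern beside it: a `load_secret()` helper (a hypothetical name) that reads the value from the runtime environment and fails loudly if it is missing.

```python
"""Spot credentials embedded in scripts, and the pattern that avoids them.

Added example; the script text, the regexes and load_secret() are all
constructed for illustration and are not part of the article or of any
vendor product.
"""
import os
import re

# Constructed sample script with two embedded secrets (fake values) and
# one correct lookup from the environment.
SAMPLE_SCRIPT = """\
#!/usr/bin/env python3
import os
DB_PASSWORD = "Sup3rSecret!"
aws_access_key_id = "AKIAEXAMPLEEXAMPLE12"
token = os.environ["API_TOKEN"]
connect(host="db.internal", password=DB_PASSWORD)
"""

# Order matters: findings are reported in this order per line.
PATTERNS = [
    # a variable whose name suggests a secret, assigned a quoted literal
    ("hardcoded-credential-assignment",
     re.compile(r"(?i)\b\w*(password|passwd|secret|api[_-]?key|key|token)\w*"
                r"\s*=\s*[\"']([^\"']{6,})[\"']")),
    # AWS access key IDs have a fixed, recognisable shape
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def find_embedded_credentials(source):
    """Return (line_number, kind) pairs for suspicious lines in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def load_secret(name, env=None):
    """Hardened alternative: read the secret at runtime, never from source.

    Fails loudly when the variable is absent so a missing secret is a
    deployment error rather than a silent fallback to a default.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not set in the environment")
    return value


if __name__ == "__main__":
    for lineno, kind in find_embedded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {kind}")
    # Constructed usage: the secret is injected by the runtime, not the code.
    print(load_secret("API_TOKEN", {"API_TOKEN": "example-value"}))
```

The line that reads `os.environ["API_TOKEN"]` is deliberately not flagged: the name looks like a secret but no literal value is present. Pattern-based scanning of this sort belongs in a pre-commit hook or CI step; it reduces the number of secrets that reach shared storage but does not replace rotating anything already exposed.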

IT security teams are drowning everywhere

An enterprise with 1,000 employees spends an estimated $495,000 annually on resolving password issues alone. Password resets are just the tip of the iceberg. IT security departments are struggling to defend against ransomware, software supply chain attacks and more as a lack of skilled workers continues to plague the industry. Ramifications include increasing workloads for existing team members, unfilled open jobs and high burnout rates.

Getting rid of passwords completely may seem like the solution to all of this, but the world is not quite ready. And traditional password managers and disparate Identity Access Management solutions weren’t built to protect and continuously manage the thousands (or tens of thousands) of identities within your enterprise — nor were they intended to reach across the data centre, hybrid, multi-cloud and SaaS environments.

How organisations can approach identity security

As identity-based threats continue to grow and passwords continue to fail, a broader approach to identity security is in order. It’s not just about stopping attackers from getting in anymore (though tools such as adaptive MFA should be used to understand context around the user and help strengthen authentication); it’s about making it very difficult for them to move around the network without raising red flags, and creating so much noise that they become easier to spot and block.

Leaders should invest in identity security frameworks that can take their password policies to the next level. These should be centred on privileged access management controls needed to secure any human or machine identity wherever it exists — not just those considered “privileged.” Each individual identity should be granted the exact level of access it needs to interact with applications, infrastructures and data — at just the right time — while encircled by continuous threat detection.
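"The exact level of access it needs, at just the right time" is usually implemented as time-bounded elevation: a grant is scoped to one identity, one action and one resource, expires on its own, and every decision is recorded so detection has something to work with. The following is an added example of that model, not code from the article or from any product; the `AccessBroker` class, the identities and the timings are all constructed.

```python
"""Just-in-time, least-privilege access grants with expiry.

Added example illustrating scoped, time-bounded elevation; the data
model and the sample identities are constructed and are not from the
article or any product.
"""
from datetime import datetime, timedelta, timezone


class AccessBroker:
    """Grants scoped permissions for a bounded window and logs every decision."""

    def __init__(self):
        # (identity, action, resource) -> expiry time
        self._grants = {}
        self.audit = []  # one entry per authorisation check

    def grant(self, identity, action, resource, now, ttl):
        """Elevate one identity to one action on one resource until now + ttl."""
        self._grants[(identity, action, resource)] = now + ttl

    def revoke(self, identity, action, resource):
        self._grants.pop((identity, action, resource), None)

    def is_authorised(self, identity, action, resource, now):
        """Decide one request and append the outcome to the audit trail."""
        key = (identity, action, resource)
        expiry = self._grants.get(key)
        if expiry is None:
            outcome = "deny-no-grant"
        elif now >= expiry:
            outcome = "deny-expired"
            # Expired grants are dropped so they cannot linger as standing privilege.
            del self._grants[key]
        else:
            outcome = "allow"
        self.audit.append((now.isoformat(), identity, action, resource, outcome))
        return outcome == "allow"

    def standing_privileges(self, now):
        """Grants still open at `now`: what a reviewer checks for sprawl."""
        return sorted(k for k, exp in self._grants.items() if exp > now)


def demo():
    """Constructed scenario: two short-lived grants, one of them overrun."""
    t0 = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    # An HR analyst gets one hour of read access to a payroll store; a CI
    # service account (a machine identity) gets fifteen minutes to write a build.
    broker.grant("hr-analyst", "read", "payroll-db", t0, timedelta(hours=1))
    broker.grant("ci-runner", "write", "artifact-bucket", t0, timedelta(minutes=15))
    decisions = [
        broker.is_authorised("hr-analyst", "read", "payroll-db", t0 + timedelta(minutes=30)),
        broker.is_authorised("hr-analyst", "write", "payroll-db", t0 + timedelta(minutes=30)),
        broker.is_authorised("ci-runner", "write", "artifact-bucket", t0 + timedelta(minutes=20)),
        broker.is_authorised("hr-analyst", "read", "payroll-db", t0 + timedelta(minutes=61)),
    ]
    return {
        "decisions": decisions,
        "outcomes": [entry[-1] for entry in broker.audit],
        "standing": broker.standing_privileges(t0 + timedelta(minutes=61)),
    }


if __name__ == "__main__":
    result = demo()
    for decision, outcome in zip(result["decisions"], result["outcomes"]):
        print(decision, outcome)
    print("standing privileges after the window:", result["standing"])
```

The write attempt by the analyst and the late write by the CI runner are both denied, and once both windows have passed nothing is left standing; the `deny-expired` entries in the audit trail are exactly the signal a detection rule would key on, since an identity still trying to use access after its window is worth a look.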

The future of identity security

As cyberattacks become more frequent and sophisticated heading into 2023, storing and managing credentials securely will become a major priority for businesses. To survive and continue to grow in this expanding threat landscape, it is vital that businesses protect themselves by deploying an identity security strategy that empowers the team to do more, block more attacks and enable more innovation.
