Muhammad Yahya Patel (Mo) is a highly acclaimed Security Engineer and member of the Check Point Office of the CTO. Mo has over 10 years of experience in cyber security, ISP field & operations and ICT. Before joining Check Point, he worked as a Security Consultant, designing and implementing security solutions for private and public sector organizations including the UK’s National Health Service. He is a trusted advisor amongst some of the UK’s top VARs and works closely with C-levels on strategy and security challenges.
In this timely and informative interview, Security Engineer Muhammad Yahya Patel discusses what executives need to know about password theft and credential exposure, how organizations can strengthen their password security protocols, and actionable steps that organizations can implement immediately.
Passwords seem pedestrian. Why are password theft and credential exposure executive-level issues?
You could say that passwords are the keys to the kingdom. Executives should know that when attackers get ahold of credentials, it places everything at risk. Credential theft could enable hackers to access the most sensitive and critical data owned by an organization, which could ultimately cost an organization financially, result in reputational damage, and prompt consumers to lose trust in the firm.
Attacker access to credentials and accounts can also result in executive impersonation attacks. These are a major problem, as attackers may deliberately impersonate executives to cajole employees into divulging company information or into making payments to fake supplier companies (a.k.a. attackers’ bank accounts).
Lastly, if privileged credentials were to be accessed and used by an attacker, this could be very dangerous. In an extreme scenario, an attacker with privileged credentials and account access may be able to completely wipe all online presence of an organization.
How can executives address password hygiene and identity management?
Executives need to enact and enforce good practices. Understand that people now have “password overload” due to the sheer number of online services and corporate applications, both work-related and personal. Add in the requirements of password complexity and not being able to use a previous password — the human mind will adopt the path of least resistance, and we can expect poor practices as a response to this.
The key is to reduce the high risks associated with passwords. What I mean by this is that organizations should adopt other authentication mechanisms and reduce the password overload. You may combine multiple account protection solutions, which will lower the risk of credential theft or account takeover, and at the same time, will also help improve the overall security posture in your organization.
How do passwordless logins, such as SSO, boost security?
SSO is one such solution that has become more integrated and easily connected to many corporate applications and services. This solution negates the need for several different passwords, as SSO means that employees will use a single set of credentials to access the necessary apps and services. Yes, there is a risk, but combine SSO with multi-factor authentication and you add a second layer of protection.
Would you be able to recommend actionable steps that companies can take to address the widespread problem of insecure passwords and credential exposure?
Conduct an evaluation to determine if a password manager would be appropriate for your organization. Password managers have several benefits. They allow your employees to securely store passwords, generate unique passwords and they can auto-complete passwords on websites. I’m sure you’re already thinking that this could be the answer you were looking for.
Implement an account monitoring solution. You need to know if an account is compromised or if an account was targeted in an attack. Make sure steps are taken to review the default account settings, so that you can turn on features like locking an account after certain attempts. You don’t want an attacker to have unlimited time and an unlimited number of login attempts, allowing them to force their way into your organization.
At present, we see that credential theft largely occurs via phishing attacks. What organizations should be questioning first is ‘how did my email security allow this phishing email through?’ ‘Is it effective at blocking and preventing these carefully crafted emails?’ If not, then you need to invest in technology that will stop such attacks from reaching the mailboxes. The second step is to look at technology that actually prevents a user from inputting their credentials into a phishing website. The solutions exist, so it’s a matter of investment and adoption.