Recent WHO and ZOOM data breaches prove the need for passwordless IT
Cyberattacks are on the rise once again. High-profile targets like the World Health Organization (WHO) and their top officials are a lucrative target for hackers. Also, hackers got hold of 500,000 Zoom user passwords.
“This is unprecedented for everyone here. We’re doing what we can to mitigate it” is a direct quote from WHO’s chief information officer (CIO), Bernardo Mariano. He also stated that they have doubled the size of the security team and are increasing collaboration with security vendors. All commendable actions by the organization.
Passwords and credentials are a huge problem
In this case it turns out that the WHO security systems were not compromised per se. Yet Australian cybersecurity expert Robert Potter was able to get hold of a list of leaked WHO credentials and said he was able to verify that the WHO email addresses and passwords were real.
How is this possible? The answer is simple: many WHO employees were using their company credentials to create accounts on other services, outside the WHO ecosystem or the organization’s security perimeter.
The same is true for the Zoom case. “Bear in mind as well that these credentials were not from any breach at Zoom itself, but rather just broad collections of stolen, recycled passwords.”
Potter also calls the WHO’s password security ‘appalling’, citing examples like 48 instances of ‘password’, ‘changeme’, or even their first names. He said the exposed login information seemed to have originated from a hack in 2016.
To summarize these two cases:
- Impossibly weak passwords like ‘password’ are STILL being used in real life
- They are getting re-used elsewhere, along with other company credentials
- Passwords are not very often changed
We’ve quoted this before but it bears repeating: the Verizon Data Breach Investigations Report indicates that 80% of hacking-related breaches are still tied to passwords. How to go forward, then?
Will managing passwords better or enforcing stricter policies really help?
The short answer: not really. We believe it’s time to acknowledge a few points:
- You really cannot control how people behave outside your company, no matter what your policies state on paper
- If you make your processes too complicated or inconvenient, people will find ways to bypass your controls or ignore your policies
- Blaming the users will only get you so far. It’s also an excuse. It is our job in the security industry to make the tools both secure and easy to use. Read how we have defended ‘the dumb users’
- What is happening in general is happening in ‘hardcore’ IT as well. Read more about how professional IT users bypass security controls like Privileged Access Management (PAM).
- There are no security perimeters in the traditional sense of the word; your security perimeter is defined every time access is made. This is particularly true now that more people are working remotely.
Stop worrying about passwords & start implementing passwordless IT!
We believe it is time to stop perpetuating the password problem: it only increases our unhealthy obsession and dependency on them and makes us password-a-holics. The same goes for credentials in general.
Managing access is more critical than managing passwords or credentials.
Basically, you can define two user groups accessing your systems: regular business users and privileged users (IT professionals).
See how we can help you with both user groups:
- How to set up secure remote access for employees working from home
- Make remote work fast & secure for admins, devs and IT subcontractors
Our recommendation, if you need to prioritize: start with your IT teams, since they have access to the beating heart of your digital business and operations. They should go passwordless and credentialess ASAP.
We are not alone on this. For example, Microsoft now recommends passwordless strategies. Gartner has also stated that ‘standing privileges’ are a risk – even when stored or vaulted in their report ‘Remove Standing Privileges Through a Just-In-Time PAM Approach’.
There are also (in)famous cases where privileged credentials were involved, like the Snowden case, the Sony breach or when a disgruntled ex-employee shut down the entire North American Citibank network in 2 minutes.
Just-in-time (JIT) credentialess and passwordless access is the new way
Our solution, PrivX, can offer you a more modern and secure approach where:
- No one has permanent access to any target, but each session is validated and authorized every time it is made.
- No one accessing your critical IT infrastructure handles any credentials, or sees any secrets at any point of the process.
- There are no leave-behind credentials for hackers to harvest or misuse in your IT environment or target servers.
- There’s no need to worry that subcontractors walk away with your precious credentials, because they never ‘existed’ in the first place.
- There’s no need to waste time on password policies or resetting forgotten passwords, which cost time and money – and don’t really work.
Instead, you can get:
- Secure remote access: on-demand access without passwords and with short-lived, ephemeral certificates that the user never sees or handles
- Zero leave-behind credentials or passwords: certificates that are automatically created just-in-time (JIT) when the user establishes the session and are automatically deleted after establishing the connection (in 5 minutes)
- Minimized need for training: an easy and centralized web UI for single sign-on (SSO) access
- Maximized integration: a best-of-breed solution that leverages your existing tool stack, like your identity and access management (IAM) solutions, Active Directory (AD) and security information and event management (SIEM)
- Automated off-boarding: any changes in identities and authorities are automatically reflected in access rights and roles. Example: remove a developer from your Active Directory, and that person’s session to the target host is disconnected automatically in less than a minute.
- Mitigated risk: aligned with the Zero Trust framework and Gartner’s just-in-time (JIT) and zero standing privileges approach to mitigate the risk of credential harvesting or privilege abuse
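To make the just-in-time, zero-standing-privileges model above concrete, here is a small added illustration written for this post; it is not PrivX code and does not show how PrivX is implemented. It models an access broker that checks a directory on every session request, issues a short-lived (5-minute) credential bound to one target host, and re-checks the directory on every use, so a user removed from the directory loses access immediately. The directory, the role-to-host policy, the user and host names, and the HMAC-signed token format are all constructed for the example; a real deployment would use certificates signed by a CA rather than an HMAC token.

```python
"""Just-in-time, short-lived, host-bound access credentials (illustrative model)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TTL_SECONDS = 300  # credential lifetime: 5 minutes, matching the post


class AccessBroker:
    """Grants per-session credentials; nothing is handed out permanently."""

    def __init__(self, directory, policy, now=time.time):
        # Signing secret stays inside the broker; users never see it.
        self._key = secrets.token_bytes(32)
        self.directory = directory  # constructed: user -> set of roles
        self.policy = policy        # constructed: role -> set of hosts
        self.now = now              # injectable clock for deterministic tests

    def authorize(self, user, host):
        """Decide access from the directory *right now*; no cached grants."""
        roles = self.directory.get(user)
        if roles is None:
            return False  # off-boarded or unknown user
        return any(host in self.policy.get(role, ()) for role in roles)

    def issue(self, user, host):
        """Create a credential only after authorization; it expires on its own."""
        if not self.authorize(user, host):
            raise PermissionError(f"{user} is not authorized for {host}")
        issued = int(self.now())
        claims = {"sub": user, "host": host, "iat": issued,
                  "exp": issued + TTL_SECONDS, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + b"." + base64.urlsafe_b64encode(sig)

    def verify(self, token, host):
        """Accept the credential only if untampered, unexpired, host-bound,
        and the user is still authorized in the directory."""
        try:
            body, sig = token.split(b".")
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return False
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, KeyError):
            return False
        if claims["host"] != host:
            return False
        if self.now() >= claims["exp"]:
            return False
        return self.authorize(claims["sub"], host)


def run_demo():
    """Walk through issuance, host binding, expiry and automated off-boarding."""
    clock = [1_000_000.0]                      # constructed fake clock
    directory = {"alice": {"dba"}, "bob": {"web"}}   # constructed directory
    policy = {"dba": {"db01"}, "web": {"web01"}}     # constructed policy
    broker = AccessBroker(directory, policy, now=lambda: clock[0])

    results = {}
    token = broker.issue("alice", "db01")
    results["fresh_token_accepted"] = broker.verify(token, "db01")
    results["other_host_rejected"] = broker.verify(token, "web01")
    tampered = token[:-8] + b"AAAAAAAA"          # flip the signature tail
    results["tampered_rejected"] = broker.verify(tampered, "db01")
    try:
        broker.issue("bob", "db01")              # bob's role has no db01 access
        results["unauthorized_issue_blocked"] = False
    except PermissionError:
        results["unauthorized_issue_blocked"] = True
    del directory["alice"]                       # off-boarding in the directory
    results["offboarded_rejected"] = broker.verify(token, "db01")
    directory["alice"] = {"dba"}                 # restore to test expiry alone
    clock[0] += TTL_SECONDS + 1
    results["expired_rejected"] = broker.verify(token, "db01")
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The two properties worth noticing are that `issue` never writes the credential anywhere the user could harvest it later, and that `verify` consults the directory on every use rather than trusting the credential alone, which is what makes a directory change take effect without a revocation list.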
These are just some of the security benefits of our PrivX solution. It is a quick-to-implement and scalable just-in-time privileged access management (JIT-PAM) solution for establishing secure remote access to hosts, network devices or web applications and managing third-party access.
Learn more about the product that is a great alternative to VPNs or jump hosts, can be set up remotely and requires virtually no maintenance.
Or see how it works below:
You can also sign up for the PrivX test drive to play in your own PrivX sandbox in a browser or contact us here to request a demo.
Stay safe!
Jani Virkkula
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...