Sridhar Iyengar, Vice President – Product Management, ManageEngine shares his views on Password Management
In 2004, former Microsoft Chairman Bill Gates predicted the death of passwords; in 2006, Bill Gates said that the end of passwords was in sight. Not just him, there have been endless debates on why passwords are not safe enough. With high profile security breaches involving stolen identities, attacks on financial institutions, among others, it’s no wonder talk of password replacement captures interest.
There is no doubt that remembering a dozen passwords is impossible, storing passwords invites trouble, and managing them manually is a pain. However, the alternatives to passwords are not safe either!
Alternatives to passwords like biometric authentication, iris authentication, facial authentication, etc., have been cracked even before they could be adopted widely. A few years ago, a group of researchers hacked faces in biometric facial authentication systems by using phony photos of legitimate users.
Q. How crucial is online security?
Ans: In today’s environment where all businesses are IT-enabled, the information in these systems needs to be highly secure and accessed by authorized personnel only. In the backdrop of high profile cyber-attacks, even the mightiest of enterprises and governments across the globe are worried about online security. Not even a single day passes without a story about a hack or a compromise or identity thefts involving data related to millions of users, with the result that cyber-attacks have truly emerged as an international crisis.
Q. What are the security loopholes in online security?
Ans: An analysis of some of the biggest breaches in 2013 reveals that the threat landscape is rapidly evolving with Advanced Persistent Threats (APT) leading the way. Though there are numerous loopholes, lack of proper access controls, password management and log reviews are found to cause the majority of cyber-attacks.
The hackers’ predominant activities include spreading malware infections, siphoning of login credentials and denial of service attacks that disrupt service to legitimate users. The traditional security attack channels include viruses, keylogger trojans and cross-site scripting. The Trojans monitor keystrokes, log them to a file and send them to remote attackers. Scripting, on the other hand, enables malicious attackers to inject client-side script into web pages viewed by other users and exploit the information to bypass access controls.
Perimeter security software and traffic analysis solutions help in combating traditional attack vectors. However, hackers are starting to change their modus operandi. Cyber-criminals are now siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers, and Remote Access Trojans (RATs).
Once the login credentials of an employee or an administrative password of a sensitive IT resource is compromised, the institution will become a paradise for the hacker. The criminal is then able to initiate unauthorized wire transfers, view the transactions of customers, download customer information, erase details (as happened in the ATM heist) or carry out sabotage.
However, the situation becomes grave if a stolen password has also been used to access a variety of applications and websites. Nowadays, it is quite common for employees to use the same login credentials for multiple sites – social media, banking, brokerage and other business accounts. If the password gets exposed in any of the sites, in all probability, hackers would be able to easily gain access to all your other accounts too.
Q. What are the major security concerns associated with online security?
Ans: Perhaps, the biggest security concern today is ‘insider threats’, meaning the biggest threat to the information security of your enterprise might originate from within your organization. The reputation of some of the world’s mightiest organizations has been shattered in the past by a handful of malicious insiders, including disgruntled or sacked employees.
In most of the reported cyber-sabotages, misuse of Privileged Access to critical IT infrastructure has served as the ‘hacking channel’ for the malicious insiders to wreak havoc on the confidentiality, integrity and availability of the organization’s information systems, resulting in loss of funds and credibility. In government agencies, insider threats might even result in jeopardizing the security of the Nation.
Administrative passwords, system default accounts and hard-coded credentials in scripts and applications have all found themselves in the cyber criminal’s sights. Lack of internal controls, access restrictions, centralized management, accountability, strong policies and to cap it all, haphazard style of privileged password storage and management makes the organization vulnerable to malicious attackers.
Q. How do you rate the awareness of users regarding online security?
Ans: Awareness of online security has always been high; but organizations lack mechanisms to enforce the measures that help bolster security.
Q. Nowadays biometric authentication, iris authentication, facial authentication, etc. have been cracked, so please tell our readers the best way to manage passwords?
Ans: Although some of these mechanisms are emerging technologies or used in certain top-security facilities, most of them have not yet found their way into mainstream security systems to replace traditional passwords. It will take some time for that to happen, but for now, a viable replacement for traditional passwords is not in sight. That means passwords are going to be around for a while.
Passwords are commonly perceived to be not secure and a burden. While worrying over the pain points, we overlook the actual problem. The actual problem is not the passwords themselves, but poor password management.
Unable to remember strong passwords, users tend to use and reuse simple passwords everywhere. They store passwords in text files and spreadsheets, share credentials among team members, and reveal secure login details in emails and by word of mouth. Real access controls do not exist and passwords to sensitive resources and applications remain unchanged for ages. Such insecure password management practices invite security issues and other problems.
While the research is on to find an alternative to passwords, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.
Q. What is the right way to secure online data?
Ans: Combating sophisticated cyber-attacks demands a multi-pronged strategy incorporating a complex set of activities. These include deploying security devices, enforcing security policies, controlling access to resources, monitoring events, analyzing logs, detecting vulnerabilities, managing patches, tracking changes, meeting compliance regulations, monitoring traffic and more.
Of all the combat measures, bolstering internal controls should be prioritized in light of recent high profile attacks. Access to IT resources and digital company assets should align with an employee’s position and needs. A one-size-fits-all approach to access controls just doesn’t cut it in this day and age. In addition, there should be a clear trail identifying ‘who’ accessed ‘what’ and when’. Password sharing needs to be regulated and a well-established company policy should be in place for releasing passwords which grant access to sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.
An effective way to bolster internal controls is automating the entire life cycle of Privileged Access Management (PAM), which enforces company-wide best practice. Privileged Password Managers like ManageEngine’s Password Manager Pro replace manual administration tasks and assist in securely storing the privileged identities in a centralized vault, selectively sharing passwords, enforcing policies and above all restricting access to the identities. Enterprise class password managers offer advanced protection to IT resources by helping to establish access controls to IT infrastructure; this enables seamless recording and monitoring of all user actions during privileged sessions, to provide complete visibility of privileged access. Password Managers also eliminate the problem of ‘password reuse’. Users can protect their online identities by using a unique password for every application or website, without the need to remember every one.
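The policy checks a centralized vault is expected to enforce (unique passwords, rotation, strength, and a trail of who accessed what and when, as described in the two answers above) can be expressed as a small audit over the vault's records. The following is an added, stdlib-only Python example written for this article; it is not code from ManageEngine or Password Manager Pro, and the inventory and access log it uses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from hashlib import sha256

# Constructed inventory: one record per stored credential (sample data, not real).
VAULT = [
    {"resource": "db-prod", "owner": "alice", "secret": "Winter2013!", "changed": "2013-01-10"},
    {"resource": "bank-portal", "owner": "alice", "secret": "Winter2013!", "changed": "2014-02-01"},
    {"resource": "router-core", "owner": "bob", "secret": "x7#Lq9!vRt2@pW", "changed": "2014-03-15"},
    {"resource": "backup-svc", "owner": "svc", "secret": "admin", "changed": "2012-06-01"},
]

# Constructed access trail: (timestamp, user, resource) for each secret retrieval.
ACCESS_LOG = [
    ("2014-03-20T09:15:00", "alice", "db-prod"),
    ("2014-03-20T22:40:00", "bob", "db-prod"),
]

NOW = datetime(2014, 4, 1)          # fixed "today" so results are reproducible
MAX_AGE = timedelta(days=90)        # rotation policy: change privileged passwords every 90 days

def fingerprint(secret):
    # Compare hashes, so the reuse check never needs to pass plaintext around.
    return sha256(secret.encode()).hexdigest()

def reused_secrets(vault=VAULT):
    """Groups of resources sharing one secret: the 'same password everywhere' problem."""
    by_hash = defaultdict(list)
    for e in vault:
        by_hash[fingerprint(e["secret"])].append(e["resource"])
    return sorted(group for group in by_hash.values() if len(group) > 1)

def stale_secrets(vault=VAULT, now=NOW, max_age=MAX_AGE):
    """Resources whose password has not been rotated within max_age."""
    return sorted(e["resource"] for e in vault
                  if now - datetime.strptime(e["changed"], "%Y-%m-%d") > max_age)

def weak_secrets(vault=VAULT, min_len=12):
    """Resources whose password fails a length / character-class policy."""
    def weak(s):
        classes = (any(c.islower() for c in s) + any(c.isupper() for c in s)
                   + any(c.isdigit() for c in s) + any(not c.isalnum() for c in s))
        return len(s) < min_len or classes < 3
    return sorted(e["resource"] for e in vault if weak(e["secret"]))

def access_by_non_owner(vault=VAULT, log=ACCESS_LOG):
    """'Who accessed what and when' entries where the user is not the record's owner."""
    owner = {e["resource"]: e["owner"] for e in vault}
    return [(ts, user, res) for ts, user, res in log if owner.get(res) != user]
```

Each function returns the offending resources or log entries, so the same checks can feed a scheduled report or a release-approval workflow for shared privileged passwords.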
Q. Message to community
Ans: Define good security policies & guidelines, audit them from time to time to verify effectiveness and use tools and products to enforce them.
© Technuter.com News Service