Operations //

Identity & Access Management

11/7/2018
02:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why Password Management and Security Strategies Fall Short

Researchers say companies need to rethink their password training and take a more holistic approach to security.

Industry researchers have grown concerned that security pros are making it too easy for hackers to prey on people.

One says that companies need to make password management easier, while the other emphasizes a defense-in-depth approach that includes both technology and training, thereby putting less of a burden on humans.

David Jacoby, a senior security researcher at Kaspersky Lab, found in his firm's study that for less than $50, a criminal can buy a person's full digital identity. This includes personal data stolen from social media and bank accounts, gaming websites, and streaming media accounts.

Most of the data thefts are executed via spear-phishing or by exploiting security vulnerabilities in a Web application, Jacoby says. After a successful attack, the criminal will obtain a password dump, which contains a combination of email addresses and passwords for the hacked service. Because so many people use the same password for multiple accounts, attackers can also use this information to access accounts on other platforms.

"One of the big problems is that people tend to reuse passwords," Jacoby says. "I think we've not done a good job training users how to develop their passwords."

The industry, he says, stresses a technical solution, such as password managers, but the tools aren't always easy for people to use. While Jacoby does recommend using a password manager and better security software for those who can manage them, for most people the best passwords are phrases unique to them, followed by a punctuation mark, then a unique identifier, he says.

So multiple passwords could look something like this:

  • Facebook: Ilikecars!friends
  • Netflix: Ilikecars!movies
  • PayPal: Ilikecars!money

By making their passwords unique and related to specific services, most people should be able to remember them, Jacoby says. He also recommends that people search a resource such as haveIbeenpwned.com to check whether sites they have accounts with have been compromised.

"If you do a search and find that one of your accounts has been hacked, don't panic,” Jacoby advises. "All you can do is move forward. Start by changing your passwords on the compromised sites, and slowly shift to either a password manager or the system I've recommended based on unique identifiers.”

Dylan Tweney, head of the research program at Valimail, adds that while more effective password management makes sense, too often security pros blame users for all their problems.

Tweney points to recent Valimail research, which found that when it came to detecting fraudulent emails, there was virtually no difference between the scores of those who received anti-phishing training compared with those who didn't. Out of 11 emails, those who received the training identified 4.98 and those who didn't spotted 4.97.

Valimail recommends a more balanced approach that includes training, email authentication, deploying secure email gateways, and making sure spam filters are current.

"The idea is to not make humans the front line of defense," Tweney explains. "By taking on a more defense-in-depth approach, the burden on the humans is less, so there's a better chance that when emails do get through, the users will be able to detect them because they won't be overwhelmed."

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hucklesinthedark
50%
50%
hucklesinthedark,
User Rank: Author
11/8/2018 | 10:21:44 PM
Technical Failures
I like to say that if a user is able to violate an information security policy, be it accidentally or purposefully, then there was a technical control that either failed or was missing entirely. Users shouldn't technically be capable of violating policy. Granted, I say this in partial jest sometimes, but there is also some seriousness to it. Relying on fallible humans will inevitably result in failures. So when you say that the idea is to NOT make humans the front line of defense, I whole-heartedly support that.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19326
PUBLISHED: 2018-11-17
Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd.
CVE-2018-19274
PUBLISHED: 2018-11-17
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
CVE-2018-19324
PUBLISHED: 2018-11-17
kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI.
CVE-2018-15769
PUBLISHED: 2018-11-16
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is...
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...