Each week we hear new reports of mega data breaches, and more often than not, compromised passwords are involved.[1] By at least one report, the number of compromised records skyrocketed past 6 billion in the first half of 2017,[2] a 6x increase from 2016.
With the scope and frequency of data breaches increasingly and steadily on the rise, data privacy, critical infrastructure and democracy itself are in peril. But governments and organizations don’t have to remain ignorant or unprotected.
As security professionals, we tend to sit back and predict the Pearl Harbor of data breaches – some argue that it has already happened – and we lose sight of the possibility that our country may suffer a slow death by “1000 Data Breaches” and not from a single Pearl Harbor-like event.
Government doesn’t have to be hacked to be vulnerable
In April 2015, highly sensitive data was stolen on 21.5 million past and current federal employees. Hackers gained access by stealing credentials and planting malware that further infected systems. Due to the sensitive nature of the information that was leaked, hundreds if not thousands of future leaders could be impersonated, bribed or blackmailed into revealing more sensitive information or decisions with detrimental national consequences.
Additionally, the federal government doesn’t have to suffer a direct data breach to be vulnerable. Third parties providing services to federal agencies have been and will continue to be a source of risk to national security. Several online reports indicate that the recent Deloitte data breach compromised servers used by the Pentagon, DHS, State and Energy departments. It is also widely reported that Deloitte did not use multi-factor authentication (MFA) and that an administrator account with a compromised password was used during the attack.[3]
If one thing is clear from recent data breaches, it’s that compromised passwords continue to be a real and present danger to “big 4” advisory and audit firms and to federal agencies by association. Compromised passwords are a vast attack vector to these agencies (and to the government) as seen by the number of them in the following table.[4]
Success requires reinvention
MFA is not reinvention. It’s been around a while, although many companies talk about it in their marketing literature as if it’s the next best thing since the iPhone. We must imagine a future in a post-MFA world, with a multi-dimensional strong authentication strategy and where a state of breach is assumed.
The best solution is the one you have…that works. MFA was of little to no value to OPM and Deloitte in preventing a data breach which leaked the sensitive data and secrets of the U.S. government. MFA is not and can never be deployed everywhere – or on by default – which leaves systems and data vulnerable. MFA must be complemented by the scale and capabilities of a compromised credential monitoring and verification service to thwart attackers and minimize the risk of devastating data breaches.
- Credential monitoring and verification can prevent data breaches and make people’s lives better.
- Credential monitoring and verification can slow attackers’ attempts to infiltrate our government and steal our secrets.
- Credential monitoring and verification can prevent data breaches from ever happening via weak or compromised passwords, which is the leading cause of confirmed data breaches.
Updates to NIST 800-63B in July recommend that federal agencies check all new passwords against a database of “breach corpuses,” but I don’t think the language is explicit or strong enough. These should become mandatory access controls, not optional, and should be required for any 3rd parties who do business with a government agency and any organization that takes data privacy and security seriously.
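The breach-corpus check described above, as an added example that is not code from the original post or from VeriClouds: a prospective password is normalized, hashed locally, and rejected if its hash appears in a corpus of known-compromised values. The corpus is a constructed sample, and the prefix-indexed lookup (only a short hash prefix leaves the client) is an assumed design, not something the post specifies.

```python
"""Screen a prospective memorized secret against a breach corpus (added example)."""
import hashlib
import unicodedata

# Constructed sample corpus: SHA-1 hex digests of a few well-known weak
# passwords. A real corpus holds hundreds of millions of entries.
_SAMPLE_CORPUS = [
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Password1")
]

# Assumed layout: index the corpus by a 5-hex-character prefix so a client
# can query a prefix and match the remaining suffix locally, never sending
# the full hash or the plaintext to the lookup service.
PREFIX_LEN = 5
_INDEX = {}
for digest in _SAMPLE_CORPUS:
    _INDEX.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])


def lookup_range(prefix):
    """Lookup-service side: return all hash suffixes sharing this prefix."""
    return _INDEX.get(prefix.upper(), set())


def is_compromised(password, range_lookup=lookup_range):
    """Client side: normalize (NFKC, as 800-63B suggests), hash, match suffix."""
    normalized = unicodedata.normalize("NFKC", password)
    digest = hashlib.sha1(normalized.encode("utf-8")).hexdigest().upper()
    return digest[PREFIX_LEN:] in range_lookup(digest[:PREFIX_LEN])


def vet_new_password(password):
    """Return (accepted, reason) for a prospective user-chosen password."""
    if len(password) < 8:  # 800-63B minimum length for user-chosen secrets
        return False, "too short"
    if is_compromised(password):
        return False, "found in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery", "Password1"):
        print(candidate, vet_new_password(candidate))
```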
Automate or Bust
In Only The Paranoid Survive, Andy Grove wrote that “In technology, whatever can be done will be done.” Weak and compromised passwords can and will continue to be used as cyber weapons against citizens, governments and their most sensitive secrets, critical infrastructure and assets. Therefore, if we know the weapons and tactics that the attacker will use in advance, doesn’t it make sense to engage in the battle using the same tools and tactics?
“The technology for automation today can mitigate the risks of stolen credentials, but requires changes in process and the implementation of technology to replace humans,” says Philip Lieberman, President of Lieberman Software. “The day of relying on humans to manage the lifetimes of privileged passwords is long gone. Humans are very poor at finding and managing privileged identities, and the only effective solution is automation.”
Just as Intel transformed from a memory manufacturer into a CPU manufacturer in the 1990s, governments and organizations must transform from being victims of weak or compromised credentials to dominating them, automating the turning of insights about compromised credentials into real-time decision making and policy enforcement.
[1] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
[2] https://www.helpnetsecurity.com/2017/07/25/data-breaches-2017/
[3] https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government
[4] Compromised passwords reported by the VeriClouds CredMonitor service, https://www.vericlouds.com/credentials-monitoring/