Passwords are not Treated as Critical to Cyber Security
October 9, 2014 | Security and Risk | John Worrall
By John Worrall
Over the past year, the password has taken center stage as a critical cyber security problem, illustrated by the Gmail hack, cracking iCloud security and countless others. In response, numerous opinions have been expressed over ways to stop this from happening, including our own.
Yet, organizations continue to allow employees to select their own passwords for corporate assets. Does this mean credentials are not a critical piece of the cyber security strategy? Employees are not expected to manage other key security processes, such as installing antivirus, monitoring updates, reviewing vulnerability reports, etc., yet passwords are ok for employees to own?
Some passwords are far more powerful than others – such as those for privileged accounts – and these absolutely need to be considered a critical cyber security matter rather than simply another password for IT staffers to manage.
The best policy for organizations is to simply not allow employees to set their privileged credentials to begin with. Using a dedicated enterprise password management solution can prevents users from ever knowing the privileged credentials or even having to type anything in, while still giving them the immediate access business requires. Why is it important to eliminate typing in a password?
At this year’s Black Hat Conference, researchers from the University of Massachusetts Lowell demonstrated a new twist to an old conman skill – demonstrating how to intercept passwords visually, without hacking anything. This is a must read!
Using an ATM interaction, the researchers used multiple cameras independently, including Google Glass, web cameras, smartphone cameras and even smartwatches to record the user’s hand and finger motions as they entered their PIN. The cameras couldn’t see the keys, just the hand movements. This movement was then mapped over an image of a soft keyboard and voila! The PIN was stolen without malware, a skimmer, exploiting a zero-day or any other breach.
Cameras are as ubiquitous today as laptops and both are commonly used in the same location. Think about the last time you logged into your work laptop at an airport. How many people did you notice taking photos or videos? How about the coffee shop you last logged in at? In the world of advanced threats where employees are targeted as an easy way to access a network, making sure passwords are treated as a critical security matter is a smart move.
For more information on how your company can secure its privileged passwords and credentials and prevent unwanted access into critical assets, check out our Enterprise Password Vault and Privileged Session Manager products.