Why Strong Passwords Alone Won’t Stop Identity-Based Attacks

October 12, 2022 David Higgins

Passwords Need Defense-in-Depth Identity Security

You can buy almost anything online without leaving the couch now. Need groceries? Check. A holiday? Check. Even a new car? It will magically appear in your driveway — no haggling required! Unfortunately, purchasing stolen credentials has become just as simple. In a market where remote desktop protocol (RDP) access can be bought for under $10, both novice fraudsters and sophisticated attackers are snatching up passwords and usernames in bulk.

With lengthy lists of passwords at their disposal, cybercriminals rarely need to flex their creative muscles. Plain old credential stuffing will open a door to an enterprise environment. If it doesn’t, an automated brute-force attack to guess and test username/password variations at scale is a solid backup plan. Of course, some attackers go the extra mile to trick cautious workforce users into giving up their strong passwords with novel phishing and social engineering techniques like those seen lately.

No matter how strong your organization’s password policies and awareness efforts are, they won’t be enough to defend your organization against identity-based attacks on their own.

Here’s why strong passwords are not enough:

Workers know strong passwords are important. They just can’t keep up. 

  • The average staff member accesses more than 30 applications and accounts at work (and roughly 55 others at home). Requiring users to repeatedly authenticate themselves to systems and applications — and to maintain multiple complex passwords — has become too much. So, people continue to change a single digit on their old password when required, save passwords in their browsers or store them in company-provided password managers (built for consumer purposes) and call it a day.
  • Fifty-two percent of an organization’s workforce has direct access to sensitive corporate data. A designation once reserved for IT admins, “privileged users” could mean anyone now — an HR professional, finance manager, developer, third-party vendor — you name it.

Humans aren’t the only ones using passwords and credentials at work.

  • Non-human identities outnumber human identities by a factor of 45x. Yes, you read that correctly.
  • Of these machine identities, 68% have access to sensitive corporate data and assets.
  • As organizations accelerate to hybrid or multi-cloud environments, there are even more gaps (read: human and machine identities) that attackers can use as entry points.

Embedding credentials, overprovisioning cloud permissions and other risky password practices are on the rise.

  • Whether they’re crunched for time, lacking cloud-specific technical skills or feeling pressure from developers and cloud engineering teams, IT teams often overprovision cloud identity and access management (IAM) permissions — giving identities more privileges than they need — in the name of productivity. As excessive cloud permissions pile up with every new IT or transformation initiative, risk exposure grows and cybersecurity debt accumulates.
  • The constant push to operate and deploy faster has also led to more embedded (or hardcoded) credentials and access keys in code. These credentials are rarely (if ever) changed and often left exposed. When powerful credentials for enterprise security systems are embedded into scripts, the result can be disastrous, as seen in the recent Uber breach. By compromising the credentials of a non-privileged user, the attacker was able to locate embedded admin credentials for Uber’s privileged access management (PAM) solution in a misconfigured network share — and in doing so, became a “privileged user” with access to the many powerful credentials stored inside. This emphasized the need for strong defense-in-depth layers surrounding credential vaults and other critical security systems.

IT security teams like yours are drowning everywhere.

  • An enterprise of 1,000 employees spends an estimated $495,000 annually on resolving password issues alone.
  • Password resets are just the tip of the iceberg. IT security departments are struggling to defend against ransomware, software supply chain attacks and more as a lack of skilled workers continues to plague the industry. According to ISSA research, ramifications include increasing workloads for existing team members (62%), unfilled open jobs (38%) and high burnout rates (38%). The U.S. Bureau of Labor Statistics estimates demand for cybersecurity employees will surge 33% from 2020 to 2030. Many of these openings will be from workers transferring out of the profession or exiting the labor force.

Getting rid of passwords completely may seem like the solution to all of this, but the world is not there yet (though decentralized identity on the blockchain and other technology advancements show promise). And traditional password managers and disparate IAM solutions weren’t built to protect and continuously manage the thousands (or tens of thousands) of identities within your enterprise — nor were they intended to reach across the data center, hybrid, multi-cloud and SaaS environments.

As identity-based threats continue to grow and passwords continue to fail, a broader approach is in order. It’s not so much about stopping attackers from getting in anymore; it’s about making it very difficult for them to move around the network without raising red flags and creating so much noise that they become easier to spot and block.

A defense-in-depth Identity Security framework can help take your strong password policies to the next level and move you closer to zero trust. Centered on privileged access management, Identity Security provides the intelligent controls needed to secure any human or machine identity wherever it exists — not just those considered “privileged.” Each individual identity is granted the exact level of access it needs to interact with applications, infrastructures and data — at just the right time — while encircled by continuous threat detection.

Behind the scenes, controls such as session isolation and monitoring, elevation and delegation are infused into access and identity management capabilities to increase accountability and compliance. This means access can be monitored on an ongoing basis across data center, hybrid, multi-cloud and SaaS environments, and risk-based controls can be applied for each identity to keep things simple for end users.

In the spirit of Cybersecurity Awareness Month, consider how elevating your strategy with Identity Security can empower your team do more, block more attacks and enable more innovation. If you’re ready to take the first step of assessing your environment to discover overprivileged identities, risky permissions and other unknown threats, we’re here to help.

Previous Article
In “Digital or Die” Financial Sector, Identity Security Accelerates Transformation
In “Digital or Die” Financial Sector, Identity Security Accelerates Transformation

“Digital or Die” has become the motto for the financial services sector. Consumer expectations are pushing ...

Next Article
You’ve Enabled MFA — Great! This Cybersecurity Awareness Month, Focus on How and Where It’s Used
You’ve Enabled MFA — Great! This Cybersecurity Awareness Month, Focus on How and Where It’s Used

Decades ago, the internet was built to give people a way to access and share information fast. What it wasn...