Cyber security: is it time to ditch passwords?

If you’ve been reading the news lately you can’t have failed to notice the latest headline about cyber-security and cyber-crime. Reports have suggested that a Russian cyber-attack, known as CyberVor, had stolen a staggering 1.2 billion user name and password combinations and 500 million email addresses from poorly protected sites using a basic botnet which effectively audited the internet and targeted companies, both large and small, for SQL injection vulnerabilities. Whilst the scale is unprecedented, however, there is still some debate among security experts about whether this is in fact the largest single cyber-attack, or rather a series of smaller data grabs gathered over a longer period of time by a gang of loosely-connected criminals. Whilst the debate about the original and scale of the CyberVor cyber-attack rages, one issue seems to have been rather overlooked – and that’s the issue of passwords and whether they are, or can ever be fit of purpose as an authentication tool in the age of cyber-criminality.

In the opinion of Tom Burton, cyber director at KPMG, passwords are still a useful validation tool when used correctly and appropriately. He believes they still have an important role to play, but argues that it is incumbent on organisations to make sure that whatever passwords they use are both robust and fit for purpose. He told InfoSecurity magazine:

“In the short term individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached – such as bank or email accounts – while being pragmatic and using common passwords for sites that would be little more than an irritation if breached.”
“The next step will be the rise of consumer-driven ‘two factor authentication’ using physical devices such as mobile phones to provide unique codes for each access – akin to one-time pads used by spies during the Cold War.”
Although the latest security alarm will no doubt raise the profile of cyber vulnerability, few in the industry believe it will change companies’ attitudes towards user authentification in the longer term, or prompt them to actively pursue two-factor policies to improve customer security. CyberArk’s senior director of cyber innovation, Andrey Dulkin, expressed the hope that this latest security breach disclosure would drive businesses to improve security; however, other experts admitted that whilst more secure authentication methods like 2FA can improve overall password security, they are not invulnerable and can be cracked by determined hackers.

Nevertheless Andrey Dulkin still maintains that there are steps that organisations can take to mitigate the risks of attack. He told InfoSecurity magazine:

“The main things organisations should do is separate the personal accounts and the privileged accounts; so that the users may set passwords for their own personal accounts, but the organisation sets strong passwords for the privileged accounts and only enables the use of these privileged accounts as needed by legitimate users, such as administrators.”

“Organisations shouldn’t rely on their users, even its administrators, to set strong passwords or to avoid password reuse with regards to other, non-sensitive assets.”
Gary Newe, senior systems engineering manager at F5 Networks, agreed with Mr Gulkin and assured InfoSecurity that both APT-style attacks and data breaches like this are rightly high on the agenda for CISOs:
“With the sophistication of cyber-attacks developing at such a vast rate, and with this recent incident in mind, it is now more important than ever that organisations take note and put stringent processes in place to prevent more attacks like this from happening.”

“The tools are available and straightforward to implement, but it’s down to businesses to prioritise cyber in their planning,” he added.

“We need to focus on protecting the valuable data which is in the applications and no longer focus on protecting the network which is where many organisations seem to be focusing their efforts. Whether using malware, APTs or traditional application-based hacks, the applications are now the target for cyber criminals, so businesses need to react and invest in protection for them.”

However, Simon Eappariello, senior vice president EMIEA iboss network security believes that industry experts are missing the point when it comes to data security: he argues that whilst prevention may not ultimately be the cure, it goes a long way to alleviating the problem:

“IT has to assume malware is on their network and devices and that data might be being exfiltrated right now and for some time in the past,” he said.

“Most companies that have been breached previously don’t find out for some time and then the clean-up process is often impossible when considering the sheer volume of data that has been processed and limited visibility regarding network traffic and data flow.”

“Ongoing monitoring, anomaly detection and “fast, responsive reporting” can all help improve firms’ ability to deal with data breaches, alert customers quickly and comply with regulations.”

If you are concerned about the escalating security challenges facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].