Secure privileged accounts and keep business secrets where they belong
(Last updated on October 11, 2021)
What did the breaches at Target, JPMorgan Chase, and Anthem have in common? They stemmed from a violation of privileged access. Those with privileged access hold the proverbial keys to the kingdom – elevated permissions and access to sensitive information. When these accounts are compromised, hackers can wreak havoc – from exposing personal data and completing unauthorized transactions, to deleting audit data. This is why privileged accounts are the primary target of attackers.
Stepping up from username and password
Passwords are susceptible to a host of problems – keylogging, phishing, dictionary attacks, social engineering, to name a few. According to the 2016 Verizon Data Breach Investigations Report, legitimate user credentials were used in most data breaches, with 63% of them involving weak, default, or stolen passwords. To defend against password attacks, many organizations are now securing privileged access through multi-factor authentication, requiring privileged users to provide a combination of factors – something they know, something they have, and something they are. Multi-factor authentication mitigates these risks because an attacker must compromise two or more credentials rather than the password alone.
Locking the front door, but leaving the back door open?
High profile breaches and insider attacks have driven many organizations to adopt multi-factor authentication and privileged access management solutions. However, there seems to be a double standard when it comes to verifying user identity. Common, yet insecure user verification practices involve answering secret questions or verifying identity over the phone. These methods are prone to social engineering and impersonation.
Think about the secret questions you created for password reset when you started your current job. How long ago was that? It’s possible that the answers have since popped up on Facebook or LinkedIn, such as a pet’s name or the first school you attended. Let Sarah Palin be a cautionary tale – the attacker looked up her biographical details online and gained access to her Yahoo email account through password reset.
The second method is equally problematic. It is easy to answer the questions used to confirm a caller’s identity – name, location, email address or employee ID. Asking more personal questions isn’t any more effective because those “secrets” are not very well-kept. CIA Director John Brennan’s AOL account password was reset by high school students using information including the last four digits of his bank card. They posed as a Verizon employee and tricked tech support into revealing personal information to them.
Close that back door and put a lock on it
Organizations need to go beyond a single point of vulnerability and add multi-factor authentication to the password reset procedure, especially for privileged accounts. Specops uReset is a self-service password reset solution with extensive multi-factor authentication capability – not only can it be used to verify user identity for password reset, but also to verify administrator and helpdesk users who are trying to access the system.
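As an added illustration of the recommendation above (example code written for this page, not Specops code), here is a self-service reset flow that accepts a time-based one-time code (RFC 6238 TOTP) and issues a single-use, expiring reset token, rather than relying on secret questions. The user store, the time values and the demo account are constructed; the TOTP secret is the RFC 6238 reference test key.

```python
import hashlib
import hmac
import secrets
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    # RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
    return hotp(secret, at // step)

class PasswordResetService:
    # Reset is gated on a possession factor (TOTP), not on guessable secret questions.
    def __init__(self, users: dict, window: int = 1, token_ttl: int = 300):
        self.users = users      # username -> {"totp_secret": bytes, "last_counter": int}
        self.window = window    # tolerated clock drift, in 30-second steps
        self.token_ttl = token_ttl
        self.tokens = {}        # reset token -> (username, expiry time)

    def begin_reset(self, username: str, code: str, now: int):
        # Issue a single-use reset token only for a valid, not-yet-used TOTP code.
        user = self.users.get(username)
        if user is None:
            return None
        base = now // 30
        for c in range(base - self.window, base + self.window + 1):
            if c <= user["last_counter"]:  # a code is accepted once, even within the window
                continue
            if hmac.compare_digest(hotp(user["totp_secret"], c), code):
                user["last_counter"] = c
                token = secrets.token_urlsafe(32)
                self.tokens[token] = (username, now + self.token_ttl)
                return token
        return None

    def complete_reset(self, token: str, new_password: str, now: int) -> bool:
        # The token is consumed on first use and rejected once its TTL has passed.
        entry = self.tokens.pop(token, None)
        if entry is None or now > entry[1]:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.users[entry[0]]["password"] = (salt, digest)
        return True

# Constructed demo account; the secret is the RFC 6238 reference test key, not a real credential.
DEMO_USERS = {"admin": {"totp_secret": b"12345678901234567890", "last_counter": -1}}
```

In a deployment the helpdesk and administrator paths should go through the same `begin_reset` gate, so that the factor check cannot be bypassed by phoning support.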