Compromised passwords lead to breaches
Four out of every five data breaches occur because of exploited or stolen credentials. This key finding from Verizon’s 2013 Data Breach Investigation Report has helped escalate concerns about hacking to critical levels.
Richard Clarke, the former National Coordinator for Security, Infrastructure Protection and Counter-terrorism, expressed concerns for U.S. computer networks, critical infrastructure and even national security.
At an investor’s conference late last year, he warned companies that if they don’t think they have been hacked, they just don’t know it yet. He went on to say that the threat of hacking by foreign nations is one of the biggest threats the U.S. faces.
The numbers bear out Clarke’s concerns. 2012 saw more than 47,000 security incidents, 621 data disclosures and at least 44 million compromised records, according to the Verizon report. Over the entire nine-year range of the study, that tally now exceeds 2,500 data disclosures and 1.1 billion compromised records – that equates to nearly four compromised records for every man, woman and child in the U.S.
2012 saw security experts adopt the “assume you’re breached” mantra. The weakness of passwords is the main cause of exploitation with 80% of breaches occurring because of a network intrusion exploited by a weak or stolen credential.
Credentials can be exploited in many ways. They are typically stolen when a user downloads malware that captures user name and password information and sends it to the fraudsters. In the report, the use of stolen credentials was the primary way hackers gained access to systems. Brute force attacks that break passwords are another route.
Authentication-based attacks – guessing, cracking, or reusing valid credentials – factored into four of every five breaches in 2012.
It would seem that this is reason enough for single factor authentication to be put to rest once and for all. Yet it remains the most common approach.
The report authors suggest: “If data could start a riot (“Occupy Passwords!”), we could use these statistics to overthrow single-factor passwords: the supreme ruler in the world of authentication. If we could collectively accept a suitable replacement, it would’ve forced about 80% of these attacks to adapt or die. We’ve talked about the shortcomings of passwords for years now, and if it were an easy problem (or the pain caused by password problems was greater), it’d be fixed by now.”
Identifying solutions to replace or bolster user names and passwords is a primary driver behind the U.S. government’s National Strategy for Trusted Identities in Cyberspace (NSTIC).
Stronger credentials prevent attacks, says Jeremy Grant, senior executive advisor for identity management and head of the National Program Office for NSTIC. When the U.S. Defense Department mandated the Common Access Card and PKI for network login, intrusion dropped by 46%. This is one of many oft-cited statistics in support of the transition to strong authentication.
The national strategy aims to bolster online privacy, convenience and security, things lacking with usernames and passwords. “The White House made this a priority because in government and critical infrastructure, it’s the humble password that is used to guard access to resources and it’s woefully obsolete,” Grant explains.
Organizations have tried to make passwords work by making them more complex, says Tracy Hulver, chief identity strategist at Verizon. “You mandate a minimum number of letters with alphanumeric characters and have them change their password frequently,” he explains. “It makes it more complex but if you make something more complex people will write it down and there goes the security out the window.”
Complex passwords also don’t equal foolproof security. Hackers want the credentials because once they have them, they have free rein in a system. “You can have a 40 character password with alphanumeric characters but if I put a key logger on your machine I’ll get the password,” Hulver says.
Password reuse also jeopardizes security.
If one company’s identity management system is compromised, it’s likely the hacker will try the stolen credentials on other sites because individuals commonly reuse passwords, says Chris Russell, vice president of engineering at Swivel Secure. “One compromised password can lead to more sensitive data being hacked,” he adds.
Stronger credentials, such as two-factor authentication and one-time pass codes, are a possible solution, says Grant. “It’s not that one-time pass codes can’t be hacked but they’re more difficult to compromise,” he explains.
The national strategy is focused on multi-factor authentication, Grant says. The challenge is putting it in the hands of the user. “It must be cost effective and easy to use because we need to convince everybody to use it,” he explains.
There’s an old saying that with enough time and money anything can be hacked, but it’s also true that most fraudsters will go for the easier score, avoiding sites with strong security. “Let’s drive material improvement beyond what we have now,” Grant adds.
Hulver agrees, noting that of the 1.1 billion records breached in the past nine years of the Verizon study, none of those systems used two-factor authentication. Fraudsters take the path of least resistance, and two-factor would take more time and effort, he says.
Organizations could also add risk-based analytics to better secure systems, Hulver adds. These systems run in the background of IT networks, track login habits and make risk-based decisions. A system may ask for another authentication factor if the user is logging on from an unusual IP address.
Federated identity is another possible solution, says Russell. “If you federate properly, you have fewer identities but each is more strongly protected,” he explains.
In an environment where individuals are accessing cloud-based resources, federation can improve security while making things easier for both the end user and the enterprise. A user would authenticate to the federated identity service and then be able to access any necessary resources. “Federation standards enable a single organization to be the only party that stores the credential,” Russell says. “Cloud services just need to know that I’m authenticated to my service, they don’t need to know my password.”
The breaches of login information from Twitter, Living Social and other sites are causing them to reconsider identity routines, Hulver says. The problem with deploying these systems, especially multi-factor, is added cost and end user acceptance challenges. Two-factor authentication can be viewed as expensive, especially for an organization with tens of millions of users.
The other issue for an organization with a large user base is educating individuals on how to use a more complex system, Hulver says. “Adding another step causes increased help desk calls and frustration,” he adds.
It could lead to less frequent usage or even customer attrition. This is certainly part of the equation and a likely reason some organizations choose to stick with a solution that is widely known to be insecure.
Issues aside, organizations are starting to take identity management more seriously, Hulver says. Sadly, in most cases the process will start with the mandated use of complex passwords that will have to be changed frequently. Eventually it will lead to multi-factor authentication.
Using risk-based systems that run in the background may be able to screen out 99% of problematic transactions. Two-factor solutions can step in to authenticate an individual, helping address the remaining gap, Hulver suggests. Though there is still a long way to go, programs like NSTIC and two-factor initiatives from groups like Google, Twitter and Facebook show the industry is making strides to better secure online identities.
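The risk-based step-up described above, where a background system learns login habits and demands a second factor only for unusual logins, as an added illustration that is not code from the article or from any vendor named in it. The login history, the /24 network heuristic, the hour-of-day window and the threshold of 2 are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample login history: (user, source IP, hour of day).
# Invented for this example, not taken from any real log.
HISTORY = [
    ("alice", "203.0.113.10", 9), ("alice", "203.0.113.12", 10),
    ("alice", "203.0.113.15", 17), ("alice", "198.51.100.7", 9),
    ("bob", "192.0.2.44", 8), ("bob", "192.0.2.44", 18),
]

@dataclass
class Profile:
    networks: set = field(default_factory=set)
    hours: set = field(default_factory=set)

def build_profiles(history, prefix=24):
    """Learn each user's habitual /24 networks and login hours from past logins."""
    profiles = defaultdict(Profile)
    for user, ip, hour in history:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        profiles[user].networks.add(net)
        profiles[user].hours.add(hour)
    return profiles

def score_login(profile, ip, hour):
    """Sum risk signals; a higher score means the login looks less like the user's habits."""
    score = 0
    addr = ip_address(ip)
    if not any(addr in net for net in profile.networks):
        score += 2  # never seen from this network before (the 'unusual IP' case)
    if not any(abs(hour - h) <= 1 for h in profile.hours):
        score += 1  # outside the usual login window
    return score

def decide(profiles, user, ip, hour, threshold=2):
    """Return 'allow' for familiar logins, 'step_up' to demand a second factor otherwise."""
    profile = profiles.get(user, Profile())  # unknown users have no history: always step up
    return "step_up" if score_login(profile, ip, hour) >= threshold else "allow"

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for user, ip, hour in [("alice", "203.0.113.99", 10), ("alice", "192.0.2.44", 10)]:
        print(user, ip, hour, "->", decide(profiles, user, ip, hour))
```

Only the logins scored above the threshold reach the second factor, which is the division of labour Hulver describes between background analytics and two-factor step-up.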