As we now enter the second half of April, and hopefully you have your taxes filed and are getting a refund, the Cyber Threat landscape still remains about the same. I peruse the news headlines on a daily basis, and except for the usual data leaks and some Ransomware attacks, nothing earth shattering has happened, at least not yet. Let's hope that it stays that way.
But there does seem to be an increase in the usage of some technojargon, and no, it's not the Remote Workforce or the Zero Trust Framework. Rather, it is MFA that is coming back around again. For those of you who are not familiar with this acronym, it simply stands for "Multifactor Authentication". This is where you are required to pass two or more different kinds of authentication factors before you can gain access to what you are seeking: typically something you know (a password or PIN), something you have (a hardware token or a phone), and something you are (a fingerprint or an iris). The point is that the factors are of different kinds; a password plus a security question is two things you know, not two factors.
But at the heart of this authentication process still remains the pesky password. Many organizations across Corporate America are trying to get rid of it altogether, but the use of passwords has become so ingrained into our society over who knows how many decades that it will never truly disappear 100%. It will stick with us in some form or fashion.
Recently, I have had a few podcasts where my guests and I have actually talked about this in more detail. They too are trying to go "passwordless", but are going up against a lot of employee resistance on this. It all comes down to the fact that it is simple human nature.
Once we get used to something, we don't want to change unless we have to. And even if we have supposedly adopted a new change, we still find ourselves yearning for the old ways again.
So, if you are a CISO, or even an IT Security Manager, and really want to get rid of that password altogether, here are some tips for you:
1)
Start with baby steps:
Never attempt to eradicate passwords 100% all at once. Always use some sort of phased-in approach first, so that your employees get time to get used to doing something new and different. For example, if you still rely upon Perimeter Security where the password is the primary means of defense, add one more layer of authentication. This could be a cryptographic challenge/response (a smart card or a FIDO security key), or something as simple as an RSA token or an authenticator app that displays a short numeric code which changes every 30 seconds or so. This is known as 2FA, or "Two Factor Authentication": your employees enter their password first, then the numeric code currently displayed on the token, and the server checks both before letting them in. Make sure the second layer is a different kind of factor, not another thing the user knows; a security question is not a second factor. Once your employees are comfortable with this, you can add further factors for the assets that warrant it.
2)
Adjust your policies accordingly:
Even before you implement 2FA, conduct a thorough assessment of all of the digital assets at your company, and determine which ones require 2FA or MFA for access. For areas that are not as critical, you can perhaps continue using just a password for the time being, to give your employees some more time to adjust to a new process. But keep in mind, for those areas, keep a close eye out for any suspicious behavior (bursts of failed logins, sign-ins at odd hours or from unfamiliar locations), because you are still relying on only one line of defense.
3)
Try to bring everything together in one place:
By this I mean don't assign each and every employee's rights, permissions, and privileges on an individual basis. Rather, use a central identity platform, such as Microsoft's Azure Active Directory. This is simply a sophisticated way of creating groups and profiles for the various departments of your business. From there, you assign once the rights, privileges, and permissions that are common to the people in a group, and every member of that group receives them automatically; when someone changes roles, you move them between groups rather than hunting down individual grants.
Also through Azure Active Directory, you can set up what are known as "Federated Identities". This is where an employee authenticates once to your identity provider, and other applications and partner organizations trust that login (via standards such as SAML or OpenID Connect) instead of each keeping its own copy of the credentials. The password is typed into one place, which is also the one place where you enforce 2FA.
4)
Adopt the concept of Least Privilege:
What this simply means is that you give your employees just enough permissions to access what they absolutely have to in order to do their daily job tasks. For example, your network administrator will have a much higher level of access than, say, your administrative assistant. But you also need to keep a constant eye on this, as you do not want an employee to accumulate more privileges than they need, which happens quietly as people cover for colleagues or change roles. The reason for this is simple: if their username/password is compromised, the Cyberattacker inherits every permission that account holds, and an over-privileged account puts your crown jewels within reach. This can be caught by conducting a routine audit at least on a quarterly basis, comparing what each account can actually do against what its role requires and removing the excess.
5)
Try to educate:
Normally, I would be pretty emphatic about this, but believe me, trying to train employees on good password Cyber Hygiene is very difficult. You can go on and on ad nauseam about the importance of creating long and complex passwords, the syntax of a good password, blah, blah, blah. But in the end, your employees are going to go back to their old ways, even trying to circumvent any new policies and rules you have put forth in this regard. Probably the only way that you are going to get your employees to change is to reward them for good behavior. It sounds like what a parent would do with a little kid, but in this instance, you may not have much choice in the end.
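Tip 1 above has employees enter a password and then the numeric code from a token. What the server does with that code is shown here as an added example, not code from the original post: a small Python implementation of the RFC 6238 TOTP algorithm that hardware tokens and authenticator apps use, plus a two-factor login check that tolerates a little clock skew and refuses a code that has already been used. The secret is the RFC 4226/6238 test-vector secret so the codes can be checked against the published values; the user record, the PBKDF2 password scheme and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # digits shown on the token

# RFC 4226 / RFC 6238 published test-vector secret, used so the codes below can be
# checked against the RFCs. A real deployment generates a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced to the wanted digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted: int = -1, window: int = 1, digits: int = DIGITS):
    """Check a submitted code against the current step and +/- `window`
    neighbouring steps (clock skew between token and server). Returns the
    matching counter so the caller can persist it; any counter <= last_accepted
    is refused, which stops a shoulder-surfed code being replayed in the window."""
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_accepted:
            continue
        # constant-time compare: a wrong guess must not leak how close it was
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the server stores (salt, hash), never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def new_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Hypothetical user record for this example."""
    salt = os.urandom(16)
    return {"name": username, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}


def two_factor_login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """First factor (knowledge): password. Second factor (possession): token code.
    Both are always evaluated, and the login fails unless both pass."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, unix_time, user["last_counter"])
    if not pw_ok or counter is None:
        return False
    user["last_counter"] = counter   # burn the code: it cannot be presented again
    return True


if __name__ == "__main__":
    # Published RFC 6238 SHA-1 vectors: T=59 -> 94287082, T=1111111109 -> 07081804
    assert totp(RFC_TEST_SECRET, 59, digits=8) == "94287082"
    assert totp(RFC_TEST_SECRET, 1111111109, digits=8) == "07081804"
    # Constructed demo account with hypothetical credentials
    bob = new_user("bob", "correct horse battery staple", RFC_TEST_SECRET)
    now = 59
    code = totp(RFC_TEST_SECRET, now)   # what the token is displaying right now
    print(two_factor_login(bob, "correct horse battery staple", code, now))  # True
    print(two_factor_login(bob, "correct horse battery staple", code, now))  # False: replay
```

The window of one step each way is the usual trade-off between tolerating drifting token clocks and shrinking the guessing surface; the `last_counter` bookkeeping is what makes the code genuinely one-time, and is the piece most often left out of home-grown implementations.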
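For tips 3 and 4, here is what the quarterly least-privilege audit looks like in code, as an added example that is not the post's own and is not tied to Azure Active Directory: entitlements are granted only through groups, each job role is entitled to a fixed set of groups, and the audit flags group memberships that grant more than the role needs as well as any per-user direct grant that bypasses the group model. The groups, permissions, roles and the four accounts are constructed sample data with hypothetical names.

```python
from dataclasses import dataclass, field

# Constructed baseline (hypothetical group and permission names): each group is the
# "profile" for a department and grants one fixed set of permissions.
GROUP_PERMISSIONS = {
    "Finance-Users":  {"erp:read", "erp:post-journal"},
    "Finance-Admins": {"erp:read", "erp:post-journal", "erp:approve", "erp:admin"},
    "Helpdesk":       {"tickets:write", "ad:reset-password"},
    "Network-Admins": {"fw:admin", "switch:admin", "ad:reset-password"},
}

# Constructed role model: the groups a job role is entitled to. This is the
# least-privilege baseline; anything an account holds beyond it is excess.
ROLE_GROUPS = {
    "accountant":       {"Finance-Users"},
    "finance-manager":  {"Finance-Users", "Finance-Admins"},
    "helpdesk-analyst": {"Helpdesk"},
    "network-admin":    {"Network-Admins"},
}


@dataclass
class Account:
    name: str
    role: str
    groups: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)   # per-user grants outside any group


def role_baseline(role: str) -> set:
    """Permissions a role is entitled to: the union of its allowed groups."""
    perms = set()
    for g in ROLE_GROUPS.get(role, ()):
        perms |= GROUP_PERMISSIONS[g]
    return perms


def effective_permissions(acct: Account) -> set:
    """Everything the account can actually do, i.e. the blast radius if its
    username/password are stolen."""
    perms = set(acct.direct_grants)
    for g in acct.groups:
        perms |= GROUP_PERMISSIONS.get(g, set())
    return perms


def audit(accounts) -> list:
    """Least-privilege review. Returns (account, finding, detail) tuples:
    - 'excess-via-group': a membership grants permissions the role does not need
    - 'direct-grant': a per-user permission that bypasses the group model (flagged
      even when inside the baseline, because it is not removed on a role change)"""
    findings = []
    for a in accounts:
        baseline = role_baseline(a.role)
        for g in sorted(a.groups):
            for p in sorted(GROUP_PERMISSIONS.get(g, set()) - baseline):
                findings.append((a.name, "excess-via-group", f"{p} via {g}"))
        for p in sorted(a.direct_grants):
            findings.append((a.name, "direct-grant", p))
    return findings


# Constructed sample directory (hypothetical people and entitlements).
SAMPLE_ACCOUNTS = [
    Account("alice", "accountant", {"Finance-Users"}),
    # bob covered for the finance manager last quarter and kept the admin group
    Account("bob", "accountant", {"Finance-Users", "Finance-Admins"}),
    # carol was handed firewall admin directly "just for one change"
    Account("carol", "helpdesk-analyst", {"Helpdesk"}, {"fw:admin"}),
    Account("dave", "network-admin", {"Network-Admins"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(*finding)
```

In a real directory the `SAMPLE_ACCOUNTS` list would be built from an export of group memberships and role assignments; the logic stays the same, and the output is the list of things to remove before the next quarter.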
My Thoughts On This:
Believe it or not, there is a way to go 100% passwordless. That is through the use of Biometric technology, such as Fingerprint Recognition or Iris Recognition. Through one swipe of the finger, or one scan of the eye, respectively, your employees can log in within seconds, in a fraction of the time it takes to enter a password. In practice the biometric usually unlocks a cryptographic key held on the employee's device (the model behind Windows Hello and FIDO2 security keys) rather than being sent to the server, and a PIN or recovery path still sits behind it, so "100%" describes the user's experience more than the back end.
But this too will be a hard task to accomplish, because your employees will be worried about violations of their Civil Liberties and Privacy, and unlike a password, a leaked fingerprint cannot be reset.
Your best friend here is the Password Manager. With this, your employees can let the software generate long, random, unique passwords for every site and fill them in automatically. Best of all, your employees will not have to remember those passwords anymore, which greatly reduces the risk of the so-called "Post-It Syndrome", and of one reused password being replayed against every system it was used on.
In fact, this may be the best route to go first, rather than trying to adopt and implement 2FA and/or MFA.
But the irony here is that the Password Manager requires a password itself, a single master password, so that your employees can log into it. That one password now protects all the others, which makes it the first place to put your 2FA.