After a relatively quiet holiday on the data protection front (thank you, world, for no repeat of anything like last year’s Target® Stores data breach), a few things have started to pop in the media over the last few days. Some are the expected annual summaries & reports, while others come from popular media. The latter comes from late night television – Jimmy Kimmel Live! ® aired a vignette of an on-the-street reporter asking passers-by for their passwords. This bit makes a nice bookend to a study done a decade ago, which showed that more than two thirds of those asked would give up their password in exchange for a chocolate bar.
While so much has changed in the last ten years, some things remain largely the same. While it’s disappointing to see that many can still be tricked out of their passwords with very simple social engineering tactics, I find it encouraging that password security is becoming so commonly appreciated that it can be fodder for late night talk shows.
A couple of more serious reports align with this theme, and both have the same flavor of being both encouraging and not. Cisco® published their annual security report, something I look forward to reviewing each January. The report has several interesting points to make, particularly regarding the role that social engineering plays in cyber-attacks. As has been speculated regarding the Sony Pictures breach, attackers are shifting focus from highly technical exploits of hardware and software vulnerabilities to activity meant to obtain network and system credentials from users, sometimes even highly placed technical staff. While you might believe that individuals at that level are informed and alert enough to escape compromise, that is not proving to be the case. This should only be expected, really, as pointed out in an earlier post – enterprise infrastructure is increasingly complex, requiring more individuals’ involvement in managing it, and, as the Cisco report asserts, the senior managers responsible for protecting enterprises are overconfident in their technology and staff. It only takes one inattentive act by a highly placed admin to give attackers the wedge needed to invade the perimeter.

Bookending that report is another we tend to see each year about this time, regarding the quality of the passwords users select. For those who have followed this theme over the years, there is not a lot of new information. The report, published by password management application developer SplashData®, analyzed more than 3.3M leaked passwords from 2014 and listed the top 25 most commonly used. Unsurprisingly, sequential strings of numbers, “password” and characters from the top row of the QWERTY keyboard led the list. The bright spot is that only 2.2% of the passwords analyzed were from the top 25 list, the lowest percentage in years.
Considering the Kimmel video and the Cisco & SplashData reports, we have to conclude that users will be users, and relying on them to generate long, strong, complex passwords may be part of the overconfidence identified in the Cisco report. I remain in the camp that this is unlikely to change, regardless of the amount of user education applied, and anticipating a time when all users select, remember, and protect perfect passwords is naïve. Resources hired into Accounting will and should focus more on balancing the ledgers than on becoming password complexity experts; supply chain managers will and should focus more on ensuring required inputs arrive on time and are obtained at a competitive price than on the vectors of the current highest-risk cyberattacks. What the industry needs is an evolution away from relying solely on passwords as the means of authenticating users, and solely upon users to generate the passwords or keys used for critical needs.
Fortunately, a better model is emerging with the increased support for standards like KMIP, the OASIS® Key Management Interoperability Protocol, and for requiring two-factor authentication of users. KMIP gives the enterprise a single standard for integrating requests for, and application of, cryptographic keys, which may be used for standard cryptographic purposes or may substitute for user-selected passwords when accessing critical systems. KMIP-compliant crypto key management systems, then, can be administered centrally, with data protection professionals establishing policies on key/password length & complexity, blacklists, and other attributes, so the issues highlighted by the SplashData list are avoided. Combine that with user interfaces that require at least two-factor authentication: something you know (a password) plus something you have (a smart card, a USB token, or even just a rotating, synchronized soft-token code the user obtains from a separate source and must enter in addition).
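One concrete form of the centrally administered policy described above, as an added example that is not from this post or from Prime Factors: a Python checker that enforces minimum length, character-class complexity, a blacklist, and the three pattern families the SplashData list highlights (digit runs, the word “password”, QWERTY top-row strings), plus the “share of a leak found in the top list” metric the report quotes. The blacklist and the sample leak below are constructed placeholders, not the real SplashData data.

```python
import re
from typing import Iterable

# Constructed stand-in for an annual "worst passwords" top list (placeholder, not SplashData's data).
BLACKLIST = {"password", "123456", "12345678", "qwerty", "abc123", "letmein", "iloveyou"}

QWERTY_TOP_ROW = "qwertyuiop"
DIGIT_RUN = "0123456789"


def _is_sequential_digits(pw: str, min_run: int = 4) -> bool:
    """True if pw is an ascending run of digits such as 123456."""
    return pw.isdigit() and len(pw) >= min_run and pw in DIGIT_RUN


def _is_keyboard_row(pw: str, min_run: int = 4) -> bool:
    """True if pw is a contiguous slice of the QWERTY top row such as qwerty."""
    p = pw.lower()
    return len(p) >= min_run and p in QWERTY_TOP_ROW


def check_policy(pw: str, min_length: int = 12, blacklist: set = BLACKLIST) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    violations = []
    if len(pw) < min_length:
        violations.append("too_short")
    # Require at least three of: lowercase, uppercase, digit, symbol.
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        violations.append("low_complexity")
    low = pw.lower()
    if low in blacklist or "password" in low:
        violations.append("blacklisted")
    if _is_sequential_digits(pw) or _is_keyboard_row(pw):
        violations.append("pattern")
    return violations


def blacklist_hit_rate(passwords: Iterable[str], blacklist: set = BLACKLIST) -> float:
    """Fraction of a leaked sample that appears in the top list (the figure such reports quote)."""
    pws = list(passwords)
    if not pws:
        return 0.0
    hits = sum(1 for p in pws if p.lower() in blacklist)
    return hits / len(pws)


# Constructed sample "leak" for the demonstration.
SAMPLE_LEAK = ["123456", "password", "Tr0ub4dor&3xample!", "qwerty", "correcthorsebattery",
               "Summer2014!", "letmein", "v8L#kq2$pzR9w", "abc123", "monkey"]
```

Run over SAMPLE_LEAK, `blacklist_hit_rate` returns 0.5, while `check_policy("Password1234")` still flags "blacklisted" even though it satisfies length and complexity.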
To learn more about KMIP and the role it can play for enterprises, register for Prime Factors’ January 29, 2015, webinar, “Obstacles & Opportunities for Centralized Enterprise Key Management.”