According to David McNeely, Vice President of Product Strategy at identity management and security vendor Centrify, passwords are past their ‘used by date’ and the biggest threat to organisations is that hackers now have easy access to readily available, open-source attack tools like Kali Linux, Metasploit and Mimikatz.
“The real difference is they (hackers) can use these tools to get beyond what we typically used in the past for defence,” McNeely warns.
McNeely – on a recent visit to Australia – told iTWire that there is a potential for poor password practices to combine with online systems to pose “the greatest threat to our privacy that we’ve ever seen”.
“Implementing Multi Factor Authentication in the enterprise has been an uphill battle as it can create a burden for IT as an organisation needs back-end structure to support it.
“Users are sometimes not ready for it so they can resist if they find it too cumbersome. There's always a trade-off between convenience and security, so it can be too inconvenient for rank-and-file users.”
McNeely explains Multi Factor Authentication this way: “MFA combines something you know (a username and password, for example) with something you have (a token, magnetic card or phone) or something you are (a fingerprint, iris or voice)”.
While there is initial resistance to MFA, McNeely says there’s now the same level of interest in Multi Factor Authentication in Australia “just like we are seeing in the US” and “Australia is probably more advanced than some of our European customers”.
McNeely warns that compromised credentials are the most common vector of data breaches around the world. “There's no easier way for a hacker to attack a network than masquerading as a legitimate user of that network - and you get bonus points if that user has a privileged account.
“The really important point is that we already have the solution - but many places are not stepping up to use it. Even if a person's credentials are compromised, Multi Factor Authentication can foil a bad guy attempting to use those credentials to compromise a network.”
And, according to McNeely, one way for an organisation to shore up its defences against hackers is by minimising the privileges of IT system users. “Least Privilege. Give IT staff only the specific set of rights they need to do their jobs. So if someone does steal accounts, the downside is minimised.”
“Combine three things - least access, least privilege and MFA. All taken together provide a very strong defence posture and the first place to start is Multi Factor Authentication because it is the most effective defence.
“Protecting your identity and your accounts are the keys to your defence. The most important thing to do is treat security like the bad people are already on your network. Then you have a better chance of defending against those attacks.”
And, in the face of the growth in cyberthreats, McNeely says he is now starting to see people in IT focus on security as an asset “rather than just something to do when they get around to it”.
According to McNeely, more organisations are now moving to a cloud-based infrastructure and he cautions that you “almost have to treat a cloud-based server like a laptop”.
“When you give employees a laptop with data, you know they will go beyond your network perimeter, so you have to start thinking about a lot of other things. The risk exists when you move a server from your data centre to, say, Azure.
“We are helping a number of customers move out applications and secure their cloud servers as more customers adopt cloud-based applications to do things that they used to run in their data centres. These include applications like HR, email and IT Service Management.”
McNeely says Centrify is encouraging its customers – including those he spoke to in Australia – to take up Multi Factor Authentication (MFA).
“Other areas include Identity and Access Management - these are taking a higher priority now than updating firewalls and adding VPN infrastructure. This means we can defend against these new types of attacks.”