(July 24, 2023) Hackers seldom break in by busting down the door. They’re more likely to find the key hidden under the flower pot and let themselves in.
Passwords are the key, and they’re often ridiculously easy to find. According to the 2022 Verizon Data Breach Investigation Report, more than 80 percent of all data breaches involve weak, default, or stolen passwords. A 2019 report found that a million passwords are stolen weekly. The use of stolen credentials is the second-most common data breach technique.
Multifactor authentication (MFA) solutions are essential for reducing reliance on passwords alone for network access control. MFA combines a password or PIN with other verification factors, such as a security token, mobile app, or biometric identifier. A hacker may be able to steal a password, but cannot gain access to the network without the second factor.
Chronic Password Problems
Poor password practices have played a role in major security breaches. One of the most notorious examples is the 2020 SolarWinds hack. Authorities believe a weak password — “solarwinds123” — may have exposed a company file server.
That was all the opening hackers needed to launch what Microsoft president Brad Smith has called “the largest and most sophisticated attack the world has ever seen.” Dozens of federal agencies, including the Pentagon, the Department of Energy, and the National Nuclear Security Administration, were attacked. So were hundreds of private companies, including Microsoft, Cisco, and Intel.
Analysts believe stolen credentials were also used in the Colonial Pipeline ransomware attack that crippled the largest fuel pipeline in the U.S. in early May 2021. Credential theft also played a role in the Microsoft Exchange attack in January 2021, when malicious actors gained unauthorized access to hundreds of thousands of Exchange servers worldwide.
The Federal Case
Poor password practices have long been an issue with the federal government. A 2018 WatchGuard report found that half of the accounts they examined used passwords that were easily guessed. The top two bad passwords in these accounts were “123456” and “password.”
In May 2021, President Biden issued an executive order mandating that federal agencies adopt MFA within six months. The order also notes that bolstering the nation’s cyber defenses will require better coordination between the government and private industry. In fact, it suggests that the government may stop working with private-sector suppliers and contractors that do not comply with new security recommendations.
The order outlines a process for incorporating the new security standards into the Federal Acquisition Regulation (FAR), the principal set of rules for government procurement. Since the government is an important customer for most of the world’s top software companies, FAR compliance requirements often become standard practices throughout the industry.
Implementing Multifactor Authentication
MFA can incorporate a number of different technologies that are used to authenticate users. For example, security tokens are small devices, such as smart cards and key fobs, that can be used to access a service. Software-based tokens, such as one-time PINs automatically generated by software and sent to mobile devices via text, are becoming more common.
There are also several biometric authentication technologies that can recognize an individual’s retina, fingerprint, facial features, and other characteristics. The user’s location and current time are sometimes considered the fourth and fifth factors for authentication.
One of the biggest obstacles to MFA adoption is the fear of employee backlash. Organizations are often concerned that MFA will add complexity and time to the process of logging in to the network and disrupt the user experience, and that employees will resist MFA or not use it at all.
Ultimately, however, organizations must weigh the perceived drawbacks of MFA against the risks of a security breach. Mainstream can help you assess your security posture and recommend technologies to better protect your IT infrastructure.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile