Cyber-criminals have increasingly sought to leverage identity in order to gain access to organizations’ sensitive information over recent years. This can partly be attributed to enhancements in cybersecurity tools, making direct attacks against businesses harder, and also to growing digitization, particularly since the start of the COVID-19 pandemic, which provides more opportunities to compromise online accounts.
Despite this trend, poor access management practices remain prevalent, which make such approaches fruitful for cyber-villains. Just last week, a survey published by the UK’s National Cyber Security Centre (NCSC) found that large numbers of Brits use easily guessable passwords, such as pet names and names of family members: information that can often be discovered quickly online. Additionally, numerous studies have shown that within organizations, privileged access is given to a high number of employees who do not require it. This means if their accounts are compromised, high level data breaches can take place.
To raise greater awareness of these issues, the Identity Defined Security Alliance (IDSA) has launched the first ever Identity Management Day this year, taking place on April 13. This campaign aims to educate business leaders, IT decision makers and consumers on the importance of identity management and how to strengthen it, including governance and identity-centric security best practices. To discuss this new awareness event and some of the broader issues surrounding identity management, Infosecurity recently caught up with Julie Smith, executive director of the IDSA.
What inspired the IDSA to introduce Identity Management Day for the first time this year?
Identities are a gold mine for hackers. Rather than penetrating firewalls and staring at lines of code on a screen, today’s cyber-adversaries simply have to take advantage of individuals and businesses mishandling identity protection — a problem only amplified by the shift to remote work. The reality is that cyber-attackers no longer “hack” in – they log in using poorly managed and secured identities with weak, stolen or default passwords.
Recent research from the IDSA revealed that 79% of organizations have experienced an identity-related security breach in the last two years, and nearly all respondents believed their identity-related breaches were preventable. Additional research conducted by Centrify also revealed that 90% of cyber-attacks on cloud environments in the last 12 months involved compromised privileged credentials.
With this in mind, we decided to introduce Identity Management Day, in partnership with the National Cyber Security Alliance (NCSA), to educate business leaders, IT decision makers and consumers on the importance of identity management. Our hope is that the annual awareness day will ultimately prevent breaches from occurring and introduce best practices for organizations and individuals to bolster defense of identities throughout the year.
How will the IDSA aim to raise awareness of identity management issues through this annual event?
Organizations and individuals can participate in Identity Management Day in a variety of ways, all of which are designed to raise awareness about identity management and security challenges and best practices. Businesses and individuals can submit their request to be recognized as “Identity Management Champions,” a title that echoes their promise to prioritize identity management and security. In addition, organizations and experts are encouraged to submit nominations for the inaugural 2021 Identity Management Awards, which recognize leaders who not only embody the importance of identity management and security, but also evangelize it as a priority and share best practices. While submissions are now closed, we look forward to receiving more in 2022!
Companies and individuals can also participate leading up to and on the day by using the hashtags #IDMgmtDay and #BeIdentitySmart on social media platforms. They can also send blogs on identity security and links to relevant studies, news stories and press releases to idmgmtday@idsalliance.org. On the actual day today, the IDSA, in conjunction with the National Cyber Security Alliance, is also hosting an Identity Management Day panel webinar, an SMB webinar, and a Twitter chat.
Anyone who would like to get involved to spread awareness about the importance of identity management can visit https://www.idsalliance.org/identity-management-day-get-involved/.
What trends have there been in regard to identity-related breaches in recent years? Has COVID-19 exacerbated any of these trends?
The Verizon Data Breach Investigation Report consistently finds that about 80% of hacking-related breaches leverage stolen and/or weak passwords. Our research last year showed that over 90% of organizations have had an identity-related attack, a number which was echoed by Centrify’s research just last month.
COVID-19 has most certainly exacerbated the problem with over 60% of business decision makers anticipating COVID-themed phishing attacks to increase throughout the duration of 2021. Research has also shown that phishing, which can be a gateway to stealing legitimate users’ credentials, remains a big issue throughout the pandemic. More than three-quarters of individuals admit to opening emails from unknown senders, with over half blaming it on the fact that phishing emails are more realistic than ever. Combined with the fact that many security teams are still distributed, COVID-19 has made minimizing identity sprawl and protecting the identities themselves more challenging than ever before.
What technological solutions should organizations be looking to introduce to protect themselves against these types of attacks?
The IDSA and Identity Management Day Champions encourage all organizations to protect ALL digital identities (employees, contractors, third parties, consumers, customers, machines) through the following best practices, which may be enabled and enforced through multi-factor authentication (MFA) and other IAM security tools.
First and foremost, make the effort to use longer, stronger passwords that are easy to remember. Shorter, random passwords are secure, but very hard to remember. This can be solved by using a password manager, but often it’s just as secure to use a longer string of three unassociated words as a password that can be easily remembered. Never use the same password on different sites, never use easy-to-guess components like birthdays and kids’ names, and never, ever use ‘password.’ A password manager is a great way to keep long and strong passwords so you don’t have to log in. For enterprises, the same goes for using a password vault to lock up shared administrative passwords so they can be checked out, used once, and rotated after being checked in. The days of password spreadsheets in a drawer should be over.
Single sign-on (SSO) is another good technology to employ because it centralizes logins to multiple enterprise applications based on that user’s identity. Once properly authenticated, the user doesn’t even need to have a password for these apps – they get federated access, only to the apps they need and are entitled to use based on business function. A similar approach can be used for privileged identities, consolidating entitlements based on user identities so IT administrators simply log in as themselves and then get access to the systems they need to complete a task. This removes the need for static, shared passwords in a vault and increases accountability and auditing control.
Another ‘low-hanging fruit’ technology is MFA. Most people are now familiar with using MFA, and it’s just part of their daily use (using a PIN at ATMs, unlocking a smartphone with your face or fingerprint, etc.). When MFA is available, consumers and enterprise users alike should enable and use it. While some additional authentication factors such as SMS codes are less secure than biometrics or smartcards, any MFA is still going to be a significant identity security improvement over just using a username and password. In the enterprise world, MFA should be used whenever IT, security, and even developer personnel are accessing privileged systems and data, whether it’s at the vault, system login, privilege elevation, etc.
More often than not, attackers will target individuals with access to the most sensitive information, so that they can do the most damage. Attackers also use a compromised identity to infiltrate privileged, highly-protected systems and then move laterally gaining elevated permissions. In addition to following identity security best practices, organizations should also invest in a privileged access management (PAM) solution that allows for higher assurance during an authentication event based on the current profile of a user, the sensitivity of the data and the elevated permissions being used.
For more information on best practices, organizations can visit the Identity Management Day website to learn more.
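As an added illustration of the check-out, use-once, check-in and rotate workflow for shared administrative passwords described in this answer, the following is example code written for this edit; it is not IDSA's or any vendor's code, and the `Vault` class, the `db-admin` account and the user names are assumptions. It models the two properties the answer attributes to vaulting: the secret exposed during a session stops working once it is checked back in, and every check-out and check-in is attributed to a named user in an audit trail.

```python
# Added example (not IDSA code): a minimal model of the shared-admin-password
# vault workflow: a privileged secret is checked out by a named user, used,
# checked back in, and rotated on check-in so the value that was exposed
# during the session stops working. All names here are assumptions.
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_secret(length: int = 24) -> str:
    """Generate a random password from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class VaultError(Exception):
    """Raised when a check-out / check-in rule is violated."""


@dataclass
class SharedAccount:
    name: str
    secret: str
    checked_out_by: Optional[str] = None   # who currently holds the lease
    lease_id: Optional[str] = None         # opaque handle tied to this check-out


@dataclass
class Vault:
    accounts: Dict[str, SharedAccount] = field(default_factory=dict)
    # Audit trail: (event, account, user). This is what gives accountability.
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def add_account(self, name: str) -> None:
        # The vault, not a spreadsheet, is the only place the secret lives.
        self.accounts[name] = SharedAccount(name=name, secret=generate_secret())

    def check_out(self, name: str, user: str) -> Tuple[str, str]:
        acct = self.accounts[name]
        if acct.checked_out_by is not None:
            # Exclusive lease: two people never share one live session.
            raise VaultError(f"{name} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        acct.lease_id = secrets.token_hex(8)
        self.audit.append(("checkout", name, user))
        return acct.lease_id, acct.secret

    def check_in(self, name: str, user: str, lease_id: str) -> None:
        acct = self.accounts[name]
        if acct.checked_out_by != user or acct.lease_id != lease_id:
            raise VaultError("check-in does not match the active lease")
        # Rotation on return: the value the user saw is now worthless.
        acct.secret = generate_secret()
        acct.checked_out_by = None
        acct.lease_id = None
        self.audit.append(("checkin_rotate", name, user))

    def verify_current(self, name: str, secret: str) -> bool:
        """Stand-in for the target system's login check, assuming the vault
        has pushed the rotated secret to that system."""
        return secrets.compare_digest(self.accounts[name].secret, secret)


def demo() -> dict:
    """Run one full lifecycle and report what the policy enforced."""
    vault = Vault()
    vault.add_account("db-admin")            # constructed sample account
    lease, pw = vault.check_out("db-admin", "alice")
    works_during_lease = vault.verify_current("db-admin", pw)
    try:
        vault.check_out("db-admin", "bob")   # blocked while alice holds the lease
        second_checkout_blocked = False
    except VaultError:
        second_checkout_blocked = True
    vault.check_in("db-admin", "alice", lease)
    works_after_checkin = vault.verify_current("db-admin", pw)
    return {
        "works_during_lease": works_during_lease,
        "second_checkout_blocked": second_checkout_blocked,
        "works_after_checkin": works_after_checkin,
        "audit": vault.audit,
    }


if __name__ == "__main__":
    print(demo())
```

The audit list is the part worth copying into a real deployment: a vault that rotates but does not record who held the lease gives you no way to tie a privileged action back to a person, which is the accountability gain the answer refers to.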
What advice do you have for individuals to protect their digital identities? How can this information be effectively relayed to consumers?
There are several steps that individuals can take in order to protect their digital identities, according to the NCSA. Individuals must think before they click. Enticing offers via email or text might look convincing, but can easily be an attacker conducting a phishing attack. If individuals are unsure who an email or text is from, even if the details appear accurate, they should not respond or click on any links or attachments because they might be infected with malware.
Individuals also must consider the information they are sharing online. Posts with revealing details such as addresses, birthdays, etc., can be used by adversaries to guess login credentials or answer security questions.
MFA is also key. MFA will act as an extra layer of security for any online accounts by requiring users to verify their identity with either something they own, such as an iPhone or laptop, or something they are, such as a fingerprint.
Keeping in mind simple, yet effective, “cybersmart” practices such as avoiding public WiFi hotspots, keeping all software and hardware up to date, and configuring privacy and security settings can also go a long way in protecting digital identities.
To relay this message to consumers, organizations must make identity management a priority all year round and provide resources for their customers on social media, websites and more — regardless of the industry. One of the best ways to demonstrate the importance of identity security is to remind consumers of the unobtrusive and simple ways they already do it, such as using their face or fingerprint to unlock their phones, and encourage them to use similar features whenever available. When a consumer sees the brands they use and trust being champions of identity security and management, they are more likely to adhere to best practices.
Following the experiences of COVID-19, have you observed greater awareness of the importance of identity management in the past year from both organizations and individuals?
The pandemic has caused most people and organizations to examine ways they can more effectively use technology in their personal and professional lives, and that includes how they secure those devices, applications, and services. Organizations were left with distributed security teams due to the transition to remote work, and adversaries took advantage by launching attacks on businesses ranging from mom-and-pop shops to large enterprises. Cyber-attacks were collateral damage of COVID-19, and many individuals and organizations had their data compromised or stolen. With data being the foundation of consumer and companies’ digital identities, it woke everyone up to the importance of identity management.
It is our hope that with the introduction of Identity Management Day, we can keep identity management top of mind for organizations and individuals as we all move forward into the “new normal.”