Since the introduction of computers, usernames and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of most data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals that credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).
Nonetheless, many organizations are still lacking key identity-related security controls and the few forward-thinking companies that have started applying proper access controls are typically focusing on human users. This flies in the face of reality. With digital transformation initiatives that span DevOps, cloud transformation, Internet of Things (IoT), etc., the sheer number of non-human identities far outweighs human users. So, what does this mean for the future of passwords and how organizations approach controlling access to their sensitive resources?
For decades, users have been using static passwords to log in to various accounts and services. Unless mandated by policy, personal preferences, or in response to a data breach, the average password remains unchanged from the moment it is created. This makes it highly susceptible to threat actors, since a static password provides a low probability for verifying the authenticity of a user and can just as easily be a compromised credential purchased on the Dark Net.
Once in the hands of a cyber-attacker, a stolen password can provide unrestricted access to the compromised account, the ability to move laterally within the network and disrupt business processes or exfiltrate sensitive information. The impact is even more significant if the account belongs to a privileged user, who holds the “keys to the ki ..
Support the originator by clicking the read the rest link below.
