The cybersecurity landscape is complex and ever-evolving, but while there are many threats to an organization’s safety lurking in the shadows, there is also a wide range of platforms, processes, and strategies MSPs and resellers can leverage to better protect their clients.
Mike Greene, CEO of Enzoic, knows compromised credentials represent the biggest danger to enterprise security, which is why Enzoic has devoted its efforts to arming the industry with the tools to detect and stop weak or compromised passwords.
We connected with Greene about some of the most significant threats facing credential security, and how partners can take steps to prevent their clients from falling victim to them.
What are some of the most common mistakes you see employees making when it comes to their passwords?
The most common mistakes come from users not understanding that having a complex password is not enough and reusing passwords across accounts. Even though passwords can be complex and virtually impossible to guess- this becomes irrelevant once a password becomes compromised.
Additionally, humans are very predictable. We naturally follow predictable patterns, and hackers understand this. They know these patterns and how to exploit them with great success. Hackers have access to a huge library of common and breached passwords from countless sources. As passwords become compromised and users continue to reuse passwords on countless sites, those sites are now vulnerable and a target for a data breach.
The solution to this challenge involves helping users overcome these patterns and checking passwords against a database of previously exposed credentials.
What is the biggest external threat facing password security?
The biggest external threat to password security for any company is the data breaches that occur on third-party sites and services. If an organization’s employee had an account on a compromised site, there is a high probability that they are using the same or a similar password on the company’s site. This means the hacker has access to credentials that work on the company’s site.
Part of the problem is that organizations have no control over the security of the sites their staff visit on their personal time, so they can’t stop them from being impacted by a data breach. In many cases, they won’t even be aware a breach has taken place until it’s too late. To prevent this threat, companies need to know if their employees have – or attempt to create – a password that has been previously compromised as part of a third-party breach.
How can zero trust principles help defend against security breaches?
Zero trust principles can help prevent security breaches because it ensures that you have verified identity and authorization before giving anyone access to anything on the network. This is in contrast to previous approaches, which assumed that anyone inside the corporate network perimeter was trustworthy, and could be given full access to everything inside it.
Instead, zero trust continually verifies a user’s identity every time they attempt to access a new area or resource. This can be effective in preventing breaches from both internal and external threats. However, the principle of zero trust cannot work in isolation when a user’s authentication credentials can be found on the Dark Web or otherwise easily guessed by hackers.
What role should biometrics play in a strong security posture?
There are three potential types of authentication: something that you know (such as a password), something that you have (like a token device), and something that you are (for example, biometric information like your fingerprint). Unfortunately, each of these authentication factors has potential weaknesses.
Given the current state and nature of biometric technologies, the current version of the NIST 800-63B guidelines for authentication suggests only “limited use of biometrics” – and even then, only along with another factor of authentication. The best security posture comes from using a strong, secure password to protect corporate accounts and assets. In addition, many biometric systems have a password as a backup, which negates any perceived security advantages of these systems.
Are there any steps that organizations should take to ensure their most privileged credentials are protected?
Privileged accounts such as IT administrators or finance professionals present hackers with an incredibly tempting target, so it’s essential to ensure they’re as strongly protected as possible. A good first step is by limiting the number of these accounts to reduce the potential targets. Organizations can do this by using the principles of least privilege (PoLP) to identify which accounts actually require elevated permissions, and which can have their permissions scaled back in order to reduce the potential risk.
For those accounts requiring elevated privileges, there are defenses that can be put in place, such as ensuring each account has a secure password, as well as auditing the usage of these accounts to identify any potential compromise as early as possible.
How can MSPs and resellers help support their clients’ password authentication strategies?
Organizations rely on their partners to identify what really matters and apply common sense best practices for cybersecurity technology. While all companies should take an active interest in their own security, at the end of the day, they need to focus on running their business. That’s where MSPs and resellers can step in, leveraging their security expertise and broad industry knowledge to identify potential gaps in their clients’ defenses.
When it comes to credentials, partners can support their clients by following NIST authentication guidelines to eliminate the use of common, easy-to-guess or compromised passwords, and remove the periodic password change and password complexity requirements With weak and stolen credentials being the number one cause of hacking-related data breaches, MSPs and resellers can apply password-hardening solutions as a cost-effective way to keep their clients protected.
Enzoic’s real-time alerting and actionable intelligence play a pivotal role in enabling this proactive stance against password-related threats. Through our proprietary data systems, we gather, enrich, and deliver this data within a secure, highly available framework. Our tools provide automated remediation, automatically prompting a password reset when a password becomes compromised to ensure your clients’ defenses are not only reactive but also preemptively fortified against the latest breaches.