Employees have no qualms over selling corporate passwords
7 April 2015
Sudhakar agreed. A compromised password is just the first step, he said. “Bad guys establish a foothold within the enterprise, escalate privileges, move laterally to get at the data, maintain their presence until they can get at sensitive data and exfiltrate the goodies,” he said.
Some argue that selling passwords is a smaller problem than weak passwords, because weak passwords are so easy to crack anyway. Indeed, any password of fewer than 10 characters that is a dictionary word, even spelled backwards with a few upper-case letters mixed in, is an unlocked door to an attacker with minimal skill and off-the-shelf cracking software, which tries exactly those variations of every word in its list. That, they say, makes for a sale price of next to nothing.
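To make the "unlocked door" concrete, here is an added example (not code from the article or from anyone quoted in it) of the rule-based dictionary attack the paragraph describes: every word in a small constructed wordlist is tried forwards and backwards with every combination of upper-case letters. The wordlist, the use of unsalted SHA-256 as the stored hash, and the target passwords are all assumptions made for the demonstration.

```python
import hashlib
import itertools

# Constructed stand-in for a real dictionary: a handful of the words that
# top every leaked-password list. Real rule engines (hashcat, John the Ripper)
# apply far more mangling rules to far larger wordlists.
WORDLIST = ["password", "welcome", "dragon", "sunshine", "letmein", "monkey"]


def sha256_hex(text):
    """Unsalted SHA-256 of a string, standing in for a stored password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(word):
    """Yield the variants the article describes for one dictionary word:
    the word forwards and backwards, with every combination of letters
    upper-cased (2**len(word) variants per direction)."""
    for base in (word, word[::-1]):
        for flags in itertools.product((False, True), repeat=len(base)):
            yield "".join(c.upper() if up else c for c, up in zip(base, flags))


def crack(target_hash, wordlist=WORDLIST, max_len=10):
    """Return (password, guesses_tried) for the first candidate whose hash
    matches target_hash, or (None, guesses_tried) if nothing matches.

    SHA-256 is used only so the block runs on the standard library; a salted,
    slow hash (bcrypt, scrypt, Argon2) raises the cost per guess but does not
    rescue a password that falls within the first few thousand guesses.
    """
    tried = 0
    for word in wordlist:
        if len(word) >= max_len:
            continue
        for cand in candidates(word):
            tried += 1
            if sha256_hex(cand) == target_hash:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    # "NogarD" is "dragon" reversed with two letters upper-cased, the exact
    # pattern the article calls an unlocked door. It falls in under 1,000 guesses.
    print(crack(sha256_hex("NogarD")))
    # A password not derived from the wordlist is never found by this attack.
    print(crack(sha256_hex("zq7!Lm2#vK9p")))
```

The point of counting guesses is that the whole search for "NogarD" costs fewer hashes than a single second of a desktop GPU; a password that exists in a wordlist, in any of these variations, is effectively public whether or not anyone sells it.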
Loomis does not entirely support that assertion. He said offering passwords for sale does make it easier for criminals, since it spares them having to try even two or three times to gain access, an anomaly that security countermeasures could pick up as suspicious.
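The countermeasure Loomis alludes to is a failed-login burst detector, and the reason a bought password defeats it is that the buyer produces no failures. The following is an added example, not code from the article or from Loomis, that runs both that detector and a complementary check (a successful login from a source address the user has never succeeded from) over a constructed log. The log format, the field names and the sample events are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (not from the article): one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: alice's password is guessed after three failures;
# bob's password was bought, so the buyer's first attempt succeeds.
SAMPLE_LOG = [
    "2015-04-07T08:00:00Z user=alice src=10.0.0.12 result=OK",      # normal day
    "2015-04-07T08:00:05Z user=bob src=10.0.0.33 result=OK",        # normal day
    "2015-04-07T09:12:01Z user=alice src=203.0.113.5 result=FAIL",
    "2015-04-07T09:12:07Z user=alice src=203.0.113.5 result=FAIL",
    "2015-04-07T09:12:15Z user=alice src=203.0.113.5 result=FAIL",  # third miss
    "2015-04-07T09:12:20Z user=alice src=203.0.113.5 result=OK",    # guesser gets in
    "2015-04-07T09:30:00Z user=bob src=198.51.100.7 result=OK",     # buyer gets in first try
]


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, max_failures=3, window=timedelta(minutes=5), flag_new_sources=True):
    """Return a list of (timestamp, user, reason) alerts.

    "failure-burst": max_failures FAILs for one user inside `window`, the
    classic threshold countermeasure. A sold password never trips it.
    "new-source-success": a successful login from a source address this user
    has never succeeded from before; the extra check that does see the buyer.
    """
    recent_fails = defaultdict(deque)   # user -> timestamps of recent FAILs
    known_sources = defaultdict(set)    # user -> sources with a prior OK
    alerts = []
    for ev in filter(None, map(parse, lines)):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            q = recent_fails[user]
            q.append(ts)
            while ts - q[0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                alerts.append((ts, user, "failure-burst"))
                q.clear()                  # one alert per burst
        else:
            known = known_sources[user]
            if flag_new_sources and known and ev["src"] not in known:
                alerts.append((ts, user, "new-source-success"))
            known.add(ev["src"])
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
```

Run with `flag_new_sources=False` and only alice's guessed password is flagged; bob's bought password leaves nothing for a threshold rule to see. The new-source check catches bob, at the cost of also flagging legitimate logins from new locations, which is why such signals are usually scored together rather than alerted on individually.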
Whatever their value on the market, a relatively new group, the Fast Identity Online (FIDO) Alliance, says it is one more reason to eliminate passwords entirely.
FIDO Vice President Ramesh Kesanupalli, also founder of Nok Nok Labs, said in a statement that “enterprise users selling passwords demonstrates yet another example of how flawed and risky password-centric authentication is.”
FIDO, a non-profit formed in 2012, has developed a two-factor authentication system that “exchanges cryptographic data with FIDO servers — not vulnerable personal information of any kind,” Kesanupalli said.
Still, even with authentication credentials far more secure than passwords, if people are willing to sell them the problem remains, and could even be worse, since those credentials would likely be more valuable.
That, experts say, makes better security awareness training essential. Frenz said it is important to let employees know that it is not just corporate data that is at risk. “Reminding people that work not only stores customer data but a lot of their personal data in the form of HR and payroll records can often help to put things in perspective,” he said.
And the web site Malicious Link, in a recent post, argued that enterprises need to understand the psychology of employees and to provide incentives for them not to be tempted to sell their credentials.
If security professionals become “familiar with the emerging studies under the banner of cognitive psychology/behavioural economics,” they will be able to understand “irrationalities” in human judgment and “design better incentive systems and security control schemes,” the post said.
The good news, according to Sudhakar, is that even if people willingly sell or compromise their credentials, technology has gotten better at spotting the inevitable breach that follows.
“Innovations in data science and machine learning are improving early breach detection from compromised credentials or insiders gone bad,” he said.
That, combined with better training and an awareness of disgruntled employees, may be the best defence. As Frenz notes, passwords do have one major advantage over other, more secure forms of authentication such as biometrics.
“They are very easy to change once compromised,” he said.
Taylor Armerding, IDG News Service