For enterprises building a large part of their authentication strategy on passwords, this year's Verizon Data Breach Investigations Report has a clear message: Cut it out!
For those exploring multi-factor and other authentication alternatives - the message also is straightforward, bravo!
Weak and stolen passwords are the foundation for two out of every three breaches, and there were 1,367 breaches cited by the DBIR this year. That works out to 912 breaches involving stolen credentials, a number that points at the need for alternatives like the current trend toward two-factor and multi-factor authentication.
The report was clear on the future of passwords, especially as it relates to today's cloud computing.
"The writing’s on the wall for single-factor, password-based authentication on anything Internet-facing," the report concluded. The DBIR report went on to make specific recommendations to enterprises and service providers, "Even though it may draw you out of a known comfort zone, if you’re defending a web application seek out alternatives to this method (passwords) of identity verification. If you’re a vendor in the web application space, also consider mandating alternative authentication mechanism for your customers."
The report tagged Web applications the "proverbial punching bag of the Internet," pointing out they are most often compromised by exploiting a weakness in the application or by using stolen credentials to impersonate a valid user.
"Authentication credentials are useful in both the criminal underground and the shadowy world of the clandestine, and that demand is reflected here (see chart at right)," the report stated.
The report showed that Web application hacks have been trending upward over the past two-and-a-half years while attacks on point-of-sale terminals (despite recent publicized hacks re: Target) have actually been on the decline.
On the consumer side, the report said data shows that "passwords, usernames, emails, credit/debit card and financial account information, and Social Security Numbers are being compromised at a staggering rate, endangering the identities of consumers nationwide."
The recommendation to consumers is to "develop strong passwords. Don’t be like the millions of others who use “12345678” or “password.” Even when hashed, these passwords can easily be deciphered by data thieves."
Here were other recommendations made in the DBIR report:
- Make absolutely sure all passwords used for remote access to POS systems are not factory defaults, the name of the POS vendor, dictionary words, or otherwise weak. If a third party handles this, require (and verify) that this is done, and that they do not use the same password for other customers.
- Use two-factor authentication: Stronger passwords would cut out a huge chunk of the problem, but larger organizations should also consider multiple factors to authenticate third-party and internal users.
CrimeWare: (defined as incidents involving malware of varied types and purposes)
- Use two-factor authentication. Our results link CrimeWare to stolen credentials more often than any other type of data. This points to the key role of CrimeWare when the attack objective is to gain access to user accounts. Two-factor authentication won’t prevent the theft of credentials, but it will go a long way toward preventing the fraudulent re-use of those credentials.
- Stop lateral movement inside the network. After gaining access, attackers will begin compromising systems across your network. Two-factor authentication will help contain the widespread and unchallenged re-use of user accounts.