Guidance for All Industries
As tensions between the US and Russia escalate, organizations need to act fast to shore up digital defenses
In a just-released briefing from the White House, titled “Act Now to Protect Against Potential Cyberattacks,” authorities urged government facilities, healthcare organizations, and companies of all types, to lock down their digital systems–urgently. Intelligence indicates that Russia may be exploring options for potential cyberattacks, due to pressure caused by recent sanctions established by the United States.
What’s in the Briefing?
The brief outlines several directives, including suggestions like: mandate Multifactor Authentication (MFA), backing up your data frequently and securely, having a disaster recovery plan (and practicing it!), encrypting your data, providing staff training, and to “change passwords across your networks so that previously stolen credentials are useless to malicious actors.”
The suggestion to engage in a network-wide forced password reset is without the context that could be helpful to employers.
While this guidance from the White House is welcome overall, it doesn’t offer a full enough picture of the problems with resetting passwords in the current cybersecurity environment.
The reality of the situation is that organizations can tell people to change their passwords, and even require them to do so, but they can’t prevent them from turning around and immediately reusing another unsafe – and even a compromised – password.
In fact, research presented in the NIST 800-63B publication showed repeatedly that when people are required to change their passwords, they frequently make only minor variations on it, or otherwise fail to follow the government’s current guidelines for creating a secure password. Organizations can’t detect or prevent this.
While mass forced password resets are being actively recommended, are they enough? And if there are unsafe passwords in use that users are then forced to change, how would the organization have any way of enforcing legitimately safe, unique passwords?
What Additional Actions Can Organizations Take?
A more comprehensive approach is needed when it comes to reducing risks caused by unsafe password habits.
Step One: Information
You need to know just how expansive the problem of compromised passwords is within your own network. Starting with an audit to determine which passwords are compromised, common, or easy to guess, allows your team to have a full picture, before taking any other actions.
Step Two: Policies
Once you know the extent and the weak points of the existing passwords in your systems, you should establish a process that allows continuous monitoring for unsafe and compromised passwords. According to NIST, the list of blacklisted passwords needs to be dynamic and expansive, including compromised passwords pulled from both cracking dictionaries and previous data breaches.
Ideally, organizations should also use a customized banned list, so they can include things like variations on the company name, location, and related words that are more often used in their password spaces.
Step three: Action
Whenever compromised passwords are detected, several steps need to be taken: most urgently, the password needs to be changed. Automating this remediation process is the best-case scenario for organizations so that IT staff aren’t overburdened.
Secondly, the user needs to be prevented from creating a new password that is too similar to the old one. Tweaking existing password policies to align with NIST guidelines can be an excellent starting point.
While it’s excellent to see the additional focus on the looming cybersecurity risks the nation faces, additional considerations are needed for it to be effective. Taking human behavior and habits into account, and addressing the password problem head-on, will help organizations stay ahead of the curve, and prevent cyberattacks.