More than 80% of data breaches involve a stolen password, according to Verizon’s Data Breach Investigations Report. So the most important security action for any IT organization must be to mitigate this.
In a Forbes article from November 2020 Alex Weinert from Microsoft states:
“Remember that all your attacker cares about is stealing passwords...That’s a key difference between hypothetical and practical security.”
Although we can’t protect against all types of attacks, FastPass V4 complements the actions you most probably already have in place.
With new functionality in these 4 areas, you can make it very hard to steal users’ passwords:
- Upgrade the Password Policy to a higher level of protection
- Protect the password reset process in the service desk
- Provide new secure and easy authentication for self-service of passwords
- Maintain compliance and management reporting
These improvements are not only for your Windows passwords. The most valuable assets might be in SAP, Oracle, IBM, or other corporate systems, so FastPass V4 protects all your important passwords.
1. Upgrade the Password Policy
Hackers steal passwords from data breaches of “public” databases. If a user reuses his corporate password in external databases, then the hacker, in many cases, can recover the password even when it was stored as a hash. The mitigation is to prevent users from using popular passwords, which are the ones hackers can decode.
In FastPass V4, we prevent users from utilizing passwords that have been part of known data breaches, including the hashed passwords from “HaveIBeenPwned”. We prevent it when users use FastPass self-service, but also when users change their Windows passwords with “ctrl-alt-del”.
If hackers don’t have breached passwords, they might guess and do a password spray attack. In this case, the hackers bombard accounts with passwords they hope match someone’s password. These might include company names, product names, “summer,” “winter,” frequently used numbers, and many other popular themes. With FastPass syntax checking of passwords, you can prevent users from including such phrases in their corporate passwords.
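To make the two checks concrete, here is an added example (not FastPass code, and not the product's policy engine) of a password-change filter that rejects breached passwords and banned themes. The breached set is constructed inline as SHA-1 digests, the format the HaveIBeenPwned Pwned Passwords list is distributed in; in practice the set would be loaded from that list, and the company and product names are assumed placeholders.

```python
import hashlib
import re

# Constructed breached-password set: SHA-1 digests in upper-case hex, matching
# the HaveIBeenPwned Pwned Passwords format. Real deployments load the full list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Summer2020", "Welcome123")
}

# Constructed banned themes: assumed company/product names ("acme", "widgetpro"),
# seasons, and other popular phrases. Matching is done on a normalised form so
# that leet-speak substitutions (S1mmer, W1nt3r) do not slip past the filter.
BANNED_PHRASES = ["acme", "widgetpro", "summer", "winter", "spring", "autumn",
                  "welcome", "password"]
# Frequently used number patterns: years, 123/1234 runs, repeated digits.
BANNED_NUMBER_PATTERNS = [r"(19|20)\d{2}", r"1234", r"123", r"(\d)\1{2,}"]

LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Lower-case and undo common character substitutions before phrase matching."""
    return password.lower().translate(LEET)


def is_breached(password):
    """True if the password's SHA-1 digest is in the breached-password set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def banned_phrase(password):
    """Return the first banned theme found in the normalised password, else None."""
    norm = normalise(password)
    return next((phrase for phrase in BANNED_PHRASES if phrase in norm), None)


def check_password(password, min_length=12):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in a known data breach")
    phrase = banned_phrase(password)
    if phrase:
        problems.append(f"contains banned phrase '{phrase}'")
    if any(re.search(pat, password) for pat in BANNED_NUMBER_PATTERNS):
        problems.append("contains a frequently used number pattern")
    return problems
```

The same function can run at both enforcement points the section mentions, the self-service flow and a Windows password filter hook, as long as both see the clear-text candidate before it is hashed.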
To establish your own baseline for the Active Directory passwords, we urge you to use our free Password Audit Tool. This tool analyzes all your passwords and identifies any systematic issues that you might have with the AD passwords.
Some security experts suggest that a person’s passwords must be changed, if the user has been involved in a data breach somewhere. We offer you a service where we alert your organization, if users from your domain are identified on “haveIbeenPwned.com”.
The combined effect of the password initiatives, as part of FastPass V4, will make your organization’s passwords unattractive for hackers!
2. Protect the password reset process in the service desk
You know about e-mail phishing. It’s like a shotgun fired into a big crowd, in the hope that you hit something, even if you can’t have any idea whether it is valuable or not. If the hacker wants a specific target, however, they must use a sniper rifle, which will be phone-based vishing. As the target probably won’t give away the password, the hacker will call the service desk, pretend to be the target person, and attempt to get a reset of the user’s password. According to a Service Desk Institute survey in 2018, 84% of service desk managers are afraid that a hacker can get a password from their service desk.
To prevent vishing attacks, the service desk must do a secure identity verification of persons calling in. This process must be a forced and mandatory workflow – there must be no way for the service desk supporters to circumvent the process.
FastPass V4 Identity Verification Manager (IVM) has a flexible workflow, which can be configured to reflect the security policy of any organization. The verification process includes many different types of tests based on secure and privileged information from different sources. Of special importance is the in-built dynamic and contextual information, which makes it practically impossible for hackers to cope with the tests.
IVM can be the core tool for any identity verification needed for employees phoning in to central departments to get anything!
As the well-known ethical hacker Kevin Mitnick says: “Why waste days hacking your way in, if you can do it with a phone call!”
3. New secure general authentication for self-service of passwords
Self-service of passwords continues to be an important part of password security and productivity. In many situations, 2-factor authentication is required for self-service. But what do you do, if the user has lost his token or forgotten the answers to his personal question/answer process? We even see some organizations in which employees don’t have any tokens, so the only one-factor authentication is questions/answers. Some users, however, forget their answers and thus can’t do self-service. So, we need a new authentication method that can introduce additional security, without requiring a physical token.
FastPass V4 introduces Identity Verification by Manager, or “Manager Approval”! This function can be extended to trusted colleagues for verification purposes.
With FastPass V4, the user can ask the manager to confirm that it really is the right user who gets a new password. Instead of calling the service desk, the problem can be solved inside the user’s own department. No one knows the employees better than the manager (or the trusted colleague), so this new authentication method adds a completely new level of security to self-service!
From customer statistics, we know that one of the main reasons for users’ failure to do self-service is that the user has forgotten the answers to his or her personal questions. If this happens, the user can then do Manager Approval, preventing calls to the service desk and reaching more than 90% user adoption and automation.
4. Compliance and management reporting
Decisions on security policies and processes are the basis for IT security. But they are only valuable if your organization complies with the policies and processes.
Auditors, Data Protection Officers, and Compliance Officers demand proof that the organization complies with the policies and written procedures.
Many organizations implement SIEM systems for early alerts about threats, and FastPass has events that can give early warnings.
With FastPass Cloud V4, customers get a complete dashboard for security and performance reporting, like:
- Do we see an increase in password reset transactions? Where?
- High frequency of password resets from any individual users?
- Any supporters having a high number of password calls?
- How have we verified the identity in each case?
- What are the most used tests in identity verification?
Even analysis of self-service processes:
- What authentication methods are users utilizing? Which fail the most?
- Any users logged out of self-service?
- When are users using self-service?
- What is the financial value of FastPass self-service?
The automatic compliance reporting will save time and money. However, more importantly, it will give assurance that the processes are secure.
Integration and technology
Most enterprises have complex infrastructures and solutions from different vendors. Password policies are controlled by Windows/AD. The service desk processes are executed and managed by an ITSM suite. Information regarding Identity Management is in another application suite. Security Information and Event Management is handled by a SIEM application. Multifactor authentication is based on many different credential types like smartcards, SMS, authenticator apps, RSA devices, and biometric identification.
FastPass is designed to use general commercial multi-factor credentials and easily integrate with data and processes from other applications.
FastPass V4 can be implemented as an on-premise solution or from FastPass Cloud (AWS), with both based on low subscription fees per user. Many managed service providers (MSP) offer FastPass from their private cloud, and FastPass V4 is available as a multi-tenant solution for service providers.
Passwords are here to stay for some years to come! As long as this is the case, we must fight to prevent hackers from stealing users’ passwords.
FastPass V4 brings comprehensive password protection to secure organizations. Making passwords complex, avoiding the use of dictionary passwords and popular phrases as part of the password, changing the password regularly, and protecting the password processes will make your organization unattractive to hackers. It will be easier for them to attack your neighbor!
With compliance reporting, management and external auditors will approve.
With the productivity gains from self-service of passwords, you will even free up funding.
Contact us or your FastPass partner to learn how you can protect your organization immediately. Start with the free Password Audit Tool.