Halloween is finally here — a time of the year for costume parties and frightening fun. It’s also the time many of us face the things that scare us the most. The beginnings of Halloween go all the way back to the Celtic culture of 2000 years ago when November 1 was their new year and a time when they believed that the spirits of the dead would rise and walk among the living. Spooky indeed. What’s this have to do with identity management though?
Quite a bit when you think about it.
Personally, Halloween has always been a holiday in which I tried to learn from facing things I fear — and striving to improve myself in some way by being less fearful. Sometimes I would learn to eliminate fears, and in other cases, the lesson was my coming to grips with and accepting what I can’t control.
That is where identity management comes in. When it comes to identity management, just like life, there are many things security professionals can’t control. A good example is how users treat their passwords. The fact that so many users still write down their passwords at work is downright terrifying. But by understanding some of the more fearsome aspects of identity, organization-specific steps can be taken to reduce and better manage risk.
With that in mind, below is a handful of the spookiest aspects of identity I could think of:
How users treat their passwords is truly ghastly.
While passwords are among the most used enterprise defenses, they remain one of the most abused by workers. According to SailPoint’s 2016 Market Pulse Survey, a ghastly 62 percent of workers share their passwords with coworkers, while 42 percent admit that they would sell their password to a third-party. Some would do so for less than $100!
From the same survey — and I think the respondents performed some mischief with their answers here — a surprisingly low 16 percent said they use one password across multiple applications. Now, we all know, or can strongly suspect, that the actual statistic is much higher than that. At least that 16 percent minority was being honest and fully transparent about their actions.
Ghosts of ourselves lurk in the dark web.
Billions of records have been stolen in recent years. All of those data and exposed records — breaches from credit bureaus, corporate personnel files, caregiver medical files, retailers, federal agencies, and so on — lurks within the dark web. With all of that information on the dark web, it’s a snap for criminals to collect and use as part of an identity-based attack. Your date of birth, mother’s maiden name, the town where you were born, and such data follow you around like your shadow on a night with a full moon.
Attackers take possession of their targets through weak or stolen credentials.
While most attacks rely on any number of common tactics, whether it’s phishing, social engineering, malware, exploiting vulnerable software, and so on — the most common and persistent attack techniques is the use of stolen or weak credentials. The most recent (2017) Verizon Data Breach Investigations Report found, in fact, that 81 percent of all of the attacks they examined this year utilized stolen or weak credentials. Astoundingly, Verizon found credentials to be involved in four out of five breaches this year.
Here’s another eerie identity fact: according to the 2017 Market Pulse Survey, 86 percent of respondents admit that they only have partial visibility into the access contractors have to their corporate systems and the sensitive data that lies within.
Privileged accounts torment security professionals.
Privileged accounts are those accounts that provide the account user enhanced, and often super-user, access. Enhanced access could be accounts that provide a lot more access than typical users, but the account owner is a business user and not an IT user. While so-called super-user accounts are accounts that are used to administer systems, such as local admin accounts, domain admits accounts, as well as system/machine accounts such as those used by applications or devices to interact with other systems and devices. There are other types of privileged accounts, but you get the idea: these are accounts, because of the level of access they provide, that are very bad to have breached. It’s also why it’s no surprise that survey and report after survey and report find privileged access involved in the majority of data breaches.
Orphaned access credentials and the walking dead.
While it’s fun to think of ghosts and the dead coming back to hang around with the living on Halloween — it’s most certainly not fun when it comes to access credentials. We don’t want access credentials that should have been long buried to suddenly rise from their digital graves. These are accounts for workers who have left an organization, or their roles have changed, and their access privileges for their previous roles remain intact. Downright chilling. Still, from SailPoint’s 2016 Market Pulse Survey, 42 percent of respondents said they could access their corporate accounts and data after their job was terminated.
If enterprises want to be less fearful throughout the year, it’s important that those manage access credentials and make sure there are no ghosts in their machines.