Intelligent CISO Issue 39 | Page 69

The acceleration of Digital Transformation during the pandemic is a cause for potential concern. www.intelligentciso.com
accounts, criminals can access corporate infrastructure quickly," he said. "Once they have this access, it’s then fairly easy for them to use those credentials to escalate permissions until they have administration privileges, which grant them access to the gold they’re looking for – sensitive assets and information."
Belgrove reiterated that other verification methods are needed on top of MFA.
"Its success does rely on organisations securing and verifying biometric credentials to ensure they cannot be seized, modified or duplicated by attackers, as it’s impossible for any of us to change our own retinal scan or fingerprint," he said.
"There have been instances where retinal and fingerprint scanners have been fooled into giving access, which is why MFA – and the additional layer of security it provides – is generally far more preferable than Two-Factor Authentication (2FA)."
Managing machine security is important too
While MFA is crucial to bolster security defences, Checkmarx’s SCA and Open Source Evangelist, Robert Haynes, believes organisations should look beyond human password use.
He said: "It’s important for organisations to think about how passwords and other credentials are stored in IT automation systems like Infrastructure as Code and container build files."
In Haynes’ experience, machines as well as people have often exposed credentials, causing security compromises. "The same level of attention, therefore, should apply to how passwords and secrets are managed by our processes, instead of just by our people," he said.
"The risks are similar and the results of exposure can be just as serious."
David Higgins, CyberArk’s EMEA Technical Director
Haynes said a secret management tool – similar to a password manager – can help organisations combat threats, while also performing routine scans of infrastructure.
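As an added illustration of the kind of routine scan Haynes describes (example code written for this page, not Checkmarx’s tooling or anything from the article), the Python below flags literal credentials assigned in Dockerfiles and in Terraform, YAML or JSON files, while passing values that merely reference an environment variable, a Terraform variable or a secret-store lookup. The file contents, key names, suffix allow-list and regular expressions are all constructed assumptions of this example.

```python
"""Flag hard-coded credentials in IaC and container build files.

Added illustration written for this page, not code from the article or from
Checkmarx: a minimal version of the 'routine scan of infrastructure' that a
secrets-management programme runs. Every file below is a constructed sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Key names that usually hold a credential ...
SECRET_KEY_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token|access[_-]?key)")
# ... unless the name says it only holds an identifier or a path to one (e.g. secret_id).
NON_SECRET_SUFFIX_RE = re.compile(r"(?i)(_id|_name|_arn|_path|_file)$")
# Dockerfile: "ENV DB_PASSWORD=hunter2" or "ENV DB_PASSWORD hunter2".
DOCKER_ENV_RE = re.compile(r"^\s*(?:ENV|ARG)\s+([A-Za-z_][A-Za-z0-9_]*)\s*[= ]\s*(.+?)\s*$")
# HCL / YAML / JSON assignment: password = "..."  or  "password": "..."
ASSIGN_RE = re.compile(r'^\s*"?([A-Za-z_][A-Za-z0-9_.-]*)"?\s*[:=]\s*(.+?)\s*$')
# Values that are references, not literals: ${VAR}, $VAR, var.x, data.x, <placeholder>, {{ template }}.
REFERENCE_RE = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|var\.[A-Za-z0-9_]+|data\.[A-Za-z0-9_.]+|<[^>]+>|\{\{.*\}\})$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    reason: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that assigns a literal value to a credential-looking key.

    The literal itself is deliberately not stored in the Finding, so the scanner's
    own report does not become another place the secret is written down.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = DOCKER_ENV_RE.match(line) or ASSIGN_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        value = value.split(" #", 1)[0].strip().strip("\"',")  # drop trailing comment, quotes, comma
        if not SECRET_KEY_RE.search(key) or NON_SECRET_SUFFIX_RE.search(key):
            continue
        if REFERENCE_RE.match(value):
            continue  # resolved at deploy time from the environment or a secret store
        findings.append(Finding(path, line_no, key, "literal value assigned to credential key"))
    return findings


# Constructed sample files: two with the anti-pattern, one showing the fix.
SAMPLES = {
    "Dockerfile": """\
FROM python:3.12-slim
ENV DB_HOST=db.internal
ENV DB_PASSWORD=hunter2
ARG NPM_TOKEN=npm_abc123
ENV API_KEY=${API_KEY}
COPY . /app
""",
    "main.tf": """\
resource "aws_db_instance" "app" {
  username = "admin"
  password = "Sup3rS3cret!"
}
""",
    "main_fixed.tf": """\
# Credential supplied from a secrets manager, not committed to source.
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/app/db"
}
resource "aws_db_instance" "app" {
  username = "admin"
  password = data.aws_secretsmanager_secret_version.db.secret_string
}
""",
}


def scan_all(files: dict[str, str] | None = None) -> dict[str, list[Finding]]:
    """Scan every file in the mapping (default: the constructed samples)."""
    return {path: scan_text(path, text) for path, text in (files or SAMPLES).items()}


if __name__ == "__main__":
    for path, findings in scan_all().items():
        for f in findings:
            print(f"{f.path}:{f.line_no}: {f.key}: {f.reason}")
```

The fixed Terraform sample passes because the scanner treats a `data.` or `var.` reference as a pointer to a secret store rather than a secret; the same pattern is what a secret management tool of the kind Haynes mentions provides, so a scan like this verifies that the tool is actually being used in the automation files, not just that it exists.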
Buying our time with better passwords
If passwords are at the root of many security challenges, when can we give them up? F5’s Global Head of AI, Shuman Ghosemajumder, asked that exact question. He believes passwords are "inconvenient and create numerous security vulnerabilities." So why can’t we just replace them?
"The short answer is: there’s not a better method – yet," said Ghosemajumder. "Companies are beholden to their users and while most users claim to value security over convenience, their actions speak otherwise.
"Even when users’ accounts are taken over, fewer than one out of 10 will adopt MFA because of the associated complexity and friction."
According to Ghosemajumder, we’ll replace passwords when we find a solution that matches their usability, security and deployability. He also sees future hope in invisible MFA, which relies on factors invisible to the user, but that will not replace passwords yet.
"In the interim, businesses should outlast attackers by denying them their most precious resource: time," Ghosemajumder said.
"If an organisation can significantly increase the time it takes criminals to monetise their attacks, most cybercriminals will abandon the pursuit in favour of weaker targets.
"Businesses must upgrade password security methods to something secure like bcrypt to slow attackers down before even launching an attack."
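As an added example of the "slow attackers down" point (written for this page; not code from F5 or from the article), the Python below stores passwords with a random salt and a tunable work factor, and upgrades legacy unsalted SHA-256 records transparently on the user’s next successful login. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt the article names, because both share the property that matters here: the defender decides how expensive each guess is, and can raise that cost over time. The iteration count, record format and function names are assumptions of this example.

```python
"""Slow, salted password hashing with an upgrade path for legacy hashes.

Added illustration, not code from the article or from F5. The article names
bcrypt; this example uses PBKDF2-HMAC-SHA256 from the standard library as a
stand-in because it has the same defining property, a tunable work factor,
and needs no third-party package. bcrypt, scrypt or Argon2 slot in the same way.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import time

# Work-factor policy (constructed for this example). Production values should
# follow current guidance and be re-tuned as hardware gets faster.
CURRENT_ITERATIONS = 200_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def legacy_hash(password: str) -> str:
    """The kind of unsalted, fast hash this example upgrades away from."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True when the stored record uses the legacy scheme or a
    work factor below CURRENT_ITERATIONS, so the caller can upgrade it.
    Comparisons use hmac.compare_digest to avoid leaking timing information.
    """
    scheme, _, rest = stored.partition("$")
    if scheme == "sha256":
        return hmac.compare_digest(legacy_hash(password), stored), True
    if scheme == "pbkdf2_sha256":
        iterations_s, salt_b64, digest_b64 = rest.split("$")
        iterations = int(iterations_s)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     base64.b64decode(salt_b64), iterations)
        return hmac.compare_digest(expected, actual), iterations < CURRENT_ITERATIONS
    raise ValueError(f"unknown hash scheme: {scheme!r}")


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify a login and, on success, return an upgraded record for weak ones."""
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        return True, hash_password(password)  # the plaintext is only available at login time
    return ok, stored


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough attacker cost model: candidate passwords one core can hash per second."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"candidate{count}")
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    record = legacy_hash("correct horse battery staple")
    ok, record = login("correct horse battery staple", record)
    print(ok, record.split("$")[0])
    print(f"unsalted sha256: {guesses_per_second(legacy_hash):,.0f} guesses/s")
    print(f"pbkdf2 x{CURRENT_ITERATIONS}: {guesses_per_second(hash_password):,.1f} guesses/s")
```

Running the script prints the two guess rates side by side, which is the "time" Ghosemajumder refers to: the ratio between them is the factor by which a leaked hash database becomes more expensive to crack, and the same `needs_rehash` path lets the defender raise the work factor again later without forcing a password reset.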
While some have suggested the security industry needs to move on from passwords, it’s clear they are still a crucial ingredient in the security pie.
Part of that mixture must be filled by MFA, according to Higgins and Belgrove. IT teams must also seek to verify both human accounts and the increasing number of automated accounts operating on our networks.
Cybercrime is a business, Ghosemajumder added as a parting note.
"Attacks are organised based on a predictable rate of return and until a better method is developed to replace passwords, the most effective preventative measures organisations can put in place are ones that slow attackers down."