Every year the Verizon Data Breach Investigations Report researches data breaches that occurred throughout the year along with trends and reasons behind those breaches. We know that breaches are on the rise. The Target breach got everyone’s attention and it was only one of a long string of incidents reported throughout a variety of industries.
According to the report, the hospitality industry had the highest number of breaches among all the industry segments measured in both 2011 and 2012. That’s ahead of financial services, healthcare and retail, industries which obviously could provide higher financial rewards for attackers than hospitality. Despite all the money being spent on security measures from endpoints to data leak prevention to database security, the single largest vulnerability continues to be passwords. To be specific, 76 percent of all industry breaches over the past few years were based on weak or stolen password credentials.
Numerous implementations of password management solutions showed a major success in a very short period of time. And, the success of these implementations can be measured financially through improved operations and through improved security. An organizational password management implementation involves a number of key elements consisting of a blend of technology and internal business processes, such as composing hard-to-guess passwords, changing and reusing passwords, intruder detection and lockout, synchronizing passwords, and the art and science of keeping passwords secret, among other things.
Based on hospitality breach statistics, it may be time to evaluate your maturity against some of the top practices defined below to ensure you improve security and lower operational costs.
Tip No.1:
Multiple Passwords Can Be Inhumane
The problem with passwords in a large enterprise is that people generally require so many different accounts and corresponding passwords to access the expansive list of both cloud and on-premise systems and applications, that sometimes it feels humanly impossible to remember them all. And just about the time you feel you have them all memorized, they then need to be changed. So what is the natural reaction of a worker who needs to efficiently accomplish all their tasks across a number of different systems? They start to develop a host of insecure behaviors around password management including: writing passwords down, using passwords that are simple and easily compromised, contacting the help desk constantly when they forget their password (contributing to 30 percent of all help desk calls), or reusing old passwords as often as possible.
These behaviors creep into the workplace because workers want to avoid downtime and the hassles that go along with it. The solution to the entire password management problem incorporates three critical components: an easy self-service password reset capability to ensure people can reset their own passwords, a synchronization solution that changes passwords across all of a user's systems and a single sign-on solution to limit the number of sign-ons required.
Tip No.2:
Compose Passwords That Are Difficult to Crack
All it takes to understand the glaring issue of password strength is to see the 25 worst passwords and their current ranking based on use (thanks to Splashdata who measures them). The top 10 are listed in the sidebar.
At least "password" is no longer No.1. The solution to this overly simple problem is to prevent your users from being able to use simple, easy-to-guess passwords. Controls around password strength have been around for a long time, and most software and operating systems provide a way to prevent weak passwords from being used if configured correctly. Unfortunately, some organizational legacy system baggage prevents setting stringent controls holistically at the target system, so software solutions have been created to help enforce password policies and prevent poor password decisions at the time the password is set and then synchronized across systems.
Tip No.3:
One-to-many Corporate Password Policy
There is no reason to have numerous password policies across your system environment. Identify the strength, expiration and aging requirements of your organization, and implement that same policy on all of your systems. This does not take a massive amount of effort to accomplish, and it ultimately improves security while reducing support hassles. If your users know that they always need to choose a password that has at least one upper case character, one lower case character and a number, that they can not reuse that password for five password changes and that they need to change the password every 60 days on every system within the company, they will not need to remember so many different password types or go through the hassle of being rejected when entering a weak password on a strong policy system.
A solid password management solution can unify your password policies by ensuring users select a password with all of the strength requirements across a variety of system policies. While the active directory domain may require three of four character types (upper/lower/numeric/special character), your SAP system may only be set to take upper, lower and numeric values. It is best to identify a single corporate password policy and implement that same policy across all of your systems while using a password management tool to help block easily guessable passwords regardless of the strength requirement.
Tip No.4:
Change Every Password but the Kitchen Sync
Password synchronization can solve many issues around password management. Syncing passwords ensures users only need to remember one core password when logging into corporate systems, which ultimately prevents writing down passwords. It also helps solve the password expiration problem since the passwords will all be changed at the same time.
The latest solutions can map usernames across systems and still sync passwords successfully. For instance, my AD account may be RYANW, but my AIX Unix password is WARDR. A password management solution keeps track of those mappings and automatically knows to change my password for both AD\RYANW and AIX\WARDR. Synchronization can now also work with cloud-based applications such as Salesforce.com, Google or Office365, so security is strengthened by regularly changing cloud-based applications that in the past were typically left unchanged or had longer expiration windows.
Tip No.5:
Embrace Self-service
As stated earlier, the volume of service desk calls relating to password issues is massive, and service desks obviously have better things to do than handle these types of calls. The return on investment (ROI) of self-service password management solutions is lightning fast and easy to calculate. If you know the cost per ticket of a password call, simply multiply that by the number of calls and the percentage that would be automated via a self service (such as 90 percent).
ROI of self-service password management
$10 per ticket X 10,000 tickets
X 90% self-service = $90,000 saved
If you steer end users to handle their own password issues, you will have a clear justification to purchase a solution, and the ROI typically occurs within six months.
Tip No.6:
Using Single Sign-on
Single Sign-on (SSO) as a form of password management simply because it eliminates the number of times a user needs to use a password. After logging in with a core directory username and password, a worker leveraging single sign-on in the enterprise is then trusted to access a variety of other applications they use since they have already been successfully authenticated.
The beauty of an enterprise-class SSO solution is that you can combine it with password management and identity management capabilities to create a unified security approach for authentications across critical applications. The password management solution should be able to sync passwords to the cloud apps transparently, improving security. An identity management solution could automatically provision and deprovision access to SSO apps which also improves security. Finally, having visibility to SSO application usage provides a great way to monitor license usage and costs.
Tip No.7:
Auditing, Intrusion Detection and Security Features
Once a single enterprise password management solution is implemented, it is then possible to have a holistic view of all password management activities. This includes all user activities as well as administrative actions against the system. Security enhancements around intrusion detection are also improved with this type of solution, and your end users and administrators can actually be notified if a hacker is attempting to authenticate against the system inappropriately. Notifying the target user when password-related changes occur is the best security mechanism as they would be best suited to detect if they were actually the cause of the password-related issue or not. Accompany this type of rollout with a security awareness campaign to promote password practices and security-related notifications that will accompany the new solution.
These simple additions will go a long way in securing your organization. By keeping your passwords secure and your users engaged, the chance of a security breach is significantly reduced.
Ryan Ward is CIO at Avatier Corp., a world leader in risk-driven identity management software. He is a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).
The full list of the top 25 worst passwords of 2013 can be found at www.hospitalityupgrade.com/Top25-Worst-Passwords-of-2013.