We’ve all seen the classic hacker movie set-up.
A master cyber-criminal breaks into a network using his superior skills and top-notch equipment.
This is the type of story that’s really fun to watch. But it’s also science fiction.
In the real world hackers usually don’t orchestrate elaborate hacks to penetrate systems. They aim to steal credentials. Why hack when you can simply login?
They Never Knew What Hit Them
This security reality actually ends up creating a funny problem for organizations targeted by hackers.
When cybercriminals get their hands on passwords, they can waltz right into a network, execute whatever illicit actions they had planned–from data theft to money transfers–without triggering any alarm bells. What this means is that the biggest issue for a breached enterprise is not necessarily the breached data itself. It’s knowing that the breach took place to begin with.
When an attacker gains credentials he’s basically stealing the digital identity of a legitimate user. All actions taken on the network are then associated with that compromised user, leaving administrators none-the-wiser anything has gone wrong.
In fact some of the most notorious hacks in history were left unknown by the victims for years. The infamous Yahoo data breach of 2014 was discovered two years following the initial breach. More recently, the Marriott-Starwood breach which exposed a whopping 500 million user accounts, was reported years after hackers managed to penetrate the company’s systems.
The Human Factor and Its Vulnerabilities
What makes all of this possible is the one major weak-link in conventional security equations: the human factor.
The human factor represents the single biggest attack vector cybercriminals seek to capitalize on when they set out to breach a system. Don’t get me wrong, I love humans. Some of my best friends are humans. But from a security perspective, humans are a wildcard, whom when entrusted with sensitive information, tend to forget it, leave it exposed, or otherwise share it unintentionally.
To be fair, it is the very nature of contemporary authentication that puts humans in this compromising situation. It is shocking to contemplate, but it 2019, the outdated and outmoded password still remains the basis of most digital verification platforms. Passwords set up human users for failure. In order to remember long complicated passwords, users will jot them down on post-its and leave them out in the open–or to begin with, just create oversimplified passwords that can be easily guessed by a would-be intruder. Users will “share” their passwords with friends and colleagues, or reuse them for multiple accounts (Whenever we actually manage to remember a complicated password, we use it more than once. We’ve all done it. Don’t pretend like you’ve never done it).
An Exercise in Futility
To defend networks from all the weaknesses of the current digital authentication model, companies resort to a slew of cumbersome and expensive strategies. They purchase firewalls, antivirus measures, endpoint protection, and even apply blanket encryption to their entire system. But as long as passwords remain part of the picture, alas, the efforts of management to protect the network will be all for not. When Janice in accounting chooses the Password123 (the most popular password of 2018) the entire enterprise security effort becomes akin to securing a bank safe with a bike lock.
Coming to Terms
Until the robots take over, network security will still have to worry about the vulnerability of human users. Verifying their identities will remain a vital part of the security picture.
So how do we address these unavoidable human tendencies when developing our network architecture?
The true solution to this challenge will go way beyond password managers and complicated password policies. A new age is coming. And it’s completely password-less. The authentication of the future will be 100% human proof. Human approved access will replace human memorized access, leaving networks immeasurably safer and user experience exponentially enhanced.