COVID19 is driving a spike in phishing attacks that exploit the uncertainty and anxiety brought on by these truly unprecedented times. With unemployment rates skyrocketing and many companies furloughing their employees, attackers are taking advantage of financial and career fears. State-backed hackers are also on a rampage, attacking pharmaceutical companies and research institutions working on treatments for the novel disease, trying to get their hands on valuable intellectual property. US drugmaker Gilead Sciences, maker of Remdesivir (seen as a potential treatment for COVID19), is a recent example: it was targeted by a hacking group linked to Iran using the oldest and most effective trick in the book – a fake email login page designed to steal passwords.
Closures and social distancing are also driving a surge in demand for remote access to company IT resources via cloud services, VPNs, and virtualization tools. It is no longer just the road warriors working this way – it is everyone. A well-executed and maintained remote access infrastructure allows users to connect to internal enterprise network assets from outside the premises, wherever they are and at any time. For most enterprises, this is a crucial expansion of the common web applications employees already use to reach their email, company CRMs and ERPs, and file hosting systems.
Couple the surge in work from home with increasingly sophisticated social-engineering campaigns and you have the perfect storm. The combination of employees inexperienced in remote access methods and the unprecedented stress on businesses brought on by COVID19 is proving to be a jackpot for attackers and a nightmare for companies. Navigating new terrain, employees new to working from home are not well trained in distinguishing between what is legitimate and what is fraudulent, and are therefore a lot more likely to be duped by bogus requests asking for their credentials or by imposter websites posing as the real thing. For attackers, it is like taking candy from a baby.
With compromised credentials in hand, attackers can easily access company resources and systems, moving freely within the enterprise network. If the VPN accepts a password alone, stealing that password puts the attacker on your network, and from a security perspective matters cannot get much worse: the attacker is inside the company network, able to move about, exploit additional systems and hunt for sensitive data. Once there, a skilled attacker can also establish persistent access for future use, by themselves or by their paying “customers”.
The potential damage is not limited to internal systems. Stolen credentials to a public-facing cloud application put the app’s data and capabilities at risk. The password to a CRM app, for example, compromises sensitive (and heavily regulated) customer data. Credentials to a webmail app lead to business email compromise and all the attack opportunities that it enables. And if the accessed app is poorly built, a skilled adversary can exploit it to reach the underlying infrastructure as well.
It’s time to stop this madness. It’s time to replace passwords with a better, phishing–resistant means for authenticating users. It’s time to go passwordless.
Passwordless authentication technology is mature and available. Going passwordless is no longer just for businesses on the bleeding edge of technology. With the right solution, businesses can retrofit passwordless authentication on top of existing legacy systems that were never designed to accept anything but a password. Just as with modern apps, all that is required is a straightforward deployment and configuration process to stop using passwords altogether and become a fully passwordless enterprise.
And while most things in life are a tradeoff, in the case of passwordless authentication there is an exception. There are no pros and cons – it is simply a superior alternative to passwords. It offers better security, better user experience and is cheaper to own and operate.
- Better security. Passwordless authentication is actually the safer, more conservative choice security-wise when compared with traditional passwords. When the authenticator binds each login to the site the browser is really talking to (as public-key, challenge-response authenticators do), it is phishing resistant: a response captured by a look-alike page cannot be replayed to the real one. It also offers better protection against other forms of credential access attacks, including man-in-the-middle, keylogging, credential stuffing, password spraying, and more.
- Better user experience. A passwordless authenticator removes the need to recall and key in passwords, which translates into quicker logons and fewer failed attempts. And because there are no passwords to forget or reset, there is less downtime due to lost or forgotten passwords.
- Cheaper to own and operate. Passwords create a significant load on helpdesks. Users forgetting their passwords or losing their authenticators quickly make their way to the helpdesk for assistance in recovery. Alternatively, self-service password reset systems need to be acquired, deployed and operated to help users perform these recovery operations on their own.
- Another significant cost associated with password-based authentication is the need to educate users and protect them from phishing. Phishing prevention solutions need to be deployed to catch as many phishing attempts as possible across every channel that reaches users – web, email, business chat applications (e.g. Slack), and more. Training systems to help employees avoid phishing scams also need to be acquired, deployed and operated.
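To make the "phishing resistant" claim concrete, here is an added example (not code from the original article or from any vendor it describes) that models a relying party accepting either a password or an origin-bound challenge-response. The origins, the user name and the use of an HMAC as a stand-in for the authenticator's public-key signature are all assumptions for the demo; a real deployment would use a WebAuthn/FIDO2 authenticator, where the browser, not the web page, supplies the origin that gets signed. The example shows why a password typed into a look-alike page is simply replayed, while a challenge response produced on the look-alike origin is rejected by the real site, and why a captured response cannot be reused.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the demo (assumed names, not from the article):
# the genuine login page and an attacker-controlled look-alike.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.net"


def response_mac(key, challenge, origin, user):
    """Toy stand-in for the authenticator signature: covers the one-time
    challenge, the origin the browser is actually on, and the user."""
    msg = challenge + b"|" + origin.encode() + b"|" + user.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Authenticator:
    """Device-bound key (assumed symmetric here for a stdlib-only demo)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def registration_key(self):
        # In FIDO2 only the public key would leave the device.
        return self.key

    def sign(self, challenge, origin, user):
        return response_mac(self.key, challenge, origin, user)


class RelyingParty:
    """Toy server supporting a password path and a passwordless path."""

    def __init__(self, origin):
        self.origin = origin
        self.password_hashes = {}  # user -> (salt, pbkdf2 digest)
        self.device_keys = {}      # user -> registered device key
        self.pending = {}          # outstanding challenge -> user

    # Password path: whatever the user types can be captured and replayed.
    def register_password(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.password_hashes[user] = (salt, digest)

    def login_password(self, user, password):
        if user not in self.password_hashes:
            return False
        salt, digest = self.password_hashes[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    # Passwordless path: one-time challenge, response bound to the origin.
    def register_device(self, user, device_key):
        self.device_keys[user] = device_key

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, user, challenge, origin, signature):
        # One-time use: a captured response cannot be replayed later.
        if self.pending.pop(challenge, None) != user:
            return False
        # Origin binding: a response made for a look-alike site is rejected.
        if origin != self.origin:
            return False
        key = self.device_keys.get(user)
        if key is None:
            return False
        expected = response_mac(key, challenge, origin, user)
        return hmac.compare_digest(expected, signature)


def phished_password_login():
    """User types the password into the look-alike page; attacker replays it."""
    rp = RelyingParty(REAL_ORIGIN)
    rp.register_password("alice", "correct horse battery staple")
    captured = "correct horse battery staple"  # harvested by the fake page
    return rp.login_password("alice", captured)  # True: attacker is in


def phished_passwordless_login():
    """Attacker proxies the real challenge through the look-alike page."""
    rp = RelyingParty(REAL_ORIGIN)
    auth = Authenticator()
    rp.register_device("alice", auth.registration_key())
    challenge = rp.begin_login("alice")  # fetched by the attacker's proxy
    # The browser hands the authenticator the origin it is really on.
    sig = auth.sign(challenge, PHISH_ORIGIN, "alice")
    # Attacker forwards the response and claims the real origin; the
    # signature does not cover REAL_ORIGIN, so the real site rejects it.
    return rp.finish_login("alice", challenge, REAL_ORIGIN, sig)  # False


def legitimate_passwordless_login():
    """Genuine login succeeds once; replaying the same response fails."""
    rp = RelyingParty(REAL_ORIGIN)
    auth = Authenticator()
    rp.register_device("alice", auth.registration_key())
    challenge = rp.begin_login("alice")
    sig = auth.sign(challenge, REAL_ORIGIN, "alice")
    first = rp.finish_login("alice", challenge, REAL_ORIGIN, sig)
    replay = rp.finish_login("alice", challenge, REAL_ORIGIN, sig)
    return first, replay  # (True, False)
```

The two checks in `finish_login` are what do the work: the challenge is consumed on first use, so a captured response is worthless afterwards, and the origin is part of what the device signs, so a response obtained on the look-alike site never verifies at the real one. Swapping the HMAC for a per-device key pair (the FIDO2 model) keeps both properties and additionally means a breach of the server's credential store yields nothing an attacker can authenticate with.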
It’s time for action. Password vulnerabilities have made security headlines for many years and have been discussed ad nauseam by every media outlet. Daily postings report on recent attacks and their costly outcomes, and rehash analyses of all the different ways attackers exploit passwords. Yet passwords remain a cornerstone of almost every business’s security strategy and protection barrier.
Time to get rid of passwords and deploy a passwordless solution that will keep you safe and your team will love.