Passwords have come in for a lot of stick recently. According to President Obama's top cyber-security adviser, Michael Daniel, the days of using a password to access bank accounts or mobiles will soon be a thing of the past.
And it's easy to see why he might make such claims. Every time we hear of new cyber-attacks, which unfortunately are becoming a more frequent occurrence, we're threatened with saying goodbye to passwords, and saying hello to more sophisticated identification technology – including biometric scanning devices.
Passwords are still the primary network security method used the world over, and it's true to say that they have their flaws.
Our recent report From Brutus to Snowden: A study of insider threat personas showed that as many as 23 percent of desk-based workers in the UK and the US have shared their work-related password with one or more colleagues. And this speaks to the real flaw in the password; the user. If we can address user behaviour, and educate them in the necessity of good password practice and why restrictions on sharing them are in place, the password stands to be the central pillar of our security systems for a good while yet.
Long-live the password
Another statistic our research has revealed is that around 300,000 internal security breaches occurred in UK organisations last year. Insider threat is rampant, and currently the password and user login is our first line of defence.
This is the reason that all login rights must be controlled and monitored according to the business requirements and role of the user. By monitoring networks in real-time and searching for irregular access behaviour, IT departments have the ability to act instantaneously at the sign of any breaches. Good security is about applying the appropriate measures to mitigate as much as possible against the potential risks, not rushing to apply new and unproven technologies.
Different levels of login limitation can be given to each user to allow them sufficient access rights to carry out their day-to-day tasks but nothing more. Limiting or preventing concurrent logins will also add to network security, discouraging users from sharing passwords as someone else using their access limits their own.
However, controlling behaviour can only go so far. Organisations must educate employees as to why security is so important. They need to encourage better behaviours by explaining the consequences of their actions and remind users why such policies are in place. This will act as a deterrent to users acting against company policy. Furthermore, security tools can help organisations encourage this ‘good' employee behavior and underpin their security policies. For example, by being able to alert users when their credentials are being used both protects against compromised password attacks and helps reinforce user's security education.
The modern mode of security is about adding layers; restrictions to location, time and device are all layers of security that we can apply to a network. At some point, biometrics may become another layer, to be applied where appropriate. But if and when that is the case, it will be in addition to, not instead of, the password.
The biometric proposition
Biometrics is simply a different approach to passwords. Passwords are something you know, whereas biometrics is something you are and cannot be changed with both having their own set of advantages and disadvantages. A fingerprint cannot be shared but you can trick fingerprint scanners. Then comes the issue of permanence, which is both an advantage and a disadvantage; if a password is compromised, you have the ability to change it. You can't change a compromised fingerprint.
So it would seem reasonable to assume that biometrics won't be used as a security measure in isolation. Apple, which has already implemented fingerprint scanning into its technology, requires users to continue using passwords in combination with its ‘Touch ID' solution. For example, you will need to enter your iTunes password if attempting to make a purchase after your phone has been switched off and on. The biometric technology is there as another security layer, not as a replacement to your password.
With this said, coupled with the fact that biometric security technology is still relatively untested, and undoubtedly expensive to implement within organisations, the case for the continued use of the password seems clear. If good password practice is followed, concurrent logins stopped, login sharing stamped out, regular changes implemented and access monitoring and restrictions in place, there is no reason why the password is not up to the job.
Once the issue of ‘user error' is addressed and organisations do everything within their power to strengthen network security, the war on internal security breaches will land in the favour of the organisation rather than the threat.
Contributed by Francois Amigorena, CEO, IS Decisions