Password hygiene is a huge priority for Managed Service Providers
Every organization is at risk for cyber attack, but MSPs have emerged as a top target. This is because threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects.
In May 2022, CISA, the FBI, and a group of other international cybersecurity firms released an advisory on protecting MSPs. In addition to the immediate difficulties associated with data breaches (for example, financial repercussions and loss of sensitive data), MSPs face the added pressure of fallout from the client and vendor community.
Addressing Password Hygiene
The major aspect of password security that IT teams cannot control is human behavior. Unfortunately, a majority of cyber incidents that lead to breaches and ransomware are due to human error, and specifically to poor password hygiene. As researchers have studied these issues, they have identified password sharing, weak password creation, and password reuse as serious security concerns.
These common habits, specifically password reuse, are rampant across the population. Even when users admit to “knowing better” they still use the same password, or tiny variations on a password, across their accounts and for both work and personal devices.
For example, 91% of respondents in a LogMeIn survey claim to understand the risks of reusing passwords across multiple accounts, but 59% admitted to doing it anyway.
Periodic Resets are Out
In the past, organizations addressed the theoretical issue of compromised passwords by requiring periodic password resets whether or not the password was detected as compromised.
But NIST guidelines on password security have changed. The recommendations for increased password protection include the elimination of periodic resets. Research showed that forced resets caused users to contact IT help desks more often because they forgot their passwords more frequently. Research also showed that the resets prompted users to stick with a ‘root password’ that they favored and then make small changes to it in order to satisfy the requirements.
With these risks associated with resets and reused passwords, organizations must now focus on securing employee accounts from the start.
What to Do
The most efficient way to take protective measures while acknowledging the inability to address user behavior is to scan for compromised credentials at the point of creation and on an ongoing basis. By checking proposed passwords against a database of known, exposed passwords, MSPs can obtain much more comprehensive protection while also eliminating the resource and financial burden of password resets and arbitrary complexity requirements.
When a compromised password is detected, organizations can take immediate automated action to secure the account – like forcing the user to reset their password – before additional damages can occur.
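The check described above, as an added example that is not part of the original post and not any vendor's product code: a proposed password is hashed, and only the first five characters of the hash are used to query a table of known-exposed hashes, so the password itself never leaves the client. The exposed corpus, the account list and the stored-hash format are all constructed for the example (a real deployment would query a breach-corpus service and compare against whatever hash format the directory actually holds).

```python
import hashlib
from typing import Dict, List, Set

# Constructed sample corpus standing in for a database of known-exposed passwords.
# In practice this would be a breach-corpus service, not a hard-coded list (assumption).
EXPOSED_PASSWORDS = ["password", "Password1", "Summer2022!", "qwerty123", "letmein"]


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form used by prefix range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: List[str]) -> Dict[str, Set[str]]:
    """Group exposed hashes by 5-character prefix so a lookup reveals only that prefix."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


EXPOSED_INDEX = build_range_index(EXPOSED_PASSWORDS)


def lookup_range(prefix: str, index: Dict[str, Set[str]] = EXPOSED_INDEX) -> Set[str]:
    """Simulated range query: every exposed hash suffix that shares the 5-character prefix."""
    return index.get(prefix, set())


def is_compromised(password: str, index: Dict[str, Set[str]] = EXPOSED_INDEX) -> bool:
    """True if the password's hash appears in the exposed set; only the prefix is 'sent'."""
    digest = sha1_hex(password)
    return digest[5:] in lookup_range(digest[:5], index)


def check_at_creation(password: str) -> str:
    """Policy decision when a user sets a password: reject values known to be exposed."""
    return "reject" if is_compromised(password) else "accept"


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, str]:
    """Ongoing scan over existing accounts (username -> stored SHA-1 hex, constructed format).

    Returns the automated action per account: 'force_reset' when the stored hash is
    found in the exposed corpus, otherwise 'ok'.
    """
    actions: Dict[str, str] = {}
    for user, stored in accounts.items():
        digest = stored.upper()
        if digest[5:] in lookup_range(digest[:5]):
            actions[user] = "force_reset"
        else:
            actions[user] = "ok"
    return actions


# Constructed accounts: bob's password is present in the exposed corpus, alice's is not.
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("a-long-unique-passphrase-42"),
    "bob": sha1_hex("Summer2022!"),
}

if __name__ == "__main__":
    print(check_at_creation("Password1"))          # reject
    print(audit_accounts(SAMPLE_ACCOUNTS))          # {'alice': 'ok', 'bob': 'force_reset'}
```

SHA-1 appears here only because it is the hash the prefix-lookup scheme compares on; it is not a recommendation for how passwords should be stored. Real directories hold passwords in other hash formats, so an ongoing audit has to compare through whatever mechanism the directory and the breach-corpus tool support, rather than re-hashing as this example does.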
This recommendation is in line with others provided by the recent CISA advisory:
“Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing.”
The advisory also recommends ongoing monitoring and logging, enabling MFA wherever possible, developing a backup and recovery plan, and working to reduce supply chain risk.
Scanning for compromised credentials is more accessible and more user-friendly than some organizations might imagine—and it’s a truly crucial step to protecting a business.