Cyberattacks are on the rise once again. High-profile targets like the World Health Organization (WHO) and its top officials are lucrative targets for hackers. Hackers have also got hold of 500,000 Zoom user passwords.
“This is unprecedented for everyone here. We’re doing what we can to mitigate it” is a direct quote from WHO’s chief information officer (CIO), Bernardo Mariano. He also stated that they have doubled the size of the security team and increased collaboration with security vendors. All commendable actions by the organization.
In this case it turns out that the WHO security systems were not compromised per se. Yet Australian cybersecurity expert Robert Potter was able to get hold of a list of leaked WHO credentials and said he was able to verify that the WHO email addresses and passwords were real.
How is this possible? The answer is simple: many WHO employees were using their company credentials to create accounts on other services, outside the WHO ecosystem or the organization’s security perimeter.
The same is true for the Zoom case. “Bear in mind as well that these credentials were not from any breach at Zoom itself, but rather just broad collections of stolen, recycled passwords.”
Potter also calls the WHO’s password security ‘appalling’, citing examples like 48 instances of ‘password’, ‘changeme’, or even their first names. He said the exposed login information seemed to have originated from a hack in 2016.
To summarize these two cases:
We’ve quoted this before but it bears repeating: the Verizon Data Breach Investigations Report indicates that 80% of hacking-related breaches are still tied to passwords. How to go forward, then?
The short answer: not really. We believe it’s time to acknowledge a few points:
We believe it is time to stop perpetuating the password problem: it only increases our unhealthy obsession and dependency on them and makes us password-a-holics. The same goes for credentials in general.
Managing access is more critical than managing passwords or credentials.
Basically, you can define two user groups accessing your systems: regular business users and privileged users (IT professionals).
See how we can help you with both user groups:
Our recommendation, if you need to prioritize: start with your IT teams, since they have access to the beating heart of your digital business and operations. They should go passwordless and credential-less ASAP.
We are not alone on this. For example, Microsoft now recommends passwordless strategies. Gartner has also stated, in its report ‘Remove Standing Privileges Through a Just-In-Time PAM Approach’, that ‘standing privileges’ are a risk even when stored or vaulted.
There are also (in)famous cases where privileged credentials were involved, like the Snowden case, the Sony breach or when a disgruntled ex-employee shut down the entire North American Citibank network in 2 minutes.
Our solution, PrivX, can offer you a more modern and secure approach where:
Instead, you can get:
These are just some of the security benefits of our PrivX solution. It is a quick-to-implement and scalable just-in-time privileged access management (JIT-PAM) solution for establishing secure remote access to hosts, network devices or web applications and for managing third-party access.
Learn more about the product: it is a great alternative to VPNs or jump hosts, can be set up remotely and requires virtually no maintenance.
You can also sign up for the PrivX test drive to play in your own PrivX sandbox in a browser or contact us here to request a demo.
Stay safe!