You probably use hundreds of different applications and programs to carry out every day tasks. Each one of these applications present some level of risk to your network security, and as result every employee is required to set secure passwords to verify their access to them, from logging on to their computers, to opening their email accounts.
However, even secure passwords are no longer considered best practice network security. In 2019, Alex Weinert, The Director of Identity Security at Microsoft announced that pa$$words don’t matter, and advised that access to all systems should be backed up by a form of multi factor authentication (MFA). He argued that accounts using multi factor authentication as well as passwords are 99.9% less likely to be compromised. And now he has moved the MFA agenda forward again by saying that while any form of MFA is better than no MFA, SMS and voice call based MFA should be avoided at all costs.
Why secure passwords don’t matter for network security
Secure passwords have long been accepted as the standard form of protection for all online accounts, and an integral part of all network security practices. However they can be easily compromised, usually by some form of human error, whether from within an organisation, or outside of it.
Hackers have endless tools at their disposal to discover passwords, but often users make it easy for them to obtain and use them. Just some of the insecure password practices in circulation include:
- Not changing the default password on systems and applications
- Setting very simple passwords such as ‘password’ or ‘123456’ (don’t believe us – check this out!)
- Reusing passwords across different accounts
- Keeping the same password for months or even years without changing it
- Writing down passwords on pieces of paper
All of these and more allow hackers to easily break into accounts.
Multi factor authentication – the present and future of network security
In response to these insecurities, many companies use multi factor authentication to verify user accounts and protect their network security. Multi factor authentication (also known as two-step verification) requires a second form of identification, usually in the form of a temporary code. One of the greatest benefits of multi factor authentication is that it is an accessible and inexpensive way to bump up user account security. But not all forms of MFA are created equal.
The most commonly used forms of multi factor authentication are SMS or phone calls over the mobile phone network. This is an easy way to get MFA buy-in, but it is also the most insecure format of multi factor authentication. SMS and voice calls rely on mobile phone networks for delivery to users. These networks are not encrypted, making it possible to intercept them en route. In addition, if mobile network coverage is patchy, they may never get there at all. This form of authentication can also be compromised by attacks on the publicly switched telephone networks and their staff, which give malicious actors access to the channels.
The alternative to phone based multi factor authentication is to use purpose built app-based authenticators. These authenticator apps are encrypted, meaning that even if they are compromised, the attacker will not be able to access the code. Authenticator apps generate codes on the device only, limiting the chances of them being compromised. And because they are mobile phone based, they can also use biometrics in order to access them in the first place. In short, they increase user security immensely.
Other forms of multi-factor authentication can include biometrics such as requiring a fingerprint scan in order to open an app or turn on a computer.
Maximising your network security
Ensuring your network is properly secured requires a combination of a strong password policy, clear access control policies (including multi factor authentication), and a comprehensive network security policy incorporating good technological controls to reduce reliance on individual users setting passwords in order to secure networks.
Utilise technology to protect your network security:
Implement perimeter and event monitoring that will detect and alert for unusual behaviour, including multiple attempts to enter a password, log in attempts from unexpected locations, and alerts when MFA is incorrect. Once detected, systems can be disconnected to prevent the attack from escalating or being successful.
Create strong access control policies
The more people who have access to a system, the higher the risk of compromise. An access control policy will ensure that guidelines are set for who accesses which systems, and also for ensuring that the accounts of employees who have left the organisation are closed to avoid them being compromised.
The principle of least privilege should be utilised to identify the systems that each individual needs to access in order to do their job, and only give them access to those systems.
Encourage secure passwords to improve protection against attack. The elements of a strong password policy include requiring users to change from default passwords, encouraging them to update it regularly (although not too often), information and advice about how to set secure passwords, banning simple passwords and more. And of course, implementing multi factor authentication.
Use other forms of authentication including biometric authentication using fingerprint, voice, or face recognition. These are stored on devices, making them impossible to crack.
Whatever you do, ensure that your network security is not compromised by human error alone, because at the end of the day, your pa$$word doesn’t matter.