401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 9

Password Rules You *Have* to Break

EPISODE SUMMARY

Passwords, passwords, passwords! They are annoying but increasingly necessary for everything we do. Today Joe Carson and Mike Gruen cover the worst password habits out there, plus how to balance usability vs. security for our wifi and email passwords, and more. And do we really have to start worrying about our kid’s passwords?!

Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Intro:

Invest in yourself today with our Insider Pro product, which gives you the career path to reach the next step in your cyber security journey. Join today on Cybrary.it using the discount code podcast.

Mike Gruen:

You're listening to the 401 Access Denied podcast. I'm Mike Gruen, VP of Engineering and CISO at Cybrary. Please join me and my co-host, Joseph Carson, Chief Security Scientist at Thycotic, as we discuss the latest news and attempt to make cyber security accessible, usable, and fun. Be sure to check back every two weeks for new episodes.

Joseph Carson:

Hi everyone. Welcome to another episode of 401 Access Denied. We're really excited to be back with you to share some more interesting discussions … another educational format for you … a different approach at the beginning of this week's episode to really introduce your hosts and give you a little bit more background. So, you'll get a little bit more familiar with who we are and what we do.

So, my name is Joseph Carson. I'm actually based in Tallinn, Estonia. It's a small country on the other side of the world. And my role is I'm the Chief Security Scientist and Advisory CISO at Thycotic. And really what I'm doing is a lot of research, sometimes getting involved in penetration testing.

I've been in the industry now for more than 25 years, so this is where a lot of these gray hairs and wrinkles come from: a lot of the wars and the experiences, I would say, and the lessons learned over the years.

So, really in-depth in the security industry. And I worked for many years in different capacities. But really my goal is to share my experience and knowledge with you.

So, I'm one of the co-hosts of the show. I'm really excited to also have Mike Gruen, who's another co-host with me. And so Mike, if you want to give a little bit of background about yourself and share with the audience.

Mike Gruen:

Yeah definitely. So, Mike Gruen. I'm the VP of engineering and CISO at Cybrary. Like Joe, I've been in the technology space for over 25 years. I don't have all the gray hair to show for it but definitely have been doing it.

I started as a software developer and have always been in sort of cyber security adjacent spaces. My last company was doing user entity behavioral analytics. So, a security platform. And so, it's sort of a natural fit as I came here to take on more and more of a security role in addition to managing the engineering team and all the technology that we have here.

So, I'm really excited that we're doing these podcasts. I love talking to Joe and look forward to getting started.

Joseph Carson:

Awesome. And today's topic is one that's probably been a pain during our entire career.

Mike Gruen:

Right, yes.

Joseph Carson:

It's one that is really repetitive and we don't seem to get away from it is the … and passwords. Passwords … pick up so many bad habits through the years. And we seem to get in this rut. And there's been numerous discussions. Passwords are going to go away. They're going to disappear. And we've been hearing that for the last 20 years at least repetitively.

And I don't feel in my jobs and roles and what I do, I honestly don't feel that we're getting any further away from them. What I do feel is I'm less let's say typing them in or interacting with them rather than what I would have been before as having to keep trying to remember and reset and so forth.

But there's a lot of bad habits out there. So, Mike what's your experience and what bad habits have you seen in the industry?

Mike Gruen:

Yeah, I mean, my experience is similar to yours in that I think with all of the tools we have now between SSO and password managers and things I am happy that I only have to remember like a handful of passwords. I think it's down to three or four and then everything else is remembered for me. And a lot of just sort of clicking and saying yes.

But in terms of bad habits I've seen, I mean everything from patterns I know ... Not even on personal passwords. I remember working at companies where the Wi-Fi password was spring2017, fall2017. That was their rotation. It's sort of like what's the point of rotating it if it's going to be something that we can all guess after we leave the company. That type of stuff.

And you know there's the typical password reuse. I think one of the ones that's most common is ... and we were talking about this just as we got started ... when you're signing up for a service and it's asking for user and password. And maybe your password manager doesn't pop up to automatically fill it in. So, you're like, "Oh, I'll take care of this later and whatever." You put in some password and maybe you don't ever get back to it. Maybe you don't have a password manager and it's just like you use some sort of default. Like, oh, easy to remember password.

I think those are some of the most common bad habits we've seen. I'm curious what your experiences are.

Joseph Carson:

I mean I agree. One of the things I think that have probably changed over the years in my view as well is we used to have the thing about people writing them down on paper as well. Putting them on the post-it notes.

I used to remember going around. I worked in foreign exchange, and money markets, and trading floors. And we'd simply just have to lift up the keyboard, look underneath. Or behind the monitor and you would find passwords written down.

And even I remember doing penetration tests on maritime vessels. And on a lot of ... systems on the bridge and a lot of computer systems that's on the bridge of the ship it was simply there'd be a post-it note with four numbers written and stuck to every device so the crew would be able to know what it was so they had easy access.

But my view on that, that has simply changed a bit, is I think for the average person that's at home that is tech-savvy is putting them down. Not keeping it … . I think that's one of the problems is putting them in maybe a locked drawer or locked location, or somewhere that's harder for people to gain access to.

So it really comes into there's some bad habits that have changed over the years but I think even to the point where even the password reuse, that's the one that we need to get … of. Is where people continue reusing the same password. And even to the point where they're just even simply using those small variations.

I went to a lot of hotels, even airports, where the password has been the same for like three or four years. No one's ever changed it. And that means that what's the point of having it if it's something that becomes static and even public searchable as well.

So, there's a lot of bad habits that people have out there. And I think my goal eventually is that I separate them into two different buckets: the ones that we use as humans, and the ones that we use in systems and automation. And I think we have to treat those differently.

The ones that we use in systems automation can be very complicated and complex and long, and can be rotated very frequently. But the ones that we enter as humans, I think we need to get to the point where humans have to enter them in or use them less. Or even they should not even be creating them in the first place.

So, that's something that I would like to see moving forward.

Mike Gruen:

Yeah, I agree. I mean I think about my own Wi-Fi password at home, which I went through the process of setting up profiles I could push out to all my iOS devices or I could go with a really complicated Wi-Fi password. And then as soon as we had guests coming over my wife was like, "How do I get people on our Wi-Fi?" And I was like, "You kind of don't because it's really long."

And so, having to set up a separate VLAN for guest. And again it's coming up with a password that's easy for us to remember, that's good for our guests, we probably don't rotate it nearly enough because we give it to friends and family.

But I think about those things as well. I think those are some ... The more we can sort of move towards devices remember passwords and having more complicated passwords I think the better off we are. Even for the ones that are ... Let's try and identify the ones that we don't have to enter as humans and try and limit it to just that few. That's always my goal. Is to limit the number of passwords I have to remember.

Joseph Carson:

Yeah, and limit the amount that we have to manage them as well. We want systems to do it in the background for us so we don't have to. I think the less humans interact with them the safer we … And the less the risk of them becomes.

Even to your point, when I tell my family and wife gives, "Oh, hey, guess what's happening this weekend. We're changing the home Wi-Fi password." It's not the most exciting time of the week.

And I do change it on a regular basis. And it does mean that it's a pain to reconnect some things again. It's a real pain in order to get devices which you have to sometimes even reset them to factory settings so that you actually get to the point where you actually re-add them back to network.

And that becomes very problematic. And even for you mentioning about your guests coming over and they want to have Wi-Fi access. In Estonia we have international guests more frequently where it's all about, okay, if you're in-country and you have 4G whatever and your phone is perfectly fine. But if you have people coming internationally then it costs money for them to use mobile internet. So they're like, "Okay, I need the Wi-Fi password." And you're like, "Okay." …

Mike Gruen:

Exactly.

Joseph Carson:

Because I have segregated networks at home and then you're like, "Okay, now I need to open up a guest network." And then so you open up a guest network for those guests and then you have this very simple password. Or you can have a complicated password and have it as a QR code that they can scan. And have the QR code well hidden away.

So, you need to get to a point where it is simple enough for people to use and gain access. But at the same time making it secure and safe, and protecting what matters to you. So, it's a challenge between usability and security. That's something we always have to find that kind of middle area.

Mike Gruen:

Yeah, and I think another thing ...

Mike Gruen:

No, I was just going to say, I think one of the things, and we've talked about in the past, which is people not really realizing how much depends on their email. And how important a strong email password and multifactor authentication and things like that are for email given that any website you go to you can use forgot password.

And so, even if you are being really good about not reusing passwords the only password that really matters in a lot of cases is the one to your email account. And so just making sure that that one's being changed regularly and that you enable whatever you can to multifactor, as I said, to protect it.

Joseph Carson:

Absolutely. One of the things is that I look at different accounts from different risk factors of what they're protecting. Because not every password's equal. That's the most important thing is that not all passwords are equal. And not all accounts we are protecting is equal.

And I look at different things from whether it be my Twitter account where it's just about my opinions and thoughts. Or I look at my email account, as you said, could be much more sensitive information such as my location or my ad preferences or my contact details or messages I've been sending with friends and contacts.

And also password resets. I've even heard a lot of people just email themselves their passwords so they can remember and their email account becomes the password manager because they simply search for, "Where's my user name and password." And they find it.

And also the bank account as well. So you have to look at them that not all accounts are equal. Not all passwords are equal. So therefore I classify them. I always have them classified in these separate classifications of risk, meaning that the ones that I don't care about, they're just these one time only or the information of mine is not so sensitive, then the password itself just needs to be a complicated password. You know, something that's complex.

And I prefer even not to have to type it in, so I do use password managers to mean that I only need to know a few very long, complex, good passwords which I rotate typically ... Not every 30 days or every three months because that just becomes over undated.

But my password routine is that the password rotation is between six months and a year. And it means that at least ... Because I look at it from the algorithm mathematical perspective is that if my passwords are long and strong and good and unique then any password cracking technology, some of the best out there, it could take up to a year to crack. So my threshold is that none of my passwords should be older than a year, and I have that kind of routine of every periodic is saying that I have a report which passwords are aged and then I go in to rotate them. And that's from my personal side.

So, even from a corporate side, of course, going beyond password managers and using things like privileged access where it even separates authentication and the authorization side. And adds much more control such as multifactor authentication. … sign on. Reducing even the times where I need to change the passwords itself; it will change it for me so I never need to do that.

So there's different things. You shouldn't treat them all equally and should look at it from a risk perspective. It's like I guess the cards in your wallet. You've got loyalty cards which you don't mind if somebody gets access and swipes because they're adding points to your system. And then you get things where the loyalty is money. And then you get your bank card. And how you protect each of those is probably very different.

Mike Gruen:

Yeah definitely. And I think things that I take into consideration and that sort of when I look at risk is anything that's really tied to my identity, even if it is just thoughts and ideas, the idea that it is my identity is definitely in a very high category. Right up there pretty close to banking and other things because if someone is able to impersonate me that's not good.

And so, it sort of goes from there all the way down to like, "Do I really care if somebody were to get access to this game that I play? There's nothing tied to it."

But, yeah, it's definitely ...

Joseph Carson:

Yeah, there's no major impact other than losing points.

Mike Gruen:

Exactly. Maybe. Unless they're really good and they want to get my high score up there. But, yeah, it's one of those ... I think assessing risk is one of those areas, you know, it's adjacent to passwords. And I think it's one thing that humans are notoriously bad at. I think trying to assess risk in a reasonable way, there's a lot of people who overdo it. I probably fall into that category.
And then there's people who totally underestimate. So I think the risk assessment is one of the harder ones and maybe something for a future podcast. Not that this is all about identity but I think you'd mentioned the whole credit rating and stuff.

I think people don't realize that as soon as their kid gets a social security card, that there's the potential that they have their identity stolen before they even go to get their first credit card and stuff like that. It's just tough to manage and tough to stay on top of.

But, yeah, I think we …

Joseph Carson:

Yeah, one of the things related to that I remember I did research. I did a project. It was called Back to Schools in Estonia. And it was me going into schools and I thought I was going to educate kids. But I learned more from that project from the kids that taught me.

Mike Gruen:

Oh, interesting.

Joseph Carson:

And one of the things I realized was, and I was looking at what age group ... When I originally went in I thought it was around the 12 and 13 year-olds where I could have the most impact. That I could actually go and make the most influence. And when I actually went in and did the education, I found that I was already too late. I was actually already getting to the point where they already had bad habits.

They were actually not password protecting anything. Everything was unlocked. Their friends knew their passwords. They were reusing passwords all over the place, if they even had one. And it became a really bad habit and bad trend.

And I decided that I wanted to find out how young I needed to go to in order to be able to change the future rather than reeducate. And what ultimately ended up happening was it was six years old. That's where basically that you need to get to. And actually cyber criminals, that's where they're targeting kids is actually at the age of six.

Because at that point in time if they do identity theft of a six or seven-year-old or eight-year-old ... whatever it is ... they've got one is good credit rating. And it's identity theft. And the parents will not know that their identity's been stolen until they're about 15 or 16 when they start getting a bank account opened or start going and doing maybe a scholarship or something, applying for universities and colleges. That's when they find out when they start looking at that.

Now, once they start getting social security numbers they start applying for other types of identities. And that's when they find that the identity's been stolen.

And it gives the criminals years of staying hidden and abusing that before it gets detected.

Mike Gruen:

Yeah, absolutely. You know, it's funny you mentioned the whole kids thing because I get a little frustrated. I mean, I have younger kids in elementary school and middle school. And they do a pretty good job with passwords. I think for them it's writing it down on a piece of paper and keeping it some place in a locked drawer. It's important just because my wife and I need to be able to access it for them because they can't remember passwords.

But what I hear goes on at school is interesting where they have Chromebooks and they have their Google classroom accounts and so on and so forth. And all the administrators of the school, their teachers, whatever have access to their accounts. That's fine, they have their passwords. And they have their passwords written down on a long sheet of paper for all the kids because they might forget their password.

And my son coming home and telling me he changed his password and then it stopped working because they had changed it back to the one that the teachers used. And it went back to whatever the standard one is. And I think that that's in some way sort of teaching a little bit of a bad habit.

Like here's a kid who took the initiative to go ahead and change his password. I get why they probably but if they had administrative privileges clearly they could get into the account if they needed to because they were able to change the password. So, not exactly sure what the rationale behind that was.

But, yeah, I think we need to do more than just educating kids. I think we need to make sure that we're also educating the people who are educating kids.

Joseph Carson:

Absolutely. That was one of the things as well is that as I was doing that research and projects, I was learning a lot from doing that project. It did teach me a lot that actually you need to go ... And it gets into the parents as well. It gets into the teachers and into the influence.

Because ultimately if we're talking about bad password behavior that's where it starts. It starts at school. It starts in the education system. If we want to make a difference we need to make sure that it's the beginning. That they start really early and that they actually get good hygiene. And if you're getting to the point where the teachers are getting them simple passwords and writing it down, and having it all on a piece of paper and on the table, then that's setting a wrong example to begin with.

We really need to look at how can we make sure that one as we start making sure that from the early age that there is good practices that they can get into. Because even the same with my kids as well, which I'm even surprised that they choose wise passwords as well. I've taught them well.

But at the same time if they do forget it then resetting it the process is somewhat sending it in an SMS or sending it in text, if you start looking at yourself they go, "Okay, we're already going down a bad path in that perspective."

To really start repairing and getting away from the past with bad habits that we have as a result in the workplace today, it does need to start in the education system. It needs to start really, really early.

Mike Gruen:

Yeah, I totally agree. And getting back to our earlier point about getting away from people remembering passwords. I know we've talked to you in the past. I know you have a lot of opinions about moving to what's password less and what does that mean.

It's a topic that's come up at Cybrary a couple of times as we look ahead to how we want to do authentication. And I'm curious what your thoughts are on sort of trying to move to password less thing. And maybe you could explain what that means.

Joseph Carson:

Sure. I mean, I'm very passionate about the terms. The way I look at password less. To me, I've had a lot of discussions with journalists over the years and we've had back and forward when they're asking about password-less and new technologies comes up. And for me it's not password-less. What it is is less passwords. We have the right words just in the wrong order.

And what it means is that humans are entering passwords less. They're doing it less frequently. I think passwords will eventually turn into not the password function that we use it today for authentication. It will be mostly used for a backup as a recovery password that allows you to type in but you won't use it frequently.

I think the iPhone example's probably the best example where they're using a less password feature when they're using biometrics. So when you basically start up your iPhone and you enter your passcode or passphrase that allows you to unlock the phone, then you can do all the functions. But when the iPhone gets rebooted it will ask you again for that passcode.

And I think that's the example where I think it's really good for those to really understand it. It's not removing the passcode. And I remember recently listening to a podcast that actually took a person through creating a fingerprint biometric on a phone. And they were like, "Oh, why do I need to put a passcode in?" And it was because of that rebooting ability. Or that you go to do maybe a pay function that it will request you additional security.

And I think that's where the password's going where we talked about password less. It's less interactional passwords. But the password will become a backup recovery in the future. We still need to have some type of either reprovisioning purpose or that the security risk has changed so therefore you really need to make sure that person is the authenticated person. And therefore, it does become a recovery key in some regards.

Mike Gruen:

Yeah, I mean. And the context that came up at Cybrary is as we are adding more and more sort of SSO capabilities and social login, at what point do we hit a percentage of our users that don't need to use a username and password to authenticate into our system? Where we've offloaded that whole process to whether it's their company's SSO or to Google, Facebook, Apple. There's a bazillion of them.

And so, at what point can we just have a totally ... You know what? There's no password. And for those users that don't want to use those systems maybe it is just a put in your email address and we'll send you a magic link, and that will get you access for some period of time. That type of system.

And then it really offloads a lot of responsibility from us. Like, great we get hacked ... well, not great ... but if we do get hacked we don't have to worry about some password table that just also gets exploited and sort of limits our risk as well.

Joseph Carson:

For the setting up of accounts I really love the magic links concept. The ability to do that one time only link. But it means that you have to really protect your email account.

Mike Gruen:

Yes, absolutely.

Joseph Carson:

Your email account becomes a much more security needed control. So it means that, yes, you may not want your email account to be just protected by a password by itself. You may want to have additional multifactor into that account. That account becomes almost equal to that of a bank account in regards to its risk.

So, I do like the ability to have password-less provisioning and the ability to set those up. But at the same time it means that the risk is offset at your location.

Mike Gruen:

Yeah, and I think to counter that. I mean, we're already at that point where your email address is, as we said earlier, right, anybody can use it if they get into your email and they use a forgot password that risk is already there. We already have that in our system today.

There's actually plenty of systems. It's funny, there are things that never made it into my password manager for whatever reason. Like the syncing didn't work out and so I don't know what the password is. It doesn't show up in my password manager. It's clearly something hard. And where I just use forgot password and that's it. I have to access those systems so infrequently that I don't even bother putting the password into the password manager at this point. So, I'll just use forgot password every time.

Joseph Carson:

Yeah. It becomes an easy workaround. People also will do that as well. I'll access an email. I'll just use my email as my password manager and that becomes the reset. And it just becomes that frequent reset where all of a sudden now ...

And that's where the bad habit gets into even reuse of passwords. Now I do password reset it gives me a link and now I have to create a new one. I'm like, "Ooh, well. I don't want to forget it again. So I may as well use the one I remember." And it's the last one that you created for another site. So it gets into a lot of bad habits.

I think that we need to have ... And then people get into even started using browsers to store passwords as well. So there's a password manager in the browser. And that worries me as well. But I think there has to be a balanced trade-off between usability and the risk for offsetting.

Maybe for the consumer and the average person that isn't technical, storing it in the browser, as long as they're making complex, unique passwords using that function, it might be okay. But for organizations that are protecting sensitive systems, that's definitely not a good habit to get into. And they always definitely need to make sure ... Because if an attacker all of a sudden installs a compromised browser extension and now that browser extension can access their full hard drive and they compromise their local account, now you have access to all those passwords that are stored in the browser.

So, there's a lot of ways around that. So it means that, yes, there has to be this trade-off/balance between what is the risk we're protecting. And should that even be a possible work, let's say bypass that attackers should be able to use. How do we protect it?

It means that, yes, now you have to think about, "Okay, I have a password now for logging into my laptop. I know I need a password for logging into my browser password manager. And I now need another ..." So it becomes the incremental increase of passwords.

Mike Gruen:

And I think the other thing that's related to that is people not really realizing that if somebody has physical access to your computer that means that they can, unless you encrypt the hard drive, they have access to everything that's on there. You can pull the hard drive and you can plug it in, and if it's not encrypted then anything that's on there is also readable.

And so, when you're getting rid of a computer making sure to wipe it, I mean just generally using full disk encryption. It's a little frustrating that computers don't ship with ... you know, operating systems don't just enable that by default. That it's still on the user to check that box.

But I think people sort of forget about physical access.

Joseph Carson:

Yeah, that's where some password managers getting is between password managers that people are still accountable for responsibility for doing it themselves and for making the selection. They're responsible for rotating them, they're responsible for managing them, responsible for keeping them tidy, keeping them unique, choosing the right complexity. … organizations and businesses are looking to really get away from beyond password managers and moving into access management because that's where it starts getting into more centrally controlled. It gets into more central policies. And it takes away the responsibility, accountability from the user themselves. So, it allows more centralized, more consistent controls. And it takes away that password hygiene problem from actually having ...

And this is where we get into is that the less we have people to think about and need to be securing and focusing on security is we take that pain away, the more secure that actually they become over time.

Mike Gruen:

I agree although I do think that there's plenty of companies and corporations that put these password policies in place that don't even realize that they're actually counterproductive. "Hey, we're going to make you rotate your password every 30 days or every 90 days. And it's going to have to have this complexity." You know. You start putting all these rules in place the next thing you know the passwords are hard to remember, easy for a computer to crack and having to change them all the time just leads to other bad habits.

And I think it's one of those things that's definitely a pet peeve of mine when I'm filling out these security questionnaires from various companies and they're like, "What's your password policy? Does it have this, this and this?" And it's like, "Well, actually I think ours is better than that." And then I have to go and sort of explain it to someone about what we actually do.

So, I think that we're still operating from these ideas that were born in the 80s and 90s, especially the 90s, that need to be revisited, I think. And I think a lot of people have, and I know that even NIST put out the new standard around passwords and policies. But people are still slow to adopt.

Joseph Carson:

I agreed with some of NIST's recommendations but I also disagreed with some … . There's still a … as well.

Mike Gruen:

Yes.

Joseph Carson:

The difference today is that, yes, the password rotation was originally designed when we only had one password to remember. Not when we had 30 or 40 or 100.

Mike Gruen:

And it was a maximum of eight characters.

Joseph Carson:

Yes, and we had a maximum of eight characters, correct. And that complexity meant that, yes, it was much easier for people to remember and use, and that was acceptable. But now it's not scalable in how we use them today.

And what they made the changes to is that as long as you use multifactor authentication and you have a long password, it doesn't matter in complexity, you don't need to change it. And that's where I think some in the security industry, including myself, we're kind of like we're drawing … . No.

And this is where I've learned even. I did a recent webinar that was based on incident response and how do you detect that you've been breached. And one of the methods that I find is that if you're unpredictable. And that means that you may not change all passwords every X amount of time, but there's certain accounts that you might decide that let's do a random password change, on 5% of our system accounts or service accounts passwords. Let's just do random.

And that random check and random change, which is unpredictable and planned can actually sometimes uncover and surface up undetected breaches that you may have not been aware of.

So there's a different debate out there that I think that never-changing passwords until you have been breached is not a good-

Mike Gruen:

No, agree.

Mike Gruen:

As you said earlier you have to take the mathematics into account, right. If the password can be cracked in a year or six months or whatever it is that's how you have to rotate it.

I do like your random thing. I also do that but mostly to find out who has access to an account. Sometimes you can't get around there's certain systems that still have the one service account and it's a shared username password. There's nothing we can do about it. And we use password managers to sort of help manage that in our SSO system.

But changing that every now and then just to see who reaches out to me, and like, "Hey, I can't log in. Did somebody change the password?" It's like, "Yeah. Actually I did. And I didn't know you knew."

Joseph Carson:

Yeah, the shared passwords, that's always a major challenge. And I think it's more frequently not so much for internal systems but it's got more frequent things like cloud-based applications. That's where it's become. Things like social media PR accounts.

Mike Gruen:

Yeah, absolutely. That's what I'm talking about.

Joseph Carson:

Shared drives. But it gets a bit concerning as well.

Mike Gruen:

Yep, absolutely. It's those things that just weren't initially designed for multiple users to use. And so, there's only the one account because it's just the one account. It is what it is. And trying to secure those is always a challenge. And the sharing passwords, it's inevitable and the next thing you know somebody is like, "This person's on vacation and I need access to that." So that password gets shared a little bit beyond who the scope was originally intended for and stuff like that.

Joseph Carson:

Absolutely. And it gets into even auditability. Take some companies' Twitter accounts where you've got X number of people that are actually using those. Or even the company marketing accounts or the WordPress accounts. And you get into people resharing and using. And they don't want to log in just because it sometimes saves time. And just make sure that they have consistent access.

And you get into, well, okay. When you go to the auditing, not everything looks like your WordPress admin account. It looks like the same account is logged into Twitter all the time. And you're going, "Who is the person behind that?"

And to your point, yes, some of those accounts when you reset the password and people come to you that's when you find out. But that's what privileged access is all about. Is about having the separation between the authentication and the privileged account. And that's where it turns into Joe Carson is root account. Or Joe Carson is the admin account. Not that I had to find out who is admin and try to backwards that. But it actually reveals, it uncovers, it provides that accountability and transparency.

And I think that's where definitely when you're using shared accounts privileged access almost becomes mandatory in those regards to make sure that you have that consistent accountability.

Mike Gruen:

Yep, definitely. And auditability.

Joseph Carson:

That's it for me. Visibility is the important part. That you know and you can account that this person was actually ... Joe was the root account on this system at this time. Or you might find that, okay, there's two users on the system this time. And now I should have accountability not just to their using root but what actions they're also performing at that time as well.

So I can say, "Joe was installing this application. And another person, whatever, John's doing patch upgrade of this particular application." They might be doing two different service desk tasks at the time. But you can now have that kind of complete accountability in regards to who was doing what with what and how. And what's the accountability of that.

Mike Gruen:

I mean, when you talk about like AWS and some of that stuff. Or just those sort of being able to do things as a role for some temporary period of time. I think those are some of the important things where you can sort of give someone access to a system. They're still authenticating themselves but they're acting in this role. Sort of the sudo, if you will.

And so, I think those are ... I would love to see the Twitters and Facebooks of the world try and figure out a way to sort of solve that so that we can have multiple people authenticate into those.

I do at least appreciate the ones that have the, hey, here are the different devices that have logged in. And you can actually do different sessions, and you can go in and audit that and log those out. I at least appreciate when that's available to me.

Joseph Carson:

That's important. I think that's when we really get into the ability of applying least privilege to things like cloud and SaaS based applications. Where you start with not having full access. Things might be blurred out and you might have little buttons that say, "I want to access this, so I need to now provide justification."

So this is where it gets into least privilege everywhere. Not just on-premise, not just in laptops and desktops or in servers. It's cloud applications, it's web interfaces that now we have to ... If we want to do something, I might be logged in as the administrator but things might not be visible until I provide some type of justification. And that really provides that accountability.

And it even gets to the point where you might be sending all of this off to a ... , and now the analyst is looking through the SIEM logs and they see admin, admin, admin. And you're going, "Who is admin? What does that mean in my log files?" And this provides that ability to back trace and say, "Well, he was on the system at this time. And this is the user." If you checked out who accessed that account during that time. So going back to that accountability and auditability, especially when you're doing … .

Your security analyst filters through the logs. If those log files don't have any tie-back then they become almost useless.

Mike Gruen:

Yep.

Joseph Carson:

So, I'm hoping that the audience is really getting, I guess, that this is a big problem.

Mike Gruen:

Exactly, yeah.

Joseph Carson:

It has many different facets that it goes into. And I think that all of us need to probably take a step back and think about maybe even just ... I really like when we get into hack yourself type of thing. And I think about, "Okay, what's my security control of myself?" And then find out what comes back.

We need to do that kind of audit on our password hygiene. Are there accounts out there that you forgot about? Are there passwords that you've reused in many locations? Have you even gone to places like Have I Been Pwned to check if accounts you use have actually been compromised?

Mike Gruen:

It's funny that you mention that because that was one of the websites I was going to recommend, Have I Been Pwned. I mean, like for a company we have ourselves set up as a domain so we get periodic emails from them when there's a new breach. And then for my own personal accounts I check it pretty regularly.

So, yeah, I think looking for those and when it comes to accounts you may have forgotten about or accounts you don't use anymore I think it's easy to add things, it's tough to remove things.

You know what? One of the nice things about GDPR is the right to be forgotten. There's probably a bunch of accounts you don't need anymore and you can just go ahead and delete them, and feel pretty comfortable that if they're GDPR compliant they're going to remove everything about it. And I think going through and looking for those is another great way to sort of reduce your risk and reduce your exposure.

Outro:

Learn how your team can get a free trial of Cybrary for business by going to www.cybrary.it/business.

This podcast is also brought to you by Thycotic, the leader in Privileged Access Management. To learn more visit www.thycotic.com.