Seemingly everything has an online account. Work. Financials. Fantasy sports. Recipes. Online accounts are often the wallet clutter of an e-life: occasionally useful, but usually just scraps of data that, stacked on top of one another, become a persistent pain in the rear.
But if online accounts are the hallmarks of digital life, why are they mostly protected by technology that's been around since Ali Baba socially engineered his way into a mountain cave?
Q Let's start with a broad assessment. What is the state of securing online accounts?
A There's plenty of interest in the subject, but on a macro level, I don't think the global community has found religion on the subject yet. Users shrug off account compromises and continue to use weak passwords, while companies mostly have not been materially impacted even with all the recent data breaches.
Q As you note in your white paper, end users often get blamed as the reason for a breach. Is this fair?
A Users certainly share in the burden of online account protection, but too often poor passwords are used by the media as the sole reason accounts are compromised. IT personnel and how they handle account credentials are the other half of the story. Maintaining any account credentials in cleartext means account compromises happen even when users have implemented strong passwords.
Q What else should organizations using account access do?
A System admins need to become more cyber cognizant and take seriously their role in preserving the privacy of all online data. Many organizations have insufficient IT staff to dedicate someone to cyber security issues. All IT staff need to consider cyber as one of their part-time responsibilities.
Q One concept you touch on in your white paper is that end-users often don’t really know that much about what’s happening, both because companies aren’t disclosing how they protect your account access, and as you write, breaches so often happen without heavily impacting the end user. Do we need more transparency for account holders?
A It would be great if companies were more transparent and would share information on how they protect their online accounts, but this is a double-edged sword since threat actors would also have access to that information. It would also be great if companies saw providing 'extra' cyber protections as a competitive advantage and used that to differentiate themselves in the marketplace.
Q Did you come away from your research with an idea that one party or the other deserves more or less of the blame for breaches?
A All data breaches are the responsibility of the organization entrusted to protect that data. That includes the physical protections they wrap around their IT assets as well as all the personnel who are entrusted to enable security controls across the organization's IT infrastructure. Blaming users for having weak passwords is an often-referenced crutch. Users have a right to data privacy from all organizations they entrust with their information.
Q You write about levels of security in password handling, from cleartext through salted hashing. Why do all companies not use salted hashes? Should they?
A Many organizations do not have dedicated cyber personnel interested in locking down all intellectual property assets. Instead, many IT organizations are focused on other issues -- internal user satisfaction, maintaining system uptime, thwarting phishing attacks, etc. More companies need to embed strong cyber defense mechanisms into their DNA. Of course, strong controls incur costs, which is another impediment.
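The "levels" the question refers to (cleartext, unsalted hash, salted hash) are easy to state and easy to underestimate. The script below is an added example, not code from the interview or the white paper: it stores the same three constructed user accounts under each scheme and then plays the attacker who has obtained the leaked table, so the practical difference becomes visible. It goes slightly beyond the page's own wording by pairing the salt with an iterated hash (PBKDF2 from the standard library stands in for a dedicated password hash such as Argon2 or bcrypt) and by using a constant-time comparison on verification. The usernames, passwords, wordlist and the `ITERATIONS` work factor are all assumptions made for the demonstration.

```python
"""Three levels of password storage and what a leaked table gives an attacker.
Added example; not code from the interview or the white paper. All sample
data (users, passwords, wordlist) is constructed for the demonstration."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor; tune to the login server's hardware


def store_cleartext(password: str) -> dict:
    """Level 0: the password itself is the stored record."""
    return {"scheme": "cleartext", "value": password}


def store_unsalted(password: str) -> dict:
    """Level 1: a plain SHA-256 of the password, identical for identical passwords."""
    return {"scheme": "sha256", "value": hashlib.sha256(password.encode()).hexdigest()}


def store_salted(password: str, salt: Optional[bytes] = None) -> dict:
    """Level 2: per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256
    from the standard library stands in for a dedicated password hash)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "value": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Check a login attempt against a record of any scheme. compare_digest keeps
    the comparison constant-time so the check itself leaks no timing signal."""
    if record["scheme"] == "cleartext":
        return hmac.compare_digest(record["value"].encode(), password.encode())
    if record["scheme"] == "sha256":
        return hmac.compare_digest(record["value"],
                                   hashlib.sha256(password.encode()).hexdigest())
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(record["value"], digest.hex())


def crack(records: dict, wordlist: list) -> dict:
    """Attacker holding the leaked table. Cleartext needs no work; unsalted hashes
    fall to ONE precomputed lookup shared across every user; salted hashes force
    a fresh derivation per user per guess, so cost scales with users x guesses."""
    found = {}
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    for user, rec in records.items():
        if rec["scheme"] == "cleartext":
            found[user] = rec["value"]
        elif rec["scheme"] == "sha256":
            if rec["value"] in lookup:
                found[user] = lookup[rec["value"]]
        else:
            for guess in wordlist:  # no table reuse possible across users
                if verify(rec, guess):
                    found[user] = guess
                    break
    return found


# Constructed sample data: two users share a weak password, one chose a strong one.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "T9#vq!LpR2wz"}
WORDLIST = ["123456", "password", "letmein", "qwerty"]


def demo(scheme: str) -> dict:
    """Store USERS under one scheme and run the attacker over the result."""
    store = {"cleartext": store_cleartext, "sha256": store_unsalted,
             "pbkdf2-sha256": store_salted}[scheme]
    records = {u: store(p) for u, p in USERS.items()}
    return {"records": records, "cracked": crack(records, WORDLIST)}


if __name__ == "__main__":
    for scheme in ("cleartext", "sha256", "pbkdf2-sha256"):
        r = demo(scheme)
        same = r["records"]["alice"]["value"] == r["records"]["bob"]["value"]
        print(f"{scheme:14} alice/bob records identical: {same!s:5} "
              f"cracked: {sorted(r['cracked'])}")
```

Note what the salted run does and does not buy: alice and bob, who chose a dictionary word, are still recovered, because salting only removes the shared precomputed table and makes each guess cost a full derivation per user; carol survives every scheme except cleartext because her password is not in the wordlist at all. That is the interviewee's point in practice: strong passwords protect the user only when the organization has not stored them in cleartext, and salted hashing protects the organization's users only in proportion to the work it forces on the attacker.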
Q What is the most important takeaway from your white paper?
A That the future is promising. New advanced mechanisms will come online that tilt the balance of protection back to the account holder and away from the account attacker. NIST is working hard on a National Strategy for Trusted Identities in Cyberspace (NSTIC) which shows strong promise.