Is periodic password change still "unnecessary" now that telework is widespread? Thinking from the attacker's point of view
Are regular password changes effective? The debate has more or less settled on "no", but if a password is stolen without the user's knowledge through phishing or a targeted attack, changing it frequently seems as though it should help. Some experts do in fact still recommend regular changes. Now that cloud services and telework are widespread, could it be that their position is no longer a mistake? This article re-examines passwords from the attacker's point of view.
Freelance writer Shinji Nakao
Freelance writer and editor. After editing books at ASCII and O'Reilly Japan, he now translates, writes and interviews for both print and the Web. Most of his work is on IT, but he occasionally writes for automotive media. He has been using the Internet (though it was not called that at the time) since the UUCP days.
The situation has changed, but the meaning of the measure has not
Is regular change effective on a Zero Trust Network?
How attackers obtain credentials
Brute-force attacks remain highly effective for attackers
Hash values are also targets
The target is not only the administrator account
Risks from increased use of IoT and cloud
The reality that passwords alone cannot protect
The situation has changed, but the meaning of the measure has not
Many corporate systems still require regular password changes, but their effectiveness has long been questioned. Taking everything into account: regular changes push users toward easy-to-remember passwords and reuse of the same password; enforcing and administering the change rules is laborious; and the burden on users' actual work grows while efficiency drops. The view of many experts is that regular password changes bring no benefit and are, if anything, harmful. Cyber attacks, however, evolve daily. Given recent ransomware, targeted attacks, supply-chain attacks, IoT-related attacks and the expansion of telework after the pandemic (VPN, remote connections, cloud use), does this conclusion change? In short, it does not. The purpose of changing a password has no direct relation to who is attacking or by what vector, because the essential role of a password change is not prevention or defense but response after a system has been breached. In that light, changing a password promptly after an attack or information leak is essential. Likewise, when a password must be shared for business reasons (treat it as effectively leaked), it makes sense to change it regularly, and when an administrator changes role or leaves, a change is equally necessary.
Is regular change effective on a Zero Trust Network?
The National Institute of Standards and Technology (NIST) has also published its view on this issue, based on research papers, and following it, Japan's Ministry of Internal Affairs and Communications and major companies are increasingly dropping regular password changes. Even so, many companies and organizations still keep the regular-change rule. Before the pandemic I heard a marketer at a well-known overseas security vendor lament, "We still have a rule that passwords must be changed regularly." Some companies that have kept the rule may be continuing regular changes based on their own standards and policies even after understanding the NIST report. Because business content differs from company to company, the legitimacy of such a decision is hard to judge from outside. It is dangerous, however, if the rule is kept simply on the reasoning that "it may be less effective, but it is not zero, so there is no need to change the rule." On a Zero Trust Network, users must authenticate and be subject to access control on the premise that they have least privilege, or no privilege, by default. In such an environment there is some reason to change passwords (authentication information) frequently, but in that case introducing one-time passwords and two-factor authentication (2FA) would be the correct solution.
How attackers obtain credentials
Most leaked passwords are collected directly on phishing sites. The victim is skilfully led to a phishing site by an e-mail spoofing a bank, online shop or courier service, and is then asked to enter their real ID, password, card number and so on. Account information collected this way is published and sold on the dark web. If the correct credentials are handed over by phishing, one might think that changing the password regularly would be effective after all. The phished credentials are stored in a database and sold or released on the dark web, and another attacker who buys them attempts to break in; if a scheduled password change happens to fall in that interval, it could prevent the intrusion. Attackers, however, also use information collected by phishing as data for dictionary attacks and list attacks, that is, as matching data for brute-force attempts. Even if the password for the site it was stolen from is changed, it can still be used to break into another site where the same or a similar password is used, or into someone else's account that happens to share the password. If, to counter this, passwords for every site are changed regularly, the original function of a password, authentication by something you remember, breaks down; that is a poor security measure to begin with, because the availability of the system drops at every step. In targeted attacks such as spear phishing (targeted phishing), the stolen credentials are abused immediately, so there are situations in which regular changes are almost meaningless. [Next page] Periodic password changes may give hints and information to attackers.
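The list attack described above has a recognisable footprint in authentication logs: one source cycling through many distinct accounts with mostly failures. The following detector is an added example, not code from the article; the log format and the sample lines are constructed, and the thresholds are assumptions. It flags such sources and lists the accounts that logged in successfully from them, which are the ones that need a prompt, event-driven reset rather than a wait for the next scheduled rotation.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article); the line format is assumed.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:02 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:03 src=203.0.113.7 user=dave result=SUCCESS
2024-05-01T09:00:04 src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:05 src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:01:10 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:01:20 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:01:40 src=198.51.100.4 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse_events(log_text):
    """Parse the constructed log format into dicts with src, user and result."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def find_list_attacks(events, min_users=5, max_success_ratio=0.2):
    """Return {src: sorted users} for sources that look like a list attack:
    many distinct accounts tried from one source with a low success ratio.
    One user failing repeatedly from one source is ordinary lockout noise,
    not a list attack, so it is not flagged. Thresholds are assumed values."""
    by_src = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        s = by_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "SUCCESS":
            s["successes"] += 1
    flagged = {}
    for src, s in by_src.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[src] = sorted(s["users"])
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that authenticated successfully from a flagged source: these are
    the compromise-driven resets the article argues for, independent of any schedule."""
    return sorted({e["user"] for e in events
                   if e["src"] in flagged and e["result"] == "SUCCESS"})
```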