
LastPass warns that changing passwords is not enough

Frequent password changes matter less now that securing information requires a multi-faceted approach, password management provider LastPass has told sales prospects in a webinar.

Alex Cox, information security director at LastPass, said the US National Institute of Standards and Technology (NIST) no longer recommends frequent password changes.

“They basically say don’t change your password unless you know it’s been compromised,” Cox said. “Monitor the breach landscape for the data, those password lists, and if your password shows up there, then you change it.”

A key reason is the additional work that frequent changes put on users and IT support, he said.

For example, LastPass itself has regularly found that people forget the changes and end up having to call the help desk.

“From a support standpoint, that’s huge,” Cox said. “So the industry is kind of moving to that right now.”

Instead, organisations should already be employing a range of other practices and policies to protect user access. One example is using a password manager tool so users don’t actually need to remember or type in as many credentials.
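The advice above is to watch breach data and rotate a password only when it turns up there. As an added illustration, not code from the webinar or from LastPass, the following Python shows one way a client can perform that check without disclosing the password: it hashes the candidate password, reveals only a short hash prefix to the lookup service (a k-anonymity range query), and compares the returned suffixes locally. The breach corpus here is a small constructed set of well-known weak passwords, and `breach_feed_lookup` stands in for whatever monitoring feed an organisation actually uses; both are assumptions of this example.

```python
import hashlib

# Constructed breach corpus for the example: SHA-1 digests of a few weak,
# widely leaked passwords. This is stand-in data, not a real breach feed.
_BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PASSWORDS}

# Length of the hex prefix the client is willing to reveal (assumed value).
PREFIX_LEN = 5


def breach_feed_lookup(prefix):
    """Service side of a k-anonymity range query (hypothetical feed).

    Returns every hash suffix in the corpus whose digest starts with `prefix`.
    The caller never sends the full hash, so the service cannot tell which of
    the returned candidates, if any, is the user's password.
    """
    return {h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password, lookup=breach_feed_lookup):
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in lookup(prefix)


def passwords_to_rotate(credentials, lookup=breach_feed_lookup):
    """Given {account_name: password}, return the accounts whose password
    appears in the breach corpus; these are the ones worth changing now."""
    return sorted(acct for acct, pw in credentials.items() if is_breached(pw, lookup))


if __name__ == "__main__":
    vault = {"mail": "password", "vpn": "Tr0ub4dor&3-xyz", "wiki": "qwerty"}
    print("rotate:", passwords_to_rotate(vault))
```

Only the first five hex characters of the digest leave the client; a real deployment would replace `breach_feed_lookup` with a call to the monitoring service and keep the suffix comparison local exactly as shown.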

Go beyond changing passwords

Stephanie Schneider, cyberthreat intelligence analyst at LastPass, explained the need for more comprehensive protection measures.

Examples included multi-factor authentication (MFA) and dark-web monitoring on top of robust password management.

“This year, there’s been a lot of password spraying or credential harvesting attacks that have led to massive impact,” said Schneider.

“A lot of companies have gotten popped with info-stealers, and didn’t know it, so that info was out there on the dark web. Info-stealers are really quiet and very widespread.”
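Password spraying, mentioned above, has a recognisable shape in authentication logs: one source tries a small number of passwords against many different accounts in a short period, so the failures fan out across usernames rather than piling up on one. The Python below is an added detection example, not part of the article or of any LastPass product. It parses a constructed sample of auth log lines (the line format, timestamps and addresses are assumptions of this example), flags any source that fails against at least `min_users` distinct accounts within a sliding time window, and reports which accounts that source subsequently logged into successfully, since a success in the middle of a spray is the finding that needs immediate attention.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp result user=... src=...).
# 203.0.113.7 sprays five accounts and then succeeds on a sixth;
# 198.51.100.4 is a single user mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11 OK   user=frank src=203.0.113.7
2024-05-01T09:01:00 FAIL user=alice src=198.51.100.4
2024-05-01T09:01:30 FAIL user=alice src=198.51.100.4
2024-05-01T09:02:00 OK   user=alice src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, result, user, src = line.split()
    return (
        datetime.fromisoformat(ts),
        result,
        user.split("=", 1)[1],
        src.split("=", 1)[1],
    )


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: {"sprayed_users": [...], "successes": [...]}} for every
    source whose failed logins cover >= min_users distinct accounts inside
    any `window`-long span. Thresholds are assumed values; tune to the estate."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse_line(line)
            events[src].append((ts, result, user))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users_in_window = {u for _, u in fails[start:end + 1]}
            if len(users_in_window) >= min_users:
                successes = sorted({u for _, r, u in evs if r == "OK"})
                findings[src] = {
                    "sprayed_users": sorted(users_in_window),
                    "successes": successes,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_LOG).items():
        print(f"{src}: sprayed {info['sprayed_users']}, succeeded on {info['successes']}")
```

The distinct-user count is what separates spraying from a single user fumbling a password, which is why the second source in the sample stays clean despite its repeated failures; the same grouping by source and window is what a SIEM rule for this pattern encodes.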

Schneider also pointed to a social engineering attack on Okta, involving the Scattered Spider cyber-crime group. Such groups continually evolve their tactics. Right now, there’s a focus on SaaS and high-level permissions to deploy ransomware, she said.

“[Scattered Spider] is well known for phone calls and text messaging, Telegram messages, impersonating IT staff to victims and to providing credentials on a phishing site, or downloading and installing management tools,” Schneider said.

“Once the group gets access to the network, they can steal data, deploy ransomware, encrypt all network devices, and also use stolen data to extort victims.”

Reducing risk from info-stealers

According to Schneider, info-stealers are responsible for a lot of the data available on the dark web. In addition, even if an attacker only knows someone’s phone number, telephony analysis can enable “a lot of bad stuff”.

“From reconnaissance and just finding the exposed credentials online, threat actors are able to just simply use those credentials to log in,” she said.

MFA helps but is similarly not enough on its own, she emphasised.

“Companies need a solution to both manage passwords while also monitoring for potential exposure on the dark web, whether that’s via info-stealers or other means,” Schneider said.

“And just knowing what is the attack surface that’s out there, where are your vulnerable points – address those.”

In addition, organisations should monitor for third-party vendor issues so they can address, in a timely manner, business connections that may create exposure, she added.

Watch the LastPass webinar on demand (58min).

(Photo by Towfiqu barbhuiya on Unsplash)
