On March 21st, President Biden issued an urgent warning to the public sector on the need to immediately strengthen their cybersecurity. Since Russia certainly has the expertise to target a nation like the United States, and with hospitals historically susceptible to cyber-attacks, what can we do to protect our organizations?
Today, I’m going to talk about passwords.
Every article I have read states that multi-factor authentication (MFA) is a must. And I agree, MFA is necessary. However, I disagree that MFA is the first place to build a healthy information security program.
For a user (or perpetrator) to get an MFA prompt, they must first enter a password; however, the information security world seems to have waved the white flag on increasing password strength. There are two key reasons this is problematic: password complexity and rotation.
Both these commonly held password complexity and rotation policies are outdated, established decades ago, and nowhere near sufficient for battling the complexities of 21st-century cyber threats.
In addition, MFA can only easily deploy to so many places, and while it may stop an attacker from quickly gaining access via a VPN connection or Citrix, it does not prevent a phishing attack.
MFA also requires human interaction, which creates a small productivity hit.
I would never say MFA isn’t a necessity; it certainly is. MFA reduces risk. But without the backing of a policy that champions password complexity under high rotation, MFA cannot eliminate the potential of a break-in.
To achieve speed at cracking passwords, bad guys use pre-computed password hashes (scrambled representations of passwords) stored in databases. This is called a rainbow table. How do we knock the legs out from under that table?
If we can reduce the need for an employee to generate or utilize a password on their own, we can significantly increase productivity while having a broadly deployed control system.
Let’s say a worst-case scenario happened, and an attacker obtained every password hash in a domain. Let’s also say we required 20-character randomly generated passwords for all employee and service accounts. The likelihood that any of those passwords has already been pre-computed is vanishingly small. A larger number of characters with randomization takes away the easiest path for an attacker.
Now consider an eight-character password. It is almost guaranteed that pre-computed hashes will exist for most users’ passwords.
Changing a password every 90 days is just poor guidance. For server or administrator passwords, I believe they must be rotated weekly at a minimum, and for some accounts, after every use.
I would rather have a long, complex password with no rotation than a short, guessable password rotated quarterly for less secure accounts. I have never worked with a paid penetration tester who required a full business quarter to infiltrate a network successfully. You can be assured that a well-trained adversary won’t need that much time either.
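To put numbers on the length-versus-rotation argument above, here is an added example (not code from the original post or from MEDHOST). It sizes the keyspace of an 8-character and a 20-character random password, checks whether a full search fits inside a 90-day rotation window, and generates a vault-style password from a CSPRNG; the guessing rate is an assumed placeholder, not a measured benchmark.

```python
import math
import secrets
import string

# Alphabet a password vault would draw from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed offline guessing rate against a fast, unsalted hash on commodity GPUs.
# This is an illustrative order of magnitude, not a benchmark figure.
ASSUMED_GUESSES_PER_SECOND = 1e11


def keyspace_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(len(alphabet))


def seconds_to_exhaust(bits: float,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate (or pre-compute a table for) the whole keyspace."""
    return 2.0 ** bits / guesses_per_second


def exhausted_within(length: int, rotation_days: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> bool:
    """True if the entire keyspace can be searched before the password is rotated."""
    return seconds_to_exhaust(keyspace_bits(length), guesses_per_second) < rotation_days * 86400


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Vault-style password: uniform random symbols from a CSPRNG, nothing a human picks."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for length in (8, 20):
        bits = keyspace_bits(length)
        years = seconds_to_exhaust(bits) / (365.25 * 86400)
        print(f"{length:2d} chars: {bits:6.1f} bits, full search ~{years:.2e} years, "
              f"searchable within a 90-day rotation: {exhausted_within(length, 90)}")
    print("example vault password:", generate_password())
```

Under these assumptions the 8-character keyspace falls in under a day, so quarterly rotation buys nothing, while the 20-character keyspace outlasts any rotation schedule by many orders of magnitude.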
To produce the long and complex passwords necessary to stump the automated cracking programs used by cybercriminals, hospitals and other potentially vulnerable organizations must invest in password vaults. Allowing users to select and input their Active Directory (AD) password via a vault means they don’t have to know their password.
In addition, tools such as Windows Hello allow users to log on to a Windows workstation without knowing their password. Imagine no longer typing a password into the computer multiple times per day. Add a layer of multi-factor authentication to that process, and you are creating a situation where attackers have to work much harder to compromise an infrastructure.
By forcing the attacker to work harder, information security resources have an improved chance of finding an irregularity earlier in a compromise, decreasing damages and costs to remediate.
Password complexity with regular updates is a core tenet of cybersecurity at MEDHOST. Adherence to strict cybersecurity measures is something we employ in all the EHR environments we manage and a best practice we recommend to all our hospital partners.
To learn more about how MEDHOST can help secure your critical healthcare data, please reach out to us at firstname.lastname@example.org or call 1.800.383.6278.