There must be something you appreciate about the humble password, right? Tell us what you think.
As World Password Day fast approaches, the passwords of the world have nothing to celebrate.
Those poor, miserable, unloved masses of passwords. They remember the days when they were so cool! The days when merely knowing a password made you cool. When a mysterious, croaky voice muttering “What’s the password?” was the truest sign that one was about to have a very memorable evening.
Now though … now everyone says there are too many passwords! They say passwords can’t be trusted! They say we should get rid of passwords altogether!
Well, OK. Move to “passwordless authentication” if you must. But why not raise a glass and say a few kind words for the humble password before you lay it to rest?
Send us your thoughts at [email protected] with the subject heading: “Why I like passwords,” and they may appear in an upcoming Dark Reading article. If you would like to share but remain anonymous, please note that in your message. (Notes from “a secret admirer” will still be considered.)
The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.
Attackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.
“Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,” Boston-based cybersecurity firm Cybereason said in an analysis summarizing its findings.
First documented by Cisco Talos in July 2020, Prometei is a multi-modular botnet, with the actor behind the operation employing a wide range of specially crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, propagate laterally across the network and “increase the amount of systems participating in its Monero-mining pool.”
“Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,” Cybereason senior threat researcher Lior Rochberger said, adding it’s “built to interact with four different command-and-control (C2) servers which strengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.”
The intrusions take advantage of the recently patched vulnerabilities in Microsoft Exchange Servers with the goal of abusing the processing power of the Windows systems to mine Monero.
In the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server.
Recent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module named “Microsoft Exchange Defender” that masquerades as a legitimate Microsoft product and likely removes competing web shells installed on the machine, so that Prometei keeps the resources it needs to mine cryptocurrency efficiently.
Interestingly, newly unearthed evidence gathered from VirusTotal artifacts has revealed that the botnet may have been around as early as May 2016, implying that the malware has been constantly evolving ever since, adding new modules and techniques to its capabilities.
Prometei has been observed in a multitude of victims spanning the finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while explicitly avoiding targets in former Soviet bloc countries.
Not much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as “Russian.” A separate Tor client module used to communicate with a Tor C2 server included a configuration file that’s configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.
“Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations,” Rochberger said. “As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.”
“This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,” she added.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed details of a new advanced persistent threat (APT) that’s leveraging the Supernova backdoor to compromise SolarWinds Orion installations after gaining access to the network through a connection to a Pulse Secure VPN device.
“The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET web shell), and collected credentials,” the agency said on Thursday.
CISA said it identified the threat actor during an incident response engagement at an unnamed organization and found that the attacker had access to the enterprise’s network for nearly a year through the use of the VPN credentials between March 2020 and February 2021.
Interestingly, the adversary used valid accounts that were not protected by multi-factor authentication (MFA), rather than an exploit for a vulnerability, to connect to the VPN, allowing them to masquerade as legitimate teleworking employees of the affected entity.
In December 2020, Microsoft disclosed that a second espionage group may have been abusing the IT infrastructure provider’s Orion software to drop a persistent backdoor called Supernova on target systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.
Unlike Sunburst and other pieces of malware that have been connected to the SolarWinds compromise, Supernova is a .NET web shell implemented by modifying an “app_web_logoimagehandler.ashx.b6031896.dll” module of the SolarWinds Orion application. The modifications were made possible by leveraging an authentication bypass vulnerability in the Orion API tracked as CVE-2020-10148, in turn permitting a remote attacker to execute unauthenticated API commands.
An investigation into the incident is ongoing. In the meantime, CISA recommends that organizations implement MFA for privileged accounts, enable firewalls to filter unsolicited connection requests, enforce strong password policies, and secure Remote Desktop Protocol (RDP) and other remote access solutions.
China-based Spiral group is believed to be behind year-long attack, which exploited a flaw in SolarWinds Orion technology to drop a Web shell.
Members of an advanced persistent threat (APT) group, masquerading as teleworking employees with legitimate credentials, accessed a US organization’s network and planted a backdoor called Supernova on its SolarWinds Orion server for conducting reconnaissance, domain mapping, and data theft.
The attackers had access to the network for nearly one year, from March 2020 to February 2021, before they were discovered and blocked, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said Thursday in a report summarizing the findings of its investigation into the incident.
The report is the latest involving SolarWinds and its Orion network management server technology. However, the Supernova tool and the APT group behind it are separate from the group that used legitimate Orion software updates to distribute malware dubbed Sunburst to 18,000 organizations around the world. Last week the US government formally attributed that widely reported attack — described by many as one of the most sophisticated ever — to Russia’s Foreign Intelligence Service, SVR.
CISA’s malware analysis report, which includes indicators of compromise and mitigation recommendations, did not attribute the Supernova attack to any specific group or country. However, others such as Secureworks that have investigated similar intrusions lately have ascribed Supernova and its operators to Spiral, a believed China-based threat group. Only a small handful of organizations are known to have been infected with Supernova, so far at least.
In its report, CISA describes the incident as likely beginning last March when the attackers connected to the unnamed US entity’s network via a Pulse Secure virtual private network (VPN) appliance. CISA’s investigation showed the attackers used three residential IP addresses to access the VPN appliance. They authenticated to it using valid user accounts, none of which were protected by multifactor authentication. CISA said it has not been able to determine how the attackers obtained the credentials. The VPN access allowed the attackers to masquerade as legitimate remote employees of the organization.
Once the attackers gained initial access to the victim network, they moved laterally on it to the SolarWinds Orion server and installed Supernova, a .Net Web shell, on it. As was the case with the handful of other breaches involving Supernova, the attackers appear to have exploited an authentication bypass flaw (CVE-2020-10148) in SolarWinds Orion’s API to execute a PowerShell script for running the Web shell.
“CISA believes the threat actor leveraged CVE-2020-10148 to bypass the authentication to the SolarWinds appliance and then used SolarWinds Orion API to run commands with the same privileges the SolarWinds appliance was running (in this case SYSTEM),” CISA explained.
Unlike the Sunburst backdoor associated with the Russia campaign, the attackers did not embed Supernova into the Orion technology. Instead, they installed the malware on servers running Orion by exploiting CVE-2020-10148. Once installed, the attackers used the Web shell to dump credentials from the SolarWinds server. Weeks later the adversary again connected via the VPN appliance and tried using the stolen credentials to access an additional workstation. On another occasion, the threat actor used Windows Management Instrumentation and other legitimate utilities to gather information about running processes and to collect, archive, and exfiltrate data.
Consistent With Other Attacks
Don Smith, senior director with Secureworks’ counter threat unit, says the timing, tools, tactics, and procedures that CISA described this week are consistent with the company’s own findings from its investigation of two intrusions at a customer location.
The report corroborates “our assessment that the two intrusions we responded to at the same organization were both perpetrated by the same threat actor, [Spiral, aka Bronze Spiral],” Smith says.
Those TTPs included initial access through exploitation of vulnerable Internet-facing systems, he says. It also includes “deployment of the Supernova Web shell, credential theft, ongoing access through VPN services using legitimate credentials, the deployment of other tools renamed to disguise their function, and the use of compromised infrastructure for command and control,” Smith says.
The Supernova campaign was highly targeted and appears to have impacted only a very small number of organizations. However, it does serve as an example of how adversaries are constantly looking for vulnerabilities they can exploit for initial access. Once established on a network, such threats can be hard to eliminate, Smith notes.
“We should also remember that it does not take long for other, more opportunistic threats like ransomware operators to seize on exploits once they become public and look to use them for their own gain, at which point any organization is a potential target,” he says.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
The National Security Agency (NSA) recently issued a warning to private industry about four newly disclosed vulnerabilities in on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019. The NSA recommends patching the vulnerabilities immediately, before they are exploited by threat actors.
The vulnerabilities could lead to remote execution of code that would allow threat actors to take full control of the Exchange Servers and have access to, and control of, entire networks. Two of the vulnerabilities can be exploited remotely without any user interaction (which means that there is no need for phishing or other types of scams to get employees to do something to introduce the code into the system). The NSA has rated the vulnerabilities as highly critical.
Following the discovery of the vulnerabilities, the Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch all affected on-premises Exchange Servers and instructed them to remove from federal networks any servers that cannot be patched.
Patches for the vulnerabilities were released this week by Microsoft on Patch Tuesday. IT professionals may wish to consider the warning by NSA when prioritizing those patches.
The Houston Rockets NBA basketball franchise recently announced that it is investigating a ransomware attack that was partially prevented by internal security tools. According to the team, “unknown actors attempted to install ransomware on certain internal systems at the Rockets. However, our internal security tools prevented ransomware from being installed except for a few systems that have not impacted our operations.”
Bloomberg has reported that the hacking group responsible for the attack is Babuk, which earlier claimed on its dark web page that it would publish 500 gigabytes of the Rockets’ data that it exfiltrated unless the Rockets paid an undisclosed ransom for its return. The message is reportedly no longer present on Babuk’s dark web page.
The sprawling SolarWinds cyberattack which came to light last December was known for its sophistication in the breadth of tactics used to infiltrate and persist in the target infrastructure, so much so that Microsoft went on to call the threat actor behind the campaign “skillful and methodic operators who follow operations security (OpSec) best practices to minimize traces, stay under the radar, and avoid detection.”
As further proof of this, new research published today shows that the threat actor carefully planned each stage of the operation to “avoid creating the type of patterns that make tracking them simple,” thus deliberately making forensic analysis difficult.
By analyzing telemetry data associated with previously published indicators of compromise, RiskIQ said it identified an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware, representing a 56% jump in the attacker’s known command-and-control footprint.
The “hidden patterns” were uncovered through an analysis of the SSL certificates used by the group.
The development comes a week after the U.S. intelligence agencies formally attributed the supply chain hack to the Russian Foreign Intelligence Service (SVR). The compromise of the SolarWinds software supply chain is said to have given APT29 (aka Cozy Bear or The Dukes) the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the U.S. government.
The attacks are being tracked by the cybersecurity community under various monikers, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity), reflecting differences between the tactics, techniques, and procedures (TTPs) employed by the adversary and those of known attacker profiles, including APT29.
“Researchers or products attuned to detecting known APT29 activity would fail to recognize the campaign as it was happening,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “They would have an equally hard time following the trail of the campaign once they discovered it, which is why we knew so little about the later stages of the SolarWinds campaign.”
Earlier this year, the Windows maker noted how the attackers went to great lengths to ensure that the initial backdoor (SUNBURST aka Solorigate) and the post-compromise implants (TEARDROP and RAINDROP) stayed separated as much as possible so as to hinder efforts to spot their malicious activity. This was done so that, in the event the Cobalt Strike implants were discovered on victim networks, their discovery wouldn’t reveal the compromised SolarWinds binary and the supply chain attack that led to their deployment in the first place.
But according to RiskIQ, this is not the only step the APT29 actor took to cover its tracks, which included —
Purchasing domains via third-party resellers and at domain auctions under varying names, in an attempt to obscure ownership information and repurchasing expired domains hitherto owned by legitimate organizations over a span of several years.
Hosting the first-stage attack infrastructure (SUNBURST) entirely in the U.S., the second-stage (TEARDROP and RAINDROP) primarily within the U.S., and the third-stage (GOLDMAX aka SUNSHUTTLE) mainly in foreign countries.
Designing attack code such that no two pieces of malware deployed during successive stages of the infection chain looked alike, and
Engineering the first-stage SUNBURST backdoor to beacon to its command-and-control (C2) servers with random jitter after a two-week period, in a likely attempt to outlive the typical lifespan of event logging on most host-based Endpoint Detection and Response (EDR) platforms.
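The last point above is worth making concrete. A beacon that checks in at a fixed interval is trivial to spot from proxy or firewall logs; adding random jitter to each check-in defeats the naive detector while leaving the traffic statistically very different from human browsing. The following is an added example, not code from RiskIQ or from the SolarWinds malware: it generates constructed connection timestamps (a perfectly periodic beacon, a jittered one, and a stand-in for a person browsing) and compares a naive fixed-interval check with a jitter-tolerant dispersion score (median absolute deviation of the gaps divided by their median). The interval, jitter range and sample sizes are assumptions chosen for illustration.

```python
import random
import statistics


def inter_arrival_gaps(epoch_seconds):
    """Seconds between consecutive events from one host to one destination."""
    ts = sorted(epoch_seconds)
    return [b - a for a, b in zip(ts, ts[1:])]


def is_fixed_interval_beacon(epoch_seconds, tolerance_s=1.0, min_gaps=5):
    """Naive periodicity check: every gap must match the first one within
    tolerance_s. Random jitter of even a few seconds defeats this."""
    gaps = inter_arrival_gaps(epoch_seconds)
    if len(gaps) < min_gaps:
        return False
    return all(abs(g - gaps[0]) <= tolerance_s for g in gaps)


def beacon_dispersion(epoch_seconds, min_gaps=8):
    """Jitter-tolerant score: median absolute deviation of the gaps divided by
    their median. A jittered beacon stays small because the jitter is bounded
    around a fixed interval; human-driven traffic is far more dispersed.
    Returns None when there are too few events to judge."""
    gaps = inter_arrival_gaps(epoch_seconds)
    if len(gaps) < min_gaps:
        return None
    med = statistics.median(gaps)
    if med <= 0:
        return None
    mad = statistics.median([abs(g - med) for g in gaps])
    return mad / med


def constructed_beacon(n, interval_s, jitter_frac, seed, start=1_600_000_000):
    """Constructed sample: n check-ins every interval_s seconds, each shifted
    by a uniformly random amount of up to +/- jitter_frac * interval_s.
    jitter_frac=0 yields a perfectly periodic beacon."""
    rng = random.Random(seed)
    t, out = start, []
    for _ in range(n):
        out.append(t + rng.uniform(-jitter_frac, jitter_frac) * interval_s)
        t += interval_s
    return out


def constructed_browsing(n, mean_gap_s, seed, start=1_600_000_000):
    """Constructed sample: n requests with exponentially distributed gaps,
    a rough stand-in for a person clicking around a site."""
    rng = random.Random(seed)
    t, out = start, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap_s)
        out.append(t)
    return out


if __name__ == "__main__":
    periodic = constructed_beacon(60, 600, 0.0, seed=1)
    jittered = constructed_beacon(60, 600, 0.2, seed=1)
    browsing = constructed_browsing(60, 600, seed=1)
    for name, sample in [("periodic", periodic), ("jittered", jittered), ("browsing", browsing)]:
        print(name, is_fixed_interval_beacon(sample), round(beacon_dispersion(sample), 3))
```

Two practical caveats follow from the article. The dispersion score only works over a window that contains enough check-ins, so the two-week dormancy SUNBURST used must be shorter than the retention of whatever log the score is computed from; if the EDR rolls its telemetry every few days, nothing is left to score by the time the implant starts talking. And a low score is a lead, not a verdict: software updaters and monitoring agents beacon too, so the result has to be joined with destination reputation and process context.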
“Identifying a threat actor’s attack infrastructure footprint typically involves correlating IPs and domains with known campaigns to detect patterns,” Livelli said.
“However, our analysis shows the group took extensive measures to throw researchers off their trail,” suggesting the threat actor took extensive measures to avoid creating such patterns.
Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company’s customers including their names, physical addresses and information on the Deere equipment they own and operate.
The researcher known as “Sick Codes” (@sickcodes) published two advisories on Thursday warning about the flaws in the myjohndeere.com web site and the John Deere Operations Center web site and mobile applications. In a conversation with Security Ledger, the researcher said that he was able to use VINs (vehicle identification numbers) taken from a farm equipment auction site to identify the name and physical address of the owner. Furthermore, a flaw in the myjohndeere.com website could allow an unauthenticated user to carry out automated attacks against the site, possibly revealing all the user accounts for that site.
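The two flaws described above are instances of two very common web weaknesses: a lookup that returns another customer’s data to anyone who knows an identifier (a missing object-level authorization check), and an endpoint whose responses differ depending on whether an account exists (a username oracle that a script can walk with a word list). The following is an added example, not Deere’s code and not the researcher’s; the in-memory records, VINs and names are constructed and fictional. It places a vulnerable handler for each flaw beside a hardened one: the hardened VIN lookup requires a logged-in caller who owns the VIN, answers “not found” identically for unknown and not-yours VINs, returns only the field the caller needs, and is rate-limited per client; the hardened account check returns a constant response.

```python
import time
from collections import defaultdict, deque

# Constructed sample data for this example; VINs, names and addresses are fictional.
EQUIPMENT = {
    "1XX000000000001": {"owner": "alice", "model": "combine-A", "address": "1 Farm Rd"},
    "1XX000000000002": {"owner": "bob", "model": "tractor-B", "address": "2 Prairie Ln"},
}
USERS = {"alice", "bob"}


# --- The two weaknesses as they typically look in code ---

def lookup_vin_vulnerable(vin):
    """No session and no ownership check: anyone holding a VIN learns the owner's
    name and address, and VINs are printed on public auction listings."""
    rec = EQUIPMENT.get(vin)
    return None if rec is None else dict(rec)


def username_check_vulnerable(username):
    """Two distinguishable answers make this an oracle: a script can walk a
    word list and harvest every valid account name."""
    return "taken" if username in USERS else "available"


# --- Hardened equivalents ---

class SlidingWindowLimiter:
    """Allow at most `limit` calls per client within any `window_s` seconds.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.calls = defaultdict(deque)

    def allow(self, client_id):
        now = self.clock()
        q = self.calls[client_id]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_vin_hardened(session_user, vin, limiter, client_id):
    """Object-level authorization: the caller must be logged in and must own
    the VIN. 'No such VIN' and 'not your VIN' get the same answer so the
    endpoint cannot be used to probe which VINs exist, and only the field the
    caller needs is returned."""
    if session_user is None:
        return {"status": 401}
    if not limiter.allow(client_id):
        return {"status": 429}
    rec = EQUIPMENT.get(vin)
    if rec is None or rec["owner"] != session_user:
        return {"status": 404}
    return {"status": 200, "model": rec["model"]}


def username_check_hardened(username, limiter, client_id):
    """Constant response whether or not the account exists, plus a rate limit
    so that bulk probing is slow and shows up in logs."""
    if not limiter.allow(client_id):
        return "too many requests"
    return "if that account exists, a message has been sent to it"


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=3, window_s=60)
    print(lookup_vin_vulnerable("1XX000000000001"))              # leaks owner and address
    print(lookup_vin_hardened("bob", "1XX000000000001", lim, "c1"))  # 404: not bob's VIN
    print(lookup_vin_hardened("alice", "1XX000000000001", lim, "c1"))  # 200, model only
```

The rate limiter is deliberately per client rather than global, and the constant-response check still needs the limit: without it, an attacker who cannot read the answer can still measure response time, and a registration flow that must reject duplicates should do so only after the caller has proven control of the e-mail address or phone number, not in the first request.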
Sick Codes disclosed both flaws to John Deere and also to the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA), which monitors food and agriculture as a critical infrastructure sector. As of publication, the flaws discovered in the Operations Center have been addressed while the status of the myjohndeere.com flaws is not known.
Contacted by The Security Ledger, John Deere did not offer comment regarding the bulletins prior to publication.
Sick Codes, the researcher, said he created a free developer account with Deere and found the first myjohndeere.com vulnerability before he had even logged into the company’s web site. The two flaws he disclosed represent only an hour or two of probing the company’s website and Operations Center. He feels confident there is more to be found, including vulnerabilities affecting the hardware and software deployed inside the cabs of Deere equipment.
“You can download and upload stuff to tractors in the field from the web. That is a potential attack vector if exploitable.”
Ag Equipment Data: Fodder for Nation States
The information obtained from the John Deere websites, including customer names and addresses, could put the company afoul of data security laws like California’s CCPA or the Personal Information Protection Act in Deere’s home state of Illinois. However, the national security consequences of the company’s leaky website could be far greater. Details on what model combines and other equipment is in use on what farm could be of very high value to an attacker, including nation-states interested in disrupting U.S. agricultural production at key junctures, such as during planting or harvest time.
The consolidated nature of U.S. farming means that an attacker with knowledge of specific, Internet connected machinery in use by a small number of large-scale farming operations in the midwestern United States could launch targeted attacks on that equipment that could disrupt the entire U.S. food supply chain.
Agriculture is uniquely susceptible to such disruptions, says Molly Jahn, a Program Manager in the Defense Sciences Office at DARPA, the Defense Advanced Research Projects Agency and a researcher at the University of Wisconsin, Madison.
“Unlike many industries, there is extreme seasonality in the way John Deere’s implements are used,” Jahn told Security Ledger. “We can easily imagine timed interference with planting or harvest that could be devastating. And it wouldn’t have to persist for very long at the right time of year or during a natural disaster – a compound event.” An attack aimed at economic sabotage and carried out through combines at harvest time in the midwest would be “devastating and unrecoverable depending on the details,” said Jahn.
However, the Agriculture sector and firms that supply it, like Deere, lag other industries in cyber security preparedness and resilience. A 2019 report released by Department of Homeland Security concluded that the “adoption of advanced precision agriculture technology and farm information management systems in the crop and livestock sectors is introducing new vulnerabilities into an industry which had previously been highly mechanical in nature.”
DHS Report: Threats to Ag Not Taken Seriously
“Most of the information management / cyber threats facing precision agriculture’s embedded and digital tools are consistent with threat vectors in all other connected industries. Malicious actors are also generally the same: data theft, stealing resources, reputation loss, destruction of equipment, or gaining an improper financial advantage over a competitor,” the report read.
The research group that prepared that report visited large farms and precision agriculture technology manufacturers “located throughout the United States.” It concluded that “potential threats to precision agriculture were often not fully understood or were not being treated seriously enough by the front-line agriculture producers.”
Jahn said the U.S. agriculture sector has emphasized efficiency and cost savings over resilience. The emergence of precision agriculture in the last 15 years has driven huge increases in productivity, but also introduced new risks of disruptions that have not been accounted for.
“We have not thought about protecting the data from unwanted interference of any type,” she said. “That includes industrial espionage, sabotage or a full on attack…I have consistently maintained cyber risk on the short list of existential threats to US food and agriculture system.”
Goodness is hard to measure. More so in the field of Cybersecurity. In the physical world, if you possess something, say a $1 bill, you have it. If you spend it, you don’t have it. If someone steals it, you don’t have it, either. The digital world is quite different. Digital copies are the same as the original – exactly the same. Each replicated copy is at least as original as the original original. “Can you send me a copy?” can only be answered, “No, but I can send you an original.”
You know all that.
A non-time-sensitive digital asset that could be infinitely replicated was itself of little value. It could be replicated many times and in theory “spent” many times. But of course, there were no buyers. Enter cryptocurrency, Bitcoin for an obvious example. A Bitcoin aspires to be a digital $1 bill that can neither be double-spent nor infinitely replicated. How do those two miracles occur? Blockchain.
Data’s Deep Fake Problem
What else can we do with this marvelous technology that allows us to prove in the digital world that if I have something, I really have it, and if I do not have it, I really don’t have it?
The first digital image ever created was of Russell Kirsch’s son, Walden, scanned from a photograph in 1957. (Source: Wikipedia.)
More than 60 years ago, the first digital photograph was created. Businesses missed the implication. Film-based photographs were hard to manipulate; not so digital photographs which can be easily manipulated. The implication is that the integrity of the photographic data on which a business decision was being made had very substantially degraded. And, no one seemed to notice… for a while.
When businesses did notice, they just started to drop photographs from their business processes. Rightly so. The integrity of the data was highly suspect and nowhere near the quality for a serious business decision. Enter blockchain once again. Blockchain enables the data to be “frozen” at the “moment of creation.” The integrity of the data is preserved and actionable business decisions can be made by responsible people.
How do we think about this? What is the right way to analogize what we know? For illustration and conversation, the present authors offer the table below, the Data Integrity Scale, in the hope of making levels of “goodness” contributory to decision support. Availability has metrics – downtime can easily be measured – but, until now, Integrity has not had a firm scale to measure with.
A Scale for Data Integrity
Most current systems are not designed to protect the Integrity of the data from the moment of creation until the point of use. Protect its Confidentiality? Yes. Protect its Availability? Yes, again. The more we depend on data to drive processes of increasing complexity, the more Integrity supplants Confidentiality and Availability as the paramount goal of cybersecurity.
The Cyber Integrity Question of 2021
The table attempts to correlate the measures of trustworthiness across the domains of Law, Accounting, and Business. The sort of question that jumps out from the table might be:
Since I require the proof of a person’s identity (credentialing) be above the red bar before I would let him or her act on the company’s data, why should I not also require that data be above the red bar before I allow it to act on other company data?
“Data integrity is the maintenance of, and the assurance of the accuracy and consistency of data over its entire life-cycle, and is a critical aspect to the design, implementation, and usage of any system which stores, processes, or retrieves data. … It is at times used as a proxy term for data quality.”[5]
But “quality” without a way to define and measure it, is an ephemeral term. One common definition of quality is “conformance to requirements.” Here, we might require that the Integrity of data be “above the bar” on the Data Integrity Scale.
A report from Deloitte (PDF) indicates that Data Integrity violations account for over 40 percent of pharmaceutical warning letters issued globally.
The historical methods of chasing Visibility and Context through Data Governance down a long chain-of-custody/audit trail are now outdated techniques (and not very reliable in any event: there are too many steps along the way). A registered “record copy” via blockchain technology is a far better solution. Businesses that are assiduously checking for viruses (aka automated tampering) should also ensure that the data they actually use for major decisions has Integrity and is not the result of automated or physical tampering. Blockchain technology allows photos, videos, and other data to jump “above the bar.”
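What a “registered record copy” actually buys you is easier to judge with the mechanism in front of you. The following is an added example, not the authors’ system and not any particular blockchain product: a minimal append-only hash chain that commits the SHA-256 digest of a record (a photo, a video, a sensor file) together with the timestamp the registrar asserts, links each entry to the previous one, and later verifies both that presented bytes still match what was registered and that the ledger itself has not been rewritten. The record bytes and timestamps are constructed. Two caveats the code makes visible: the chain proves a record is unchanged since registration, not that it was truthful at creation, and a single-party ledger only relocates trust to whoever holds it, which is why production systems anchor the chain head to a public blockchain or an independent witness.

```python
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Entry:
    index: int
    registered_at: str    # timestamp asserted by the registrar, e.g. "2021-04-22T09:15:00Z"
    record_digest: str    # SHA-256 of the record bytes; the bytes themselves are not stored
    prev_hash: str        # entry_hash of the previous entry; this is the link
    entry_hash: str       # hash over this entry's own fields


def compute_entry_hash(index, registered_at, record_digest, prev_hash):
    """Canonical encoding so identical fields always hash identically."""
    payload = json.dumps([index, registered_at, record_digest, prev_hash],
                         separators=(",", ":"))
    return sha256_hex(payload.encode("utf-8"))


class RecordLedger:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def register(self, record: bytes, registered_at: str) -> Entry:
        """Freeze a record at its 'moment of creation' by committing its digest."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        idx = len(self.entries)
        digest = sha256_hex(record)
        entry = Entry(idx, registered_at, digest, prev,
                      compute_entry_hash(idx, registered_at, digest, prev))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; an edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return False
            if compute_entry_hash(e.index, e.registered_at, e.record_digest, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def verify_record(self, index: int, record: bytes) -> bool:
        """True only if the chain is intact and the presented bytes are exactly
        what was registered under that index."""
        if not self.verify_chain() or not 0 <= index < len(self.entries):
            return False
        return self.entries[index].record_digest == sha256_hex(record)

    def head(self) -> str:
        """The value to publish or anchor externally: it commits to every entry."""
        return self.entries[-1].entry_hash if self.entries else self.GENESIS


if __name__ == "__main__":
    ledger = RecordLedger()
    photo = b"constructed JPEG bytes: field photo, north quarter"   # constructed sample
    ledger.register(photo, "2021-04-22T09:15:00Z")
    print(ledger.verify_record(0, photo))          # True
    print(ledger.verify_record(0, photo + b"x"))   # False: one byte changed
    print(ledger.head())
```

Publishing `head()` periodically (to a newspaper, a public chain, a third-party timestamping service) is what stops the registrar from quietly rebuilding the chain with different digests, since every published head would then fail to match.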
Back to the Future
Roll back more than 60 years, to 1957, when the world encountered the first digital photograph. A person needed the skills of a professional photographer to fake a photograph. There was a general feeling of “trust” in what was depicted in a photograph. That was then and this is now, but with adroit use of blockchain technology it is once again possible to have “trust” in photographs and videos, and to restore Integrity.
What can you do with that “trust?” Business decision makers no longer have to deal with information along a previously believed continuum of certitude; “through a glass darkly,” but rather can see clearly the demarcations where information is useful and not useful.
The rapid digitalization of business processes has caused a greater need for accurate data as there are no longer humans further upstream in the process to keep the low-quality data from infecting the automated business decision process.
Now is the time to align the ordinal scales of jurisprudence and accounting with each other and with like-minded ordinal scales for business processes. We offer a first cut at that necessary advance; we hope that it is sufficient to purpose and self-explanatory, and will allow this advancement in technology to open new markets with innovative products.
“Beyond a Reasonable Doubt.” Whitman J. (2005) The Origins of Reasonable Doubt, Yale University Press.
“Clear and Convincing Proof.” Colorado v. New Mexico, 467 U.S. 310, 467 (1984)
“Preponderance of the evidence.” Leubsdorf J., (2015), The Surprising History of The Preponderance of the Standard of Civil Proof, 67 Fla. L. Rev. 1569
“Substantial Evidence” Richardson v. Perales, 402 U.S. 389, 401 (1971)
“Probable Cause” United States v. Clark, 638 F.3d 89, 100–05 (2d Cir. 2011)
“Reasonable Suspicion” Terry v. Ohio 392 U.S. 1 (1968)
“Mere Scintilla” Hayes v. Lucky, 33 F. Supp. 2d 987 (N.D. Ala. 1997)
“In all material respects” Materiality considerations for attestation engagements, AICPA, 2020
“Reasonable Assurance” Guide to Financial Statement Services: Compilation, Review, and Audit. AICPA. 2015; AU-C 200: Overall Objectives of the Independent Auditor. AICPA. 2015; AU-C 240: Consideration of Fraud in a Financial Statement Audit. AICPA. 2015
“Substantial Authority,” “Realistic possibility,” “Reasonable basis,” “Frivolous or Patently Improper” Interpretations of Statement on Standards for Tax Services No. 1, Tax Return Positions, AICPA (Effective Jan. 1, 2012, updated April 30, 2018)
NIST Special Publication 800-63 Revision 3 June 2017
Photos and Videos
“SOC2” AICPA -Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. Updated January 1, 2018
“ISO 27001” is an international standard on how to manage information security. Revised 2013. The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.
“GDPR” The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Implementation date: 25 May 2018
There are many labor-intensive tasks that the IT service desk carries out on a daily basis, and none is as tedious and costly as resetting passwords.
Modern IT service desks spend a significant amount of time both unlocking and resetting passwords for end-users. This issue has been exacerbated by the COVID-19 pandemic.
Causes of account lockouts and password resets
End-user password policies, such as those found in Microsoft Active Directory Domain Services (ADDS), typically define a password age. The password age is the length of time an end-user can keep their current password.
While new guidance from NIST recommends against the long-held notion of forced password changes, it is still a common and required security mechanism across other compliance standards and industry certifications such as PCI and HITRUST.
When the password age is reached for the user account, the user must change their account password. It is generally prompted at the next login on their workstation. This scenario creates a series of likely events. Many end-users procrastinate changing their password, even if they are notified ahead of time.
Users also have various mobile devices connected to their accounts. If a user does not synchronize all device passwords when the account password is eventually changed, this will create issues that can lead to a lockout. It can create further confusion as the end-user may be using the correct password on their workstation.
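The two causes just described, a password reaching its maximum age and a mobile device still presenting the old password after a change, can both be spotted from directory data before the helpdesk call arrives. The following is an added example written for this article, not code from the article or from any product it mentions. It works on constructed data: a maximum password age, each user's password-last-set time, and a handful of lockout records in the shape of Security event 4740 (the user name, and the caller computer name that the event stores in its TargetDomainName field). Lockouts that cluster on one device within a day of a password change are the stale-credential pattern the text describes.

```python
"""Correlate Active Directory lockout events with password-change times to
find devices that are still presenting an old password.

Added example written for this article, not code from the article or from
any product it mentions. The directory data and the lockout records are
constructed. In a real environment the same fields come from Security event
4740 on the PDC emulator (TargetUserName, and the caller computer name,
which that event stores in TargetDomainName).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy and directory data: the domain's maximum password age
# (the "password age" from the text) and each user's pwdLastSet time.
MAX_PASSWORD_AGE = timedelta(days=90)
PASSWORD_LAST_SET = {
    "jsmith": datetime(2021, 4, 1, 9, 0),    # changed password this morning
    "mlee": datetime(2021, 1, 10, 14, 30),   # change is coming due
}
NOW = datetime(2021, 4, 1, 10, 0)            # constructed "current" time

# Constructed lockout records: (event time, user, caller computer name).
LOCKOUT_EVENTS = [
    (datetime(2021, 4, 1, 9, 5), "jsmith", "JSMITH-PHONE"),
    (datetime(2021, 4, 1, 9, 7), "jsmith", "JSMITH-PHONE"),
    (datetime(2021, 4, 1, 9, 20), "jsmith", "JSMITH-LAPTOP"),  # one typo
    (datetime(2021, 3, 20, 8, 0), "mlee", "MLEE-TABLET"),      # unrelated
]


def days_until_expiry(user, now, max_age=MAX_PASSWORD_AGE,
                      last_set=PASSWORD_LAST_SET):
    """Whole days left before the password age is reached (negative once expired)."""
    expiry = last_set[user] + max_age
    return (expiry - now).days


def expiring_within(days, now, max_age=MAX_PASSWORD_AGE,
                    last_set=PASSWORD_LAST_SET):
    """Users to warn ahead of a forced change: password expires within `days`."""
    return sorted(u for u in last_set
                  if 0 <= days_until_expiry(u, now, max_age, last_set) <= days)


def post_change_lockouts(events, last_set, window=timedelta(hours=24)):
    """Group lockouts that happened within `window` after a password change
    by the device that sent the bad credential: {user: {caller: count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for when, user, caller in events:
        changed = last_set.get(user)
        if changed is not None and changed <= when <= changed + window:
            report[user][caller] += 1
    return {u: dict(c) for u, c in report.items()}


def likely_stale_devices(report, min_count=2):
    """Devices that locked the account repeatedly right after the change;
    these are the phones and tablets still holding the old password."""
    return {u: sorted(c for c, n in callers.items() if n >= min_count)
            for u, callers in report.items()}


if __name__ == "__main__":
    print("Expiring within 14 days:", expiring_within(14, NOW))
    report = post_change_lockouts(LOCKOUT_EVENTS, PASSWORD_LAST_SET)
    print("Post-change lockouts:", report)
    print("Likely stale devices:", likely_stale_devices(report))
```

On the constructed data the phone shows up as the likely stale device while the single laptop lockout is left alone, and mlee appears in the expiry warning list nine days ahead of the forced change. The 24-hour window and the two-lockout threshold are tuning choices; tighten them if your lockout policy triggers on very few bad attempts.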
What are the costs of account lockouts and password resets?
It might seem that a simple password reset is a trivial matter with no real cost to the business, but the data shows otherwise. A study by the Gartner Group found that between 20% and 50% of all service desk calls were for password resets, and Forrester Research adds that the average help desk labor cost for a single password reset can run upwards of $70.
You may wonder, how is this possible?
First, before a password can be changed for an end-user, an organization that follows security best practice (as it should) must verify the identity of the user requesting the change. The reason is that an attacker may use social engineering to persuade the service desk to change a legitimate user’s account password; a successful attempt hands the attacker valid credentials and leads to a compromise of the environment. Verifying end-user identity by manual means can be time-consuming.
Next, businesses may still be using interconnected legacy systems that require manually changing passwords in multiple places rather than a single change flowing across the environment seamlessly. The manual process required for the helpdesk team to ensure a password is changed correctly may be labor-intensive.
It can require the helpdesk team to log in and use many different tools for changing a password in multiple systems for a single user account. Finally, the end-user may be “dead in the water” waiting on the IT service desk to assist with unlocking a locked user account or resetting a password. The time spent where an end-user is locked out and unable to perform their work duties in itself will result in impacted business processes and will ultimately cost the business.
What tools reduce the cost of account lockouts and password resets?
Organizations looking to reduce the cost of account lockouts and password resets can significantly benefit from Self-Service Password Reset (SSPR) tools. Much as the name implies, an SSPR solution allows end-users to unlock their account and reset their passwords using a self-service workflow.
End-users have to enroll, or be enrolled by system administrators, in the SSPR solution ahead of time. In the user-led enrollment process, the end-user configures the multi-factor verification methods that will later be used to prove their identity for the self-service actions. This may include setting up an authenticator app such as Google Authenticator, mobile verification by text message or phone call, or other means. Admin-led enrollment can require pre-filling the required verifier information in users’ Active Directory profiles.
Once the end-user is enrolled in the solution, they can visit a web portal to begin the workflows to unlock their account or reset their password, without any involvement or intervention from the IT helpdesk. This offloads the work from the service desk and lets the end-user triage their own account issues.
SSPR solutions are only as good as the number of end-users who are enrolled. A good SSPR solution allows administrators to have the tools needed to onboard users programmatically. This capability includes pre-enrolling users, which doesn’t require effort from admins or end-users as the system would rely on existing Active Directory identifier data to enable users to use authentication methods that rely on that data. When this option is present in SSPR solutions, it can dramatically increase the adoption of the SSPR solution across the board.
Lowering password reset costs with Specops uReset SSPR
An effective SSPR solution provides the tools and capabilities needed for businesses to quickly give end-users easy enrollment capabilities and perform self-service account workflows. Specops uReset is a robust Self-Service Password Reset solution that effectively allows companies to eliminate password reset calls to their IT helpdesk.
It provides the following capabilities:
Enables users to reset their Active Directory passwords securely
Users can use any device and can reset their password from anywhere
Users can initiate the password reset process from a browser, mobile device, or right from the Windows logon screen
It allows companies to implement a series of multi-factor authentication requirements that align with the business cybersecurity policies
It includes geo-blocking
Administrators have access to PowerShell scripts to quickly onboard users into uReset.
Specops uReset self-service workflow
When users are locked out of their account or have forgotten their password, the Specops web portal allows them to unlock their account quickly.
Specops uReset allows quickly unlocking accounts and resetting passwords
The end-user is asked to verify their identity using the first of the configured multi-factor verification methods.
Mobile Code verification in Specops uReset
The user is then prompted for the second configured multi-factor method. As the screenshot below shows, Specops accumulates a required number of “stars” across the configured verification methods; here three stars are needed, but the number of stars and the methods that count toward it are configurable.
A second form of multi-factor authentication is needed for identity verification
The end-user enters the code from Google Authenticator.
Entering the code from Google authenticator
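The star mechanism above, and the pre-enrollment question from the earlier section (which users can be onboarded from existing Active Directory data without doing anything themselves), are both questions about the same policy: which verification methods, with which weights, reach the threshold. The following is an added example written for this article, not Specops’ code or configuration. The method names, the star weights, the three-star threshold, the rule that at least two distinct methods are always required, the mapping from methods to AD attributes, and the user records are all constructed assumptions for illustration.

```python
"""Model a star-weighted multi-factor verification policy like the one the
article describes, and check which directory users could be pre-enrolled
from existing attribute data alone.

Added example written for this article, not Specops' code or configuration.
The method names, the star weights, the three-star threshold and the user
records are constructed assumptions for illustration.
"""
from itertools import combinations

# Assumed star weight of each verification method.
STAR_WEIGHTS = {
    "mobile_code": 1,          # code by text or call; needs a mobile number
    "email_code": 1,           # code by e-mail; needs a mail address
    "authenticator": 2,        # TOTP app; must be set up by the user
    "security_questions": 1,   # must be set up by the user
}
REQUIRED_STARS = 3
MIN_METHODS = 2   # always at least two distinct factors, whatever the stars

# Methods an administrator can pre-enroll from an existing AD attribute
# (assumed mapping), as opposed to methods only the user can set up.
ATTRIBUTE_BACKED = {"mobile_code": "mobile", "email_code": "mail"}

# Constructed AD-like user records.
USERS = {
    "jsmith": {"mobile": "+1 555 0100", "mail": "jsmith@example.com"},
    "mlee": {"mobile": "", "mail": "mlee@example.com"},
    "kdoe": {"mobile": "", "mail": ""},
}


def stars_for(methods):
    """Total stars earned by a set of completed methods (each counted once)."""
    return sum(STAR_WEIGHTS[m] for m in set(methods))


def satisfies_policy(methods, required=REQUIRED_STARS, min_methods=MIN_METHODS):
    """True when the methods reach the star threshold AND are diverse enough."""
    used = set(methods)
    unknown = used - set(STAR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown verification method(s): {sorted(unknown)}")
    return len(used) >= min_methods and stars_for(used) >= required


def minimal_method_sets(required=REQUIRED_STARS, min_methods=MIN_METHODS):
    """Smallest combinations of methods that satisfy the policy."""
    names = sorted(STAR_WEIGHTS)
    for size in range(1, len(names) + 1):
        found = [combo for combo in combinations(names, size)
                 if satisfies_policy(combo, required, min_methods)]
        if found:
            return found
    return []


def preenrollable_methods(attrs):
    """Methods an admin can enable for this user from populated attributes."""
    return [m for m, attr in ATTRIBUTE_BACKED.items() if attrs.get(attr)]


def enrollment_report(users, required=REQUIRED_STARS, min_methods=MIN_METHODS):
    """Per user: the attribute-backed methods available, and whether those
    alone already satisfy the policy (so no user-led enrollment is needed)."""
    return {u: (preenrollable_methods(a),
                satisfies_policy(preenrollable_methods(a), required, min_methods))
            for u, a in users.items()}


class VerificationSession:
    """Walks a user through the configured methods, accumulating stars."""

    def __init__(self, user, required=REQUIRED_STARS, min_methods=MIN_METHODS):
        self.user, self.required, self.min_methods = user, required, min_methods
        self.completed = []

    def complete(self, method, success):
        """Record the outcome of one method; returns the stars still missing."""
        if success and method in STAR_WEIGHTS and method not in self.completed:
            self.completed.append(method)
        return max(0, self.required - stars_for(self.completed))

    def verified(self):
        return satisfies_policy(self.completed, self.required, self.min_methods)


if __name__ == "__main__":
    print("Minimal method sets:", minimal_method_sets())
    print("Pre-enrollment at 3 stars:", enrollment_report(USERS))
    print("Pre-enrollment at 2 stars:", enrollment_report(USERS, required=2))
    s = VerificationSession("jsmith")
    print("after mobile code:", s.complete("mobile_code", True), "stars missing")
    print("after authenticator:", s.complete("authenticator", True), "stars missing;",
          "verified" if s.verified() else "not verified")
```

Running it shows the trade-off an administrator faces when setting the threshold: with these assumed weights, every three-star combination needs the authenticator app, so no user can be fully pre-enrolled from directory attributes alone; at a two-star threshold, a user with both a mobile number and a mail address is pre-enrollable, while a user missing either attribute still has to complete user-led enrollment. The session object mirrors the two-step walkthrough above, refusing to mark the user verified until both the star count and the two-distinct-methods rule are met.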
Specops uReset mandatory enrollment
Specops provides tools to enforce end-user enrollment in Specops uReset. One of these is the Enrollment reminder mode; organizations can make enrollment mandatory with the option Start unclosable fullscreen browser.
With an unclosable browser window, end-users are required to complete enrollment in uReset before continuing. The setting can then be assigned to all users via an Active Directory Group Policy Object.
Setting the enrollment reminder mode with Specops
Account unlock and password reset activities are incredibly costly to IT helpdesk operations. According to researchers, these activities can add up to over $70 per password reset. Self-Service Password Reset (SSPR) solutions provide the means to allow end-users to perform these activities themselves without involvement from the service desk.
Specops uReset is a robust SSPR solution providing the tools needed for organizations to effectively implement self-service capabilities for end-users to triage their account lockouts and password resets without helpdesk involvement.
Its capabilities include easy onboarding, configurable multi-factor authentication, enrollment enforcement, and geo-blocking, among others.