What a Passwordless Future Looks Like for Federal Agencies

The World Economic Forum reported a rise in cybercriminal activity during the COVID-19 pandemic as more people became dependent on digital infrastructure. Federal agencies are more vulnerable than ever as the systems providing citizen services and holding their data become targets for attack.

Stolen credentials, especially passwords, are still one of the easiest ways for bad actors to access a government system. Stolen credentials are more difficult to flag as a threat and can allow an unauthorized user to access a system undetected for a longer amount of time. Stolen credentials are especially harmful when they provide access to privileged accounts that provide access to an organization’s most sensitive data.

Realizing the gaps created by passwords, many organizations are considering alternatives and the concept of a passwordless future is beginning to seem like the best option for dependable security.

Best practices that better secure agencies in a world that depends on passwords are important steps regardless of how identities are secured. First, agencies must provide strong, consistent messaging and training on identity management, ensuring all employees understand the value of their identities – and the risk of not protecting them.

Second, agencies should reassess the level of access and authentication required for all their users and administrators. Access should only be given to those who need it, when they need it. Any additional users or additional levels of access that are no longer relevant should be audited and removed. That way, agencies can balance the level of organizational risk they are taking in regard to access and authentication.

Privileged accounts should be reviewed and properly managed as those accounts are even more likely to be targets for bad actors. For many agencies, leaders can look to an automated system to flag any unnecessary access in order to lessen the burden on internal IT. Privileged access management (PAM) solutions can automate the auditing process and increase visibility for system administrators. These solutions can flag when passwords are changed, notice any harmful commands, alert on unusual user behavior and more. PAM solutions can often be key to determining the root cause of a breach during or after it occurs.

Finally, if they’re still using passwords, agencies should enable multi-factor authentication (MFA) on their networks. This significantly reduces the risk of misused stolen credentials, which is one of the most popular hacking methods. All remote staff should use MFA, and additional security should be applied to remote admins and IT teams, as they hold even more value to bad actors. Many agencies have implemented some sort of MFA, but should move to strengthen it. The Department of Defense moved from a single-authentication factor to a two-factor authentication approach and is now looking to add additional security to credentials with a constant or continuous evaluation-like process.

These best practices will strengthen an agency’s cybersecurity posture but, as long as the concept of requiring a person to remember a word is a major part of agencies’ security strategies, risks remain. Individuals are asked to have unique passwords for each system, application, merchant and account, remember them and never write them down. Inevitably this leads to overuse of the same password and other risky practices. In today’s world there are many ways to identify a person and prove who they are, or to trust other authenticators, which will enable trust and stronger security and enhance the user experience without compromise.

Instead of passwords, agencies can use behavioral biometrics for identity access and authentication purposes. There are two types of biometrics: physiological and behavioral. Physiological biometrics are well known, based on physical traits like fingerprints or retina scans. Alternatively, behavioral biometrics are based on actions like mouse movement and typing rhythm. These traits are more difficult to imitate and provide continuous authentication of the user.

In addition to providing continuous monitoring, behavioral biometrics can detect abnormal user behavior in real time with reasonable accuracy. Using machine learning to identify a baseline of user behavior, the system can flag when a user deviates from their typical behavior and take immediate action to determine whether to freeze access. Behavioral biometrics and their analytics shorten the time to detect a security incident.
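The baseline-and-deviation idea described above can be sketched for typing rhythm as follows. This is an added example, not code from the article or from any product: it substitutes per-digraph mean and standard deviation for a machine-learning model, and the timing data, the threshold of 3.0 and the `continue` / `step-up` / `insufficient-data` labels are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed enrollment data: inter-key intervals (ms) per digraph, collected
# over several sessions of one hypothetical user.
ENROLLMENT = {
    "th": [92, 88, 95, 90, 91],
    "he": [110, 105, 112, 108, 107],
    "er": [130, 126, 133, 129, 131],
    "in": [101, 99, 104, 98, 102],
}

def build_baseline(samples, min_std=1.0):
    """Per-digraph (mean, std). The std is floored so that a very steady
    typist does not turn ordinary jitter into huge z-scores."""
    return {dg: (mean(v), max(stdev(v), min_std)) for dg, v in samples.items()}

def deviation_score(baseline, session):
    """Mean absolute z-score over digraphs present in both baseline and
    session. Returns None when nothing overlaps: no evidence is not the
    same as normal behavior."""
    zs = []
    for dg, intervals in session.items():
        if dg not in baseline:
            continue
        mu, sd = baseline[dg]
        zs.extend(abs(x - mu) / sd for x in intervals)
    return mean(zs) if zs else None

def evaluate(baseline, session, threshold=3.0):
    """Map a session to an action label (labels and threshold are assumed)."""
    score = deviation_score(baseline, session)
    if score is None:
        return "insufficient-data"
    return "step-up" if score > threshold else "continue"

BASELINE = build_baseline(ENROLLMENT)

# Constructed sessions: one close to the enrolled rhythm, one far from it,
# and one that shares no digraphs with the baseline.
SAME_USER = {"th": [93, 89], "he": [109], "er": [128]}
OTHER_TYPIST = {"th": [140, 150], "he": [160], "in": [70]}
NO_OVERLAP = {"zz": [100]}

if __name__ == "__main__":
    for name, s in [("same", SAME_USER), ("other", OTHER_TYPIST), ("none", NO_OVERLAP)]:
        print(name, deviation_score(BASELINE, s), evaluate(BASELINE, s))
```

The `insufficient-data` branch matters in practice: a session too short to compare against the baseline should fall back to another authenticator rather than pass silently.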

Depending on the nature of the information an agency uses and owns, the necessary layers of security will vary. The more sensitive the data, such as Social Security information, military movements, and classified research and development, the more factors or levels of security are needed, while data sets like weather patterns may not need as comprehensive an approach.

IT teams are often tasked with fixing urgent problems to secure an agency’s network, solving problems manually and reactively instead of proactively. Moving away from passwords will help these teams develop a more proactive posture. Combining consistent messaging to employees, access and authentication practices, auditing and behavioral biometrics creates a strong cybersecurity defense for agencies and will be fundamental to a passwordless future for the government.

Dan Conrad
Dan Conrad is Federal CTO, Field Strategist, and Identity and Access Management Specialist at One Identity. He has been with One Identity/Quest Software since 2007 where his roles have included Systems Consultant and a Solutions Architect for Compliance Solutions. He retired from the USAF in 2004 and returned to government IT as a contractor where his primary focus was Active Directory design, migration, and sustainment. He holds many certifications, the highlights include CISSP, MCITP, and MCSE/MCSA.