STE WILLIAMS

Hackers tiptoe out, launch Silence trojan, quietly raid banks of meeelllions

Cybercrooks are directly attacking banks in multiple countries using a trojan dubbed Silence.

At least 10 financial organisations in multiple regions including Russia, Armenia, and Malaysia have been targeted by the so-called Silence crew in a series of ongoing attacks.

While stealing funds from its victims, Silence uses techniques similar to those of the previously discovered Carbanak crew, according to Kaspersky Lab.

Both groups have a similar modus operandi. After first achieving persistent access to internal banking networks for a long period, the groups then monitor day-to-day activity and examine the details of each separate bank network. Once the time is right, the hackers use this gathered knowledge to steal as much money as possible.

The amount of money already stolen by the group remains unknown but it is conservatively estimated to run into the millions.

Silence bait

Spear-phishing email in Russian [source: Kaspersky Lab blog post]

Silence attacks typically begin with spear phishing emails. These attacks, if successful, result in the planting of a backdoor on a target’s PCs. The Silence crew have put together a twist on this well-worn theme.

“The criminals exploit the infrastructure of already infected financial institutions for new attacks, by sending emails from real employee addresses to a new victim, along with a request to open a bank account,” Kaspersky Lab reports. “Using this trick, criminals make sure the recipient is [not] suspicious of the infection vector.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/02/silence_trojan_bank_hacking_crew/

Will New Ownership Open New Opportunities for Digital Cert Vendors?

Francisco Partners acquires majority stake in Comodo CA; DigiCert completes purchase of Symantec’s SSL cert business.

Two leading certificate authorities this week had changes in ownership of their business.

Private equity firm Francisco Partners acquired a majority stake in Comodo’s digital certificate business for an undisclosed sum while rival DigiCert announced the completion of its previously announced $950 million purchase of Symantec’s troubled CA operations.

Neither development is likely to have much of a direct impact on customers of these businesses in the short term. But for both the companies themselves, the changes present new opportunities at a time when cloud, mobile computing, and the IoT are driving massive demand for digital certificates and related management services.

Comodo currently is the leader in the market for high-assurance SSL certificates. Data published by market research firm w3techs.com shows the company currently holding a 38.7% share of the market for digital certificates that are used to authenticate website identities and to encrypt information on the Web.

The number is marginally lower than the 40% share that Comodo held at the same time last year and about seven percentage points higher than that of its closest rival, IdenTrust, a CA managed by a banking consortium. Comodo says it has issued over 91 million SSL certificates, over 55 million of them this year alone, to some 200,000 organizations in 150 countries.

For Comodo, the acquisition by Francisco Partners will allow the parent company to focus more on new opportunities in the security industry, while the certificate business gets a sharper focus, says Garrett Bekker, an analyst at 451 Research. “I think it makes sense for both sides of Comodo—Comodo CA and the parent company,” he says.

“Comodo CA gets to focus on digital certs and gets financial backing to tackle IoT opportunities, while Comodo parent gets to focus on newer stuff they have around endpoint protection,” Bekker says.

Industry veteran and former Entrust COO, Bill Holtz, who has been hired as the new CEO of Comodo CA says his immediate focus is on turbocharging the digital certificate business with the involvement of Francisco Partners. Melih Abdulhayoglu, founder and CEO of the Comodo Group will remain a board member of Comodo CA and hold a minority stake in the business, Holtz says.

“Moving forward, Comodo CA will be laser-focused on the certificates business, including leveraging our certificate management capabilities to drive innovation in IoT,” Holtz says.

For DigiCert meanwhile, the Symantec CA business will give it a chance to acquire a much larger share of the market. W3tech’s numbers show the company currently holding a 2.2% share compared to Symantec’s 13.1% presence.

But the company faces a massive challenge overcoming issues of trust with the digital certificate business that it acquired from Symantec.


Organizations such as Google and Mozilla have very publicly expressed their misgivings over the manner in which Symantec has handled the digital certificate issuance processes. Google has claimed that an investigation it conducted showed Symantec had issued as many as 30,000 digital certificates over the past few years, without the kind of vetting expected of a certificate authority.

Both Google and Mozilla have said their browsers will soon stop trusting all Symantec-issued certificates and they have insisted that things will remain that way until Symantec moves to a more trusted and verifiable certificate issuing infrastructure.

Symantec’s decision to sell its CA business to DigiCert is designed to address those concerns. But the company still holds a 30% stake in the business. In a statement, DigiCert said it has worked to address the concerns that have been raised by browser makers. The company said it would replace all affected Symantec certificates at no cost and without any disruption for customers as part of a bid to regain trust.

Not everybody is convinced that the moves are enough. “Mozilla’s Root Store Program has taken the position that trust is not automatically transferable between organizations,” Mozilla engineer Gervase Markham said in a blog post this week, referring to the DigiCert and Symantec deal.

“It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A and continuing operations under that CA’s name, essentially unchanged,” Markham said.

Markham said Mozilla would be concerned if the combined entity continued to operate significant portions of Symantec’s old infrastructure, or if Symantec personnel continued to be involved in certificate issuing without proper retraining. Mozilla would also be concerned if Symantec management were to control the CA business after the merger, he said.

Bekker echoes some of the concerns. “I think there is a lot of concern in the industry about how successful DigiCert will be in addressing Symantec’s issues, and legitimate questions about how quickly and effectively a smaller company like DigiCert can fix Symantec’s problems,” he says. “DigiCert will have to do more, since there is so much concern about how customers will be supported in the transition and uncertainty about potential disruptions to business.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/cloud/will-new-ownership-open-new-opportunities-for-digital-cert-vendors/d/d-id/1330302?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Reasons CISOs Should Keep an Open Mind about Cryptocurrency


With untold new markets for Bitcoin and other ‘alt-coins,’ it’s going to be an exciting future — and security leaders need to get ready for it.

Justin Shattuck also contributed to this article. 

In a recent post, our colleague David Holmes answered the hypothetical board question “Are we doing anything with Bitcoin?” by slamming the door on a technological trend that is not only underway but is rapidly expanding. (Heck, Bitcoin itself is “old news” now.)

Still, the question about cryptocurrencies should be on every CISO’s brain. Even if CISOs don’t need to talk to a board or board members, they should be advising CFOs about cryptocurrency. More and more organizations, both in real life and online, are evolving and adapting to accept cryptocurrencies like Bitcoin. Here are answers to five of the most common concerns.

1. Volatility — as Compared to What?
Yes, right now Bitcoin is five times more volatile than gold, but it is relatively new. The concept of Bitcoin was announced in October 2008, and its first open-source release followed in January 2009. The very volatility engendered by Bitcoin’s newness has the potential to produce substantial wealth. More importantly, as cryptocurrency spreads and becomes ingrained into how we do business, we can expect its volatility to dampen. One thing to remember is that Bitcoin has a built-in, transparent mathematical mechanism to limit its inflation (the issuance schedule is fixed in the protocol), whereas other currencies are left to the mercy of governments and the commodities markets. Finally, as with any currency, the value of Bitcoin is largely dependent on what we humans ascribe to it. Cryptocurrency is now recognized as a major player across the globe, so don’t expect it to go away anytime soon. Who knows? In a few years, government-backed currencies could become even more volatile than Bitcoin.

2. Maturity
Yes, cryptocurrencies are new, and legislatures are grappling with how to deal with them. Guess what? So is the Internet and our entire way of living, immersed in an online world. However, unlike most new technology, Bitcoin is secure by design because of math, and mathematics is thousands of years old. Because of its transparent design, researchers have been able to examine and track any potential vulnerabilities in Bitcoin. There aren’t any esoteric control mechanisms driven by politics, like Bretton Woods or T-bills, of the kind we find in “mature” financial systems. Also, the cryptocurrency concept isn’t limited to Bitcoin’s design. Monero (XMR), introduced in 2014 and based on the CryptoNote protocol, differs significantly in its algorithms, which are built around obscuring the transaction details recorded on its blockchain. There will be advances and new directions in this market as it really catches on.

3. The Nation-State
True, there is no nation-state that backs Bitcoin, and that’s a good thing. We have plenty of government-backed currencies, and some of them aren’t doing too well. That’s why cryptocurrencies offer a stable alternative not tied to political machinations. Bitcoin is decentralized and considered largely unregulated in the United States, and so can be insulated from these kinds of shocks. Large exchanges like Coinbase (a digital asset exchange company) are responsible for disclosing users’ coin purchases. Additionally, companies like Coinme, a licensed Bitcoin ATM operator, have been working with legislatures and the Securities and Exchange Commission (SEC) to ensure current and future compliance.

Bitcoin’s code is open source, so anyone with a better idea can have a go at developing a more stable, more useful cryptocurrency. New features are being added to Bitcoin, which is why there are now two forks. The community was divided, and ultimately the community decided which direction to go (Bitcoin vs. Bitcoin Cash). Read that again. The community decided. Not some politician or bureaucratic wonk. The community. Then the community members chose which of the two standards to use. That’s a nice alternative to where we are with the nation-state-based currencies we are stuck with.

4. All Those Flipping Thefts
First off, you cannot “steal” bitcoins the way you steal cash. What you can do is gain control of a wallet (the software holding an owner’s private keys) and sign transactions as that identity. Granted, the Bitcoin value is stolen in such cases, but because every transaction is recorded in the public blockchain ledger, you can easily see where those fraudulent transactions have gone, which is why criminals have created “tumblers” (mixers) to launder their coins. You want to talk about volatility? The biggest launderer of Bitcoins unexpectedly shut down a couple of months ago, and now we have companies set up for the sole purpose of tracking Bitcoin transactions. So, yes, you can steal, but you can’t easily hide.
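The “you can see where the transactions have gone” point is what blockchain-analysis firms operationalise. The Python below is an added example written for this page, not code from the article or from any tracking company: it forward-traces stolen value through a constructed toy ledger (the txids, addresses, amounts and the mixing step are all made up for illustration) using proportional “haircut” tainting, so that a hop through a tumbler dilutes the trail but does not erase it.

```python
# Added example: proportional ("haircut") taint tracing over a constructed ledger.
# Nothing here is a real Bitcoin transaction; txids, addresses and amounts are invented.

# Each entry: (txid, inputs, outputs), with inputs/outputs as lists of (address, btc).
# The ledger is in chronological order, as a blockchain is.
LEDGER = [
    ("tx1", [("victim", 10.0)], [("thief", 10.0)]),                          # key compromise: coins moved
    ("tx2", [("thief", 10.0)], [("mixer_in", 9.9), ("thief_change", 0.1)]),  # handed to a tumbler
    ("tx3", [("mixer_in", 9.9), ("clean_a", 5.0)],                           # tumbler pools with clean coins
            [("mixer_out1", 7.45), ("mixer_out2", 7.45)]),
    ("tx4", [("mixer_out2", 7.45)], [("exchange_deposit", 7.45)]),           # cash-out attempt
    ("tx5", [("bystander", 2.0)], [("shop", 2.0)]),                          # unrelated payment
]


def trace_taint(ledger, stolen_from, stolen_amount):
    """Forward-trace stolen value through the ledger.

    Haircut rule: when a transaction spends tainted and clean inputs together, every
    output inherits the tainted *fraction* of the inputs. A mixer therefore dilutes the
    taint across its outputs but cannot remove it from the transaction graph.
    Returns {address: tainted_btc} for addresses still holding tainted value.
    """
    taint = {stolen_from: float(stolen_amount)}
    for _txid, inputs, outputs in ledger:
        total_in = sum(amt for _, amt in inputs)
        tainted_in = sum(min(taint.get(addr, 0.0), amt) for addr, amt in inputs)
        if total_in == 0 or tainted_in == 0:
            continue
        frac = tainted_in / total_in
        for addr, amt in inputs:  # spent coins no longer hold their taint at the old address
            taint[addr] = max(taint.get(addr, 0.0) - amt, 0.0)
        for addr, amt in outputs:
            taint[addr] = taint.get(addr, 0.0) + amt * frac
    return {addr: v for addr, v in taint.items() if v > 1e-9}


def cashout_alerts(taint, exchange_addresses, threshold=0.01):
    """Addresses on a (hypothetical) exchange deposit watchlist that received tainted value."""
    return sorted(a for a, v in taint.items() if a in exchange_addresses and v >= threshold)


if __name__ == "__main__":
    tainted = trace_taint(LEDGER, "victim", 10.0)
    for addr, btc in sorted(tainted.items()):
        print(f"{addr:18s} {btc:.4f} BTC tainted")
    print("cash-out alerts:", cashout_alerts(tainted, {"exchange_deposit"}))
```

The haircut rule is one of several taint policies (first-in-first-out and “poison” rules are others); it is the one that keeps the total tainted value conserved, which is why the 10 BTC that left the victim still add up to 10 BTC across the thief’s change, the unspent mixer output and the exchange deposit.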

5. Quantum Expiration
Someday, quantum technology will shatter the public-key cryptography used in current blockchains; for Bitcoin that means the elliptic-curve signatures (ECDSA) that prove ownership of coins. This is probably decades off, but once it starts to become a reality, how many Bitcoins do you want to bet that cryptocurrencies will evolve their signature schemes to adapt to the threat? Did we mention that Bitcoin’s code is open source? That means anyone can propose a solution to quantum attacks. Oh, wait: someone already did.

Cryptocurrency is more than Bitcoin
Due to Bitcoin’s popularity, there are now more derived “alt-coins” (coins meant to be alternatives to Bitcoin) than anyone could have imagined. Thanks to Bitcoin’s tremendous success, you can see how everyone wants to be a “whale” and get rich quick off cryptocurrency. Of these alt-coins, a handful have enough significant differences from Bitcoin to be considered viable by their respective communities: Litecoin (LTC), Ethereum (ETH), Dash (originally Darkcoin), Zcash (ZEC), Monero (XMR), Dogecoin (DOGE), Ripple (XRP) … and the list goes on. The reality is, there are more than a handful of coins available for use, and CISOs are going to need knowledge (or at least people around them with knowledge) of what is happening in the crypto-coin space so that organizations can properly advise their financial teams.

Blockchain is More than Cryptocurrency
People are now adopting blockchain itself and the technology behind it, not just the currency. There are untold new markets like contract law, health care, and real estate for blockchain and cryptocurrency to disrupt. It’s going to be an exciting future, and CISOs need to be ready for it.


Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An …

Article source: https://www.darkreading.com/partner-perspectives/f5/5-reasons-cisos-should-keep-an-open-mind-about-cryptocurrency-/a/d-id/1330261?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What Blue Teams Need to Know about Targeted Attacks

A malicious intruder only has to be right once. But defenders must be right 100% of the time.

Unlike in a courtroom, the defense never rests when it comes to enterprise cybersecurity. And for good reason: successful hackers are constantly devising new ways to exploit vulnerabilities in company networks and gain access to critical data, finances, intellectual property, and all sorts of other valuable information. IT security teams can never be comfortable because a malicious intruder only has to be right once, while we on the blue team must be right 100% of the time.

In an increasingly wired world, cybercrime is big business and attacks are always on the rise. According to the Anti-Phishing Working Group, there were more than 1.22 million phishing attacks in 2016, a 65% increase compared to the year before. What’s more, damages caused by ransomware are expected to reach $5 billion by the end of 2017, a 15-fold increase over two years. If your company is unable to respond immediately to phishing, ransomware, and malware threats, business productivity and the bottom line suffer for days or weeks on end.

Unfortunately, even the most comprehensive response means little if too much time passes between a successful intrusion and its detection (the attacker’s dwell time). With enterprises constantly under attack, virtually all security teams employ spam filters, antivirus software, firewalls, and a host of other measures to combat potential threats. Nonetheless, attacks happen, and when they do many companies are ill-equipped to respond adequately.

There are also limits to the employee awareness training that puts staff on guard against the latest dangers that can cripple their devices and spread like a plague throughout the company. Should a user land on a website that “smells phishy” or suspect anything untoward on their device, it’s important for them to proceed with caution and immediately alert others, including managers and IT personnel. But with targeted attacks increasing in frequency and sophistication, there is only so much a basic tools-and-awareness approach can do before an intruder defeats a firm’s perimeter and endpoint defenses and then moves to steal data or spread through the network.


For the security experts and engineers who defend against cyberattacks on the blue team, these threats announce themselves in many forms. Sometimes it’s a server sending encrypted traffic to a known malicious host, or it could be suspicious DNS queries or usernames and passwords sent in the clear. Perhaps most commonly of all, the first signal comes in the form of odd traffic-flow patterns, including flows to and from foreign countries. Upon discovering such instances, organizations need to undertake an immediate investigation that can quickly determine the nature of the threat, and avoid an overly extensive hunt down a non-malicious trail of innocuous alerts and false positives, which can prove quite costly in its own right.
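Those four signals are what a first-pass triage script looks for before a human picks up the case. The Python below is an added example, not code from the article or from Arctic Wolf; it runs over a few constructed connection-log lines (the log format, IP addresses, domain names and the one-entry threat-intel list are all invented for the example) and flags each case the paragraph names: a destination on a threat-intel list, a DGA-looking DNS query, HTTP Basic credentials sent in the clear, and metronomic beaconing from one host to another.

```python
# Added example: first-pass triage over constructed connection logs.
# Format (invented for this example): epoch_seconds,src,dst,dport,proto,info
import math
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_LOG = """\
1509580800,10.0.0.5,203.0.113.10,443,tls,sni=update-cdn.example
1509580860,10.0.0.5,203.0.113.10,443,tls,sni=update-cdn.example
1509580920,10.0.0.5,203.0.113.10,443,tls,sni=update-cdn.example
1509580980,10.0.0.5,203.0.113.10,443,tls,sni=update-cdn.example
1509581040,10.0.0.5,203.0.113.10,443,tls,sni=update-cdn.example
1509580805,10.0.0.7,198.51.100.53,53,dns,q=xk7qp2mzv9wlr4tjb.example
1509580810,10.0.0.7,198.51.100.53,53,dns,q=mail.example
1509580830,10.0.0.9,192.0.2.80,80,http,Authorization: Basic YWxpY2U6aHVudGVyMg==
1509580900,10.0.0.9,192.0.2.45,443,tls,sni=www.example
1509581100,10.0.0.9,192.0.2.45,443,tls,sni=www.example
1509581500,10.0.0.9,192.0.2.45,443,tls,sni=www.example
"""

# Threat-intel indicators: a constructed stand-in for a real feed.
KNOWN_BAD_IPS = {"203.0.113.10"}


def parse(log_text):
    rows = []
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, proto, info = line.split(",", 5)
        rows.append({"ts": int(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto, "info": info})
    return rows


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_like(qname, min_len=12, min_entropy=3.5):
    """Flag a query whose first label is both long and high-entropy."""
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def beaconing(rows, min_hits=4, max_cv=0.1):
    """(src, dst) pairs whose connection intervals are suspiciously regular.

    Uses the coefficient of variation of the gaps between connections; human
    browsing is bursty, malware check-ins run on a timer. min_hits keeps a pair
    with only two or three connections from tripping the rule.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for pair, stamps in sorted(by_pair.items()):
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append(pair)
    return hits


def analyse(log_text):
    """Return a de-duplicated, sorted list of (alert_type, src, detail) tuples."""
    rows = parse(log_text)
    alerts = set()
    for r in rows:
        if r["dst"] in KNOWN_BAD_IPS:
            alerts.add(("ioc_match", r["src"], r["dst"]))
        if r["proto"] == "dns" and r["info"].startswith("q=") and dga_like(r["info"][2:]):
            alerts.add(("suspicious_dns", r["src"], r["info"][2:]))
        if r["proto"] == "http" and "Authorization: Basic" in r["info"]:
            alerts.add(("cleartext_credentials", r["src"], r["dst"]))
    for src, dst in beaconing(rows):
        alerts.add(("beaconing", src, dst))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The thresholds are where the paragraph’s false-positive warning bites: the three connections from 10.0.0.9 to 192.0.2.45 are not flagged because `min_hits` is four, and lowering that or raising `max_cv` trades a few more true beacons for a lot more noise from ordinary update checks. Tune them against a week of known-good traffic before trusting the output.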

Bottom line: even the best security engineers and experts can be helpless without the right security tools and processes at their command. It takes both human and machine intelligence working in combination to adequately defend corporate data, finances, and intellectual property.


Sam McLane leads security engineering at Arctic Wolf, bringing over 20 years of security experience to the team. Prior to joining Arctic Wolf, Sam led product management and other sales functions for Blue Coat Systems’ cloud security services business. Before Blue Coat, Sam …

Article source: https://www.darkreading.com/-what-blue-teams-need-to-know-about-targeted-attacks-/a/d-id/1330284?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Subscription disappointments keep FireEye in the red

FireEye won’t reach profitability this calendar year: it posted a US$72.9 million third-quarter net loss on revenue that grew 1.7 per cent to $189.6 million.

However, the security company was able to announce that whoever breached one of its employees’ accounts in July has been cuffed.

In spite of claims that the company’s networks were compromised, FireEye’s investigations narrowed it down to the single staffer. Accounts breached included that individual’s LinkedIn, Hotmail, and OneDrive.

After a 90-day investigation, an individual was taken into custody by international law enforcement, CEO Kevin Mandia said.

Expressing his frustration at how rarely perpetrators are identified, Mandia said: “I am pleased that, in this case, we were able to impose repercussions for the attacker and achieve a small victory for the good guys.”

Mandia said the arrest was made on Thursday October 26, 2017.

The company has slimmed down its costs both for product and subscription, recording a cost of revenue of $68.2 million for the quarter compared to $69 million for the same quarter last year.

What’s got analysts worried is the company’s forecast for billings, forecast between $210 and $230 million for the fourth quarter, well below the $237 million Reuters says analysts expected.

CFO Frank Verdecanna explained that it turned out some big subscription deals in the pipeline ended up having shorter contract lengths than expected. Its typical subscriptions are between one and three years.

The company is also spending in the vicinity of $20m to get all its staff under one roof in Milpitas, which should be completed in January 2018.

The company’s 2017 full-year forecasts are for revenue to land between $739m and $745m, billings (which Reuters explained refer to recognised revenue plus change in deferred revenue) between $736m and $756m, and a non-GAAP net loss of between $0.16 and $0.19 per share.

FireEye had a red-faced September, retracting a boast that it was protecting famously-breached Equifax. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/02/fireeye_q3_2017/

FBI: Student wrestler grappled grades after choking passwords from PCs using a key logger

A former chemistry student allegedly used keystroke-logging gadgets to steal tutors’ passwords, changed classmates’ grades and downloaded copies of exams ahead of time.

Amateur wrestler Trevor Graves, 22, who studied at the University of Iowa, in the US, was arrested and indicted this month on two hacking charges – each of which could land him up to ten years in the clink if found guilty.

In paperwork submitted to an Iowa district court, FBI agent Jeffrey Huber recounted that in December last year one of the university’s teachers noticed that Graves’ grades had mysteriously improved. The scores were stored in a system called Iowa Courses Online (ICON), and accessing it to edit student records would require passwords only given to teaching assistants and lecturers.

The teacher grew suspicious, and reported the unexplained grade change to the college’s IT staff, who started digging. By January, they had gathered evidence showing students in four classes had had their scores bumped up, and that the login credentials of six teaching staff had been purloined and exploited by some unknown miscreant. The techies called the cops, and issued an alert to staff and students warning them to be on the lookout for hardware key-loggers attached to their computers. It was believed at least one such gadget had been surreptitiously attached to tutors’ PCs, where it secretly recorded typed-in ICON passwords for the campus hacker to use later.

Because Graves’ grades had been altered, he immediately fell under suspicion. In December, FBI agents searched his house while he wasn’t there, and said they found thumb drives, two hardware key-loggers, and four smartphones. One of the thumb drives had a photo of Graves logging into ICON using a professor’s identity, and advanced copies of examination questions, the Feds claimed.

But Graves was not the only person to have their grades suddenly improved: other students had benefitted too. So the FBI concentrated on interviewing these other students, and quickly got results, we’re told.


One student known only as AB was identified from text messages found on one of the phones. In these texts, AB and Graves apparently discussed “pineapple hunting,” which the Feds claim was a codeword for the key-logger. One stated that “pineapple hunter is currently laying (sic) in wait in a classroom already.”

There is, by the way, a wireless hacking tool called Pineapple, which can intercept connections over Wi-Fi. It is possible Graves hid a Pineapple device in a classroom to steal teachers’ usernames and passwords submitted to ICON over the air. However, we note that ICON uses HTTPS for its web interface, making eavesdropping non-trivial but not impossible. In any case, the Feds describe it as a hardware key-logger, the kind you plug in between the keyboard and the PC, but it’s possible a wireless Pineapple was used.

Further conversations between the two discussed changing grades, it is claimed, with Graves warning AB that the grades couldn’t be changed too significantly and that he’d still have to study. Others messaging Graves discussed wedging open classroom doors with pennies to gain access when no one else was around, and the possibility of obtaining exams ahead of time, according to the Feds.

AB was formally interviewed by the FBI in February and apparently admitted that Graves was using a key logger to steal professors’ login details and change their grades. AB said Graves had first discussed the matter back in spring 2015, had adjusted scores in five classes, and had given him the questions for a forthcoming circuits exam, the FBI agent said.

The following month another student, AT, said they met Graves in a design-for-manufacturing class, and that he had indicated he knew what the questions on a forthcoming exam would be, we’re told. The student AT also claimed to have received ten advanced copies of exams and to have helped Graves install the key logger on five occasions.

Based on these particular conversations, and those with other students, the FBI interviewed teaching staff. All were adamant that they had not boosted the grades – indeed many had no rights to do so. In addition some grades were changed from classroom computers they didn’t use.

Graves was arrested last Tuesday in Denver, in his home state of Colorado, was released on bond, and was ordered to turn up for a full court appearance in Iowa this week. The university, meanwhile, told FBI investigators it had cost $67,500 to probe and clear up his alleged actions.

If found guilty, Graves – who joined the college’s wrestling team in 2013 – is unlikely to face serious jail time. Past instances of grade hacking at other schools have generally resulted in a couple of months in the cooler followed by supervised release. Degrees are also usually rescinded, so a guilty party could be paying useless student debts for a long time. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/11/01/iowa_wrestling_student_charged_with_hacking_grades_stealing_exams/

‘Silence’ Trojan Mimics Carbanak to Spy, Steal from Banks

Attackers break into financial organizations and stay there to record employees’ activities, steal data, and use it to steal, similar to the Carbanak group.

A new attack targeting financial institutions is leveraging techniques similar to those used by the Carbanak hacker group, report Kaspersky Lab researchers. The “Silence group,” as it’s being called, deploys the Silence Trojan after spending long periods of time in a target organization.

The goal is not to target the banks’ customers, but the banks themselves, for financial gain.

Silence gains entry into financial businesses by tricking employees with spearphishing emails. Attackers often use email addresses belonging to employees of organizations they previously infected, and ask victims to open an account. Coming from a legitimate address, the message looks unsuspicious; and because it really is sent from the compromised institution’s infrastructure, sender-authentication checks such as SPF and DKIM pass, so the lure has to be caught on its content and attachment rather than on its sender.

Bundled with the email is a malicious attachment; once the victim opens it, it runs a payload that triggers a series of downloads and executes the dropper. The dropper communicates with the command-and-control (C&C) server and downloads and executes malicious modules that monitor victims through screen recording, data upload, credential theft, and remote-control access.

The “monitoring and control” module records the victim by taking multiple screenshots of their active monitor to provide a real-time stream. A “screen activity gathering module” uses the Windows Graphics Device Interface (GDI) and Windows API to capture screen activity, putting together collected bitmaps to create a “pseudo-video stream” of the victim’s activity, researchers explain.

From there, attackers lie in the network long enough to obtain sufficient data to steal money.

The Silence Trojan employs monitoring capabilities similar to those used by the Carbanak group, a cybercrime organization based in Eastern Europe. Carbanak also used spearphishing campaigns to target financial institutions, mostly in Russia with some in Denmark and the United States.

Using a remote Trojan backdoor, Carbanak spied, stole data, and gave remote access to infected machines. Spying gave the group information it needed to steal about $1 billion over two years from 100 different banks in 30 countries. Sergey Lozhkin, Kaspersky Lab security expert, compares the two:

“These operations utilize the following similar technique: they gain persistent access to internal banking networks for a long period, monitor its day-to-day activity, examine the details of each separate bank network and then use that knowledge to steal as much money as possible,” he says.

“One strong similarity to Carbanak is the persistence to understand the victim’s day-to-day activity and obtain enough information for eventual monetary gain.”

Based on the language found during their research of the attack, experts conclude the threat actors behind Silence speak Russian. Most of Silence’s victims have been Russian banks, though it has also infected businesses in Malaysia and Armenia. The attacks are still ongoing.

“The Silence Trojan is a fresh example of cybercriminals shifting from attacks on users to direct attacks on banks,” says Lozhkin in a blog post on the discovery. “We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed.”

This isn’t the first time attackers have used strategies similar to Carbanak’s. In October 2016, Symantec found a group of hackers targeting the SWIFT payments network with an advanced Trojan called Odinaff. The “Odinaff group” attempted to infiltrate several financial services and banking businesses. Some of their tools and infrastructure were similar to those in Carbanak campaigns.

Similar targets aside, the Odinaff group used three command-and-control IP addresses associated with old reported Carbanak campaigns. Experts said the Odinaff attackers could be part of Carbanak, or the two could be loosely affiliated.

“The best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether,” Kaspersky researchers write, highlighting the common flaws of improper system configurations and errors in proprietary applications.

Researchers did not confirm whether the Silence Trojan was created by a spinoff of the Carbanak group, or another group copying its tools and techniques. The discovery also did not imply any direct connections between Carbanak and another threat actor group.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/silence-trojan-mimics-carbanak-to-spy-steal-from-banks/d/d-id/1330301?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Will New Ownership Open New Opportunities For Digital Cert Vendors?

Francisco Partners acquires majority stake in Comodo CA; DigiCert completes purchase of Symantec’s SSL cert business.

Two leading certificate authorities this week had changes in ownership of their business.

Private equity firm Francisco Partners acquired a majority stake in Comodo’s digital certificate business for an undisclosed sum while rival DigiCert announced the completion of its previously announced $950 million purchase of Symantec’s troubled CA operations.

Neither development is likely to have much of a direct impact on customers of these businesses in the short term. But for both the companies themselves, the changes present new opportunities at a time when cloud, mobile computing, and the IoT are driving massive demand for digital certificates and related management services.

Comodo currently is the leader in the market for high-assurance SSL certificates. Data published by market research firm w3techs.com shows the company currently holding a 38.7% share of the market for digital certificates that are used to authenticate website identities and to encrypt information on the Web.

The number is marginally lower than the 40% share that Comodo held last year at the same time and about 7% higher than its closest rival, IdenTrust, a CA managed by a banking consortium. Comodo says it has issued over 91 million SSL certificates—over 55 million of them this year alone—to some 200,000 organizations in 150 countries.

For Comodo, the acquisition by Francisco Partners will allow the parent company to focus more on new opportunities in the security industry, while the certificate business gets a sharper focus, says Garrett Bekker, an analyst at 451 Research. “I think it makes sense for both sides of Comodo—Comodo CA and the parent company,” he says.

“Comodo CA gets to focus on digital certs and gets financial backing to tackle IoT opportunities, while Comodo parent gets to focus on newer stuff they have around endpoint protection,” Bekker says.

Industry veteran and former Entrust COO, Bill Holtz, who has been hired as the new CEO of Comodo CA says his immediate focus is on turbocharging the digital certificate business with the involvement of Francisco Partners. Melih Abdulhayoglu, founder and CEO of the Comodo Group will remain a board member of Comodo CA and hold a minority stake in the business, Holtz says.

“Moving forward, Comodo CA will be laser-focused on the certificates business, including leveraging our certificate management capabilities to drive innovation in IoT,” Holtz says.

For DigiCert meanwhile, the Symantec CA business will give it a chance to acquire a much larger share of the market. W3tech’s numbers show the company currently holding a 2.2% share compared to Symantec’s 13.1% presence.

But the company faces a massive challenge overcoming issues of trust with the digital certificate business that it acquired from Symantec.


Organizations such as Google and Mozilla have very publicly expressed their misgivings over the manner in which Symantec has handled the digital certificate issuance processes. Google has claimed that an investigation it conducted showed Symantec had issued as many as 30,000 digital certificates over the past few years, without the kind of vetting expected of a certificate authority.

Both Google and Mozilla have said their browsers will soon stop trusting all Symantec-issued certificates and they have insisted that things will remain that way until Symantec moves to a more trusted and verifiable certificate issuing infrastructure.

Symantec’s decision to sell its CA business to DigiCert is designed to address those concerns. But the company still holds a 30% stake in the business. In a statement, DigiCert said it has worked to address the concerns that have been raised by browser makers. The company said it would replace all affected Symantec certificates at no cost and without any disruption for customers as part of a bid to regain trust.

Not everybody is convinced that the moves are enough. “Mozilla’s Root Store Program has taken the position that trust is not automatically transferable between organizations,” Mozilla engineer Gervase Markham said in a blog this week, referring to the DigiCert and Symantec deal.

“It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A and continuing operations under that CA’s name, essentially unchanged,” Gervase said.

Gervase said Mozilla would be concerned if the combined entity continued to operate significant portions of Symantec’s old infrastructure, or if Symantec personnel continued to be involved in certificate issuing without proper retraining. Mozilla would also be concerned if Symantec management were to control the CA business in the merger, he said.

Bekker echoes some of the concerns. “I think there is a lot of concern in the industry about how successful DigiCert will be in addressing Symantec’s issues, and legitimate questions about how quickly and effectively a smaller company like DigiCert can fix Symantec’s problems,” he says. “DigiCert will have to do more, since there is so much concern about how customers will be supported in the transition and uncertainty about potential disruptions to business.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/cloud/will-new-ownership-open-new-opportunities-for-digital-cert-vendors/d/d-id/1330302?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Average Employee Manages Nearly 200 Passwords

But single sign-on support is lacking in over 50% of the most popular websites and services used by workers.

Employees use an average of 191 passwords, entering them 154 times in a given month and racking up an estimated 36 minutes of password data entry during that time, according to a report released today.

The Password Exposé report, based on aggregated and anonymized data from over 30,000 LastPass customers, found that other industry reports often underestimate the number of credentials used and put the figure closer to an average of 27 passwords per employee.

In addition to enterprise apps, employees often use dozens of other apps while at work, such as advertising and analytics platform apps as well as demonstration apps, the report notes.

Meanwhile, companies and employees do not get full relief by using single sign-on (SSO) technology.

Although a number of enterprise apps have SSO capabilities, more than 50% of the most popular websites and services, such as Box, MailChimp, and LinkedIn, do not support SSO out of the box, the report states.

As a result, companies are left to put a business password manager in place to ensure all of those websites and services are “captured” and managed by IT policies, says Rachael Stockton, director of product strategy at LastPass.

Password vaults with multifactor authentication are enabled in 26.5% of the companies included in the report, a level that lacks broad enough adoption to offset the problems that enterprises face with passwords, according to the report.

“Multifactor authentication isn’t supported widely enough across Web services, and isn’t adopted frequently enough by businesses, to offset the risks that passwords pose,” Stockton says. “While the business community is moving in the right direction, change is happening too slowly. Until universal coverage with multifactor authentication (or even behavioral or contextual authentication) is available, companies need to invest in strengthening the password-protected services in use across the entire organization.”

Another recent study found that while corporate America’s use of passwords remains prevalent, multifactor authentication is showing some signs of growth in the enterprise. Javelin Strategy & Research’s 2017 State of Authentication Report found 100% of enterprises continue to use passwords, despite industry calls to ditch them altogether or at least bolster security through a combination of passwords and other measures, such as biometrics and public key infrastructure.

Password vaults also grow exponentially, the study found. The average employee starts with 20 credentials in their password vault and within three months that number doubles, according to the report. LastPass, in a report from last year, found that 91% of users were aware of the risks of reusing passwords, yet 61% continued with the practice.

Business and Personal Password Use Intermingled

Roughly half of the top 36 popular websites that employees access for work are consumer solutions, such as Dropbox, Google, and Evernote, the report states. But the owners of these accounts are likely the employees, even though sensitive work-related data is likely stored on these accounts.

“The line between ‘business’ and ‘personal’ apps is a blurry one. People are often using personal accounts in the workplace, and may even be doing work or sharing work data in those personal accounts,” says Stockton.

The report also points to a recent Ovum study that found 23% of workers will use their social media credentials to log in to business systems and applications, as well.

“It was very surprising to learn that businesses were allowing access to their data through sites protected only by personal passwords that they have no control over,” Stockton adds.

In citing the problems with this practice, Stockton says the first one is control. When an organization allows an employee to log in via Facebook, it leaves all password policy controls, such as two-factor authentication, password rotation, and minimum length, to the end user, which raises the risk that a weak password is protecting access to critical business data, she says.

The second risk, Stockton observes, is that social media credentials are often reused and not very secure.

“If one social media website has a security incident, there’s increased risk that attackers will find re-used credentials to access corporate accounts,” she says. “You are basically outsourcing the password security for your company to another website.”
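The reuse risk Stockton describes is easy to measure from a password manager’s own export. The following is an added example, not LastPass code or anything from the report: given a constructed vault export (site, user, password), it groups entries by a hash of the secret so the audit output never carries plaintext, reports how many distinct passwords back how many accounts, and computes the “blast radius” of a single site breach, i.e. every other account that shares that site’s password. The site names and entries are invented for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault export for illustration only (not real data).
# One password is shared across a consumer social site and two work systems,
# which is exactly the pattern the article warns about.
SAMPLE_VAULT = [
    {"site": "social.example",   "user": "alice", "password": "Spring2017!"},
    {"site": "crm.example.com",  "user": "alice", "password": "Spring2017!"},
    {"site": "mail.example.com", "user": "alice", "password": "Spring2017!"},
    {"site": "hr.example.com",   "user": "alice", "password": "k3#Qv!unique-one"},
    {"site": "files.example",    "user": "alice", "password": "zP8$m^unique-two"},
]


def fingerprint(password):
    """Short SHA-256 digest so the report can compare secrets without storing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def reuse_report(vault):
    """Group vault entries by password fingerprint and summarise reuse."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])
    reused = {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}
    return {
        "entries": len(vault),
        "distinct_passwords": len(groups),
        "reused_groups": reused,          # fingerprint -> sites sharing it
        "accounts_at_risk": sum(len(s) for s in reused.values()),
    }


def blast_radius(vault, compromised_site):
    """Other sites whose password matches the one used at compromised_site.

    This models the scenario in the quote: a breach at one (often consumer)
    site exposes every corporate account that reused the same credential.
    """
    leaked = {fingerprint(e["password"]) for e in vault if e["site"] == compromised_site}
    return sorted({
        e["site"] for e in vault
        if fingerprint(e["password"]) in leaked and e["site"] != compromised_site
    })


if __name__ == "__main__":
    report = reuse_report(SAMPLE_VAULT)
    print(f"{report['entries']} accounts use {report['distinct_passwords']} distinct passwords; "
          f"{report['accounts_at_risk']} accounts share a password with another")
    print("If social.example is breached, also at risk:", blast_radius(SAMPLE_VAULT, "social.example"))
```

Run against a real export, the `reused_groups` map is what a policy would act on (force rotation on every site in a group), and `blast_radius` answers the question an incident responder asks first after a third-party breach notice: which internal accounts must be reset now.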


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/endpoint/average-employee-manages-nearly-200-passwords/d/d-id/1330304?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Now anyone can fool reCAPTCHA

Researchers have created an automated system to solve Google’s reCAPTCHA auditory challenges.

Again.

Poor, poor prove-you’re-a-human reCAPTCHA tests – also known as Completely Automated Procedures for Telling Computers and Humans Apart – they get no respect!

The point of reCAPTCHA challenges is to act as a gate that lets humans through but stops or slows down bots (software robots), so a bot that can solve a CAPTCHA automatically defeats the whole object of reCAPTCHA. And yet, that’s precisely what keeps happening. There are three kinds, and they’ve all been automatically kicked over by researchers:

  1. Image Challenge: when Google makes you select related images from a set.
  2. Audio Challenge: when you need to enter numbers that are read out loud.
  3. Text Challenge: when you need to pick all the phrases that match a given category.

No. 1, the image challenge, was gamed last year when researchers used Google’s own massive image search database in reverse, finding words to match an image, rather than images to match a word, to help them find images in a reCAPTCHA set that shared a particular characteristic.

Then, the audio challenge purportedly fell for the first time in March, stumbling on one of Google’s own services: this time, it was Google’s speech recognition API.

A security researcher identifying him-/herself only as East-Ee Security claimed to have discovered what they called a “logic vulnerability” that allowed for easy bypass of Google’s ReCaptcha v2 anywhere on the web.

Now, we have another auditory CAPTCHA smackdown: University of Maryland researchers say they’ve created what they’re calling unCaptcha: an automated system to solve auditory challenges with a success rate of about 85%.

It isn’t the first defeat for audio reCAPTCHA; instead, unCaptcha is designed to prove that beating Google’s bot challenge is practical and cheap:

unCaptcha combines free, public, online speech-to-text engines with a novel phonetic mapping technique, demonstrating that it requires minimal resources to mount a large-scale successful attack on the reCaptcha system.

The system starts by slicing up an audio challenge and sending each piece to multiple online speech-to-text services. The answers from each service are treated as votes for the right answer, with votes weighted according to the phonetic similarity of different words, and each service’s typical accuracy. The final answer is assembled from the winning slices.

For more details, check out the code on GitHub and the researchers’ paper (PDF), titled unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge.

As the University of Maryland researchers note, reCAPTCHA doesn’t just challenge our kitten-image, spoken-word or garbly text recognition. It also observes our subtle signs of humanity: say, how we type, how we move a mouse, and so on. Sometimes, those subtle clues aren’t enough for reCAPTCHA to discern whether we’re human, and that’s when the picture grids pop up.

Likewise, users who are visually impaired can keep hitting reload until they’re presented with a microphone to get the audio challenge instead. Mobile users are presented with a grid of images and instructed to select those that match a given challenge word.

The tracking of subtle clues such as mouse movements has been around since 2013, when Google revealed what it called its Advanced Risk Analysis backend for reCAPTCHA.

CAPTCHA challenges aren’t the be-all and end-all: rather, they’re meant as a stumbling block, to slow down bots as much as possible.

Whether they’re capable of being automatically defeated or not hopefully won’t mean too much, if Google has its way. It’s been working on Invisible reCAPTCHA: a free service that uses its advanced risk analysis technology, combined with machine learning, to separate humans from bots. That means no more need for us to click on anything at all.

Google made Invisible reCAPTCHA available for website developers in March 2017. It has given no details on how it works, but Google said in June 2017 that “millions” of users have passed through with zero clicks every day.

It didn’t say how many bots had passed through.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kys-jQPNteo/