Category Archives: technical controls

How does the human immune system relate to cybersecurity?

Sanjay Aurora wrote an interesting blog post about using the immune system as an analogy to inspire CISOs to rethink how we do cyber security:

By understanding and continuously refining our grasp on what is inside us — the “self” and what is “normal” — the human body can detect abnormalities and respond in real-time to anything it identifies as a threat.

…We do not expect our skin to protect us from viruses — so we should not expect a firewall to stop advanced cyber threats which, in many cases, originate from the inside in the first place.

…Enterprises that have been successful in mitigating threats have acknowledged that security professionals cannot be expected to do all the heavy lifting. It is impossible to manually track and secure every part of an organisation’s network. Hence, they have turned to unsupervised machine-learning technology that mirrors the mechanism of the human immune system, allowing them to eliminate more than 18,000 serious early-stage threats globally in the past two years.

Aurora addresses two types of threats that a cyber security immune system must be able to identify: trust attacks and insider threats:

Today’s most savvy attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target — data integrity… attackers will use their ability to hack information systems not to just make a quick buck, but to cause long-term, reputational damage to individuals or groups by eroding trust in data itself.

Let’s not forget the potential impact of these “Trust Attacks”:

The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks, as critical data repositories are altered and public distrust in national institutions rises. Local firms will not be immune from such attacks, especially as they digitise and consequently become more reliant on online data.

The threats within are:

…often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to the information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber attack.

But insider threats are not just staff with chips on their shoulders. Non-malicious insiders are just as much of a vulnerability as deliberate saboteurs. How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents on less secure public file hosting services?

The Takeaways from Aurora are:

  1. Gain more visibility into internal systems instead of reinforcing the network perimeter (i.e., the skin)
  2. Acknowledge that you are going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials
  3. Have an answer to the following question: How do you stop an attacker already inside your network, before it escalates into a crisis?
  4. Begin researching and investing in technology that leverages unsupervised machine-learning.


Why am I forced to change my password on a regular basis?

I get asked various questions throughout the day about safety, compliance, policies, technologies, etc. Below is my detailed response to the question: why do we need to change our passwords on a regular basis?

Why do we change passwords on a regular basis?

  1. It is required by regulations and standards
  2. It mitigates the problems that would occur if an attacker acquired the protected (i.e., “hashed”) passwords from a system. Ideally, the password would be set to expire before the attacker could actually “brute force” the password from its protection and use it. That is, the protection around the password is strong enough to hold off the brute force attack for 90 days (for example). This is becoming more challenging as computers grow more powerful.
  3. Passwords are often stolen (e.g. via phishing) without the knowledge of the victim and not used immediately. These passwords are sold to organized crime. A password change will prevent the use of it by a thief.
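The “expire before it can be brute-forced” reasoning in point 2 can be made concrete with a small model. This is an added example, not part of the original post: it assumes an offline attacker with a constructed guess rate of 10^10 guesses per second (real rates depend on the hash algorithm and hardware) and asks what minimum length outlasts a given expiration window, which is the same kind of calculation behind the 14-character figure in the takeaways below.

```python
import string

# Constructed assumption for this example: the attacker has the hash file and
# can test this many guesses per second. Slow hashes (bcrypt, scrypt, Argon2)
# push this figure down by orders of magnitude; unsalted MD5 pushes it up.
DEFAULT_GUESS_RATE = 1e10
SECONDS_PER_DAY = 86_400


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search has to cover for this password.

    Only the character classes actually present count: 'password' is searched
    over 26 symbols, 'B@dpassword1' over all 95 printable ASCII characters
    (26 lower + 26 upper + 10 digits + 33 symbols including space).
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def average_crack_days(length: int, alphabet: int,
                       rate: float = DEFAULT_GUESS_RATE) -> float:
    """Expected days to recover a random password by exhaustive search.

    On average the attacker succeeds half way through the keyspace, so the
    estimate uses keyspace / 2 rather than the full keyspace.
    """
    keyspace = alphabet ** length
    return keyspace / 2 / rate / SECONDS_PER_DAY


def survives_expiry(length: int, alphabet: int, expiry_days: int,
                    rate: float = DEFAULT_GUESS_RATE) -> bool:
    """True if the password is expected to be rotated before it is cracked."""
    return average_crack_days(length, alphabet, rate) > expiry_days


def min_length_for_window(alphabet: int, expiry_days: int,
                          rate: float = DEFAULT_GUESS_RATE) -> int:
    """Smallest length whose expected crack time outlasts the expiry window."""
    length = 1
    while not survives_expiry(length, alphabet, expiry_days, rate):
        length += 1
    return length
```

With these assumptions a 90-day window needs 9 characters drawn from all 95 printable characters but 13 if the user only uses lowercase letters, which is why the takeaway couples a longer expiration with a longer minimum length.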

What are healthcare companies doing?

  1. Below are the results from an informal and non-scientific survey posted to the “National Health Infrastructure Information Sharing & Analysis Center” email distribution list in September 2016.
  2. Question asked: How often are people resetting passwords?
  3. Results (number of responses for each reset interval):
    • 30 days – 1
    • 60 days – 2
    • 90 days – 10
    • 120 days – 2
    • 365 days – 2

What is some recent research on mandatory password expiration?

  1. Both the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST) have published papers/blog postings on requiring individuals to change their passwords on a regular basis. The FTC blog posting references specific studies from various universities.

What are some key points from the NIST posting?

  1. Routine password expiration/changes are “out.” Expiration encourages the choice of less complex and/or multiple-use passwords (e.g., using the same password for your Gmail and work network login). Password changes should only occur if there is evidence of compromise.
  2. Longer passwords are “in” (e.g., 8-character minimum, with a maximum of at least 64 characters allowed).
  3. Disallowing known weak/bad passwords is “in” (e.g., P@ssw0rd).

What are some key points from the FTC blog posting?

  1. Individuals who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily (e.g., “B@dpassword1” becomes “B@dpassword2”).
  2. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.
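The NIST and FTC points above (minimum length, a generous maximum, a known-weak list, and rejecting the “B@dpassword1 → B@dpassword2” style of rotation) translate into a password-change check like the following. This is an added example, not code from either publication: the known-weak list is a constructed handful of entries standing in for a real breach-corpus list, and the 0.8 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed sample of a "known bad" list; a deployment would load a large
# breach-corpus list. Entries are stored lowercase.
KNOWN_WEAK = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8        # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128      # NIST says allow at least 64; 128 is this example's cap
SIMILARITY_LIMIT = 0.8  # assumption: ratio at or above this is "too similar"


def normalize(password: str) -> str:
    """Lowercase and strip any trailing digits/symbols.

    'B@dpassword1' and 'B@dpassword2' both collapse to 'b@dpassword', which is
    exactly the predictable counter bump the FTC post describes.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_known_weak(password: str) -> bool:
    """Match the list directly and after stripping a trailing counter."""
    return password.lower() in KNOWN_WEAK or normalize(password) in KNOWN_WEAK


def is_predictable_change(old: str, new: str) -> bool:
    """Flag rotations that only bump a counter or tweak a character or two."""
    if normalize(old) == normalize(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(new) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_known_weak(new):
        problems.append("appears on the known-weak list")
    if old is not None and is_predictable_change(old, new):
        problems.append("predictable variation of the previous password")
    return problems
```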

Where can I find more information?

I used the resources below to help with my response to your great question.

  1. http://www.slideshare.net/jim_fenton/toward-better-password-requirements
  2. https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
  3. http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2015-10/oct23_choong_password.pdf
  4. https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
  5. https://pages.nist.gov/800-63-3/

The Takeaways:

  1. Each organization needs to critically evaluate all of its current administrative policies related to password management. Each company needs to weigh the costs and benefits of password expiration and consider other changes. For example, a company may extend the password expiration time from 90 days to 180 days (or longer), but require longer passwords/passphrases. Based on the work of one researcher, the length would have to be at least 14 characters to withstand a brute force attack.
  2. Periodic password changes will continue to be used at several organizations for several reasons:
    • Several regulations and standards still require periodic changes of passwords. For example, the Payment Card Industry Data Security Standard (version 3.1) requires passwords to be changed every 90 days. HIPAA only states that passwords need periodic change cycles. The Health Information Trust Alliance’s Common Security Framework (version 8.0, a framework of security controls for healthcare companies) requires passwords to be changed every 90 days.
    • Several applications do not support long passwords, so forced password resets would still be needed.