Password failure is responsible for the vast majority of data breaches today. Low-tech phishing attacks and low-effort, high-value password spraying attacks are effective and on the rise. With the continued digitization of modern society, increased work-from-home opportunities and cascade effect of attacks on critical suppliers, cybercriminals have boundless opportunities to exploit single points of failure caused by improper and insecure password use.
Targeting supply chains has bigger impacts and far-reaching effects
Hackers increasingly target supplier and logistics companies in order to maximize the impact of an attack. These types of attacks yield high rewards for attackers. Managed services providers with delegated admin access by upstream customers or with high-visibility downstream exposure yield optimal outcomes for persistent password spray efforts. This was the appeal of SolarWinds, which had a known list of high-value clients.
Attacks on supply chain companies appeal for similar reasons. Consider the attacks on Colonial Pipeline’s East Coast fuel distribution and North American meat supplier JBS this year. In these incidents, hackers identified high value IT systems, targeted accessing them through the easiest method possible (a compromised or weak password), then escalated access once inside.
Even without the security concerns, integrated global supply chains and vendor-reliant businesses are houses of cards that can come down with one well-poised attack. The risk appetite for disruptions is quickly disappearing.
Humans are the weakest link
Cloud computing appeals to businesses because it provides efficiencies through Infrastructure as a Service, Platform as a Service and Software as a Service. In a pure cloud environment, one in which systems are accessed through the internet by username and password, a single point of failure leads to major disruptions. Despite single sign-on integrations, multi-factor authentication and complexity requirements, passwords are responsible for a vast majority of data breaches today.
Employees are, quite simply, the weakest link in cybersecurity. Most people acknowledge cybersecurity is important but fail to follow through with their actions. According to Digital Guardian research, 11% of people use the same password on every account in their name. In fact, people are least likely to change work passwords as compared to passwords used for much lower-stakes or personal activities. Additionally, people fail to change passwords even when notified of a breach; they are much more likely to do so if they simply forget the password.
Governance and training practices exist but make little impact. Human behavior is incredibly difficult for security practitioners to overcome because people tend to value access over security. Weak and reused passwords are precisely what make simple attack methods like password spraying so effective, especially when aimed at users with access to a prime target.
Reduce exposure through integrated decentralization and ZKPP
Passwords are symmetric-key cryptography. They often become the single point of security failure because people create workarounds to required complexities that reduce access. Additionally, symmetric-key cryptography doesn’t support highly distributed cloud infrastructure and IoT very well. Storing data and digital assets in a distributed ledger in combination with zero knowledge password proof (ZKPP) can immediately improve cybersecurity across a business and ecosystem of vendors and users.
Zero knowledge password proof and zero knowledge proof (ZKP), strictly speaking, are different, though the latter is derived from the former. ZKP means one party (the prover) can prove to another party (the verifier) that a given statement is true without conveying any information apart from the fact that the statement is indeed true. ZKPP is more narrowly defined as “an interactive zero knowledge proof of knowledge of password-derived data shared between a prover and the corresponding verifier.”
The origins of ZKP date back to the 1980s, when MIT researchers sought to identify a “zero knowledge” method of information exchange between two parties. The zero knowledge proof theory ultimately came to fruition in modern cryptography. As it relates to blockchain, decentralized technology uses two types of cryptographic algorithms: asymmetric-key algorithms and hash functions. The asymmetric key algorithms make ZKPP fairly simple to implement within web3 solutions because the method is native to cryptography.
Cybersecurity for the future
Businesses serious about cybersecurity should stop doing the same thing and expecting different results. Human behavior has proven difficult, if not impossible, to modify. So long as employees are entrusted with self-encrypting, data remains at risk. For a digitally interconnected world with increasing demands to migrate to the cloud, implementing ZKPP for critical systems access may be the only realistic way to reduce the risk of compromise to high value databases and systems.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.