Over 67% of ransomware attacks against MSPs were carried out through social engineering.
Such attacks – now profoundly commonplace – often compromise an IT provider’s entire client list, leading to the reputation and financial damages that managed service providers are now all-too familiar with.
Cybersecurity has become just as much about peace-of-mind as it is about protection…both for the end-users and the IT providers themselves. But one of the paradoxes of this challenge is that complete security requires buy-in from each individual end-user. As an MSP, what are you to do in a world where 82% of workers admit to using weak passwords, and that’s enough to bring down your entire IT business?
We’ll explore that answer, but first let’s begin by looking at the general idea of a security stack.
The Big Picture
Cybersecurity requires a multitude of methods and tools to effectively protect data and networks. There are many entry points and attack surfaces in the average IT landscape. To minimize the chance of intrusion, different solutions must be applied to these disparate vulnerabilities.
Think of it like securing a physical office. Though the main point of entry for employees and visitors is the front door, there are also windows, service entrances, air vents, and skylights. Just having strong deadbolts on the door isn’t enough to keep out a persistent intruder.
Knowing this, one might install window bars, glass break detectors, motion sensors, and even 24/7 monitored cameras throughout the office. This is a layered approach, sealing off as many vulnerabilities as possible and even providing “eyes on” the premises around the clock.
Cybersecurity has a similar toolbox of entry-denial, alerting, and monitoring solutions. Security stacks combine all these tools. A typical security stack might include:
- Endpoint Detection & Response (EDR)
- Managed Detection & Response (MDR)
- DNS filtering
- Data backup/recovery
- Email protection
- Data encryption
- Data access control
- 24/7 Security Operations Center (SOC) monitoring
- Security awareness training
As you can imagine, each security stack is unique, as they are usually purpose-built for a particular IT landscape. With that in mind, most stacks have specific tools in place to address specific weaknesses; for example, awareness training to combat phishing and ransomware. One tool that’s finding its way into more and more security stacks is password management.
Password Managers for the Security Stack
Within the security industry, password complexity and strength is a common topic of discussion. Although it seems simple enough, it is often difficult for end users to embrace the idea of password hygiene.
It is theoretically possible to teach password hygiene to end users or IT clients, but history shows that the hassle and complexity of observing password best practices means that very few will actually embrace the training.
A password manager solves this issue by providing a secure, convenient way to handle this important spoke on the cybersecurity wheel. By creating and remembering usernames and passwords for the users, the burden of maintaining strong passwords and memorizing dozens of credentials is lifted.
It’s far easier for folks to follow password hygiene best practices when all they need to remember is a single password to unlock the password manager.
Which leads to one point of confusion that many encounter when considering password managers. If everything is now locked under one password, doesn’t that make it easier to be hacked?
Security experts agree that password managers are safe. In fact, they’re much safer than not using one and relying on easily-memorized weak passwords.
Complex Passwords Made Simple
The primary reason is that password managers encourage and facilitate good password hygiene across the board. Every individual login credential can be made incredibly complex. And since the only password that the user needs to remember is the master password, they can devote 100% of their brainpower to memorizing a single, highly-complex password.
After all, it’s important to draw the right comparisons. For instance, if a user is responsible for maintaining 100 passwords for 100 different accounts, there is a very good chance that most of the passwords are the same. In effect, they already are using one password to secure much of their online presence…by reusing it dozens of times. Password managers eliminate this issue by making it easy to create unique passwords for every single login. Now there’s a single password to remember, but it can be much more complex, and additionally protected by 2FA.
Some worry that the password manager itself might become hacked. This has become less of a concern due to the widespread use of advanced encryption among password managers.
Additionally, all leading password managers use a technique called “zero knowledge,” meaning that although the password manager knows your passwords, the company that makes the manager doesn’t.
Shoring Up the Weakest Security Link
Recently, the 2020 Verizon Data Breach Investigations Report disclosed that at least 81% of data breaches leveraged stolen or weak passwords.
Cybersecurity experts agree that passwords are one of the most common vulnerabilities being exploited. Penetration testers and bad actors alike love to exploit weak passwords. Most mass email phishing campaigns have the sole objective of harvesting credentials from users because they unlock so much nefarious potential.
Nevertheless, even passwords that aren’t leaked, phished, or spotted on a post-it note can be bypassed. Brute force and hash cracking attempts can make short work of weak passwords.
Using Brute Force
Some brute force attacks simply involve guessing passwords, usually from a known list of previously-used passwords, common passwords, or permutations of past passwords. (This is why changing your password by adding a number to the end doesn’t do much good.)
Attempts to crack the password hash are a little more involved as they require the intruder gain access hashed credentials.
There are, of course, ways to obtain these hashed credentials including intercepting a WPA Wi-Fi handshake, swiping passwords stored in a local database, or capturing Windows domain credentials as they travel through a network.
Unfortunately, once the hashed credentials are obtained, cracking them is usually only a matter of time. Special software is used to make millions of guesses per minute, and new advances in machine learning are being applied to make this process even faster.
The difficulty and time required to crack hashes is an exponential increase as the character length of passwords increments. Currently, cracking hashes of passwords six characters or less is nearly instantaneous. Cracking seven-character passwords takes less than five minutes. However, a nine-character password takes around 24 days.
On the other hand, once a password of sufficient complexity reaches 10 characters or more, it becomes nearly uncrackable with current technology. Users must create and remember such passwords to minimize the risk of a malicious hacker brute forcing right through.
Making Security Easy for Users and Clients
It’s not easy for end users to memorize high-strength 10+ character passwords, much less dozens of unique passwords like this. Furthermore, password managers give IT professionals the means to make password hygiene accessible to everyone. With the manager generating and storing individual login credentials, the user need only create (or generate) and memorize one secure password.
When they sign into a site, they only need that one master password. This makes it far easier for the user to create one password that’s sufficiently lengthy and strong. Enabling two-factor authentication in the password manager app adds even more protection.
Password Managers are Essential
As with everything in security, there is no single tool or solution that will protect you and your organization from cyberattacks. Furthermore, to provide the best defense, security must to layered, configured, and utilized properly.
Part of this layering process is identifying and mitigating authentication policy weaknesses and removing the human element — the most common chink in the armor — as much as possible. Password management software helps with this objective by hardening authentication and taking the majority of the password hygiene burden off the shoulders of the end user.
In conclusion, the future of entire organizations (and your MSP) can fall on the shoulders of a single end user. Users are likely to be exploited if their password habits aren’t up to par. This is precisely why password managers are an essential tool for everyone’s sense of security, especially your own.
Consider Password Boss
- MSP Management Portal
- Integration with Many MSP Tools
- Role Based Access
- Two Factor Authentication
- Secure Password Sharing
- Built-In Dark Web Feature
- AES-256 and PBKDF2 Security
- Remote Control Integration
- A High Margin, Profitable Option for MSPs
Want to learn more? Check out our other blogs:
5 Things Every MSP Needs to Know About Password Management.