By Morey Haber, CTO & CISO at BeyondTrust
Are you a recycler?
Over the years, we’ve learned some difficult lessons about recycling. Having “disposable” everything, while convenient, is not good for the environment, the economy, or posterity. We all need to learn how to correctly recycle, reuse, repurpose, and dispose of material items.
The important word in the previous paragraph is “material.” Some non-material items should never be recycled, especially where security is concerned. If you recycle passwords and accounts, you are a “security recycler,” and that habit creates unnecessary risk and exposes you to avoidable threats.
Password Cycling versus Password Recycling
If you feel the term “security recycler” is a manufactured catchphrase, you are partially correct. Nonetheless, non-material items like passwords do carry a cost when they are recycled.
Password cycling is a synonym for password rotation, an IT security best practice for privileged credentials, provided that each rotation sets a password that has never been used before. Password recycling, the re-use of a credential that was previously used on the same account or on any other account, introduces a quantifiable risk and is a security no-no.
Selecting unique, never-before-used passwords provides far better security, and the only cost is the time, tools, and processes needed to actually change them. Nothing material is thrown away, even when you use one-time passwords (OTPs). Passwords, and the accounts they protect, should be unique every single time they are rotated or changed.
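To make the distinction between rotation and recycling concrete, here is an added example (not code from BeyondTrust or from this article) of a small, hypothetical in-memory vault. It rotates each account to a freshly generated password and refuses three forms of recycling: setting the account’s current password again, re-using a password from that account’s history, and re-using a password that is currently in use by a different account. The `index_key`, the account names and the history depth are assumptions chosen for the illustration; a real vault would encrypt the passwords at rest and keep the index key in a protected secret store.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional

# Hypothetical vault for illustration only; not BeyondTrust Password Safe.
# Generated passwords draw from this alphabet (assumption: 32 chars is enough).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


class PasswordVault:
    """Rotates privileged passwords and refuses every form of password recycling."""

    def __init__(self, index_key: bytes, history_depth: int = 24):
        self._index_key = index_key           # secret used to key the fingerprint index
        self._history_depth = history_depth   # how many prior passwords per account to remember
        self._current: Dict[str, str] = {}    # account -> current password
        self._history: Dict[str, List[str]] = {}  # account -> fingerprints of prior passwords
        self._in_use: Dict[str, str] = {}     # fingerprint -> account currently using it

    def _fingerprint(self, password: str) -> str:
        # Keyed HMAC: the index alone does not let someone who steals it crack
        # the passwords without the key. Vault-generated passwords are high
        # entropy, so a fast keyed hash is acceptable here; user-chosen
        # passwords would warrant a slow salted KDF instead.
        return hmac.new(self._index_key, password.encode(), hashlib.sha256).hexdigest()

    def generate(self, length: int = 32) -> str:
        """Produce a new random password using the OS CSPRNG."""
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def is_recycled(self, account: str, password: str) -> Optional[str]:
        """Return the reason a password counts as recycled, or None if it is unique."""
        fp = self._fingerprint(password)
        current = self._current.get(account)
        if current is not None and hmac.compare_digest(self._fingerprint(current), fp):
            return "same as current password"
        if fp in self._history.get(account, []):
            return "reused from this account's history"
        owner = self._in_use.get(fp)
        if owner is not None and owner != account:
            return f"already in use by {owner}"
        return None

    def rotate(self, account: str, password: Optional[str] = None) -> str:
        """Set a new password for the account, generating one if none is supplied."""
        candidate = password if password is not None else self.generate()
        reason = self.is_recycled(account, candidate)
        if reason is not None:
            raise ValueError(f"refusing rotation for {account}: {reason}")
        fp = self._fingerprint(candidate)
        old = self._current.get(account)
        if old is not None:
            # Retire the old password: drop it from the in-use index and
            # remember its fingerprint so it can never come back on this account.
            old_fp = self._fingerprint(old)
            self._in_use.pop(old_fp, None)
            hist = self._history.setdefault(account, [])
            hist.append(old_fp)
            if len(hist) > self._history_depth:
                del hist[: len(hist) - self._history_depth]
        self._current[account] = candidate
        self._in_use[fp] = account
        return candidate


if __name__ == "__main__":
    # Constructed sample accounts; the key below is a placeholder, not a real secret.
    vault = PasswordVault(index_key=b"example-index-key")
    first = vault.rotate("svc-db")       # first rotation: fresh unique password
    second = vault.rotate("svc-db")      # second rotation: another unique password
    print("history check:", vault.is_recycled("svc-db", first))
    print("cross-account check:", vault.is_recycled("svc-web", second))
    try:
        vault.rotate("svc-web", second)  # attempt to recycle svc-db's password on svc-web
    except ValueError as exc:
        print(exc)
```

The cross-account check is the one most teams forget: a password history per account stops a credential from coming back on the same account, but only a vault-wide index catches the same password being set on two different systems, which is exactly what enables password re-use attacks and lateral movement.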
In the realm of information technology and cybersecurity, we recycle all the time. We recycle hardware, software licenses, as well as often overlooked items, like data storage and basic disk space. This recycling is all done in the name of efficiency and cost-effectiveness. However, some items should never be recycled.
Make a Plan, and Eliminate Password Recycling While Enforcing Password Security Best Practices
Fortunately, there are tools that can help organizations avoid recycling passwords and accounts. Products like BeyondTrust Password Safe are designed to manage accounts and passwords and place your “crown jewels”—privileged accounts—under management. This means that an account’s name, password, and usage are all governed by an automated, scalable solution, and the account can be checked in and checked out, with every session documented. In addition, passwords can be rotated automatically so that password recycling never occurs and every system, account, and resource has a unique password. This protects against password re-use attacks, impedes lateral movement, and substantially reduces your organization’s attack surface.
Session management tools are included as well, recording RDP and SSH sessions when these accounts are used. This lets you determine whether the account and password were used appropriately, which is a measurable benefit when meeting auditing and compliance standards.
The concepts of recycling in the material world help improve sustainability across our planet. Recycling of security technology can be cost-effective so long as we can ensure that the threats from previous usage are mitigated. Password and account recycling, however, should never occur and technologies exist to ensure you do not fall to the dark side of cybersecurity recycling practices.