The National Institute of Standards and Technology is also tackling the problem. The draft version of the Digital Authentication Guideline document includes new guidance on password policies, such as allowing for longer passwords; allowing spaces and other characters; removing special character requirements (such as what combination of letters, numbers, and non-alphanumeric characters must be used); and doing away with password hints. NIST also said in the draft that sending unique passcodes via SMS messages should not be used as part of a two-factor authentication scheme, and that stronger authentication schemes should be adopted.
Although the guidance is still in draft form and the official public comment period doesn’t start until early 2017, IT departments can use it to start thinking about how to improve authentication, such as rolling out multifactor authentication and changing password requirements.
Another bonus: NIST’s Mary Theofanos said mandatory password changes don’t make sense, so IT departments can now work on alternative methods — and stop torturing users.
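The password guidance above comes down to a few checkable rules: judge a password by its length, let users type spaces and any other character, and drop composition requirements. The following is an added example, not code from the article or from NIST, that puts a legacy composition-rule policy next to a NIST-style one so the difference is visible on real input. The numeric bounds (minimum 8, maximum 64 characters) and the NFKC normalization step are assumptions made for this example; the article gives no specific numbers.

```python
import unicodedata

# Assumed bounds for the NIST-style policy (not stated in the article).
MIN_LEN = 8
MAX_LEN = 64


def password_length(password: str) -> int:
    """Count length in code points after NFKC normalization (assumed here),
    so a decomposed accent ('a' + combining diaeresis) and its composed
    form ('ä') are measured the same way."""
    return len(unicodedata.normalize("NFKC", password))


def legacy_policy(password: str) -> list[str]:
    """Constructed stand-in for the composition-rule policies the draft
    drops: short cap, no spaces, mandatory character classes.
    Returns a list of violations; empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 16:
        problems.append("longer than 16 characters")
    if " " in password:
        problems.append("spaces not allowed")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("needs a special character")
    return problems


def nist_style_policy(password: str) -> list[str]:
    """Length-only policy in the spirit of the draft guideline: longer
    passwords allowed, spaces and any printable character permitted,
    no composition rules. Returns a list of violations."""
    problems = []
    length = password_length(password)
    if length < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Control characters are the one thing rejected: they are never typed
    # deliberately and usually indicate a broken client or injection.
    if any(unicodedata.category(c) == "Cc" for c in password):
        problems.append("control characters not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    samples = [
        "correct horse battery staple",  # long passphrase with spaces
        "P@ss1",                         # short but "complex"
        "Pa\u0308sswort",                # decomposed umlaut, 8 chars after NFKC
    ]
    for pw in samples:
        print(repr(pw))
        print("  legacy :", legacy_policy(pw) or "accepted")
        print("  nist   :", nist_style_policy(pw) or "accepted")
```

Running the block shows the passphrase rejected on five counts by the legacy policy and accepted by the NIST-style one, while the short "complex" password is rejected by both. The NFKC step matters because a user who types the same password on two keyboards can produce different byte sequences; normalizing before measuring (and before hashing, in a real system) keeps the two in agreement.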
2. We may finally be taking IoT security seriously
Last year, we could see the ransomware wave coming. This year, it’s internet of things (IoT) security — or the extreme lack thereof — that is clearly on the horizon.
The distributed denial-of-service (DDoS) attacks this fall, launched from compromised home security cameras, VCRs, and other connected devices, took down large parts of the internet and seemed to be the industry wakeup call that finally worked. Made up of compromised IoT devices, the Mirai botnet launched large attacks against French service provider OVH, the website of security blogger Brian Krebs, and networking company Dyn.
The last time DDoS was the big story, it was about hacktivists and online pranksters targeting financial websites and other visible targets. This time, botnets are launching large, multivector attacks that can exceed 1 terabit per second — and interrupt internet access for millions.
Security experts have been warning for some time about the millions of devices that are connected to the internet without even the most basic security features, so the Mirai attack shouldn’t have been a surprise. And with Mirai’s source code publicly available, it is safe to assume there are other IoT botnets waiting in the shadows to strike. With all these devices connecting to the internet, we are ripe for an IoT worm, said Lamar Bailey, senior director of security research and development at Tripwire. Fixing the problem will require a lot of coordination, creativity, and persistence, but perhaps people are actually seeing the risks.
The silver lining is that the Mirai attack was a “fairly cheap lesson in what a compromised IoT [threat] would look like while there’s still time to do something about it,” said Geoff Webb, vice president of solution strategy at Micro Focus. But IoT vendors need to get serious about security fast — and consumers should avoid their products until they do.