Thursday May 5 celebrates World Password Day, a yearly reminder to use strong passwords, to make sure you are not using default or easily guessed passwords, and to review the passwords used across your systems and devices. For an individual or a family these tasks take minutes, or hours at most. For organizations they are far more complicated, especially without tools designed specifically for the job. And the stakes are different: a successful breach costs a corporation roughly 36,000 times what it costs an individual ($8.19M versus $225 per breach). For publicly traded organizations it is getting extremely serious; the SEC is in the process of amending its reporting rules so that cyber breaches must be disclosed, giving investors a clearer view of an organization's ability to manage cyber risk (passwords included).
Let’s dive into the three key challenges organizations face with passwords, and ways organizations can improve their password game.
Organizational Challenge: How IoT Devices and Applications Get Their Passwords: In an ideal world every device runs a unique password that meets or exceeds corporate password policy. But in a typical corporate environment with many kinds of IoT devices, the people who actually set those passwords are spread across many parts of the organization, and sometimes are not even employees. Take the case of an external contractor installing new Point of Sale (POS) systems in a retailer: will they take the extra time to understand your company's policies and set appropriate passwords, or will they install the system and leave the vendor's default passwords in place? Or take the smart lighting systems that the Facilities team installed and did change the passwords on, but using the same password on every unit (and leaving it on a sticky note in the breakroom).
How Organizations Can Do Better: Three words: Tools, Training, and Audits. Given the scale of IoT devices within an organization, automated password policy enforcement solutions (like Viakoo’s Device Password Manager, or DPM) should be used to regularly check that devices are compliant to corporate policies. Ensuring all parts of the organization that manage IoT devices and applications are trained on password policies reinforces that it is their responsibility, not someone else’s or IT’s. Having an audit process reinforces the use of automated tools and training, and makes clear where more effort is needed.
Organizational Challenge: Unique Password Issues for IoT/OT Devices: Many IoT devices are tightly coupled with other devices and applications to perform a business function. An IP camera by itself does not provide video evidence to the physical security team; it is the combination of IP camera, networking, storage, and a video management application that results in retrievable and usable video evidence. In such a tightly coupled environment the IoT application usually has to hold each device's password so it can coordinate and communicate with every device involved, which means a password rotated on the device but not in the application breaks the function the two were serving. A further difficulty in setting IoT device passwords is that every device type and manufacturer may impose its own limits on what is acceptable: not all allow symbols, and many cap the password length.
How Organizations Can Do Better: Having a complete IoT device inventory is the starting point for being able to properly set passwords and coordinate with applications; Viakoo recommends using an asset discovery solution (most leading discovery solutions interoperate with Viakoo). Solutions that automate managing issues related to the tightly coupled nature of IoT devices and applications will avoid unnecessary downtime or manual efforts. Solutions like Viakoo DPM can also ensure each device password is different and meets both device-level password restrictions and corporate password policy, making proving compliance much easier.
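As an added illustration of the two constraints described above (per-device limits on length and character set, plus a corporate policy that every device must still meet), the following Python is example code written for this article, not part of any Viakoo product. The device models, limits and corporate policy values are constructed for the example; a real deployment would take them from the vendor documentation and the organization's own policy. The point it shows beyond the text is that the two sets of rules can be irreconcilable (a device whose maximum length is below the corporate minimum), and that a provisioning step has to detect that rather than silently weaken the password.

```python
import secrets
import string
from dataclasses import dataclass

# Corporate password policy (hypothetical values chosen for this example).
CORP_MIN_LEN = 14
CORP_MIN_CLASSES = 3  # of: lowercase, uppercase, digit, symbol


@dataclass(frozen=True)
class DeviceConstraints:
    """Password limits published by a device vendor (constructed examples)."""
    model: str
    max_len: int
    allow_symbols: bool = True
    symbols: str = "!@#$%^&*()-_=+"


def _char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_corp_policy(pw: str) -> bool:
    return len(pw) >= CORP_MIN_LEN and _char_classes(pw) >= CORP_MIN_CLASSES


def allowed_by_device(pw: str, dev: DeviceConstraints) -> bool:
    """True if the device will accept this password (length and charset)."""
    alphabet = string.ascii_letters + string.digits
    if dev.allow_symbols:
        alphabet += dev.symbols
    return len(pw) <= dev.max_len and all(c in alphabet for c in pw)


def generate_password(dev: DeviceConstraints) -> str:
    """Return a CSPRNG password that satisfies both the device limits and
    corporate policy. Raises ValueError when the two cannot both be met,
    so the conflict is surfaced instead of a weaker password being set."""
    if dev.max_len < CORP_MIN_LEN:
        raise ValueError(
            f"{dev.model}: device max length {dev.max_len} is below "
            f"corporate minimum {CORP_MIN_LEN}"
        )
    alphabet = string.ascii_letters + string.digits
    if dev.allow_symbols:
        alphabet += dev.symbols
    length = min(dev.max_len, 24)
    while True:  # rejection sampling; a miss on 3 classes at 14+ chars is rare
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_corp_policy(pw) and allowed_by_device(pw, dev):
            return pw


def provision(devices: dict) -> tuple[dict, dict]:
    """Generate one unique password per device id. Returns (credentials,
    conflicts): credentials is what both the device and the application
    (e.g. the VMS) must be updated with; conflicts lists devices whose
    limits made a compliant password impossible."""
    credentials, conflicts = {}, {}
    for dev_id, dev in devices.items():
        try:
            pw = generate_password(dev)
            while pw in credentials.values():  # enforce uniqueness
                pw = generate_password(dev)
            credentials[dev_id] = pw
        except ValueError as e:
            conflicts[dev_id] = str(e)
    return credentials, conflicts


if __name__ == "__main__":
    fleet = {  # constructed inventory
        "cam-01": DeviceConstraints("ipcam-200", max_len=16, allow_symbols=False),
        "cam-02": DeviceConstraints("ipcam-200", max_len=16, allow_symbols=False),
        "light-01": DeviceConstraints("smartlight", max_len=32),
        "pos-01": DeviceConstraints("legacy-pos", max_len=8),
    }
    creds, bad = provision(fleet)
    for dev_id, pw in creds.items():
        print(dev_id, pw)
    for dev_id, why in bad.items():
        print("CONFLICT", dev_id, why)
```

The `conflicts` output is the part worth acting on: a device that cannot meet policy needs a firmware update, a policy exception with compensating controls (network segmentation, for instance), or replacement, and that decision should be recorded rather than left to whoever is holding the installer's laptop.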
Organizational Challenge: Weak, Default, or Easily Guessed Passwords: Cybersecurity professionals will tell you hackers don't hack in, they log in. This is especially true for IoT devices: search engines such as Shodan (shodan.io) index internet-facing devices by product and banner, so anything still running the vendor's default credentials is trivial to find and to try, and ensuring your organization is not using default passwords is critical. Depending on location, your organization may be required to address passwords by regulation; for example, California's IoT security law (SB-327) requires manufacturers to either preprogram a password that is unique to each device or require the user to set a new one before the device can be used for the first time. Whether as a law or simply best practice, having a process to onboard new devices with unique passwords and to verify that all devices are using unique passwords is critical.
How Organizations Can Do Better: Use a password strength assessment solution (such as what is included in Viakoo’s Device Password Manager solution) when setting new passwords. When onboarding new devices, ensure that the installer is following a process you’ve established and approved. Plan a regular audit (could even be daily) that uncovers and locates devices that are in violation of your policy.
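As an added example of the audit this section calls for (and of the default-credential and reuse problems raised in the section above it), the Python below runs a policy check over a small device inventory. It is example code written for this article, not Viakoo's Device Password Manager, and the vendor default list, common-password list, minimum length and inventory records are all constructed for the example; a real audit would draw the default list from vendor documentation or a maintained credential list. It flags four things the paragraph names only in prose: a password that matches a known vendor default for that model, a password from a common-password list, a password below the minimum length, and the same password reused across devices.

```python
import hashlib
from collections import defaultdict

# Known vendor defaults keyed by (vendor, model); constructed for this example.
KNOWN_DEFAULTS = {
    ("acme", "ipcam-200"): {"admin", "12345", "admin123"},
    ("lumen", "smartlight"): {"password"},
}
# A tiny stand-in for a real breached/common-password list (constructed).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LEN = 14  # hypothetical corporate minimum


def _fingerprint(pw: str) -> str:
    """Short hash so the report can group reuse without printing plaintext."""
    return hashlib.sha256(pw.encode()).hexdigest()[:16]


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Return {device_id: [finding, ...]} for every device in violation.
    Each inventory record has id, vendor, model and the current password
    (an enforcement tool knows the password it set; a discovery-only tool
    would have to test candidates against the device instead)."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_fp: dict[str, list[str]] = defaultdict(list)

    for d in inventory:
        pw = d["password"]
        key = (d["vendor"].lower(), d["model"].lower())
        if pw in KNOWN_DEFAULTS.get(key, set()):
            findings[d["id"]].append("default-credential")
        if pw.lower() in COMMON_PASSWORDS:
            findings[d["id"]].append("common-password")
        if len(pw) < MIN_LEN:
            findings[d["id"]].append(f"too-short({len(pw)}<{MIN_LEN})")
        by_fp[_fingerprint(pw)].append(d["id"])

    # Reuse: any fingerprint shared by more than one device.
    for ids in by_fp.values():
        if len(ids) > 1:
            for dev_id in ids:
                others = ",".join(x for x in ids if x != dev_id)
                findings[dev_id].append(f"reused-with:{others}")

    return dict(findings)


# Constructed inventory used for the sample run below.
SAMPLE_INVENTORY = [
    {"id": "cam-01", "vendor": "Acme", "model": "IPCAM-200", "password": "admin"},
    {"id": "cam-02", "vendor": "Acme", "model": "IPCAM-200",
     "password": "kQ7vLm2pXz9RtW4b"},
    {"id": "light-01", "vendor": "Lumen", "model": "SmartLight",
     "password": "Facilities2022!"},
    {"id": "light-02", "vendor": "Lumen", "model": "SmartLight",
     "password": "Facilities2022!"},
    {"id": "pos-01", "vendor": "Other", "model": "POS-X", "password": "Welcome1"},
]


def sample_report() -> dict[str, list[str]]:
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for dev_id, issues in sorted(sample_report().items()):
        print(f"{dev_id}: {'; '.join(issues)}")
```

Run daily, the findings map is what the audit process in the text should feed: a device with `default-credential` is an immediate onboarding failure, `reused-with` points at the sticky-note problem from the Facilities example, and a clean run is the evidence of compliance that an auditor will ask for.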
Looking Ahead: Zero Trust: Will there forevermore be a World Password Day? At Viakoo we believe it will be with us for several more years, but at some point other forms of authentication will displace passwords. Many organizations have a Zero Trust initiative; if yours is one, start extending zero trust to IoT devices. Viakoo's Device Certificate Manager (DCM) can automate deployment and management of 802.1X and TLS certificates to bring your IoT devices into a safer and more secure operational status.