
Recent WHO and ZOOM data breaches prove the need for passwordless IT

April 28, 2020
Written by: Jani Virkkula

Cyberattacks are on the rise once again. High-profile targets like the World Health Organization (WHO) and its top officials are a lucrative target for hackers. Hackers also got hold of 500,000 Zoom user passwords.

“This is unprecedented for everyone here. We’re doing what we can to mitigate it” is a direct quote from WHO’s chief information officer (CIO), Bernardo Mariano. He also stated that they have doubled the size of the security team and are increasing collaboration with security vendors. All commendable actions by the organization.

Passwords and credentials are a huge problem

In this case it turns out that the WHO security systems were not compromised per se. Yet Australian cybersecurity expert Robert Potter was able to get hold of a list of leaked WHO credentials and said he was able to verify that the WHO email addresses and passwords were real.

How is this possible? The answer is simple: many WHO employees were using their company credentials to create accounts on other services, outside the WHO ecosystem or the organization’s security perimeter.

The same is true for the Zoom case. “Bear in mind as well that these credentials were not from any breach at Zoom itself, but rather just broad collections of stolen, recycled passwords.”

Potter also calls the WHO’s password security ‘appalling’, citing examples like 48 instances of ‘password’, ‘changeme’, or even their first names. He said the exposed login information seemed to have originated from a hack in 2016.

To summarize these two cases:

- Impossibly weak passwords like ‘password’ are STILL being used in real life
- They are getting re-used elsewhere, along with other company credentials
- Passwords are not changed very often

We’ve quoted this before but it bears repeating: the Verizon Data Breach Investigations Report indicates that 80% of hacking-related breaches are still tied to passwords. How to go forward, then?

Will managing passwords better or enforcing stricter policies really help? The short answer: not really. We believe it’s time to acknowledge a few points:

- You really cannot control how people behave outside your company, no matter what your policies state on paper
- If you make your processes too complicated or inconvenient, people will find ways to bypass your controls or ignore your policies
- Blaming the users will only get you so far. It’s also an excuse. It is our job in the security industry to make the tools both secure and easy to use. Read how we have defended ‘the
- What is happening in general is happening in ‘hardcore’ IT as well. Read more about how professional IT users bypass security controls like Privileged Access Management (PAM).
- There are no security perimeters in the traditional sense of the word; your security perimeter is defined every time access is made. This is particularly true now that more people are working remotely.

Stop worrying about passwords & start implementing passwordless IT!

We believe it is time to stop perpetuating the password problem: it only increases our unhealthy obsession with and dependency on passwords and makes us password-a-holics. The same goes for credentials in general.

Managing access is more critical than managing passwords or credentials.

Basically, you can define two user groups accessing your systems: regular business users and privileged users (IT professionals).

See how we can help you with both user groups:

- How to set up secure remote access for employees working from home
- Make remote work fast & secure for admins, devs and IT subcontractors

Our recommendation, if you need to prioritize: start with your IT teams, since they have access to the beating heart of your digital business and operations. They should go passwordless and credentialless ASAP.

We are not alone on this. For example, Microsoft now recommends passwordless strategies. Gartner has also stated that ‘standing privileges’ are a risk, even when stored or vaulted, in its report ‘Remove Standing Privileges Through a Just-In-Time PAM Approach’.

There are also (in)famous cases where privileged credentials were involved, like the Snowden case, the Sony breach or when a disgruntled ex-employee shut down the entire North American Citibank network in 2 minutes.

Just-in-time (JIT) credentialless and passwordless access is the new way

Our solution, PrivX, can offer you a more modern and secure approach where:

- No one has permanent access to any target; each session is validated and authorized every time it is made.
- No one accessing your critical IT infrastructure handles any credentials or sees any secrets at any point of the process.
- There are no leave-behind credentials for hackers to harvest or misuse in your IT environment or target servers.
- There’s no need to worry that subcontractors walk away with your precious credentials, because they never ‘existed’ in the first place.
- There’s no need to waste time on password policies or resetting forgotten passwords, which cost time and money and don’t really work.

Instead, you can get:

- Secure remote access: on-demand access without passwords and with short-lived, ephemeral certificates that the user never sees or handles
- Zero leave-behind credentials or passwords: certificates that are automatically created just-in-time (JIT) when the user establishes the session and are automatically deleted after establishing the connection (in 5 minutes)
- Minimized need for training: an easy and centralized web UI for single sign-on (SSO) access
- Maximized integration: a best-of-breed solution that leverages your existing tool stack, like your identity and access management (IAM) solutions, Active Directory (AD) and security information and event management (SIEM)
- Automated off-boarding: any changes in identities and authorities are automatically reflected in access rights and roles. Example: remove a developer from your Active Directory, and that person’s session to the target host is disconnected automatically in less than a minute.
- Mitigated risk: aligned with the Zero Trust framework and Gartner’s just-in-time (JIT) and zero standing privileges approach to mitigate the risk of credential harvesting or privilege abuse

These are just some of the security benefits of our PrivX solution. It is a quick-to-implement and scalable privileged access management (JIT-PAM) solution for establishing secure remote access to hosts, network devices or web applications and managing third-party access.
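To make the zero-standing-privilege model above concrete, here is an added illustration (not PrivX code, and not a description of how PrivX is built) of what a just-in-time access broker has to check: a grant is signed by the broker, bound to one user and one target, valid for a 5-minute window, and re-checked against the identity directory on every use, so removing the user from the directory revokes access with no credential to rotate. The broker class, the HMAC-signed grant format, the in-memory `directory` set standing in for AD group membership, and the scenario names are all assumptions of this example.

```python
"""Conceptual model of just-in-time (JIT), zero-standing-privilege access.

Added illustration only; this is NOT PrivX code and makes no claim about how
PrivX is implemented. A broker issues a short-lived, signed access grant bound
to a principal, a target host and a 5-minute validity window, and re-checks the
principal's directory membership on every use.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

GRANT_LIFETIME_SECONDS = 300  # the 5-minute window described in the text


@dataclass(frozen=True)
class Grant:
    principal: str
    target: str
    not_before: int
    not_after: int
    mac: str          # HMAC over the four fields above, keyed by the broker


class AccessBroker:
    """Hypothetical broker: only it holds the signing key, so a grant cannot
    be forged or have its validity window extended by whoever carries it."""

    def __init__(self, signing_key: bytes, directory: set, clock=time.time):
        self._key = signing_key
        self.directory = directory   # stands in for AD group membership
        self._clock = clock          # injectable so expiry can be exercised

    def _sign(self, principal, target, not_before, not_after) -> str:
        payload = json.dumps([principal, target, not_before, not_after]).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, principal: str, target: str) -> Grant:
        # Only current directory members get a grant, and only for one target.
        if principal not in self.directory:
            raise PermissionError(f"{principal} is not in the directory")
        now = int(self._clock())
        nb, na = now, now + GRANT_LIFETIME_SECONDS
        return Grant(principal, target, nb, na, self._sign(principal, target, nb, na))

    def validate(self, grant: Grant, target: str) -> tuple:
        """Return (allowed, reason). Every check runs on every use; there is
        no standing credential that stays valid between checks."""
        expected = self._sign(grant.principal, grant.target,
                              grant.not_before, grant.not_after)
        if not hmac.compare_digest(expected, grant.mac):
            return False, "bad signature"
        if grant.target != target:
            return False, "grant is for a different target"
        now = int(self._clock())
        if not (grant.not_before <= now <= grant.not_after):
            return False, "grant expired"
        if grant.principal not in self.directory:
            return False, "principal removed from directory"
        return True, "ok"


def run_scenarios() -> dict:
    """Walk one grant through its lifecycle with a controllable clock.
    All names and values here are constructed for the example."""
    fake_now = [1_700_000_000]
    broker = AccessBroker(b"constructed-demo-key", {"alice", "bob"},
                          clock=lambda: fake_now[0])
    results = {}
    g = broker.issue("alice", "db-01")
    results["fresh"] = broker.validate(g, "db-01")
    results["wrong_target"] = broker.validate(g, "db-02")
    # Holder tries to stretch the window by an hour: the MAC no longer matches.
    tampered = Grant(g.principal, g.target, g.not_before, g.not_after + 3600, g.mac)
    results["tampered"] = broker.validate(tampered, "db-01")
    # Off-boarding: the directory change alone is enough to cut access.
    broker.directory.discard("alice")
    results["offboarded"] = broker.validate(g, "db-01")
    broker.directory.add("alice")
    # Six minutes later the grant has aged out on its own.
    fake_now[0] += GRANT_LIFETIME_SECONDS + 1
    results["expired"] = broker.validate(g, "db-01")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13s} -> {outcome}")
```

The point of the model is that the object the user carries is worthless outside its window and its target, and that revocation is a directory operation rather than a credential hunt. In OpenSSH terms the same idea is a CA-signed user certificate with a short validity, e.g. `ssh-keygen -s ca_key -I key_id -n principal -V +5m user_key.pub`, where the target host trusts only the CA and never sees a password.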

Learn more about the product that is a great alternative to VPNs or jump hosts, can be set up remotely and requires virtually no maintenance.

Or see how it works below:


You can also sign up for the PrivX test drive to play in your own PrivX sandbox in a browser or contact us here to request a demo.

Stay safe!


Tag(s): SSH, RDP, just-in-time, remote work

Jani Virkkula: Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
