
Changing Behavior is Hard – Thinking About Passwords, Shadow IT, and AI

By John Welton | June 13, 2016

Passwords and social media sites have been a recent topic of interest. Although the conversation is not new, it is still important because it affects everyone. The challenge is that users resist regularly changing their passwords, and implementing behavior change is not easy. Fortinet’s Tyson Macaulay shares some perspective, and talks about what the future could have in store for us.

Talk a bit about passwords. With so many social networking sites in the news lately, what else should we be thinking about?

The password re-use issue is significant. People use the same passwords over and over, and even when they change them they often change them across all their cloud accounts, which means that if one account gets compromised, they are all now vulnerable.

In addition to personal accounts, however, from an enterprise CIO perspective I would also be very concerned about my “shadow IT” – where business units in my company have outsourced SaaS functions to cloud providers without consulting me, the CIO! Examples include Adobe, Dropbox, Salesforce, SAP, AmDocs, Oracle, etc.

There is good evidence that corporate users are re-applying their personal cloud passwords to their SaaS/shadow-IT passwords. Because shadow IT is, by definition, outside the scope and control of the CIO, the chance of a cloud-based SaaS service being enabled with corporate AD or LDAP is low. So password security or rules are not enforced on corporately procured SaaS/shadow IT, which means that the personal social media password challenge everyone is talking about can have a direct impact on business. That is why it is more important than ever to get a firm grip on SaaS/shadow IT through application control solutions, and to implement clear policies and education programs internally, driven by, for instance, in-line notifications.

Can you elaborate more on what we should consider when we think about cyber criminal motivation and cyber attacks? 

Similar to the increased force and velocity of APTs targeting industrial niches and small entities, any (presumably) high-net-worth individual might be especially vulnerable to identity theft or theft of wealth, especially if they are re-using password credentials (as most people do!). You don’t have to be an exec at a Fortune 500 firm. You might just be a successful contractor, florist, or restaurateur who put a picture of his/her new expensive car on Facebook! The solution here is a lot less clear – because corporate infrastructure might not be part of the picture. However, tools like pre-programmed credit alerts and two-factor authentication (available from many cloud services now) are an important and easily applied starting point. Using threat intelligence inside whatever security infrastructure you have is also important, as it can trigger on poor-reputation domains and URLs coming to your network location and mailbox. The advent of NFV security in edge devices for small business (i.e., AT&T UCPE) and even homes will also help, when enabled with proper threat intelligence.
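
The "trigger on poor-reputation domains and URLs" step mentioned above, shown as an added example (not Fortinet's code, nor anything from the interviewee). The reputation feed, the log line formats and the helper names are all constructed for illustration; a real deployment would load the feed from a threat-intelligence subscription and read the mail gateway and proxy logs directly. The example goes slightly beyond the paragraph by treating a listed domain as covering its subdomains, which is how reputation feeds are normally applied, while avoiding the look-alike trap where a different domain merely ends with the same characters.

```python
"""Match domains and URLs seen in mail and proxy logs against a reputation feed.

Added example, not Fortinet's code. The feed contents, the log format and
the helper names are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed low-reputation feed (assumption: a real one comes from a
# threat-intelligence subscription). Entries are registrable domains; a
# listed domain also covers its subdomains.
BAD_DOMAINS = {"bad-example.test", "phish.example"}

# Pull http(s) URLs out of free-form log text; stops at whitespace or quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot and any :port suffix."""
    host = host.lower().rstrip(".")
    return host.split(":", 1)[0]


def is_bad_host(host: str) -> bool:
    """True if host is a listed domain or a subdomain of one.

    The "." + domain suffix test is what keeps notbad-example.test from
    matching bad-example.test.
    """
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def hosts_in_line(line: str) -> list:
    """Extract hostnames from every URL embedded in one log line."""
    hosts = []
    for url in URL_RE.findall(line):
        h = urlsplit(url).hostname  # already lower-cased, port removed
        if h:
            hosts.append(normalize_host(h))
    return hosts


def scan_log(lines) -> list:
    """Return (line_number, host) for every host that hits the feed."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in hosts_in_line(line):
            if is_bad_host(host):
                hits.append((n, host))
    return hits


# Constructed sample lines in mail-gateway and web-proxy style.
SAMPLE_LOG = [
    'mail from=<x@example.org> url="https://login.bad-example.test/reset?u=1" subject="Verify your account"',
    'proxy user=alice GET http://www.example.org/news/ 200',
    'proxy user=bob GET HTTP://cdn.PHISH.example:8080/invoice.pdf 200',
    'mail from=<y@example.org> url="https://notbad-example.test/" subject="Hello"',
]

if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG):
        print(f"line {n}: low-reputation domain {host}")
```

Run as a script it flags lines 1 and 3 only; line 4 is the look-alike that a naive substring match would have caught as a false positive.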

Are there any missing opportunities we are not exploiting enough?

As single-factor authentication has been increasingly hacked, many organizations and service providers have tried to transition to two-factor authentication. This can be a combination of things, such as log-in credentials combined with a token (chip card) or biometric (fingerprint). But organizations have found adoption rates challenging. So some companies have begun using attribute-based factors to assess the authenticity of users as they log in. These attributes could be an encrypted cookie linked to a device, a source IP address, the typical time of day a user accesses the system, or even the speed and pattern by which a user enters his/her password. However, this requires a significant amount of data and analysis for each user profile, and sometimes results in false positives – for example, valid user access could be flagged as potential unauthorized use simply because the user has injured a finger or has a cold, resulting in a poor user experience, increased help desk calls, and lost productivity.

Artificial Intelligence (AI) and machine learning may provide part of the answer. Potentially, AI could learn with a higher degree of efficiency and granularity what a unique set of attributes might be per user: what would individually equate to a good vs. bad authorization. These attributes could then also be weighted, because some may be worth more, in terms of accuracy, than others. Applying AI on a profile-by-profile basis, organizations could possibly create tailored attribute rates that keep false positive rates low while leading to a better user experience.
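
The two preceding answers describe attribute-based login checks (device cookie, source IP, time of day, typing cadence) and the idea of weighting those attributes per user so that a noisy signal does not on its own cause a false positive. The following is an added example of that scoring logic, not code from Fortinet or the interviewee. The attribute names, the weights, the allow/step-up/deny thresholds and the per-user profile are assumptions chosen for illustration; a learned model would set the weights and tolerances from each user's history instead of from constants.

```python
"""Weighted attribute-based (risk-based) login scoring.

Added example, not Fortinet's code. Attribute names, weights, thresholds
and the profile format are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserProfile:
    """What the system has learned about one user (constructed for the example)."""
    known_device_ids: set          # ids carried in encrypted device cookies
    known_networks: set            # source IP prefixes seen before, e.g. "203.0.113."
    usual_hours: range             # local hours at which the user normally logs in
    typing_interval_ms: float      # mean inter-keystroke interval when typing the password
    typing_tolerance: float = 0.5  # relative deviation allowed before cadence looks odd


@dataclass
class LoginAttempt:
    device_id: Optional[str]
    source_ip: str
    hour: int
    typing_interval_ms: float


# Per-attribute weights: how much each mismatch adds to the risk score.
# Typing cadence carries the lowest weight because it is the noisiest
# signal (an injured finger or a cold changes it with no attacker involved),
# so on its own it can never push a login past the allow threshold.
WEIGHTS = {
    "unknown_device": 40,
    "unknown_network": 30,
    "unusual_hour": 15,
    "typing_deviation": 10,
}

ALLOW_BELOW = 30    # score below this: the password alone is accepted
STEP_UP_BELOW = 70  # score in [30, 70): ask for a second factor
#                     score >= 70: deny and alert


def score_attempt(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    """Return (risk_score, list of attribute names that mismatched)."""
    findings = []
    if attempt.device_id not in profile.known_device_ids:
        findings.append("unknown_device")
    if not any(attempt.source_ip.startswith(p) for p in profile.known_networks):
        findings.append("unknown_network")
    if attempt.hour not in profile.usual_hours:
        findings.append("unusual_hour")
    deviation = abs(attempt.typing_interval_ms - profile.typing_interval_ms) / profile.typing_interval_ms
    if deviation > profile.typing_tolerance:
        findings.append("typing_deviation")
    return sum(WEIGHTS[f] for f in findings), findings


def decide(score: int) -> str:
    """Map a risk score onto the three outcomes."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < STEP_UP_BELOW:
        return "step-up"
    return "deny"


# Constructed profile for one user.
ALICE = UserProfile(
    known_device_ids={"dev-a1", "dev-a2"},
    known_networks={"203.0.113.", "198.51.100."},
    usual_hours=range(7, 20),
    typing_interval_ms=180.0,
)

if __name__ == "__main__":
    # Constructed attempts covering the normal case, the "has a cold" case,
    # a plausible trip away from the office, and a stolen-password attempt.
    cases = {
        "normal": LoginAttempt("dev-a1", "203.0.113.7", 9, 175.0),
        "cold":   LoginAttempt("dev-a1", "203.0.113.7", 9, 330.0),
        "travel": LoginAttempt("dev-a2", "192.0.2.44", 23, 185.0),
        "stolen": LoginAttempt(None, "192.0.2.44", 3, 80.0),
    }
    for name, attempt in cases.items():
        s, f = score_attempt(ALICE, attempt)
        print(f"{name:7s} score={s:3d} decision={decide(s):8s} {f}")
```

The "cold" case is the false positive from the answer above: the cadence is far outside tolerance, but with a weight of 10 the login is still allowed, while the "travel" case (known device, unknown network, odd hour) lands in the step-up band and only the attempt that matches nothing is denied.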

So, this leads to a basic question: Is the password dead?

I know it’s not, but passwords are terrifyingly and increasingly risky when used by themselves for authentication because there are so many different ways to steal people’s passwords – phishing, social engineering, keylogging, and botnets, just to name a few. Even if stored passwords are encrypted, insider threats driven by criminal intentions appear to be routinely foiling such controls – for the right price. So it is urgent that people and organizations take the right action to address their password challenges.