There is major trouble up ahead for protecting user accounts unless companies step up their game.
At July's Cloud Identity Summit, Bob Blakley, global head of information security at Citigroup, will point his keynote presentation in that direction and ask the audience to fasten its seatbelts, hold down its breakfast and prepare for a bumpy ride.
Look down the list of hacked companies in just the past six months: Target, Neiman Marcus, Michaels Stores, Apple, and (unfortunately) the list goes on (and on, and on).
No longer are cyber thieves just out to brag they cracked a database of user data and credentials. The game now is financially lucrative and nearly epidemic. A Web site called Pastebin has become the Recycle Bin for stolen passwords.
"The basic theme here is that for a long time the fact was that people might be able to find out one of your passwords or could find a way to reset one of your passwords by getting personal information about you and answering some questions. That was kind of an individual problem," said Blakley.
He plans to lay out a new positive-feedback dynamic, and ask if there are any new and solid defenses. Blakley is uncertain if the industry is approaching, or already has passed, an inflection point where the game of protecting account credentials changes radically.
He speculates that this inflection point may come when, for more than half the population, enough information to assume their identity has already leaked from one source or another.
"At that point the adversary has a 50-50 chance of successfully impersonating any target of his choice unless we step up our game," says Blakley. "The issue is that things can change very rapidly."
That leaves one wondering whether the uptick in user account hacks and password breaches is the eye of the storm or just the leading edge.
"The real goals now are not consumer identities on a Gmail account. The real prize is getting administrative accounts for large enterprises; these could allow attackers to go get additional databases of more user data and bootstrap themselves into even more accounts," says Blakley.
Secrets are the issue. "Because of password reuse and other things, the probability goes up and up and up that I can find somebody who is an administrator and reverse engineer from his public account what his credentials are, or what his answers to password recovery questions might be at his administrative account," says Blakley. "It is a chain reaction of privilege escalation as long as we are relying on secrets."
Unfortunately, current trends point in that direction. "The question is, are things going to start getting worse at a faster than linear rate in terms of account security, and in particular, account security based on passwords," says Blakley.
It is within this narrative that Blakley hopes to offer insights.
"There are various ways I can point people. I don't know all the answers, but I will try not to leave people suicidally depressed," he says half jokingly.