As ransomware attacks continue to wreak havoc on organizations worldwide, many official standards and regulations have been established to address this pressing issue.
This article examines the common regulations and standards issued by CISA, NIST, HIPAA, FedRAMP, and ISO 27002 and discusses the importance of following password security best practices.
Explore whether these regulated standards are sufficient or if organizations should strive for more robust security measures.
The Impact of Weak Passwords on Ransomware Attacks
Weak passwords can significantly increase an organization’s vulnerability to ransomware attacks. According to the Verizon 2022 Data Breach Investigations Report, 63% of data compromised was due to credential theft or compromise. Additionally, attackers often exploit weak or stolen passwords to gain unauthorized access to an organization’s systems, paving the way for ransomware infections.
Furthermore, the 2023 State of Passwordless Security study by HYPR found that 3 in 5 organizations had authentication-related breaches in the last 12 months. In addition, the average cost of authentication-related cyber breaches in the last 12 months rose to $2.95M. These statistics underscore the importance of strong password security practices to protect against ransomware attacks.
Guidance from CISA, NIST, HIPAA, FedRAMP, and ISO 27002
By following and exceeding the password guidance provided by CISA, NIST, HIPAA, FedRAMP, and ISO 27002, organizations can bolster their defenses against unauthorized access and reduce their vulnerability to ransomware attacks.
CISA – Strengthening Ransomware Defense
The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance to help organizations protect themselves against ransomware attacks. The CISA guidelines emphasize the importance of implementing a comprehensive cybersecurity program, including regular backups, patch management, and user training, to minimize the risk of ransomware infections.
Although CISA doesn’t provide specific password recommendations in the ransomware guidance, it recommends following the NIST password security guidelines. In addition, CISA encourages organizations to adopt multi-factor authentication (MFA) and other robust access controls to minimize the risk of unauthorized access that could lead to ransomware infections.
NIST – A Comprehensive Framework for Digital Identity
The National Institute of Standards and Technology (NIST) has published Special Publication 800-63B, which outlines best practices for digital identity and authentication. This document provides valuable guidance on password security, such as recommending using long, complex passwords and implementing multi-factor authentication (MFA) to bolster account security.
NIST’s Special Publication 800-63B provides detailed password guidance. Key recommendations include the following:
- Password length – Encourage the use of lengthy passwords, with a minimum of 8 characters for user-chosen passwords and a minimum of 6 characters for randomly generated passwords.
- Complexity – Do not impose complexity rules, such as requiring special characters or a mix of character types.
- Password expiration – Discourage periodic password changes unless there’s evidence of compromise.
- Password reuse – Encourage users to avoid reusing passwords across different accounts.
- MFA – Multi-factor authentication is strongly recommended for enhanced security.
HIPAA – Protecting Healthcare Data from Ransomware
The Health Insurance Portability and Accountability Act (HIPAA) has issued cybersecurity guidance to help healthcare organizations safeguard sensitive patient data from ransomware attacks. The guidance emphasizes the need for robust risk management processes, continuous security awareness training, and adherence to HIPAA’s Security Rule to protect electronic protected health information (ePHI).
HIPAA’s Security Rule requires covered entities to implement password policies and procedures to verify the identity of individuals accessing electronic protected health information (ePHI). Specific password guidance is not provided, but HIPAA encourages following industry best practices, such as NIST guidelines.
FedRAMP – Securing Cloud-Based Services
The Federal Risk and Authorization Management Program (FedRAMP) has established a framework to ensure the security of cloud-based services used by federal agencies. This framework includes rigorous security assessments, authorization, and continuous monitoring to mitigate the risk of ransomware attacks on cloud services.
FedRAMP’s security controls are based on NIST Special Publication 800-53. Password recommendations include the following:
- Password length – Minimum of 12 characters for high-impact systems and 8 characters for moderate-impact systems.
- Complexity – Encourage using a mix of upper- and lower-case letters, numbers, and special characters.
- Password expiration – Require password changes every 60 days for high-impact systems and 90 days for moderate-impact systems.
- MFA – Mandate multi-factor authentication for remote access to federal information systems.
ISO 27002 – Authentication Information Control
The International Organization for Standardization (ISO) has published the ISO 27002 standard, which provides information security management systems (ISMS) guidelines. Among its recommendations, the standard highlights the importance of strong authentication controls, including complex passwords and MFA.
ISO 27002 recommends organizations establish a password policy that includes the following:
- Password length – Encourage using sufficiently long passwords without specifying an exact length.
- Complexity – Recommend a mix of different character types, such as upper- and lower-case letters, numbers, and special characters.
- Password expiration – Set an appropriate period based on the organization’s risk assessment.
- Password reuse – Restrict the reuse of previously used passwords.
- MFA – Encourage the use of multi-factor authentication when appropriate.
The Importance of Password Security Best Practices
While these regulations and standards provide a solid foundation for ransomware prevention, organizations should not rely on them alone. One analysis found that 83% of compromised passwords satisfy the length and complexity requirements of regulatory password standards. Password security is therefore a major area where organizations can improve.
According to a study by Specops, passwords should be 12 characters or longer to provide adequate security. Many regulated standards, however, still recommend a minimum length of just eight characters. Shorter passwords can be more easily cracked by attackers, potentially compromising an organization’s entire network.
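The point that a password can satisfy length and complexity rules and still be compromised is easy to demonstrate in code. The following is an added example, not code from this article or from Specops: a classic composition-rule check placed beside a minimal screen in the spirit of the NIST SP 800-63B recommendations listed above (minimum length, no composition rules, rejection of breached, dictionary, context-specific, repeated and sequential passwords). The breached list, dictionary words, the username `jsmith` and the service name `acme` are constructed sample values; a real deployment would screen against a large breached-password corpus.

```python
"""
Added example, not code from the article or from Specops: a minimal
NIST SP 800-63B-style password screen placed beside a classic
composition-rule policy. It shows how a password can meet length and
complexity requirements yet still be a known compromised password.

The breached list and dictionary below are small constructed samples;
a real deployment screens against a large corpus of breached passwords.
"""
import re

MIN_LENGTH = 8  # 800-63B minimum for user-chosen passwords

# Constructed sample of breached passwords. Each is 8+ characters and
# mixes character classes, so a composition-rule policy accepts them all.
BREACHED_SAMPLE = frozenset({
    "Password1!", "Welcome123!", "Summer2023!", "Qwerty123!", "P@ssw0rd",
})

# Constructed dictionary words; 800-63B recommends rejecting dictionary
# words and words specific to the service or the user.
DICTIONARY_WORDS = ("letmein", "password", "qwerty", "summer", "welcome")


def passes_composition_policy(password: str) -> bool:
    """Typical legacy rule: 8+ characters and three of four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes >= 3


def has_sequential_run(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code point (abcd, 4321).

    Keyboard walks such as qwerty are not covered here; the breached list
    catches the common ones.
    """
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs in ({1}, {-1}):
            return True
    return False


def screen_800_63b(password, username, context_words=("acme",), breached=BREACHED_SAMPLE):
    """Return the reasons a password fails the screen; an empty list means it passes.

    No composition rules are applied. The password is checked for minimum
    length, presence in the breached list, dictionary words, context-specific
    words (username, service name), and repeated or sequential characters.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password in breached:
        reasons.append("appears in breached-password list")
    for word in DICTIONARY_WORDS:
        if word in lowered:
            reasons.append(f"contains dictionary word '{word}'")
    for word in (username, *context_words):
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if re.search(r"(.)\1\1", password):
        reasons.append("contains a repeated character run")
    if has_sequential_run(password):
        reasons.append("contains a sequential character run")
    return reasons


def compare_policies(password, username):
    """Side-by-side verdict of both policies for one candidate password."""
    return {
        "composition_rule_accepts": passes_composition_policy(password),
        "screen_800_63b_reasons": screen_800_63b(password, username),
    }


if __name__ == "__main__":
    # Constructed candidates for the user 'jsmith' at a service called 'acme'.
    for candidate in ("Password1!", "jsmith2024!", "Abcd1234!", "correct horse battery staple"):
        verdict = compare_policies(candidate, "jsmith")
        print(f"{candidate!r:32} composition={verdict['composition_rule_accepts']!s:5} "
              f"screen={verdict['screen_800_63b_reasons'] or 'pass'}")
```

Run as a script, the first three candidates pass the composition rule but fail the screen (breached, username-derived, sequential), while the long passphrase fails the composition rule yet passes the screen. That inversion is the gap the 83% figure describes: the composition rule measures shape, the screen measures whether attackers already know the password.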
Going Beyond Regulated Standards
As ransomware attacks evolve in sophistication, organizations must stay ahead of the curve and implement more robust security measures. This may involve:
- Regularly updating and strengthening password policies, such as enforcing longer password lengths, complexity requirements, and regular password changes.
- Increasing employee security awareness through training programs, ensuring that all staff members are well-versed in identifying and avoiding phishing attempts and other attack vectors.
- Implementing advanced security tools, such as endpoint detection and response (EDR) solutions, to monitor and respond to potential threats in real time.
- Conducting regular security assessments and penetration tests to identify and remediate vulnerabilities within the organization’s infrastructure.
- Collaborating with industry peers and security experts to share knowledge and stay up to date on the latest ransomware trends and attack techniques.
Aiming for a Higher Security Standard
While the regulated standards for ransomware prevention, such as CISA, NIST, HIPAA, FedRAMP, and ISO 27002, provide valuable guidance and a solid starting point for organizations, it is crucial to recognize that these standards may not be enough. By going above and beyond the regulated standards, organizations can significantly reduce the risk of falling victim to a ransomware attack.
As ransomware threats evolve and grow in sophistication, organizations must remain proactive and vigilant in their cybersecurity efforts. This includes adhering to regulated standards and striving to exceed them, particularly in password security and employee training. By taking a comprehensive and adaptive approach to ransomware prevention, organizations can better protect their critical data and assets from the ever-present threat of attacks.
Safeguard your Organization from Ransomware with Specops Password Policy
Many organizations use Microsoft Active Directory Domain Services as their on-premises identity and access management solution for securing resources. However, Active Directory lacks native tools providing effective modern password policies. In addition, Active Directory native password policies do not protect against incremental or breached passwords, which often lead to ransomware attacks.
Specops Password Policy provides organizations with modern password policy tools to meet the challenges of securing passwords from current attacks. It enables organizations to set custom rules and meet regulatory requirements. It also provides real-time end-user feedback, helping users see what is expected of them. In addition, admins can configure length-based aging, allowing users to wait longer between password changes based on password strength.
Organizations can extend password security through the Group Policies they already have in place using the Specops Password Policy security options. Note the following features and capabilities:
- Custom dictionary lists
- Block over 3 billion compromised passwords with Breached Password Protection
- Informative end-user client messaging at failed password change
- Users receive real-time dynamic feedback with the Specops Authentication client
- Length-based password expiration with customizable email notifications
- Block usernames, display names, specific words, consecutive characters, incremental passwords, and reuse of part of the current password
- Granular, GPO-driven targeting for any GPO level, computer, user, or group population
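Two items in the list above, blocking incremental passwords and blocking reuse of part of the current password, are checks that native Active Directory password history cannot perform, because history only compares whole-password hashes. The following is an added example, not Specops' own code, of what such checks look like: it compares the previous and proposed passwords for an incremental change (same stem, different trailing digits), for a shared substring, and for overall similarity. It assumes the check runs where both plaintexts are available at change time, as an Active Directory password filter does; the passwords, the stem rule and the thresholds (`min_shared=5`, `max_similarity=0.6`) are constructed sample values.

```python
"""
Added example, not Specops' code: detecting incremental changes and partial
reuse between a user's previous password and the proposed new one. It assumes
the check runs where both plaintexts are available at change time (as an
Active Directory password filter does); stored hashes alone cannot support
these comparisons. All passwords and thresholds below are constructed samples.
"""
import difflib
import re


def password_stem(password: str) -> str:
    """Lower-case the password and drop trailing digits and punctuation.

    'Winter2023!' and 'Winter2024!' both reduce to 'winter', which is how an
    incremental change is recognised.
    """
    return re.sub(r"[^a-z]+$", "", password.lower())


def longest_common_substring(a: str, b: str) -> str:
    """Case-insensitive longest common substring via dynamic programming."""
    a, b = a.lower(), b.lower()
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def check_password_change(old: str, new: str, min_shared: int = 5, max_similarity: float = 0.6):
    """Return reasons the new password is too close to the old one; empty means acceptable.

    Three independent checks: identical (case-insensitive), incremental
    (same stem), shared substring of at least `min_shared` characters, and a
    difflib similarity ratio above `max_similarity`.
    """
    reasons = []
    identical = new.lower() == old.lower()
    if identical:
        reasons.append("identical to previous password")
    old_stem, new_stem = password_stem(old), password_stem(new)
    if not identical and old_stem and old_stem == new_stem:
        reasons.append("incremental change of previous password")
    shared = longest_common_substring(old, new)
    if len(shared) >= min_shared:
        reasons.append(f"reuses '{shared}' from previous password")
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio > max_similarity:
        reasons.append(f"{ratio:.0%} similar to previous password")
    return reasons


if __name__ == "__main__":
    previous = "Winter2023!"  # constructed sample
    for proposed in ("Winter2024!", "2023!Winter", "correct horse battery staple"):
        print(f"{proposed!r:32} -> {check_password_change(previous, proposed) or 'accepted'}")
```

The second candidate shows why the substring check is kept separate from the similarity ratio: moving the digits to the front drops the difflib ratio below the threshold, but the reused `winter` stem is still caught.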
Learn more about Specops Password Policy and download a free trial version here: Active Directory Password Filter – Specops Password Policy
Sponsored and written by Specops Software