A joint security advisory has been released by multiple national cybersecurity agencies across the United States, Canada, New Zealand, the Netherlands, and the United Kingdom. It includes guidance on the top 10 most commonly exploited attack vectors cybercriminals use to gain initial access to organisations: https://www.cisa.gov/uscert/ncas/alerts/aa22-137a

This joint advisory provides great intelligence for organisations around the ways attackers commonly gain access to systems.
The advisory also highlights just how frequently weak passwords and user credentials appear in attacker exploits. Whether it be through exploiting default passwords, phishing, guessing insecure passwords, a failure to deploy MFA or using stolen login credentials, passwords are clearly a key enabler behind several cyberattack scenarios.
Organisations need to take action against this threat, because passwords are evidently a weak and exploitable link in the security chain.
One of the best remedies is to remove passwords from the hands of users and enable the transition to passwordless security, meaning employees can gain access to enterprise applications without the need to remember or manage hundreds of passwords.
This limits the chances of passwords being stolen or phished, and also means users are not forced to employ insecure password practices.