Credential theft lies behind the majority of cyber attacks today. Whether it is consumer cybercrime based on snatching banking credentials, or the targeting of access rights of core business systems and data, credential theft and misuse is fundamental to cybercrime.
However, while attack methods get a great deal of attention, much less is said about the evolving tactics used to steal and exploit credentials. This should be of greater concern due to how credentials are being used outside of traditional business networks to access sensitive data and systems. Identifying and reducing the scope of what attackers can achieve needs to be addressed.
So, what are the security risks around credentials in enterprises today?
Recently, social media accounts with high volumes of followers have been compromised, exploiting the trust placed in them to target tens of thousands of users. The same modus operandi is increasingly being used in the business world, where credentials stolen from a senior employee or executive can be used to influence both the digital and physical actions of other staff.
It is vital to understand how sophisticated this kind of credential theft is. There have been several examples where enough information was gathered through reconnaissance to ensure that when electronic demands were sent, the person whose credentials had been compromised was uncontactable, thus forcing the recipients to take a decision, which is typically socially engineered to be time bound.
The move to cloud-based email and data storage is adding a new layer of complexity that makes credential theft harder to spot. Once credentials are found that give access to cloud-based systems, they can be used without touching the business's network, which has traditionally been the bastion of its security controls. How do you validate that the correct user is leveraging these credentials in cloud services today?
Any difficulties in managing credentials are understandable when you consider how the same credentials can be used and cached in multiple devices and systems. Typically, multiple methods are used to gain access to the same business systems, whether they are apps, web interfaces or public clouds.
Cybercriminals’ ability to screengrab, keyboard log, and leverage underlying system or application vulnerabilities – whether that’s on a smart phone, tablet or PC, or in an internet cafe or cloud architecture – means ‘where’ and ‘how’ credentials require digital protection is proliferating.
It may seem easy to enforce policy around these credentials to minimise the risks, yet executives and senior staff often have the broadest access and are therefore more likely to be targeted, either directly, through their support staff, or via friends and family who can gain access to systems or passwords. Of course, single sign-on tools aimed at simplifying the user experience, and digital wallets/vaults, offer a possible option.
However, it’s important to consider which systems require more than just a single form of authentication, and how to apply and enforce this consistently across the technology-diverse user ecosystem.
If credential theft continues to be a core focus for the adversary, we need to extend the scope of where and how the credentials being used are protected, whether that’s from employees doing the wrong things or attackers looking for the path of least resistance to achieve their goal.
Although layers of security can continue to be applied throughout these technology systems, the constant across them is the credentials used. The impact here is the access they give, and the implied trust that goes with communications from these accounts.
Given all of this, here are five key issues you should be thinking about today:
How are you preventing credential theft attacks?
Within your existing processes, procedures and tools, what can be specifically implemented to manage credential theft? As an example, banks that send users marketing information will never ask for personal information or credentials via email.
The same principles can apply to businesses, for example an escalation process to validate email requests if the person is not contactable, so there is always a point of human verification. Review your tools, for example anti-phishing capabilities to see how they can be optimised to spot credential theft.
How do you identify and enforce the right level of validation against users to ensure they are who you think they are?
Visibility lies at the heart of all security strategies, including credential theft prevention. It is obvious but vital to ask whether you have a clear process to identify the information and accounts that could be sensitive, and to validate where and how users are leveraging these. If they are outside the business, how do you implement the right policy controls?
This may mean reducing or refusing access, or adding in additional authentication layers. How do you define and enforce this consistently, across the scope of connection methods being used, in a way that you can dynamically adapt to new requirements?
Where do you apply these enforcement controls?
As businesses move to the cloud, the pressure is on credentials to support more flexible and dynamic use of information systems. There is a prime requirement to add in secure access for new apps, cloud resources and devices, with minimal effort from an execution perspective.
Multifactor authentication can help here, but what happens where there is a resource it doesn’t support? As users and their connection methods change, how do you easily evolve the enforcement controls, and are you doing that at the source connection point or at the end authentication/data use point, or somewhere between the two?
How do you spot credential misuse?
The goal is to prevent credentials being misused, whether that’s an inside job or external attacker, yet you should have the ability to detect where instances occur quickly, to marginalise impact. What processes and capabilities do you have to spot when misuse does happen? Can you identify the sudden change in connection location, and do you see the increase in activity or the change in activity profile?
When you spot these, how easy is it for you to then segregate that account, either in its entirety or (better) at the points of access that would cause harm? What forensic data could you use to understand what has already occurred?
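The two detection signals named above, a sudden change in connection location and a jump in activity volume, can be checked mechanically against authentication logs. The following is an added example, not code from the article or from Palo Alto Networks; the log format, field names, thresholds and the sample log lines are all constructed for illustration and are not any product's real schema.

```python
"""Flag credential-misuse signals over constructed authentication log lines:
a login from a new country shortly after the previous one, and a burst of
activity well above the user's usual rate. Example code, not the article's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, source country, event type.
# Alice's session moves from GB to RU within 70 minutes and then bursts.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice GB login
2024-05-01T08:05:00Z alice GB mailbox_read
2024-05-01T08:40:00Z alice GB mailbox_read
2024-05-01T09:10:00Z alice RU login
2024-05-01T09:11:00Z alice RU mailbox_read
2024-05-01T09:12:00Z alice RU mailbox_read
2024-05-01T09:13:00Z alice RU mailbox_read
2024-05-01T09:14:00Z alice RU forward_rule_created
2024-05-01T08:30:00Z bob US login
2024-05-01T12:00:00Z bob US login
"""


def parse_log(text):
    """Parse the assumed four-field line format into dicts, sorted per user by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, action = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country, "action": action})
    events.sort(key=lambda e: (e["user"], e["ts"]))
    return events


def location_changes(events, max_gap=timedelta(hours=2)):
    """A login from a different country than the user's previous login, within
    max_gap, is suspicious: the user would have had to travel in that time.
    Returns (user, previous_country, new_country, timestamp) tuples."""
    alerts = []
    last_login = {}
    for e in events:
        if e["action"] != "login":
            continue
        prev = last_login.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= max_gap:
            alerts.append((e["user"], prev["country"], e["country"], e["ts"]))
        last_login[e["user"]] = e
    return alerts


def activity_spikes(events, window_minutes=10, factor=3, min_events=4):
    """Count events per user per fixed window and flag a window holding at least
    min_events and more than factor times the user's average over the other
    windows. A user with no other windows has baseline 0, so any window with
    min_events or more is flagged (there is nothing to compare against).
    Returns (user, window_start, count) tuples."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        ts = e["ts"]
        bucket = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                            second=0, microsecond=0)
        counts[e["user"]][bucket] += 1
    alerts = []
    for user, buckets in counts.items():
        for bucket, n in buckets.items():
            others = [c for b, c in buckets.items() if b != bucket]
            baseline = sum(others) / len(others) if others else 0
            if n >= min_events and n > factor * baseline:
                alerts.append((user, bucket, n))
    return alerts


def analyse(text):
    """Run both detections over a log and return the alerts keyed by signal."""
    events = parse_log(text)
    return {"location_changes": location_changes(events),
            "activity_spikes": activity_spikes(events)}


if __name__ == "__main__":
    for kind, alerts in analyse(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

Both checks are deliberately per-user rather than global: the question the article poses is whether this account's behaviour has changed, so the baseline is the account's own history. In practice the thresholds would be tuned per population (a travelling executive legitimately changes country more often than a desk-based clerk), and the alert would feed the segregation step above, ideally at the point of access where harm would occur rather than by disabling the whole account.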
Are you testing for credential theft scenarios?
Security professionals have become more used to testing network resilience by dealing with cyber breaches, but how frequently do you test to see what can be achieved with genuine credentials when used from a non-business system outside your network?
As you build out your visibility, you should start to consider which scenarios would have the greatest impact, and which would test your capabilities to identify, prevent and, where required, respond to credential misuse.
Credential theft is not going to go away soon, and will likely continue to grow as a way of facilitating attacks. By asking yourself these questions now, you can identify where your organisation may be vulnerable and how you can shore up your defences without impacting users.
Sourced by Greg Day, VP & chief security officer, EMEA at Palo Alto Networks