Compromised credentials and the enterprise: an accident waiting to happen?

How can IT departments deal with the issue of compromised credentials and implement policies that protect data.

Last year’s Yahoo hack, which resulted in an alleged 200 million sets of Yahoo credentials being dumped on the dark web, is yet another powerful example of the serious consequences which can arise when a website or app is hacked.

Various news outlets are reporting that the entire user data set is on sale for around £1,300, with email addresses, (hashed) passwords and dates of birth all rumoured to be included in the haul.

With lone wolves, hobbyists, hacktivist groups and state-sponsored hackers all actively engaged in hunts for this type of data, and exploit kits available for sale to the highest bidder, apps and sites are under almost constant attack.

>See also: Enterprise security in the connected devices age

And each new, successful hack seems to release a treasure trove of user credentials – credentials which are likely to be utilised again and again, for numerous different cloud apps in both business and personal spheres. When the same credentials are re-used in this way, these breaches expose multiple different cloud apps and services, creating significant risks to enterprises.

This problem is exacerbated by organisations’ heavy reliance on cloud apps. On average, a staggering 1,053 cloud apps are in use within the typical enterprise, according to Netskope’s June 2017 Cloud Report.

Yet 93.6% of those apps are not enterprise ready, lacking both core auditing functions and security certifications. As employees increasingly embrace and rely upon cloud apps to get their jobs done efficiently, this issue will only get worse.

As cloud and mobile trends continue to take off, and more and more data breaches lead to compromised credentials, organisations are being left vulnerable to specific and growing cloud-borne threats.

>See also: Keeping the enterprise secure in the age of mass encryption

The majority of IT professionals recognise that a large quantity of sensitive corporate data are now stored in, and shared through, the cloud. The challenge is therefore increasingly difficult: finding the balance between empowering staff to access and use cloud apps while implementing sufficient protection against data loss.

Some organisations are turning to cloud access security brokers (CASBs) to help solve these issues and more. A useful aspect of CASB solutions enables IT teams to set policy based on an individual user’s web reputation.

This works by asking new employees for their most commonly-used login credentials so that IT can run a reputation score on those credentials. Policy can then be applied to mitigate the threat posed by any credentials found to be unsafe.

This may sound draconian but it is a necessary precaution given what’s at stake, and no different to checking the security stance of devices trying to connect to a network.

Employees often feel more comfortable using their corporate details to sign up for services. They may feel less personally responsible for a corporate log-in, and perhaps might use it more flippantly, entering it online in sites or apps where they don’t want to use their own email address. This automatically passes on any resulting issues straight to their employer.

>See also: Enterprises using IoT aren’t securing sensitive data – Thales

An outsider using an employee’s compromised credentials will look like an insider, unless extra intelligence is gathered. Surgical visibility and control, and robust data analytics are crucially important as they will help differentiate between employees and bad actors.

Unusual behaviour or abnormal usage patterns will alert security teams to suspicious circumstances, but only if they have the necessary tools in place for visibility and control of employee behaviour, such as a CASB, and they know what “normal” looks like.

Wherever possible, organisations should use policy and employee training to coach staff towards safe courses of action and secure cloud apps without impacting productivity.

One powerful example would be a policy which would effectively triage uploaded data into the most suitable cloud storage app – Box, Dropbox, Egnyte, Intralinks, OneDrive, etc. – based on the nature of the data and the required security level.

The decision as to which app to use would then be taken out of the employee’s hands. Unlike humans, policies are harder to circumvent and less prone to mistakes. When policy is applied in this way, even if a consumer-grade cloud app were to be breached, the organisation can be sure that no critical data will be compromised.

Mitigating security risks from a company’s entire cloud app ecosystem cannot be completed in one fell swoop. Organisations can, however, take certain steps to better prepare themselves and their systems against these threats.

>See also: Enterprise navigation in the dark era of cyber attacks and cyber security

Ultimately, visibility is key: the IT department needs better and more granular visibility into the sanctioned and unsanctioned cloud apps in their corporate environment.

Investing time and money into understanding how these apps are being used and how best to secure the data within them will permit staff to continue using cloud technology to work effectively, while simultaneously ensuring that company data are not exposed to unnecessary risks from those apps.

Organisations can’t control which other parties fall victim to data breaches across the web, but they can take sensible steps to ensure that any credentials compromised in those breaches don’t then come back to haunt them.


Sourced by Andre Stewart, VP EMEA, Netskope

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...