[BreachExchange] The ‘Ricochet Effect’ of credential compromise

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 29 16:52:13 EST 2017


http://gulfnews.com/business/sectors/banking/the-ricochet-effect-of-credential-compromise-1.2130660

Barely a week goes by without reports of a data breach, and no organisation
is immune. In 2016, the financial sector was targeted repeatedly, most
notably by a group called “Bozkurt Hackers”, which first released 10GB of
data allegedly from a Sharjah-based bank. Over the next several weeks, the
group continued to leak data, claiming it belonged to six other banks.

These were direct attacks. But financial services firms can also suffer
when data breaches happen to other organisations. If employees reuse
their corporate email addresses and passwords on other sites and those
sites are compromised, the stolen credentials can be used to launch attacks
against the financial institution, in effect ricocheting back to the firm.

Looking at credentials dumped on copy-paste sites and otherwise shared
online reveals that more than half-a-million unique credentials are
available for financial services organisations. Major and regional banks
make up the majority.

So how are these credentials leaked? Most frequently, they can be traced
back to breaches of social media platforms: the LinkedIn and MySpace
breaches accounted for 63 and 8 per cent of the credentials respectively.
The Adobe breach accounted for a further 19 per cent. Breaches of dating
services such as Ashley Madison and Adult Friend Finder also supplied
credentials and, more seriously, personally identifiable information (PII).

Leaked credentials are used in a variety of ways that impact financial
services firms. For example:

Account takeovers — Taking advantage of the fact that people recycle
passwords across multiple services, attackers use compromised credentials
to gain access to other services, as happened in the Dropbox breach, which
began with a password that had already been exposed in the LinkedIn breach.

Credential stuffing — A form of brute-force attack in which large sets of
leaked username/password pairs are submitted automatically to websites
until a pair is accepted by an existing account. Unlike classic password
guessing, it tries known pairs rather than candidate passwords, so one or
two attempts per account across many accounts is enough. An attacker can
then hijack the matched account to drain it of funds, steal personally
identifiable information, or send spam.

Spear-phishing — Threat actors can craft personalised emails using the
information gleaned from breaches such as the LinkedIn breach as a way to
distribute malware.

Botnets — Breached data sets containing email addresses can be used in the
operation of botnets, which can subsequently be used to deliver spam or
more malicious pieces of malware.

To better prepare for and mitigate such incidents, here are ten tips for
protecting credentials.

1. Establish a policy that limits which external services may be
associated with corporate email accounts.

2. Implement an enterprise password-management solution. This provides not
only secure storage and sharing but also the generation of strong, unique
passwords for every service.

3. Review and monitor the password policies and formats of approved
external services, so you understand the risk each one introduces and the
weakest policy to which your staff's corporate credentials are exposed.

4. Proactively monitor for credential dumps relevant to your organisation's
accounts. Consider additional monitoring for the non-enterprise accounts of
your high-value targets (e.g. executives).

5. Internally, or with the help of an external service, evaluate credential
dumps to determine if the dumps are new or have been previously leaked.

6. Implement multi-factor authentication for external-facing corporate
services such as Microsoft Outlook Web Access and SSL VPNs, as well as for
software-as-a-service offerings such as Google Apps, Office 365 and
Salesforce.

7. Understand and document any internal services that aren't federated, so
that when a breach impacts an organisational account the response is
faster and the account can be reset everywhere, not only in the directory.

8. Ensure that you have an emergency password reset process in place. Make
sure that all of the users’ accounts are included, not just Microsoft
Active Directory accounts.

9. If you have any user behaviour analytics capabilities, import
compromised identity information and look for suspicious activity by those
users (for instance, access to resources they have not accessed before).

10. Update security awareness training to include the risks associated with
password reuse. Encourage staff to use consumer password management tools
such as 1Password or LastPass to also manage personal account credentials.
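Tips 4, 5, 8 and 9 together describe one workflow: take a dump, keep only the entries that touch your domains, decide which are genuinely new rather than re-posts of an old leak, queue those for an emergency reset and feed them to behaviour analytics. The Python below is an added example, not code from the original article or from any vendor; the dump lines, the domain, the baseline access data and the HMAC key are all constructed for illustration.

```python
import hashlib
import hmac

ORG_DOMAINS = {"example.com"}  # assumed corporate mail domains

# Constructed "email:password" dump lines in the usual paste-site format.
# These are not real credentials.
NEW_DUMP = """\
alice@example.com:Summer2016!
Bob@Example.com:bob123
mallory@other.org:letmein
carol@example.com:
dave@example.com:Winter2017
malformed line without separator
"""

# Entries already triaged from an earlier dump. They are stored as
# (email, HMAC-SHA256 of password) so the watchlist is not itself a
# cleartext password store; the key would live in a secrets vault.
WATCHLIST_KEY = b"assumed-secret-key"


def fingerprint(password):
    return hmac.new(WATCHLIST_KEY, password.encode("utf-8"),
                    hashlib.sha256).hexdigest()


PREVIOUSLY_SEEN = {
    ("alice@example.com", fingerprint("Summer2016!")),  # same leak re-posted
    ("dave@example.com", fingerprint("Autumn2015")),    # dave, older password
}


def parse_dump(text):
    """Yield (email, password) from email:password lines, skipping junk.
    Split on the first ':' only, because passwords may contain colons."""
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email:
            continue
        yield email.strip().lower(), password


def triage(dump_text, previously_seen=PREVIOUSLY_SEEN, domains=ORG_DOMAINS):
    """Split the dump's entries for our domains into: 'new' (password not
    seen before: emergency reset), 'known' (re-post of an already handled
    leak) and 'email_only' (address exposed, no password: phishing risk)."""
    out = {"new": [], "known": [], "email_only": []}
    for email, password in parse_dump(dump_text):
        if email.rsplit("@", 1)[1] not in domains:
            continue
        if not password:
            out["email_only"].append(email)
        elif (email, fingerprint(password)) in previously_seen:
            out["known"].append(email)
        else:
            out["new"].append(email)
    return out


# Constructed baseline of which resources each user normally touches, and
# recent access events to compare against (tip 9).
BASELINE = {
    "bob@example.com": {"mail", "crm"},
    "dave@example.com": {"mail"},
}
RECENT_ACCESS = [
    ("bob@example.com", "mail"),
    ("bob@example.com", "payroll-export"),
    ("dave@example.com", "mail"),
    ("alice@example.com", "wiki"),
]


def unusual_access(compromised_users, recent_access, baseline=BASELINE):
    """For users on the compromised list, return (user, resource) pairs
    where the user has no history of touching that resource."""
    watch = set(compromised_users)
    return sorted((u, r) for u, r in recent_access
                  if u in watch and r not in baseline.get(u, set()))


if __name__ == "__main__":
    result = triage(NEW_DUMP)
    print("reset now:", result["new"])
    print("already handled:", result["known"])
    print("email only:", result["email_only"])
    print("unusual access:", unusual_access(result["new"], RECENT_ACCESS))
```

Two design points matter in practice. Normalising the email (lower-casing, and for some providers stripping dots or plus-tags) is what stops the same account slipping through as "new" twice, and comparing keyed hashes rather than cleartext means the watchlist can be shared with a SOC or an external monitoring service without handing them the passwords. The "email_only" bucket is not a reset trigger, but it is exactly the population to warn about the spear-phishing described earlier.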

Financial institutions can’t control how other organisations manage their
security programmes. But they can avoid the ricochet effect by
understanding how compromised credentials can be used against them and
through better policies, controls, monitoring and employee education.