[BreachExchange] Why Your Employees' Compromised Credentials Endanger Your Organization

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 30 20:18:32 EST 2018


Massive data breaches that result in the compromise of personal information
such as social security numbers, addresses, credit card information, and
credentials have dominated headlines in recent years. Details are
frustratingly slow to emerge: it took years to find that the 2012 Dropbox
hack exposed 68M passwords, and three months after the Equifax breach,
millions of consumers have still not been notified that their personal
information may be in the wrong hands.

Why is the slow reveal so alarming? In that lag time, unsuspecting
consumers have no idea vital information like login IDs and passwords are
up for grabs on the Dark Web. It took three years to reveal that the 2013
Yahoo hack resulted in 200 million sets of valuable information for sale on
the Dark Web, including passwords and the security questions and backup
email addresses used to reset lost passwords.

People are creatures of habit, and hackers know that credentials are often
used repeatedly across cloud services and websites for personal and
business use.

With exploit kits readily available on the Dark Web, the barrier to entry
for hackers and level of knowledge required to launch cyberattacks are
significantly lowered, and these “compromised credentials” pose a very
significant threat to the enterprise.

IT professionals are finding it increasingly difficult to protect data from
the growing number of cloud-borne threats, as high volumes of sensitive
data continue to be stored and shared via the cloud. The delicate balance
between empowering staff to access and use cloud services, often with
their own passwords and login credentials, is becoming that much harder to

Luckily, technology isn’t just a means to unwittingly expose sensitive
data. Smart solutions exist to also protect that data, and make sure IT
remains one step ahead of a potential attack. To combat these growing
cloud-borne threats, organizations are turning to cloud access security
brokers (CASBs) that help solve these issues by setting security policies
in place, such as single sign-on, data loss prevention (DLP), malware
detection, authorization and more.

CASBs enable IT teams to set policy based on an individual user's web
reputation, which is based on the prevalence across the web of that user's
most commonly deployed credentials. This works by asking new employees for
their most commonly used login IDs so that IT can run a reputation score
on them.

While this procedure may sound draconian, it is a necessary precaution
given what’s at stake. A password provided by an employee’s IT department
likely meets strict requirements, but is easy for the employee to remember.
As a result, that employee may often feel more confident using corporate
login credentials to register for services online.

When that same password is used as a corporate login and also for a
personal site, one that very likely has been or will be hacked, it poses a
huge risk for businesses. Knowing which login credentials have been
reused, and identifying those that may have been compromised, is a
crucial step for IT departments.
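One way an IT team can turn that step into a check at onboarding or password change, as an added example that is not part of the article or any CASB product: compare each account's login ID and password against a local index of breach records using a k-anonymity-style hash-prefix lookup, so the full password hash never has to be sent anywhere. The breach corpus, accounts and risk labels are all constructed for the example.

```python
"""Added example: flag corporate accounts whose login ID or password appears in a
(constructed) breach corpus, without exposing plaintext passwords."""
import hashlib
from collections import defaultdict

# Constructed breach corpus: (login id, SHA-1 of the leaked password). A real
# corpus would be an indexed dump from a breach-data provider; these are made up.
# SHA-1 is used only because breach lists are conventionally keyed that way,
# never as a password storage hash.
BREACH_RECORDS = [
    ("alice@example.com", hashlib.sha1(b"Winter2017!").hexdigest()),
    ("bob@personalmail.test", hashlib.sha1(b"hunter2").hexdigest()),
    ("carol@example.com", hashlib.sha1(b"correct horse battery staple").hexdigest()),
]

def build_index(records):
    """Index leaked hashes by their first 5 hex chars (k-anonymity style) and
    record which login IDs appear in the corpus at all."""
    by_prefix = defaultdict(set)
    seen_ids = set()
    for login_id, pw_sha1 in records:
        by_prefix[pw_sha1[:5]].add(pw_sha1[5:])
        seen_ids.add(login_id.lower())
    return by_prefix, seen_ids

def password_is_compromised(password, by_prefix):
    """Only the 5-char prefix selects a bucket; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return digest[5:] in by_prefix.get(digest[:5], set())

def assess_account(login_id, password, by_prefix, seen_ids):
    """Return a risk label (hypothetical scheme) an IT team could act on."""
    if password_is_compromised(password, by_prefix):
        return "reset-required"   # the password itself is in a dump: reuse confirmed
    if login_id.lower() in seen_ids:
        return "monitor"          # the login ID is circulating: watch for takeover attempts
    return "ok"

if __name__ == "__main__":
    idx, ids = build_index(BREACH_RECORDS)
    for user, pw in [("alice@example.com", "Winter2017!"), ("dave@example.com", "unique-pass")]:
        print(user, assess_account(user, pw, idx, ids))
```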

It’s about more than just changing passwords. An outsider using an
employee’s compromised credentials will look like an insider unless extra
intelligence is gathered. Unusual behavior and abnormal usage patterns
alert security teams to suspicious circumstances, but only if they have the
necessary tools in place for visibility and control of employee behavior,
such as a CASB. Surgical visibility and control, and robust data analytics
are crucially important as they will help differentiate between employees
and bad actors.
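The kind of behavioural check the paragraph above alludes to, as an added example that is not from the article or any CASB vendor: build a per-user baseline of countries and devices from constructed cloud-service audit events and flag a login that breaks it, either a never-seen country on a never-seen device, or a country change too soon after the previous login. Event fields, the two-hour travel window and the finding labels are all assumptions made for the example.

```python
"""Added example: flag logins that look like an outsider using an insider's
credentials, from constructed cloud-service audit events."""
from datetime import datetime, timedelta

# Constructed audit log: (timestamp, user, source country, device id, service)
EVENTS = [
    ("2018-01-29T09:02:00", "alice", "US", "laptop-01", "box"),
    ("2018-01-29T17:40:00", "alice", "US", "laptop-01", "onedrive"),
    ("2018-01-30T08:55:00", "alice", "US", "laptop-01", "box"),
    ("2018-01-30T09:20:00", "alice", "RO", "unknown-7f3", "box"),  # 25 min later, new country + device
    ("2018-01-30T03:10:00", "bob",   "US", "phone-02",  "dropbox"),
]

TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two country changes inside this window are suspect

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def detect_anomalies(events):
    """Return (user, timestamp, reason) for events that break a user's observed
    baseline. Events are processed in time order per user; a user's first event
    only seeds the baseline and is never flagged."""
    findings = []
    baseline = {}  # user -> {"countries": set, "devices": set, "last": (time, country)}
    for ts, user, country, device, _service in sorted(events, key=lambda e: (e[1], e[0])):
        t = parse(ts)
        b = baseline.setdefault(user, {"countries": set(), "devices": set(), "last": None})
        if b["last"] is not None:
            last_t, last_country = b["last"]
            if country not in b["countries"] and device not in b["devices"]:
                findings.append((user, ts, "new country and new device"))
            elif country != last_country and t - last_t < TRAVEL_WINDOW:
                findings.append((user, ts, "impossible travel"))
        b["countries"].add(country)
        b["devices"].add(device)
        b["last"] = (t, country)
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(EVENTS):
        print(*finding)
```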

Organizations should use policy and training to coach staff so that they
can use secure cloud services without impacting productivity or security.
One powerful example would be a policy which would effectively triage
uploaded data into the most suitable cloud storage app – Box, Dropbox,
Egnyte, OneDrive, etc. – based on the required security level dictated by
the nature of the data.

In this case, the decision of which app or service to use is taken out of
the employee's hands. When policy is applied in this way, even if a
consumer-grade cloud service were to be breached, the organization can be
sure that no critical data will be compromised.

While organizations can’t completely control their users’ credentials
across the entire web, what they can do is enact practical measures to
ensure smart usage, and seek and block out hackers. This would ensure that
credentials that are compromised during a data breach will not come back
and haunt them somewhere down the line.

Having granular visibility into both sanctioned and unsanctioned cloud
services in a cloud environment is key: with a complete 360-degree view
into how services are being used and how best to secure the data within
them, employees will be able to work most effectively in the cloud, while
ensuring the safety of precious company data.