Encrypting data at rest, regularly auditing access, on-site security and monitoring for data leakage are just a few of the measures you can take to protect your corporate data. But all these measures quickly fall apart if users knowingly or unknowingly reveal their passwords. How to protect your data against password theft? An overview of the challenges of privileged access management.
Credential theft is commonplace
The security level of an networked information system is generally dependent on its weakest link. Often, this is the user: it is difficult to find the perfect balance between minimal inconvenience and maximum security.
Phishing, ransomware, social engineering, or sometimes even physical data theft, the opportunities to have one’s credentials stolen are numerous, and it is often noticed too late to mitigate the impact. Regularly, huge lists of logins and passwords appear on the Internet. Sometimes, it is the system administrators who are at fault, due to a bad server configuration, an accidental upload of a test database, or simply because the application used by your company does not apply certain necessary security measures. By exploiting these vulnerabilities, some individuals manage to gather large swaths of user credentials, most often valid.
To date, the largest list of accounts is called “Collection #1”; in 2019, a 2.7 billion rows database, containing 773 million unique email addresses, as well as passwords associated with each of those rows was leaked.
Collection #1 is a series of 12,000 text files uploaded on MEGA, totaling 87 GB of user credentials.
Source: Troy Hunt
This list does not mention which websites those databases were stolen from; it would be tempting to think that such a list is unusable. Unfortunately, most users reuse their passwords, making these thefts quite viable, even if the credentials have not been stolen from your systems: by using a technique called credential stuffing, which involves testing stolen username and password pairs on a target from one of these stolen account sources, an attacker can hope that a user has reused their password.
Akamai, a leading Internet service provider, estimated in 2017 that credential stuffing could cost companies up to $5 million per attack, primarily in application downtime, lost customers and time invested by IT teams. Additionally, there is an estimated monetary loss of $500,000 to $54 million, assuming that 1% to 100% of your users’ accounts are compromised, respectively.
The same vendor indicated that the number of credential stuffing attacks on financial services providers is steadily increasing, with a 45% increase between 2019 and 2020. 3.4 billion attacks specifically using this modus operandi were conducted on online services of banks worldwide in 2020 alone.
Stolen credentials are not only a matter of corporate data
In addition to the loss of time and money that credential stuffing causes, if such a data breach impacts your business, your legal responsibility may also be engaged: the GDPR (General Data Protection Regulation), explicitly classifies logins and passwords as PII (Personally Identifiable Information). Thus, any leak of such identifiers or data, whether or not due to negligence, must be notified to all users as soon as it is detected, and no later than 72 hours after the discovery; any failure to comply with this obligation may cause your company to pay a fine of up to 2% of its turnover as compensation for the breach.
How to mitigate such losses?
While not inevitable, the theft or loss of credentials can be mitigated:
The first line of defense lies with the users of these credentials. Offer specific training to identify phishing, encourage users to report any breach they notice, or any loss of credentials they experience, without repercussions.
The sooner the loss of credentials is discovered, the faster it can be dealt with; in the case of a dissemination of part or all of your customer base, you can also protect yourself more quickly from the consequences of a data leak if you spot it early enough.
Strengthen security by adapting security protocols
Historically, it was recommended to change your password on a regular basis. Specifically, NIST, the American technology standards institute, recommended changing your password frequently, usually every 42 days, at most. However, it was found that such a policy causes users to use a much weaker password, knowing that they will have to change it in the near future.
It was also found that a long password is more secure than a complex one; NIST guidance calls for a minimum of 8 characters.
But a secure password is no longer enough; authentication techniques called “multi-factor” must be used:
Implement multi-factor authentication (2FA, MFA)
Multi-factor authentication, by verifying a user’s login attempt through something they have (a temporary password generator), in addition to something they know (their traditional password) adds a layer of security in the case of data leakage attacks.
The user proves that he is the instigator of the connection through his smartphone, through a dedicated generating device, through a physical security key (FIDO type) or through a one-time code book. If the system is well implemented (and does not allow resetting these additional factors via email, or allows overriding it in case of unavailability), the security level is greatly increased.
However, beware of authentication SMS, as SIM cards can be hijacked directly from cell phone operators.
Set up access audit and privileged access management systems
In the context of access to company resources, it may be appropriate to add to these policies a continuous access audit system and privileged access management system. By using a jump-box system with secure access, it is easy to limit and control access to resources by forcing users through a well-surveilled “bottleneck”. This will allow the capture of exchanges, the granular recording of accesses, and will also make it possible not to reveal the connection credentials to certain systems, in favor of the user’s identification, via a “bank safe” system.
These systems also make it possible to quickly revoke access to all privileged resources, without having to reset sometimes inaccessible passwords.
I have experienced a credential leak, or my login information has been stolen: what should I do?
In the first case, the absolute emergency is to disable access to all privileged resources. Once this is done, a mechanism for invalidating all user accounts must be triggered, so that they can reset their passwords.
All users affected by such an information leak must also be notified within 72 hours according to the GDPR.
If your credentials have been stolen, it is important to do a personal “mini-audit”: if you use the password that has been stolen on several services, all accounts on these services are considered as compromised, and the passwords will have to be reset immediately, individually, on each service.
Within your organization, it is important to focus on continuous auditing of privileged access, and a sound password policy, to minimize the impact that data leaks could have. While not absolutely inevitable, accidents do happen and can be very costly to a company’s operations.
The importance of multi-factor authentication and privileged access control is a powerful bulwark against credential leaks.
Sonema has been helping its customers for over 30 years with their growing connectivity needs, and also offers solutions for privileged access control (PAM), multi-factor authentication and security auditing. For more information, contact us.