The cost of compromised credentials creeps up

Evaluate needs, set up strong protocols to match security services with actual risk


The most common credentials are a combination of username and password, but those have lost a good bit of their protective powers. Next-generation credentials also are edging toward a precarious place. Here’s what you need to know about the dangers of compromised credentials and how to mitigate those risks.

The speed of work these days puts enormous pressures on InfoSec, IT and workers alike to rush the credentialing process. Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access per job roles, enforcing secure passwords, and immediately revoking credentials after an employee moves on. These are but a few of the dangers that lead to compromised credentials.

When passwords and usernames linger long after an employee, contractor or vendor relationship has ended, criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.

And when automated systems render short, ineffective password choices or, conversely, overly long ones that users must write down to remember, they end up compromised quickly. Add to that any password-sharing practices and security shortcuts during sign-ons (such as storing a password in a browser) and things get more precarious. Yet all of this is common.

These practices represent significant risk considering that, according to Verizon’s 2016 Data Breach Investigation Report, 63 percent of confirmed data breaches involved weak, default or stolen passwords.

Unfortunately, PINs and tokens can fall prey to shoddy security practices, as can several of the next-generation credentialing protocols. This means the cost of data breaches will continue to escalate.

Per the Ponemon Cost of Data Breach 2016 report, the average cost of a breach has jumped to over $4 million per incident. That’s a 29 percent increase since 2013 and a 5 percent increase since last year. But this staggering figure doesn’t include damages to brand reputation, customer confidence, an executive’s career, or other related costs in damages or recovery.

Fortunately, companies can mitigate risks and regain control.

Policy makes better practice

The key to making effective policy is to consider the work processes and stagger the credential processes to fit. For example, a password may suffice for access to public-facing information with no transaction, identifying or sensitive information. These passwords should still be encrypted and protected, but they shouldn’t slow down the user.

On the other end of the spectrum, where access to highly sensitive information is needed, stronger, more complex passwords and security layers such as biometrics, cryptographic keys or out-of-band confirmation codes can be added.

The point is to match the security measures to the actual risk. But you also want to make your policy workable in the real world.

Consider asking users to think of a long sentence that means something to them and capitalize every second, third, fourth or other letter in every word. They also should use at least one symbol.

Also, it is a good idea to involve business users and executives in the policy development so that what you end up with is workable for all parties. This means better adoption and adherence.

Adding security tech, services to your arsenal

It’s important to not only use strong credentials, but to associate known behaviors with those credentials. If, for example, you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected.
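The behavior check described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the event fields, the file categories and the sample log are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday")

# Constructed sample history: (user, ISO timestamp, location, file category).
HISTORY = [
    ("bill", "2016-09-06T09:05", "office", "contracts"),  # Tuesday
    ("bill", "2016-09-07T10:12", "remote", "contracts"),  # Wednesday
    ("bill", "2016-09-08T08:55", "office", "invoices"),   # Thursday
    ("bill", "2016-09-09T11:30", "remote", "invoices"),   # Friday
    ("bill", "2016-09-12T09:40", "remote", "contracts"),  # Monday
    ("bill", "2016-09-13T09:02", "office", "contracts"),  # Tuesday
]

def weekday_of(ts):
    """Name of the weekday for an ISO timestamp, independent of locale."""
    return DAYS[datetime.fromisoformat(ts).weekday()]

def build_baseline(events):
    """Per user, record the (weekday, location) pairs and file categories seen."""
    base = defaultdict(lambda: {"where": set(), "files": set()})
    for user, ts, location, category in events:
        base[user]["where"].add((weekday_of(ts), location))
        base[user]["files"].add(category)
    return base

def deviations(baseline, event):
    """Return the reasons an event departs from the user's known behavior."""
    user, ts, location, category = event
    if user not in baseline:
        return ["no baseline for user"]
    profile, day = baseline[user], weekday_of(ts)
    reasons = []
    if (day, location) not in profile["where"]:
        reasons.append(f"unusual location '{location}' on {day}")
    if category not in profile["files"]:
        reasons.append(f"unfamiliar file category '{category}'")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed event: valid credentials, but the wrong place and files.
    suspect = ("bill", "2016-09-14T09:10", "office", "payroll")
    for reason in deviations(baseline, suspect):
        print("ALERT bill:", reason)
```

A real deployment would build the baseline over a longer window and treat a deviation as a prompt for step-up verification or review rather than as proof of compromise.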

Monitoring activity such as password resets, unusual fund transfers, unauthorized account access reports, unexpected address changes, and public record alerts also is helpful in catching malevolent characters quickly.

Fortunately, security services can handle all of these issues. However, not all security services are created equal.

Differences in threat intelligence

One of the key areas that differentiates security services is threat intelligence. But that’s a broad term and the services offered may be unclear, so it pays to dig deeper for a better understanding.

For example, some security vendors rely heavily on Open Source Intelligence (OSINT) data that is publicly available and sometimes unverified. While there is value in shared threat information, it is difficult to authenticate and evaluate the threat when there is insufficient or unverified information available.

Security vendors who proactively scan Dark Web sites, hacker dump sites, hacktivist forums, file-sharing portals, data leaks and botnet exfiltration, and malware logs to both verify the publicly shared OSINT data and harvest additional threat data provide the most protection.

Closely evaluate what a security company means when it says “threat intelligence” before you sign on.

Compromised credentials will always be a potential problem but with the right partner, the risk can be contained.
