Technical and Process Controls for the Enterprise Must Extend to Employees and How They Engage in Personal Services
The ubiquitous use of social media has blurred the lines between business and personal lives. A lot has been written about the importance of keeping the two separate, with an emphasis on the potential risk to an individual’s reputation. A photo or casual comment meant for a friend can have a detrimental effect when viewed by a business associate or employer. But there’s another important reason why separating business from pleasure should be a concern – the potential for increased cyber risk to your business stemming from credential compromise to social media accounts.
Barely a week goes by without reports of a leaked database. At the same time, dumps of stolen credentials are regularly sold, traded and shared online across paste sites, file-sharing sites and online marketplaces. Credential compromise is not new, but how these credentials become available is often directly related to the lack of separation between business and pleasure.
The LinkedIn and MySpace databases were recently exposed by threat actors using the names “Peace of Mind” and “Tessa88”. Breaches of dating services like Ashley Madison and Adult Friend Finder also were the source for credentials. And although proportionally low, even gaming services have been responsible for leaked credentials. It may be surprising but many of the credentials used for these sites were corporate accounts. That’s right. Many employees reuse their corporate emails for other services and, when these services are breached, it also reveals their credentials.
Employees who have reused corporate emails and passwords for personal use can put their employers at risk of account takeovers, credential stuffing and extortion attempts.
On May 23, 2016, OurMine Team reportedly compromised a number of social media profiles for various business personnel and celebrities. The accounts that were affected included Twitter, Tumblr and LinkedIn profiles. The group initially claimed the use of zero-day exploits to compromise accounts, but later confirmed access was secured through the use of information from the recently exposed dataset from LinkedIn. More recently, it was reported that the alleged Dropbox leak also occurred from password reuse of the LinkedIn breach. The likelihood is that people have neglected to change their passwords since 2012, and proceeded to recycle the same password for multiple services.
Threat actors can automatically inject breached username and password pairs in order to fraudulently gain access to user accounts. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inputted into websites until a match with an existing account is found. An attacker can then hijack that account for a variety of purposes, such as draining stolen accounts of funds, the theft of personally identifiable information, or to send spam. According to the Open Web Application Security Project (OWASP), credential stuffing is one of the most common techniques used to take-over user accounts.
Hundreds of thousands of corporate email addresses were leaked as part of the Ashley Madison breach. Following the breach of online dating site Ashley Madison in July 2015, extortion attempts were directed against specific individuals identified within the compromised dataset. Users received extortion emails threatening to share the exposed information with the victim’s partner, unless one Bitcoin was paid into a specified Bitcoin wallet. A number of automated post-breach extortion services also emerged including one site that reportedly spammed users with unsolicited bulk emails that suggested their spouses or employers may find out their details were exposed.
By better understanding that corporate credentials are being reused for personal services and how threat actors may exploit credentials, security teams can better prepare for and mitigate instances of credential compromise. Here are a few tips.
• Establish a policy for which external services are allowed to be associated to corporate email accounts.
• Understand and monitor approved external services for password policies and formats to understand the risks and lowest common denominators.
• Proactively monitor for credential dumps relevant to your organization’s accounts and evaluate these dumps to determine if the dumps are new or have been previously leaked, in which case you may have already addressed the matter.
• If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g., accessing resources that have not been accessed in the past.)
• Update security awareness training to include the risks associated with password reuse.
• Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.
The number of compromised credentials that are available online is staggering, providing a goldmine for attackers. In fact, Verizon’s 2016 Data Breach Investigations Report found that breached credentials were responsible for 63 percent of data breaches. As the lines between personal and professional become blurred, so too must the approach that organizations take to deal with cyber risk. Technical and process controls for the enterprise must extend to employees and how they engage in personal services.
Alastair Paterson is CEO and Co-Founder of Digital Shadows. Alastair has worked for over a decade advising secure government and FTSE 100 clients on large-scale data analytics for risk and intelligence. Before founding Digital Shadows in 2011, Alastair was International Propositions Manager at BAE Systems Detica working with clients in the Gulf, Europe and Australasia. He holds a first class MEng in Computer Science from the University of Bristol.