Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

The Cyber Risk of Mixing Business with Pleasure

Technical and Process Controls for the Enterprise Must Extend to Employees and How They Engage in Personal Services

Technical and Process Controls for the Enterprise Must Extend to Employees and How They Engage in Personal Services

The ubiquitous use of social media has blurred the lines between business and personal lives. A lot has been written about the importance of keeping the two separate, with an emphasis on the potential risk to an individual’s reputation. A photo or casual comment meant for a friend can have a detrimental effect when viewed by a business associate or employer. But there’s another important reason why separating business from pleasure should be a concern – the potential for increased cyber risk to your business stemming from credential compromise to social media accounts.

Barely a week goes by without reports of a leaked database. At the same time, dumps of stolen credentials are regularly sold, traded and shared online across paste sites, file-sharing sites and online marketplaces. Credential compromise is not new, but how these credentials become available is often directly related to the lack of separation between business and pleasure. 

The LinkedIn and MySpace databases were recently exposed by threat actors using the names “Peace of Mind” and “Tessa88”. Breaches of dating services like Ashley Madison and Adult Friend Finder also were the source for credentials. And although proportionally low, even gaming services have been responsible for leaked credentials. It may be surprising but many of the credentials used for these sites were corporate accounts. That’s right. Many employees reuse their corporate emails for other services and, when these services are breached, it also reveals their credentials. 

Employees who have reused corporate emails and passwords for personal use can put their employers at risk of account takeovers, credential stuffing and extortion attempts.

Account takeovers

On May 23, 2016, OurMine Team reportedly compromised a number of social media profiles for various business personnel and celebrities. The accounts that were affected included Twitter, Tumblr and LinkedIn profiles. The group initially claimed the use of zero-day exploits to compromise accounts, but later confirmed access was secured through the use of information from the recently exposed dataset from LinkedIn. More recently, it was reported that the alleged Dropbox leak also occurred from password reuse of the LinkedIn breach. The likelihood is that people have neglected to change their passwords since 2012, and proceeded to recycle the same password for multiple services.

Credential stuffing

Threat actors can automatically inject breached username and password pairs in order to fraudulently gain access to user accounts. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inputted into websites until a match with an existing account is found. An attacker can then hijack that account for a variety of purposes, such as draining stolen accounts of funds, the theft of personally identifiable information, or to send spam. According to the Open Web Application Security Project (OWASP), credential stuffing is one of the most common techniques used to take-over user accounts.

Extortion attempts

Hundreds of thousands of corporate email addresses were leaked as part of the Ashley Madison breach. Following the breach of online dating site Ashley Madison in July 2015, extortion attempts were directed against specific individuals identified within the compromised dataset. Users received extortion emails threatening to share the exposed information with the victim’s partner, unless one Bitcoin was paid into a specified Bitcoin wallet. A number of automated post-breach extortion services also emerged including one site that reportedly spammed users with unsolicited bulk emails that suggested their spouses or employers may find out their details were exposed. 

By better understanding that corporate credentials are being reused for personal services and how threat actors may exploit credentials, security teams can better prepare for and mitigate instances of credential compromise. Here are a few tips.

Set policies

• Establish a policy for which external services are allowed to be associated to corporate email accounts. 
• Understand and monitor approved external services for password policies and formats to understand the risks and lowest common denominators.

Monitor activity

• Proactively monitor for credential dumps relevant to your organization’s accounts and evaluate these dumps to determine if the dumps are new or have been previously leaked, in which case you may have already addressed the matter. 
 • If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g., accessing resources that have not been accessed in the past.) 

Educate employees

• Update security awareness training to include the risks associated with password reuse. 
• Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.

The number of compromised credentials that are available online is staggering, providing a goldmine for attackers. In fact, Verizon’s 2016 Data Breach Investigations Report found that breached credentials were responsible for 63 percent of data breaches. As the lines between personal and professional become blurred, so too must the approach that organizations take to deal with cyber risk. Technical and process controls for the enterprise must extend to employees and how they engage in personal services. 
Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.