Closing Gaps in Credential Security Requires Awareness of What Gaps Exist and How to Mitigate Them
On March 23rd, 2018, the United States brought charges against nine Iranians for their alleged state-sponsored attacks on 100,000 university professors worldwide, including in the US. The attackers’ target was “valuable intellectual property and data”, but their tactic was compromising email accounts through spear phishing.
Separately, in January 2018, VeriClouds released research indicating that 2.7 million credentials belonging to Fortune 500 employees had been compromised and were available for sale on the dark web, appearing in an average of 2.3 data sources each. That is 10% of everyone employed by the Fortune 500.
The Fortune 500 were just the tip of the iceberg, though. On December 5th 2017, 4iQ shared that a database of 1.4 billion credentials had been found on the dark web. Going further back to last April, the 2017 Verizon Data Breach Investigations Report found that 81% of breaches in the previous year leveraged stolen and/or weak passwords.
Notice a theme?
All this leads to the question – what can we do to close the gaps in credential security?
What’s in it for the user?
We’ve heard many times that the user is the weakest link in security. Complex, single-use passwords that are changed often are not compatible with human memory capacity. But even if all passwords were suddenly to become as strong as security practitioners wanted them to be, users would remain a weak link. Whether by phishing, post-it notes, or just plain old confidence scams, those credentials would still leak out.
The reality is that there isn’t enough incentive for users to go to extraordinary lengths to strengthen and protect their credentials. Sure, there’s a general sense of employee loyalty and perhaps even some awareness of the importance of protecting credentials, but that isn’t enough to overcome the perception that it’s simply too difficult to outwit attackers who keep renewing their efforts with creative new tactics.
Are there incentives that could encourage users to improve their credential control?
Most organizations don’t penalize users for loss of their credentials when the loss isn’t malicious. Perhaps that’s because recruiting top talent is difficult enough without the fear of reprisals from the security team. At any rate, not all credential loss can be blamed on users – a keylogger could land on their system through no fault of their own, for example.
If not the stick, then perhaps the carrot? Could a system of small incentive payments, for each quarter or year that a user’s credentials aren’t found for sale on the dark web, encourage users to educate themselves about credential loss and better protect their credentials? That would be a unique program, requiring either the skills to infiltrate criminal information exchanges or a third-party service to do the same. Many business and security leaders would point out that employees should be acting securely as part of their job. While that may be true, how’s it working out? The attacks, and the resulting loss of credentials and/or sensitive data, seem to continue unabated. If so, might incentives be a low-cost way to improve security?
Taking credential security beyond the hands of the users
No matter how many sticks and carrots we offer to users, users will likely remain the weakest link. We have to shift credential security to other controls that go beyond relying on the user. The challenge is that credentials present so many attack vectors that a multitude of controls is required, such as:
● Anti-virus and email protection against phishing are foundational.
● Access controls, including Identity Management and Single Sign-On, need to be unified across cloud and on-premises services so that gaps can’t be exploited. Users often leave a company but retain access to cloud services.
● Two-factor authentication (2FA) can make a stolen password useless by itself. With almost all users possessing a mobile device today, which makes 2FA easier to deploy, there’s little reason not to implement it, especially for access to sensitive data.
These common controls are often implemented in piecemeal fashion because of cost, technical challenges, and user pushback. Closing the gaps in a patchwork of controls is going to require a more intelligent approach.
The future of credential security
User Behavior Analytics (UBA) focuses on patterns of human behavior and applies analytics to detect meaningful anomalies that can indicate a potential threat. The algorithms were rudimentary in the early days, but as the technology matures, we can expect better machine learning and less manual effort to find patterns of concern.
Analytics of any type works best when it is fed vast amounts of data that continually train the system for better outcomes, and that data is not always easy to obtain and store. Security sources such as SIEM, IDS/IPS, and identity and access management logs are table stakes, but expanding into corporate email, unstructured data in the cloud, and even social media is going to be necessary to understand what is normal for a given user. We will still need a combination of controls to secure credentials, but when those controls have been bypassed, UBA holds the hope that we will be able to detect credential misuse and respond accordingly to reduce or prevent data loss, sabotage, or other adverse effects on the business.
Ultimately, closing the gaps in credential security requires awareness of what gaps exist and how to mitigate them. Like most security efforts, there is no single silver bullet. Each control has a role to play in credential security.
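As an added illustration of the baseline-and-anomaly idea behind UBA (example code written for this article, not any product's implementation), the snippet below builds a per-user profile of normal login countries and hours from constructed authentication events, then flags a successful login that breaks the profile or follows a burst of failures. The event format, the countries, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication events (not from any real system):
# (user, UTC timestamp, source country, result).
BASELINE = [
    ("alice", "2018-03-05T09:12:00", "US", "success"),
    ("alice", "2018-03-06T08:55:00", "US", "success"),
    ("alice", "2018-03-07T17:40:00", "US", "success"),
    ("bob",   "2018-03-05T10:05:00", "DE", "success"),
    ("bob",   "2018-03-06T11:30:00", "DE", "success"),
]
# New events to score: alice's password is used from a new country at
# 03:00 UTC after two failed attempts; bob looks like his usual self.
NEW = [
    ("alice", "2018-03-12T03:02:00", "RO", "failure"),
    ("alice", "2018-03-12T03:02:10", "RO", "failure"),
    ("alice", "2018-03-12T03:02:30", "RO", "success"),
    ("bob",   "2018-03-12T10:15:00", "DE", "success"),
]

def build_baseline(events):
    """Per user: countries and login hours (UTC) seen on successful logins."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country, result in events:
        if result == "success":
            profile[user]["countries"].add(country)
            profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def score_events(profile, events, max_failures=2):
    """Return {user: [reasons per flagged success]} for logins that deviate
    from the user's baseline. Failures are counted until the next success."""
    findings, failures = defaultdict(list), defaultdict(int)
    for user, ts, country, result in events:
        if result == "failure":
            failures[user] += 1
            continue
        base, reasons = profile.get(user), []
        if base is None:
            reasons.append("no baseline for user")
        else:
            hour = datetime.fromisoformat(ts).hour
            if country not in base["countries"]:
                reasons.append(f"new country {country}")
            if min(abs(hour - h) for h in base["hours"]) > 1:  # allow 1h drift
                reasons.append(f"unusual hour {hour:02d}:00 UTC")
            if failures[user] >= max_failures:
                reasons.append(f"{failures[user]} failures before success")
        failures[user] = 0
        if reasons:
            findings[user].append(reasons)
    return dict(findings)
```

A real deployment would feed the profile from the SIEM or identity provider logs named above and would tune the hour tolerance and failure threshold per population rather than hard-coding them.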