Compromised Credentials: The Primary Point of Attack for Data Breaches

Organizations Should Move to an Identity-centric Approach Based on a Zero Trust Model

Recent headlines of Russia-linked hackers harvesting access credentials to infiltrate the U.S. Senate and stage lateral attacks illustrate a common tactic used by cyber criminals and state-sponsored attackers. According to the Verizon 2017 Data Breach Investigations Report, a whopping 81% of hacking-related breaches leverage either stolen, default, or weak passwords. So why are so many organizations still focusing on securing the network perimeter, instead of rethinking their core defenses by maturing their identity and access management strategies to secure applications, devices, data, and infrastructure — both on-premises and in the cloud?

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, and therefore provides the intruder with “the keys to the kingdom”. By leveraging a “trusted” identity a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by credential harvesting campaigns. Common methods for harvesting credentials include the use of password sniffers, phishing campaigns, or malware attacks. 

To limit their exposure to these attacks, organizations need to rethink their enterprise security strategy and move to an identity-centric approach based on a Zero Trust model: never trust, but always verify a user’s identity and access credentials. This concept should be implemented with an organization’s workforce, as well as its customers, partners, privileged IT admins, and outsourced IT.

Unfortunately, many organizations still primarily use single-factor authentication (i.e., passwords) to identify a person electronically. Even though most businesses have enforced stricter password strength policies (e.g., length and reuse requirements, renewal intervals) in recent years, end users and privileged account holders often have too many passwords to remember. This makes them prone to either sharing passwords across different environments or even openly recording and storing them. 

To address these problems, organizations should consider the following best practices for identity and access management, which fall into four levels of maturity: ‘Good’, ‘Better’, ‘Great’, and ‘Optimal’.

To achieve a ‘Good’ identity management posture, organizations need to establish identity assurance. This can be accomplished by consolidating identities to shrink the attack surface, leveraging Single Sign-On technology, and enforcing risk-based access. In this context, multi-factor authentication (MFA) plays an essential role. When MFA is in place, knowing someone’s user name and password is no longer enough to assume the victim’s identity. The likelihood of a hacker gaining access to something their victim knows, something they have, and something they are, is very limited.

To transform to ‘Better’ identity and access management practices, organizations should establish so-called access zones and require access approvals to be provisioned in accordance with a user’s role. By doing so, lateral movement can be limited.

To achieve ‘Great’ identity and access management practices, organizations should also enforce least privilege, limiting access rights for users to the minimum permissions they need to perform their job, and ultimately grant these on a just-in-time basis. By doing so, unusual behavior can be detected before it results in a data breach.

To achieve an ‘Optimal’ identity and access management maturity status, organizations should combine all of the above with behavior-based machine learning technology and risk scoring to stop breaches in real time based on user behavior. A machine learning engine can help detect whether the access being requested is originating from a legitimate user, or from an attacker who has compromised that user’s account.

With the help of machine learning, access profiles are automatically created based on user behavior. A risk score is then automatically assigned to each access request made by users – across cloud and on-premises applications, VPN, servers, shared account checkout, and more. If an access request is consistent with typical user behavior, it presents a low risk. Factors that increase risk include access requests from atypical locations, networks, or devices, or at unusual times. The user’s risk score determines whether access is granted, requires step-up authentication (e.g., entering a one-time password delivered via SMS), or is blocked entirely.
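The scoring-and-decision flow described above, reduced to a minimal model: a per-user baseline profile, a risk score that grows with each attribute deviating from it, and thresholds that map the score to allow, step-up or block. This is an added illustration, not code from the article or from any vendor product; the weights, thresholds, sample user, and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessProfile:
    """Baseline built from a user's past requests (stands in for the learned ML profile)."""
    locations: set = field(default_factory=set)  # countries seen before
    networks: set = field(default_factory=set)   # source networks (e.g. ASNs) seen before
    devices: set = field(default_factory=set)    # device identifiers seen before
    active_hours: range = range(7, 20)           # typical working hours, local time

@dataclass
class AccessRequest:
    location: str
    network: str
    device: str
    hour: int

# Weights and thresholds are hypothetical tuning values chosen for this example.
WEIGHTS = {"location": 40, "network": 20, "device": 30, "time": 15}
STEP_UP_THRESHOLD = 30  # at or above: require step-up authentication
BLOCK_THRESHOLD = 70    # at or above: deny the request outright

def risk_score(profile: AccessProfile, req: AccessRequest) -> int:
    """Add a weight for every attribute that deviates from the user's baseline."""
    score = 0
    if req.location not in profile.locations:
        score += WEIGHTS["location"]
    if req.network not in profile.networks:
        score += WEIGHTS["network"]
    if req.device not in profile.devices:
        score += WEIGHTS["device"]
    if req.hour not in profile.active_hours:
        score += WEIGHTS["time"]
    return score

def decide(profile: AccessProfile, req: AccessRequest) -> tuple:
    """Map the score to the three outcomes the article names: allow, step-up, block."""
    score = risk_score(profile, req)
    if score >= BLOCK_THRESHOLD:
        return "block", score
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score
    # Only allowed requests extend the baseline; anomalous ones never teach it.
    profile.locations.add(req.location)
    profile.networks.add(req.network)
    profile.devices.add(req.device)
    return "allow", score

def baseline() -> AccessProfile:  # constructed sample user
    return AccessProfile({"DE"}, {"AS3320"}, {"laptop-01"})
```

A single unfamiliar network during working hours stays below the step-up threshold and is learned, whereas a new location combined with an off-hours login triggers step-up without being learned, and a request that is new on every axis is blocked.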

This continuous monitoring approach meets the requirements of Zero Trust Security, which is promoted by the National Institute of Standards and Technology (NIST), Forrester, and corporate innovators like Google.

Organizations need to recognize that perimeter-based security, which focuses on securing endpoints, firewalls, and networks, provides no protection against identity and credential-based threats. Until we start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
