The latest Verizon Data Breach Investigations Report identifies that credentials are the most sought-after hacker targets — even more than bank or medical records and even personal data.
Hackers use these stolen credentials to launch attacks to try and breach an organization. No business is immune from these risks and they face a constant battle to ensure that compromised passwords are not in use within their organization.
Enterprises must take steps to shore up credential security or face the potential financial and reputational impact of a successful breach. With exposed credentials often cited as the source of breaches or debilitating ransomware attacks like the Colonial Pipeline, every business needs to reevaluate how it protects itself from this ever-growing threat.
Poor password policies
Organizations have historically addressed the threat of compromised passwords by enforcing password resets. However, this approach has proven ineffective as it does nothing to ensure that the new password is strong and has not been exposed. It can also increase operational costs and have a negative impact on employee and user productivity.
The National Institute of Standards and Technology (NIST) advises against this approach and recommends that companies verify that passwords haven't been compromised before being activated and continuously monitor those passwords to ensure that they do not become compromised in the future.
Organizations must retire the strategy of enforced resets and instead only look to replace exposed passwords.
The password reuse problem
The key reason that credentials are so valuable to hackers is because of the pervasive problem of password reuse. Every business needs to be aware of the inherent vulnerabilities this creates and address the problem.
If passwords have been exposed in a prior breach, then rest assured they are for sale on the Dark Web for cybercriminals to purchase.
Once a hacker obtains the stolen credentials, they can quickly launch a successful attack against any site where the exposed password is still in use. Password reuse is rampant with numerous surveys all identifying that the vast majority of people continue to regularly reuse passwords. As a result, compromised credentials threaten multiple sites when a data breach occurs, not just the organization that experienced the breach.
Automated attacks
Stolen credentials fuel various types of password attacks, from brute force to credential stuffing. All of these automated methods have the same end goal of account takeover and fraud. For example, credential stuffing attacks are carried out by an automated bot that hammers away at websites using exposed credentials until it finds a successful combination. The hacker can then either access the account directly or sell the data to other cybercriminals.
Credential stuffing is increasingly popular due to the fact that instigating a large-scale attack is relatively low cost.
The automation enables bad actors to significantly improve their success rates which in turn continues to make credentials an increasingly attractive and profitable target.
Adopt a layered approach to password policy
Every organization must modernize its password practices to prevent it from being an easy target for cybercriminals. With the widespread reliance on digital systems and services, the risk from passwords continues to grow. Unless enterprises secure the password layer and continuously monitor these credentials, they could inadvertently offer hackers easy access to the network.
Some of the core components of a layered approach include:
- Continuously screening for compromised credentials: This stops systems from being an easy target for password-based attacks and ensures that no exposed passwords are in use.
- Make multi-factor authentication (MFA) mandatory: Rather than viewing MFA as optional, it should be used pervasively as another layer of verification that protects every organization's systems and data.
- Make password hygiene a priority: Educate employees and users on the risks and instill better security hygiene, preventing weak passwords, password reuse, and password sharing. Otherwise, users will continue to fall prey to the creative tactics of cybercriminals.
Companies need to deploy a layered password security approach to ensure that only strong, unique, and uncompromised passwords are in use. This strategic shift is vital in the defense against the growing number of sophisticated credentials-based attacks. Passwords are the weak link for many organizations and if a data breach occurs, it can cost businesses vast amounts of money, never mind the negative brand impact.
If organizations want to avoid becoming another statistic in the surge in credential-related breaches, they must modernize their password policy and adopt the steps outlined above.