Keeping your data safe and protected often seems like an uphill battle. Consistently presenting a hardened attack surface to a would-be attacker and doing so across all the various attack vectors possible is a difficult problem to solve. The attacker only has to be right once, while you and your broader security team have to be right all the time.
According to Verizon Security’s 2019 Data Breach Investigations Report, 29% of breaches, regardless of attack type, involved the use of stolen credentials. If you include other password issues such as the use of weak or default passwords and even missing passwords altogether (lock down those open S3 buckets, people!) the total percentage is much higher. Credential attacks provide an attacker with their initial access into your organization, a foothold from which they launch their full attack, eventually resulting in the exfiltration of your company’s data.
So, what can we do about this? In no certain order, these are some recommendations from Spycloud that we feel can minimize your exposure to data breaches:
- Put Multi-Factor Authentication (MFA) in Place – Turn on MFA anywhere and everywhere you can. If someone has obtained valid credentials for your organization, MFA will provide an additional barrier that they determine may not be worth the effort to overcome.
- Monitor All Users for Credential Exposure – Monitor credential exposure for your entire ecosystem of users. For any exposed credentials, make sure to force a password reset that meets strict criteria, preferably those recommended by NIST, and remind users to reset the password for any other accounts using the same one, or a variation of it. In addition to monitoring your employee and consumer accounts, you should also monitor your business partners’ exposure. Several high profile breaches were initiated with attacks on a third-party vendor. In one such high-profile breach, the third party was the primary company’s HVAC vendor.
- Use a Password Manager – Get users to implement a password manager for all their work and personal logins. If you are using different, highly complex passwords across all your various logins, you will be at less risk for account takeovers of your work and personal accounts.
- Stop Rotating Passwords – This somewhat counterintuitive advice came out of the NIST password guidelines that were updated in 2017. We firmly believe in this recommendation. Password rotation can push users to make bad decisions when creating new passwords. They will often rotate through a short list of passwords with only minor variations. Only force a user to change a password when it’s been exposed.
- Automate Account Takeover (ATO) Prevention – Manual operations often are forgotten or pushed to the side in lieu of other activities, so look to automate ATO prevention. One of the easiest things to do is to periodically check to see if any current user passwords are exposed and then force those users to change their passwords. Additionally, as part of your password reset workflow, make sure that users are not choosing any passwords that have been previously exposed. Automating these processes will guarantee that they happen consistently and correctly.
- Zero Trust – Don’t Trust Anything – Assume that everything sent to you (especially links) via email, text or attachment is suspect. Verify the legitimacy of anything significant with the person making the request. Report questionable items to your security staff, and they can help you determine if they are legitimate, if you are unable to verify on your own.
Ultimately protection from data breaches is on all of us. Following these six recommendations is a good start, as is continuous education on the role we all have in keeping the information we have locked behind logins safe from cybercriminals.
