Last month, I opined on how to protect corporate credentials in the wake of the loss of 1.2 billion usernames and passwords to Russian hackers. I threw down a gauntlet and challenged all to answer why we can continue to allow these types of attacks on passwords to hurt our enterprises. Although many organizations have a policy that prohibits reusing corporate credentials on third-party sites, enterprises have found it difficult to enforce these policies. The headlines are full of high-profile breaches on leading websites, some of which have caused hundreds of millions of user accounts to be compromised.
Maybe we don’t fully understand the scope of the problem. Across the three major threat vectors used by cybercriminals to get corporate credentials, there has been significant activity. The following are some related statistics:
Exposure by Third-Party Site Hack
“Almost as soon as the Heartbleed vulnerability was released as an OpenSSL advisory, IBM Managed Security Services (MSS) witnessed attackers immediately retooling and exploiting the bug on a global scale. Once the major vendors of intrusion detection and prevention systems created protection signatures, MSS was able to see just how bad the situation had become. On 15 April 2014, MSS witnessed the largest spike in activity across the customer base with more than 300,000 attacks in a single 24-hour period, just one day later,” according to the IBM X-Force Threat Intelligence Quarterly 3Q 2014.
Exposure by Phishing
“The Anti-Phishing Working Group tracks the number of unique phishing websites. This is now determined by the unique base URLs of the phishing sites. There were 180,378 phishing sites that were observed in Q2. This is the second‑highest number of phishing sites detected in a quarter, eclipsed only by the 164,032 seen in the first quarter of 2012,” according to the APWG Phishing Activity Trends Report Q2 2014.
Exposure by Malware
“In 2013 alone, there were 30 million new malware strains in circulation, at an average of 82,000 per day. This has brought the grand total of all malware samples in PandaLabs’ database to approximately 145 million,” according to the Panda Annual Report 2013.
“In Q1 2014, the total malware sample count in the McAfee Labs ‘zoo’ broke the 200 million sample barrier,” according to the McAfee Report Q1 2014.
“Massively distributed malware originally designed for financial fraud has been used to target nonfinancial organizations in an APT-style attack. These include the infamous Zeus, SpyEye and Shylock families. Over time, malware developers extended the capabilities of these malware families and added advanced evasion techniques to turn them into sophisticated APT tools that can target organizations in general,” according to IBM Trusteer research.
Preventing the Theft of Corporate Credentials
Today, effectively preventing the theft of corporate credentials from advanced threats requires the following three essential capabilities:
- Validating that corporate credentials are used only to log in to approved corporate applications, whether those applications are hosted internally or delivered by a software-as-a-service vendor, a business partner or through the cloud.
- Automatically preventing corporate credentials from being sent to unauthorized sites. This can help prevent users from submitting their credentials on phishing sites and stop the reuse of corporate credentials on unapproved third-party sites such as social networks.
- Preventing malware from compromising user systems and, in cases where malware evades detection, preventing it from communicating outbound to expose corporate credentials. This stops malware from delivering stolen credentials to a cybercriminal.
What all of this tells me is that we are still waking up to how difficult and challenging it is to protect corporate credentials. So here is my challenge to you this month: Can we stop thinking of protecting corporate credentials as an impossible mission?