While at Black Hat last week in Las Vegas, the big cyber attack news was the loss of 1.2 billion usernames and passwords to a Russian gang, as reported by security consultant Hold Security. The company tracked the gang, which it has dubbed CyberVor (“thief” in Russian), for several months and found that it had collected over 4.5 billion records, mostly stolen credentials, from 420,000 Web and FTP sites. According to Hold Security, 1.2 billion of these credentials appear to be unique and belong to over half a billion email addresses. The techniques were nothing new: persistent social engineering and malware attacks.
The real question is not, “How did this happen?” but rather, “How can we allow these types of attacks to hurt our enterprises?” Although many organizations have a policy that prohibits reusing corporate credentials on third-party sites, enterprises have found it difficult to enforce these policies. The headlines are full of high-profile breaches of leading websites, some of which compromised hundreds of millions of user accounts. Significant new vulnerabilities such as the Heartbleed bug highlight the risk companies face from password reuse.
Password Protection: The User Risk
As passwords become more complex, employees are more likely to reuse their usernames and passwords on e-commerce, subscription and social media sites despite corporate policy prohibiting credential reuse. Because of this reality, cyber criminals have shifted their focus toward obtaining user information from popular websites since they know there is a high likelihood that those same credentials could be used to log in to other systems. As the news of this attack breaks, the big question for companies is, “If a third-party site is compromised, are we going to be part of the story?”
Attackers know it’s just a matter of time before an employee does one of the following:
- Mistakenly clicks on a link in an email and enters credentials in what appears to be a trusted website;
- Reuses his or her corporate credentials on third-party sites because it’s easier to remember one password instead of six or more passwords;
- Unknowingly falls victim to a drive-by download, watering hole attack or infected USB drive.
As a result, one of the biggest challenges companies face when protecting corporate credentials is enforcing existing policies and preventing criminals from exploiting user behavior.
To help enforce password policies, information technology and security organizations have long delivered awareness programs that teach employees about the risk of password reuse and how to safeguard their corporate credentials. However, most companies have no way to enforce these policies or even know whether employees are complying.
Preventing the Loss and Theft of Corporate Credentials
Today, effectively preventing the theft of corporate credentials from advanced threats requires the following three essential capabilities:
- Preventing malware from compromising user systems and, when malware evades detection, blocking its outbound communication so that stolen credentials cannot be sent to a cyber criminal.
- Validating that corporate credentials are used only to log in to approved corporate applications, whether those applications are hosted internally or delivered by a software-as-a-service (SaaS) vendor, business partner or through the cloud.
- Automatically preventing corporate credentials from being sent to unauthorized sites. This can help prevent users from submitting their credentials on phishing sites and stop the reuse of corporate credentials on unapproved third-party sites such as social networks.
How to Protect Against Advanced Malware
Companies need to realize that a new threat prevention approach is necessary in order to truly protect against spear phishing, credential theft and advanced, information-stealing malware. By monitoring how and when corporate credentials are used and automatically preventing exposure, companies can protect their corporate credentials as the threat landscape evolves.
Unlike other approaches designed only to block malware, a company’s approach should prevent advanced malware and advanced persistent threats from compromising user endpoints and include special protections that prevent corporate credential theft and exposure. The following approaches are strongly recommended:
- Blocking malware communications: Block malware and its outbound communications to prevent corporate credential exposure. Even if malware has infected an employee’s machine, the user’s credentials can’t be exfiltrated.
- Preventing corporate password exposure on phishing sites: Protect employee credentials from phishing attacks by validating that employees are submitting their credentials only to authorized login URLs. When users attempt to submit their enterprise credentials to an unauthorized URL, they should be required to provide different credentials.
- Preventing reuse of corporate credentials on noncorporate sites: Prevent corporate employees from reusing their corporate credentials to access public sites such as e-commerce and social media sites. Monitor when corporate credentials are used and require users to change their credentials before logging in to a nonapproved website. As a result, organizations can easily support access to both corporate and approved third-party SaaS and cloud applications while preventing exposure on unauthorized sites.
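The second and third capabilities above (validating that corporate credentials go only to approved applications, and automatically blocking their submission to phishing or unapproved third-party sites) come down to one control: at the point where a login form is submitted, decide whether the destination is approved and whether the password being sent is the user's corporate password. The following is an added example written for this article, not code from the original post or from any vendor product. It assumes a proxy or browser agent that can see the submission and hand the guard the username, destination URL and entered password; the host names, secret key and sample credentials are all constructed placeholders. Rather than storing passwords, the guard keeps a keyed fingerprint taken at password-set time, so the check can run without ever holding the plaintext at rest.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed policy: hosts whose login pages may receive corporate credentials.
# Both names are assumptions for this example, not real enterprise endpoints.
APPROVED_LOGIN_HOSTS = {
    "login.example-corp.test",      # assumed internal SSO portal
    "example-corp.okta-like.test",  # assumed approved SaaS login page
}


def host_is_approved(url: str) -> bool:
    """True if the URL's host is an approved login host or a subdomain of one.
    Matching on whole labels (exact host, or '.' + host as a suffix) means a
    lookalike such as login.example-corp.test.evil.test does not pass."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in APPROVED_LOGIN_HOSTS)


class CredentialGuard:
    """Holds a keyed fingerprint of each user's corporate password and judges
    every outbound login submission seen by the proxy or browser agent."""

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key      # held by the guard only, never beside the fingerprints
        self._fingerprints = {}     # username -> hex HMAC of the corporate password

    def _fingerprint(self, password: str) -> str:
        # HMAC-SHA256 keyed with a secret: a leaked fingerprint table cannot be
        # brute-forced offline without the key. A slow KDF is preferable in production.
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def enroll(self, username: str, password: str) -> None:
        """Record the fingerprint at password-set time; the password itself is not kept."""
        self._fingerprints[username] = self._fingerprint(password)

    def is_corporate_password(self, username: str, password: str) -> bool:
        stored = self._fingerprints.get(username)
        if stored is None or not password:
            return False
        return hmac.compare_digest(stored, self._fingerprint(password))

    def check_submission(self, username: str, url: str, password: str) -> tuple:
        """Decide what to do with one credential submission.
        Returns (verdict, reason) where verdict is 'allow' or 'block'."""
        if host_is_approved(url):
            return ("allow", "approved corporate login host")
        if self.is_corporate_password(username, password):
            host = (urlsplit(url).hostname or "").lower()
            return ("block",
                    f"corporate credential submitted to unapproved host {host}; force a password change")
        # A password that is not the corporate one may go to a third-party site.
        return ("allow", "non-corporate credential on a third-party site")


def review_submissions(guard: CredentialGuard, events: list) -> list:
    """Run a batch of (username, url, password) events and return the verdicts."""
    return [guard.check_submission(user, url, pw) for (user, url, pw) in events]


if __name__ == "__main__":
    guard = CredentialGuard(secret_key=b"constructed-demo-key-rotate-in-production")
    guard.enroll("alice", "Corr3ct-Horse-Battery!")   # constructed sample credential
    sample_events = [  # constructed events; every host is fictitious
        ("alice", "https://login.example-corp.test/sso", "Corr3ct-Horse-Battery!"),
        ("alice", "https://shop.example-store.test/account", "Corr3ct-Horse-Battery!"),
        ("alice", "https://login.example-corp.test.evil.test/sso", "Corr3ct-Horse-Battery!"),
        ("alice", "https://social.example-net.test/login", "a-personal-password"),
    ]
    for event, (verdict, reason) in zip(sample_events, review_submissions(guard, sample_events)):
        print(f"{verdict:5} {event[1]}: {reason}")
```

Two design points matter here. The guard never needs the plaintext corporate password after enrollment, only a keyed fingerprint, so the control does not itself become a new credential store worth stealing. And the host check compares whole DNS labels rather than substrings, which is what makes the lookalike host in the third sample event fall into the "block" path instead of being mistaken for the real SSO portal; homograph (IDN) lookalikes are out of scope for this example and would need separate handling.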