The CISO role is perhaps the most difficult and risky position in any organization. Take a look at the news these days and you’ll understand why. Every week, we read a new story of another breach or one more massive account takeover scheme – and those are just the ones made public.
The CISO combats an adversary that is growing in number, sophistication and motivation every day. It’s daunting, to say the least. What, exactly, are they facing?
- The adversary’s ability to adapt outpaces any organization’s ability to defend
- The larger the organization, the greater the chances adversaries can exploit a weakness
- The CISO is often the one sacrificed for security issues that become public
One of our SpyCloud team members who has previously been a CISO in a few large organizations likes to use the analogy, “A bullet is fired the first day you take the job and it’s just a matter of time before it hits you.” Pretty sobering. One of the issues that kept him up at night was how to reduce the overall risk and impact of customer credentials leaked out of the organization. Sound familiar?
SpyCloud would like to do our part to help CISOs get a better night’s sleep when it comes to leaked credentials.
The Nightmare of Leaked Credentials
It begins with a breach. There are numerous ways to breach an organization and criminals have mastered this craft. Some get away with simple attacks, such as exploiting unpatched software, misconfigured servers, default passwords, reused passwords or phishing. Others like to show off their skills with more sophisticated attacks that go as far as using zero-day exploits that can’t be detected by commercial security products.
Once an organization is breached, the stolen credentials are harvested. Given that account credentials have become more valuable to bad actors than credit cards, they are the first thing criminals will target. Unlike credit card numbers, stolen passwords provide access to the account and all of the data contained therein. Because of password reuse, they frequently grant criminals access to more than the original account. Accounts with the same or similar password are immediately at risk as well. These could include personal or work-related accounts that contain sensitive data that can also be sold in the Underground.
The Dream of a More Secure Organization
There’s no way to completely rid your organization of all risk. This realization can be an effective motivation to take appropriate measures that dramatically reduce your chances of a leak. We’ll give you seven recommendations for a more secure enterprise that may buy you a few extra Zs.
1. Assume the Worst
When it comes to storing credentials, assume that your user database will be accessed and copied by criminals. It’s better to go into this with eyes wide open.
2. Store Credentials the Right Way
We recommend that all credentials stored by your corporate and customer-facing applications be hashed with a strong, purpose-built password-hashing algorithm such as bcrypt, Argon2 or scrypt. If you mandate this across the board, you will make potentially leaked credentials nearly useless to criminals. The deliberately high computational cost of these algorithms makes large-scale cracking infeasible (today), so any of these hashed passwords that are stolen cannot easily be reversed to plaintext and used against your customers, limiting your overall liability.
3. Don’t Store Credentials the Wrong Way
The worst way to store credentials is to use SHA1 or MD5, even with salts. Don’t be fooled by their commonality. They are fast, general-purpose hashes designed for speed rather than password storage, so even salted digests are cracked quickly and your customers’ passwords will be revealed in plaintext. Once in plaintext, the criminals have free rein to use and sell them at will, opening up risk to both your organization and your customers.
4. Transform Bad to Good
Do a thorough scan of your credential stores. If you find any that use SHA1 or MD5, begin to migrate users to one of the stronger hashing algorithms we mentioned earlier. Because the plaintext password is only available at the moment a user authenticates, the practical approach is to verify against the legacy hash on login and immediately re-hash with the stronger algorithm. It’s worth the exercise to ensure all of your organization’s credentials are being stored securely and cannot be cracked.
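The login-time migration described in recommendations 2 through 4, written as an added example (not SpyCloud code). It uses scrypt from Python’s standard library because the post names it; the self-describing record format, the scrypt parameters and the constructed legacy SHA1 records are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed scrypt work factors (16 MiB of memory, single-threaded); tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_sha1_record(password, salt):
    """Build a record in the 'wrong way' format the post warns about: sha1$<salt hex>$<digest hex>.
    Only used here to construct sample legacy data; never write new records this way."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)


def scrypt_record(password, salt=None):
    """Hash with scrypt and store algorithm, parameters and salt alongside the digest,
    so parameters can be raised later without breaking verification of older records."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                       base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify(password, record):
    """Constant-time comparison against whichever format the stored record uses."""
    algo, rest = record.split("$", 1)
    if algo == "scrypt":
        n, r, p, salt_b64, digest_b64 = rest.split("$")
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    if algo == "sha1":
        salt_hex, digest_hex = rest.split("$")
        actual = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(actual, digest_hex)
    raise ValueError("unknown credential record format")


def login_and_migrate(password, record):
    """Verify the login; on success against a legacy SHA1 record, return an upgraded scrypt record
    for the caller to persist. A failed login never changes the stored record."""
    ok = verify(password, record)
    if ok and record.startswith("sha1$"):
        record = scrypt_record(password)
    return ok, record


if __name__ == "__main__":
    legacy = legacy_sha1_record("correct horse battery", b"\x01" * 8)  # constructed sample
    ok, upgraded = login_and_migrate("correct horse battery", legacy)
    print(ok, upgraded.split("$")[0])  # True scrypt
```

Run the scan the post recommends by checking the `algo` prefix of every stored record; any user still on `sha1$` after the migration window has not logged in and should be forced through a password reset.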
5. Enable Multi-Factor Authentication
Multi-factor authentication (MFA) adds another layer of security between your customers’ credentials and the criminals, often squeezing out the less sophisticated and more numerous criminals. While this extra step boosts protection, it can also be perceived as friction when users log in. Therefore, incentivize customers to enable MFA.
6. Use An Exact Match Solution
The majority of criminals looking to find vulnerable accounts are relatively inexperienced and make use of simple account takeover (ATO) techniques that can be easily recognized by a variety of solutions. The more sophisticated criminals, however, know how to bypass MFA and other detection solutions. To block both kinds of criminals, use an exact match solution that compares your customers’ passwords to a comprehensive and current database of compromised accounts to see if there’s a match. When there is a match, a password reset is automatically enforced.
7. Promote the Use of a Password Manager
Take the hassle out of remembering multiple passwords by championing password managers. Password managers are effective tools to reduce the threat of employees or customers reusing passwords, because they make it much easier to select a unique, strong password for every account. While password managers greatly reduce the potential for ATO via password reuse, they should be implemented in conjunction with the other recommendations above.
By integrating these recommendations into your security strategy, you just might be able to add a few more hours of peaceful sleep to your nightly routine. The key is to take proactive steps before it’s too late. Sweet dreams.