The recent Intersec 2019 held in Dubai had an interesting participant: an American company selling padlocks of increasing size and weight, guaranteed to be unbreakable. Today, threat actors are no longer intimidated by the size nor sophistication of the cyber security “padlock.” They are learning to bypass those indestructible padlocks and target the person carrying the master key to open them all. They are now looking for weak links – and in this case the weakest turns out to be the human element.
Traditionally the threat actor has been looked at as someone who breaks the veritable software code – the code hacker. In present day times, the hacker now looks for the software defect that even its originators overlooked when they built or modified the business application – known as the zero-day vulnerability.
Such threat actors who discover zero-day vulnerabilities and exploit them get their hefty investments either through the cyber-crime syndicates or are recruited by rogue nations targeting selected national infrastructures in target countries. But this is a long drawn out exercise, both in terms of time and effort, and is usually reserved for selected high-impact targets.
Threat actors therefore target user credentials and, if the end user happens to be a network or system administrator or other privileged account holder, then that is always the luckiest break for them. Threat actors of all types and their associates are working to gather privileged access credentials in an activity now termed as credential harvesting.
The 2018 Forrester Wave report for Privileged Identity Management points out that 80% of hacking-related breaches use either stolen, default, or weak credentials. If these credentials are from a network or systems administrator or other privileged users, those stolen credentials can provide access to the veritable crown data jewels of the kingdom, inside the network.
In short: hackers no longer “hack” in, they log in using compromised credentials.
Clearly all organizations need to have planned cyber security hygiene programs to increase the awareness of how threat actors are targeting employees to gain access to their corporate user name and privileged passwords and credentials.
Here are some of the activities that can be planned by organizations:
Awareness of phishing
Users need to be shown the various types of phishing emails and other types of phishing tools like SMS and others. The more rigorous this training, the better for employee awareness and long-term stability.
Protect, and double protect
Organizations needs to ensure all devices are registered on the network whether PCs, mobile, IoT, or any other connected devices. Administrators need to segregate the network based on corporate sensitivity and value of data and operations. This is called vaulting and the administrators area needs to have maximum security and protection. All sessions need to have automatic monitoring and auditing.
Reduce attack surface
One of the most effective ways to harden the corporate environment is to optimize end user identities and remove any local instances of user name and passwords. Top-to-bottom hierarchical privileges, logical workflow access, and just in time privilege requirements are some of the best practices to implement.
Using another authenticator besides a password to verify an identity or an exception login instance is one of the most effective ways to secure against credential hacking. Multi-factor authentication leverages information known to an end-user about what they know, what they are, and what they have.
A Ponemon study indicates that the average amount of time required to identify a data breach by the end user organization is 197 days, and the average amount of time needed to contain a data breach once it is identified is 69 days. That is a lot of time for a rogue actor to be floating inside a corporate network. Time for action.