Four Tips to Combat Compromised Credentials


Contributing author Brett Williams, APAC Solutions Architect at Flashpoint, discusses the key steps needed to protect against a compromised-credential breach.

In many cases, passwords are the primary line of defence protecting user accounts from being hijacked in an account takeover (ATO) attack. With the right policies and parameters in place to ensure strong, unique passwords, this defence can be quite effective. That being said, as we all know, passwords are highly susceptible to human fallibility.

In the latest Notifiable Data Breach report (covering breaches in Australia for the last half of 2019)* issued by the Office of the Australian Information Commissioner (OAIC), 68% of breaches were related to compromised credentials. Of those, 36% of the credentials were obtained by phishing and 32% by other methods, which can include credential-stealing malware and compromised databases or websites.


In addition, there is an overlap between personal and work-related account passwords. With the rise of credential stuffing, adversaries can take a set of username/password combinations obtained by attacking one target and use them to compromise employee or customer accounts with other organizations. Easier yet, threat actors can even carry out credential stuffing using the low-hanging fruit of publicly disclosed dumps available on the open web.

Such activity can pose a business risk on several fronts—from the financial and reputational costs of fraud against customer accounts to the potentially massive impact of adversaries gaining privileged network access through ATO against an employee account.

More recently, the COVID-19 pandemic continues to be reflected in cybercriminal activity. Malicious actors are taking advantage of global fear and uncertainty, exploiting them through attack vectors that include tailored phishing lures and custom malware. For instance, continuous, long-term working from home can create a sense of isolation in employees, which in turn can lead to low morale. This environment, combined with the anxiety introduced by the pandemic, can increase individuals’ susceptibility to social engineering attempts aimed at collecting credentials for use in attack campaigns against corporate remote access infrastructure. For many organisations, usernames and passwords are the only line of defence for remote access to critical enterprise systems.

With the surge in remote working, video conferencing solutions such as Zoom have seen a sharp increase in usage. In April 2020, reports surfaced that over 500,000 Zoom accounts* were sold on dark web marketplaces, likely for use in “zoombombing” or other malicious activity. These credentials were likely obtained through credential stuffing attacks.

In the ecosystem around credential stuffing operations, it is very common for the threat actors performing the account checking to leverage combo lists (aggregated lists of previously leaked credentials) containing millions of potential credential pairs (email:password) to create a validated list of working accounts. That validated list can then be used for fraud and to launch attacks against websites and applications.

As the technology and tools to leverage stolen credentials advance, a more thoughtful approach to your organization’s password policy is a highly effective way to reduce risk by better protecting your customers, network assets, and employees. While there’s no one-size-fits-all approach to optimizing password policy, the following four measures and best practices are worth considering:

  • Monitor for Compromised Credentials – Dumps containing compromised passwords, usernames, and other credentials are easy pickings for threat actors, and employee or customer accounts using these credentials are ripe for the taking. By monitoring public dumps and leaks privately shared and sold only within illicit online communities, defenders can assess the exposure of accounts they’re tasked with safeguarding and take proactive action against ATO.

While establishing the data collections and technology required to automatically monitor, process, and act upon compromised credentials data is extremely talent and resource-intensive, organizations can gain these capabilities through a trusted partner. In doing so, defenders can augment traditional password policy best practices with the ability to take action based on indicators observed within the cybercrime underground.

  • Use a Password Manager – While in many circles it’s become conventional wisdom, it bears repeating: password managers are an easy, efficient way for users to maintain unique passwords for each account. That being said, a word of caution is in order: not all password managers are created equal, and using a password manager that is insecure or unreliable can lead to all of a user’s passwords being lost or compromised at once.
  • Know When to Reset Passwords – Although forcing periodic password resets has long been accepted as a best practice, cybersecurity leaders are increasingly coming around to the realisation that automatically forcing resets at a specified interval, such as every 90 days, does not reduce the likelihood of accounts being compromised. On the contrary, forcing users to frequently come up with new passwords can encourage them to reuse a password they’re already using for another account or simply make a slight modification to an existing one. The most effective policy is to reset only passwords known to have been exposed in breaches, which can be accomplished by monitoring for compromised credentials, while making users comfortable with complex passwords or passphrases.
  • Enforce Complexity and Uniqueness Standards – Case-sensitive combinations of letters mixed with special characters are exponentially more difficult for automated brute-forcing tools to guess than simple combinations of words and numbers, and the longer the password the better. And while it’s unlikely that users will be able to memorise lengthier, more random credentials, adopting the aforementioned best practice of using a password manager makes it easy to implement and enforce strict standards for complexity and uniqueness.
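The checks behind the three password tips above, as an added example (not code from the article or from Flashpoint): an exposure lookup done k-anonymity style against a constructed sample dump, so only a five-character hash prefix is handed to the lookup, plus a test for the “slight modification” habit that forced rotation encourages. The length and complexity thresholds are assumed values for the demo, not figures from the article.

```python
"""Password-acceptance checks: breach exposure (k-anonymity range lookup),
trivial-variant detection, and basic length/complexity rules.
All data is constructed for the demo."""
import hashlib
import re
from typing import Optional

# Constructed sample dump of passwords "seen in a breach" (assumption: a real
# feed would be a monitoring service or a local copy of a public dump).
CONSTRUCTED_BREACH_PASSWORDS = ["password123", "Summer2019!", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(digests):
    """Map 5-char prefix -> set of 35-char suffixes, as a range service stores it."""
    index = {}
    for digest in digests:
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_range_index(sha1_hex(p) for p in CONSTRUCTED_BREACH_PASSWORDS)


def range_lookup(prefix: str):
    """Server side of the exchange: the client sends only a prefix and gets
    back every suffix sharing it, so the service never learns the password."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_exposed(password: str) -> bool:
    """Client side: compare the remaining 35 hex characters locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def _core(password: str) -> str:
    """Strip trailing digits/symbols and case: the edits users make when forced to rotate."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when new is old with only a suffix or capitalisation change (Summer2019! -> Summer2020!)."""
    return _core(old) != "" and _core(old) == _core(new)


def evaluate_password(new: str, old: Optional[str] = None, min_len: int = 12) -> list:
    """Return the policy failures for a candidate password; [] means accept.
    Thresholds (12 chars, 3 of 4 character classes unless 20+ chars) are assumptions."""
    problems = []
    if len(new) < min_len:
        problems.append("too_short")
    classes = sum(bool(re.search(p, new)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3 and len(new) < 20:          # long passphrases may use fewer classes
        problems.append("low_complexity")
    if is_exposed(new):                        # reset only what is known to be exposed
        problems.append("exposed_in_breach")
    if old is not None and is_trivial_variant(old, new):
        problems.append("trivial_variant_of_previous")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("password123", None), ("Summer2020!", "Summer2019!"),
                                ("correct horse battery staple", "qwerty")]:
        print(f"{candidate!r}: {evaluate_password(candidate, previous) or 'OK'}")
```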

While these best practices are not a comprehensive roadmap to strong password hygiene, they’re a great starting point for organizations that have taken a laissez-faire or reactive stance when it comes to ensuring the security of user credentials. In particular, as the technology and tools to leverage stolen credentials advance, defenders should seek out innovative new ways to proactively flag exposed passwords, leveraging insights gleaned from illicit communities and open-web dumps.


*https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/

*https://www.bleepingcomputer[.]com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/


Brett Williams Bio (https://www.linkedin.com/in/brettwilliams/):


As Lead Solutions Architect at Flashpoint, Brett works with clients to help them use intelligence within their enterprises and to show how deep and dark web monitoring should be an integral part of any threat intelligence program. He is responsible for providing relevant intelligence and services to address various use cases including insider threat, cyber intelligence, anti-fraud, physical security and counter-terrorism. Brett is widely recognised for his extensive and in-depth knowledge of the security landscape. He has experience working across industry sectors including finance, government, law enforcement, healthcare and education. He has over 28 years’ experience working in information technology and security, with a focus on incident response, intelligence, security operations and digital forensics.


Mitigate Security Risks On-Premises and in the Cloud with Stealthbits’ New Release, StealthAUDIT 10.0


Stealthbits recently announced the release of their most ambitious and impressive security platform to date, StealthAUDIT v10. With security professionals across the world struggling to keep up with the ever-increasing pressure to defend their organisations from evolving and sophisticated attacks, it’s essential to have visibility into every part of their systems.

With StealthAUDIT v10, Stealthbits delivers a security platform that gives any organisation full insight into imminent threats and visibility into vulnerabilities present in hard-to-monitor repositories.

StealthAUDIT v10’s release highlights include:  

Shadow Access Rights Analysis: Shadow Access Rights analysis provides an incomparable insight into dangers that lurk beneath the surface. Security staff can explicitly identify attack paths threat actors take to move laterally, escalate privileges and compromise entire domains. 

AWS S3 and Azure SQL Database Support: StealthAUDIT v10 expands support to two of the cloud’s most commonly used storage and database platforms. With this expanded support, StealthAUDIT now services thousands of enterprises globally. This means even more comprehensive platform support, and a “single pane of glass” view into user access, activity and sensitive data across an entire organisational landscape.

Structured Data Security Assessment: Understanding and proactively identifying risks at the application layer, the operating system layer and the database layer is imperative to protecting the sensitive data cyber intruders seek to locate and exfiltrate from an organization. New structured data security assessment reports within StealthAUDIT 10.0 highlight the scope of the audited environment and categorise threats into High, Medium and Low severity findings in a simple report. Security professionals can quickly prioritise vulnerabilities to be remediated, saving time and ensuring holistic database security regardless of location.

Improved and Enhanced User Experience: StealthAUDIT v10’s redesign also brings a consistent look and feel across all web-based interfaces within Stealthbits’ portfolio, which multi-product users will appreciate as they navigate across products. StealthAUDIT v10 also includes improved web reporting, better ease of use and an upgrade to a more modern aesthetic.

Apart from the features listed above, StealthAUDIT v10 includes comprehensive updates across a wide spectrum of systems.

Use StealthAUDIT v10 capabilities to do more for the cybersecurity of your organisation.


Source: Insider Threat Security Blog. https://blog.stealthbits.com/announcing-stealthaudit-10-0-mitigating-security-risks-on-premises-and-in-the-cloud/

Is Your Organisation Ready for Remote Workers? 5 Strategies to Create a Cyber-Resilient Remote Worker Policy

By Alexander Duffy


The World Health Organization (WHO) has officially declared COVID-19 a pandemic. With multiple countries in quarantine, the global workforce is becoming increasingly confined to working from home. Organisations that were previously not prepared for this shift in the workforce are now left with a need to support remote workers while maintaining business as usual.

Some organisations, especially in finance and government, that may have been slow to adopt work-from-home policies now find themselves scrambling to put adequate measures in place to accommodate a trend that is here to stay. While it may be tempting to rush in and assemble a quick fix or a band-aid solution, it is best to proceed with a plan that can be sustained in the long term.

A quick fix, or implementing a plan without a clear strategy, could lead to sloppy security standards and holes that may put the organisation at risk. However, it is now undeniable that every organisation should pay attention to the many benefits and risks associated with a remote workforce and develop a data-based strategy immediately.


Benefits of a Remote Workforce  

Before current world events came into play, working remotely was proving to be beneficial for many workplaces. A PGI report conducted in 2014 showed that 82% of people experienced less stress, 80% experienced improved morale and 70% stated it improved their productivity. However, for organisations, the biggest perk of working remotely is the ability to hire regionally dispersed people, allowing a broader pool of talent without the associated cost.


Risks Associated with a Remote Workforce  

Unfortunately, with all the benefits comes increased cyber security risk. OpenVPN conducted a survey in which 36% of respondents stated they had had a security incident that was due to unsecured remote workers. Furthermore, 90% also believe that remote workers are not secure and pose a major security risk to their organisation.


How to Implement a Work from Home Strategy

While there is no one-size-fits-all solution when it comes to remote work, there are some essential elements needed in developing a work-from-home strategy.

Risk Assessment: A rigorous risk assessment conducted with key business leaders and executives is the first step in developing a remote worker strategy. This step is essential because it drives the protections needed and the budget required to achieve the correct security posture.

Implement Formal Policies: Organisations should create and formalise a remote working policy. Policies need to include a device policy that describes in detail what technology and tools are appropriate and comply with the organisation’s standards. This policy should also include rules around the use of BYOD devices and any additional security measures needed on these devices for compliance. An important factor of policy making needs to be the ability to enforce it from the top down, by making executives and team leaders accountable for violations of said policy.

Encryption: Data encryption should be the next consideration. Protecting data at rest is important for preventing data theft from stolen or lost devices, and encryption should be applied to all corporate laptops and mobiles.

Secure and Accessible Infrastructure: Many corporate connections were never designed, or stress tested, to support the number of remote workers now trying to connect into the organisation over VPNs. Changes in the way workers access and use data need to be monitored and mapped. Access-anywhere methods such as SharePoint Online and cloud storage like OneDrive are powerful but require extra consideration. Measures need to be put in place to ensure that only corporate-approved devices can access those resources. One way to achieve this is by using Cloud Access Security Brokers or corporate VPNs, connecting those to cloud private gateways, and then applying restrictions on the SaaS services to only allow access from protected IP ranges or devices.

User Training: Last but not least is user training. Ensuring users are aware of their obligations and responsibilities when working remotely is critical to addressing the human factor in security risk management. Training for staff in all areas of the organisation that covers topics such as password policies and how to securely access and store corporate data can help organisations keep both a remote workforce and the organisation’s security safe.


Conclusion 

Whether it is due to virus pandemics and other external factors outside of an organisation’s control, or simply the many other benefits associated with it, remote working is here to stay. Organisations need to actively plan and implement solutions to securely extend their network perimeter. It’s a big world out there and it’s only getting bigger.

About the author
Alexander Duffy is the Chief Security Officer for emt Distribution. He is passionate about implementation of the ASD Essential Eight framework and its role in improving the security posture of organisations in ANZ.  For more security updates follow him on LinkedIn

10 Cybersecurity Tactics Everyone Should Implement Now!

By Alex Duffy

In life there are sets of rules that apply to certain scenarios. When you are driving and want to change lanes, you check your mirror, indicate, check your mirror again, safely switch lanes, and finish up by turning off the indicator. These rules are in place so that everyone has a safe driving experience. The same practice can be applied to your online security, which is critical considering almost everything is done online these days. In some cases an 8-16 character password is all that’s protecting your finances – that should be reason enough to want to protect yourself.

So, how do you make sure to keep yourself safe? Follow these 10 steps:

ONE – Look for browser warnings and the green lock before entering credentials.

Whenever you access a website, your browser runs background checks to make sure that the site you are visiting is indeed what it claims to be. When a website fails these checks, your browser will warn you. These warnings are there for a reason! So make sure to listen to those warnings and respect them.

TWO – Maintain unique passwords for every account and website.

Too often people will use the same email and password for their bank as they do for any odd website out there that has asked them to create an account. The issue with this is that once that website becomes compromised and your account details are stolen, threat actors will often use those same credentials against a variety of services like PayPal, large banks and more, and will often succeed in stealing your information.

THREE – Use randomly generated passwords or passphrases.

Regarding passwords, you are looking for length and complexity. Complexity does not mean take your name and replace an ‘A’ with an ‘@’. Complexity means that you couldn’t break a password just by changing characters. Remembering truly random passwords is tough, so passphrases are the next best thing. Simply take a saying or a line from your favourite song, poem or book, and use that as your password, spaces and all. You could also take the first letter of each word to create a new passphrase. Generally speaking, if you add a number or two that should satisfy password complexity standards.

FOUR – Do not click links that arrive in unsolicited email.

Phishing is a scamming method that uses fear and urgency to get you to act irrationally. If you are not expecting to be contacted by the sender, and a link urges you to ‘click here’, and they are threatening that something bad will happen, like your email account getting shutdown or blocked, it is generally fake. If you are still unsure, you can hover over the link to gain more information. If Microsoft claims they sent you the email, the link should be Microsoft’s. In the end, if you are ever in doubt, then contact the company directly and see if they sent you the email.

An example:

Microsoftpasswordreset.suvlaki.co – FAKE

login.microsoftonline.com – GOOD

FIVE – Where possible, enable multi-factor authentication.

Multi-factor authentication is a second way of verifying your identity. This can be achieved using methods such as a text, a phone call, or a generated token. It should be enabled because, in the event of your password being stolen, threat actors are still unable to access your account. When multi-factor is set up, you should always be aware that if you receive an authentication code without trying to log in, it could mean that someone has your password and is trying to log in.

SIX – Change passwords regularly.

Your job is to make stolen passwords redundant. You can do this by changing your passwords often, which heavily reduces the impact of a stolen password.

SEVEN – Try not to write down your passwords; if you do, do not store them in plain sight.

You should not have your passwords written down; it makes it easy to gain access to your devices. But if you really insist on it (which, again, please don’t), then PLEASE hide them – and no, NOT UNDER THE KEYBOARD!

EIGHT – Use a password manager to help you remember your unique passwords.

A strong password is one that is long and can’t be remembered. No one is asking you to remember them all; instead, securely store them in a password vault. Password vaults are invaluable at keeping your everyday passwords safe, and then ensure that access to your vault is protected by a strong passphrase and multi-factor authentication (steps three and five).

NINE – Keep ALL software up to date.

Updating your operating system or antivirus is only half the battle in protecting your device. Any out-of-date applications, such as Adobe or Zoom products, can allow a threat actor to gain full access to your system and everything within it.

TEN – With emails, ensure that the sender and the sender’s email address are correct.

It is incredibly easy to change the display name on an email address to appear as someone else. Your job is to make sure the person emailing you is actually the person they claim to be. You can work this out by comparing their display name to the actual email address.

An example:

John Harry <[email protected]> – BAD

John Harry <[email protected]> – GOOD
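The two comparisons described in tips FOUR and TEN, as an added example that is not part of the original post: the link check reduces a hostname to its registrable domain, so a brand name to the left of it (as in the fake example under FOUR) counts for nothing, and the sender check pairs the display name with the address held in a constructed address book. The short public-suffix table and the example.com/example.net addresses are assumptions for the demo; real code should use the full Public Suffix List.

```python
"""Phishing-indicator checks: does a link really point at the brand it names,
and does a sender's address match the person in the display name."""
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Assumption: a short table of multi-label public suffixes. Production code
# should use the full Public Suffix List instead of this sample.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "gov.au", "co.jp"}

# Constructed address book: lower-cased display name -> the address we trust for it.
CONSTRUCTED_CONTACTS = {"john harry": "john.harry@example.com"}


def _hostname(text: str) -> Optional[str]:
    """Hostname of a URL; bare hostnames without a scheme are accepted too."""
    return urlparse(text if "://" in text else "https://" + text).hostname


def registrable_domain(host: str) -> str:
    """The part of a hostname its owner registered: 'suvlaki.co' for
    'microsoftpasswordreset.suvlaki.co'. That part decides who controls the site."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_belongs_to(url: str, expected_domain: str) -> bool:
    """True only when the link's host is the expected domain or one of its subdomains.
    A brand name anywhere to the left of the registrable domain counts for nothing."""
    host = _hostname(url)
    return bool(host) and registrable_domain(host) == registrable_domain(expected_domain)


def anchor_text_matches_href(anchor_text: str, href: str) -> bool:
    """Hovering reveals the real target. When the visible text is itself a URL
    or hostname, it must point at the same registrable domain as the href."""
    text = anchor_text.strip()
    if "." not in text or " " in text:
        return True                      # plain words like "click here" can't be compared
    text_host = _hostname(text)
    return bool(text_host) and link_belongs_to(href, text_host)


def sender_check(from_header: str, contacts=CONSTRUCTED_CONTACTS) -> str:
    """Compare the display name with the address it is paired with.
    Returns 'ok', 'address_mismatch' or 'unknown_sender'."""
    name, addr = parseaddr(from_header)
    expected = contacts.get(name.strip().lower())
    if expected is None:
        return "unknown_sender"
    return "ok" if addr.lower() == expected.lower() else "address_mismatch"


if __name__ == "__main__":
    for url in ("Microsoftpasswordreset.suvlaki.co", "https://login.microsoftonline.com/"):
        print(url, "GOOD" if link_belongs_to(url, "microsoftonline.com") else "FAKE")
    for header in ("John Harry <john.harry@example.com>", "John Harry <accounts@example.net>"):
        print(header, sender_check(header))
```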


About the author
Alexander Duffy is Security Solutions Architect for emt Distribution, working in the threat intelligence space across emt’s full cybersecurity portfolio, including ThreatConnect, Flashpoint and others. For more security updates follow him on LinkedIn

Internet of Things Security Often Overlooked in Cyber Defence


By Alexander Duffy, Security Solutions Architect, emt Distribution

In September last year, the ABC Investigations journalism unit published an in-depth report looking into the use in Australia of surveillance cameras manufactured by Chinese companies Hikvision and Dahua, with security ramifications for any organisation installing Internet-connected devices.

Security researchers assert that vulnerabilities in Hikvision and Dahua cameras leave them open to malicious actors looking to syphon off video, audio and other data. Both companies have also been accused of spying on behalf of the Chinese Government and have been banned from U.S. government use.

According to Terry Dunlap, Co-founder of ReFirm Labs, governments are taking the right step in evaluating whether Chinese companies like Hikvision are an acceptable risk as suppliers.

“Chinese firms have a long history of embedding backdoors in their equipment,” said Dunlap. “And it’s not happening by accident – in 2013, we found purpose-built backdoors in Huawei equipment. In 2017, we saw the same embedding technique in Dahua security cameras, which the U.S. Congress then banned in 2018.

“All telecom gear coming from China that is placed into critical infrastructure, for example, needs to undergo a thorough security vetting from top layer applications all the way down to the firmware level where we see backdoor implants. Companies need to think twice about purchasing Chinese-made equipment if they don’t have vetting and monitoring capabilities in place to detect such backdoors and implants.”

ABC Investigations found the Chinese cameras above the entrances to the Australian Government Solicitor headquarters in Canberra and an office block used by the Department of Home Affairs and Attorney-General, AUSTRAC, and the Office of National Assessments. Another camera – removed once the Department Of Defence became aware of it – was found at the RAAF Base Edinburgh in South Australia.

Surveillance cameras and telecommunications equipment are just some of the Internet-connected devices subject to cyber attack. There are thousands of other kinds of vulnerable devices described by the term ‘Internet of Things’, and they number in the millions if not billions.

While most organisations have taken increased measures in recent years to strengthen the security of their information systems, many overlook device security. Not surprisingly, vulnerabilities in IoT devices are often the easiest targets for threat actors and often represent the initial point of entry into organisations’ networks.

In a breach featured in a webinar by Joseph Carson, Chief Security Scientist at Thycotic, an attack by Somalian pirates on a secure database detailing shipping movements was initiated by exploiting wireless lights that had been incorrectly configured, giving hackers network access.

Unfortunately, the security measures most organisations currently have in place don’t effectively protect IoT devices or their firmware, and fail to proactively address vulnerabilities before it’s too late.

In a 2018 report, research firm Gartner predicted that until 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritisation and implementation of security best practices and tools in IoT initiative planning. “In IoT initiatives, organisations often don’t have control over the source and nature of the software and hardware being utilised by smart connected devices,” said Ruggero Contu, research director at Gartner.

As cyber intrusions become more commonplace, CSOs and CISOs have to look towards more innovative solutions to protect their organisations. Among the challenges they face is allowing business units to meet the demand for IoT devices with the confidence that they do not pose a security risk.

The introduction of cyber security tools into Australia and New Zealand for vetting, validation and monitoring of organisations’ firmware security has now closed this security gap for enterprises, government agencies, operators of critical infrastructure, and other organisations.

With these tools, organisations reliant on IoT devices can vet firmware images for vulnerabilities in around 30 minutes, without requiring source code, giving them confidence in the choices they make. Without them, they could be learning about the vulnerabilities they have introduced to their networks, or their customers, from the media.

About the author
Alexander Duffy is Security Solutions Architect for emt Distribution, the Australia and New Zealand representative for ReFirm Labs, which provides the industry’s first IoT and firmware security solutions that proactively vet, validate and continuously monitor IoT devices for hidden threats.