Lost or stolen user access credentials are a chronic, widespread cause of cybersecurity breaches. By mid-2020, 80 percent of hacking-related breaches and 77 percent of cloud breaches involved the use of compromised credentials. The number of corporate credentials with unencrypted passwords posted on the dark web soared by more than 400 percent, leaving organizations vulnerable to various cyberattacks.
That momentum has not ebbed in 2021. Credentials remain one of the most sought-after data types, well ahead of personal, medical, and banking data.
Credentials are also the data type compromised fastest, and they are involved in 85 percent of phishing attacks. Stolen credentials are an alarmingly common attack vector in ransomware, Magecart, and web application attacks.
The Risks to Corporate Credentials and Consequences of Compromise
When passwords and authentication systems were first invented some 50 years ago, nobody imagined that five decades later, those systems would give bad actors a convenient target to attack enterprise systems and steal valuable corporate data.
Today, however, passwords are among the weakest links in enterprise cybersecurity, especially as IT networks become more complex and cybercriminals become more sophisticated. Here are the most common risks to corporate credentials and the possible consequences of compromise.
Password Reuse
People often use the same password across different accounts because managing a unique password for each one is cumbersome. The result is that a single leak anywhere, say from a low-value consumer site, hands the attacker a working corporate login: the reused password is simply replayed against the company's VPN, mail, or SSO portal (credential stuffing).
In one survey, 95 percent of respondents said that password reuse was one of the biggest security threats to their company. Another analysis attributed 93 percent of human risk factors to reused passwords, which expands the attack surface and increases the risk of data breaches.
Weak or Default Passwords
According to one survey, many employees in Fortune 500 companies used passwords so weak they could be cracked in under a second. These include easy-to-remember passwords like “123456,” “Hello123,” “qwerty,” and “password.” Many employees also write down or share their passwords, and devices and appliances are often left on the vendor's default credentials.
Simple passwords are not only easier for employees to remember; they are also easier for attackers to guess or to recover by brute force. Once a password is known, the attacker logs in as the legitimate user, so the intrusion looks like normal activity: they can breach enterprise networks, reach the systems that account can access, and steal data.
Credentials with privileged access are also attractive to attackers since they allow the attacker to access and maliciously compromise many business-critical IT assets with one single “key.”
One Password, Many Threats
Even with just one stolen credential, hackers can inflict extensive damage, such as:
- Moving laterally within the network
- Compromising many different systems, accounts, and users
- Launching ransomware or other types of malware attacks
- Gaining access to funds, sensitive data, intellectual property, and customer information
The 2021 ransomware attack on Colonial Pipeline began with a single compromised credential: the password for a VPN account that was no longer in active use and was not protected by multi-factor authentication. That one credential gave the attackers entry into Colonial's network; the company shut down pipeline operations in response, leading to fuel shortages across the eastern United States.
Supply Chain Attacks
Compromised or stolen credentials also increase the risk of supply chain attacks. One widely cited example is the SolarWinds compromise of 2020. The attackers planted a backdoor in SolarWinds' Orion software build, which then reached customers as a signed update; inside the 200+ organizations they went on to exploit, including global corporations and federal agencies, they relied on stolen credentials and forged authentication tokens to move further into networks and cloud services.
Financial and Productivity Costs
Aside from cybersecurity risks, credentials can cause other headaches for businesses too. For example, users may need to manage credentials for many different accounts and services, sometimes with complex password requirements, which degrades their experience and hinders productivity.
Credentials management also has a tangible financial cost for organizations. The annual expenses of password support and infrastructure can go up to $1 million for large organizations.
Further, about 30 – 50 percent of IT helpdesk calls are for password resets, hindering the IT team’s productivity and efficiency. Even a single reset request can cost about $70. These costs add up over time for multiple users and reset requests.
7 Common Ways Credentials Are Compromised
Modern cybercriminals and hackers can compromise, steal, and misuse enterprise credentials in many ways.
Phishing
In 2020, phishing was the top “action variety” in breaches, according to Verizon and the FBI. In fact, 75 percent of organizations experienced a phishing attack, and in a majority of such attacks, compromised account credentials were involved.
In a phishing attack, a threat actor sends emails that look legitimate to the victim. The email leads the victim to a malicious, attacker-controlled website that imitates a real login page; the credentials typed there go straight to the attacker, who can then access enterprise systems, disrupt operations, and steal sensitive data.
Social Engineering
Attackers may also use social engineering to obtain credentials directly. For example, they may call a victim pretending to be someone from the IT helpdesk, or approach a victim in person, and talk the victim into revealing his or her password or approving a multi-factor prompt.
Sniffers and Keyloggers
Sniffing is the passive capture of network traffic. On an insecure or unencrypted network, wired or wireless, an attacker who can see the packets (on open Wi-Fi, on a compromised switch, or from a machine on the same segment) reads any credentials sent in the clear: HTTP Basic authentication headers, FTP and POP3 USER/PASS commands, or login forms posted over plain HTTP. Transport encryption (TLS) is what makes captured traffic useless to a sniffer.
A keylogger is spyware that secretly records everything the user types, including usernames and passwords. It then sends the log to an attacker-controlled server, allowing the cybercriminal to use the credentials for further access.
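As an added illustration of the sniffing technique described above (this is not code from the original page; the captured payloads are constructed for the example), the following Python script pulls credentials out of cleartext protocol traffic the way a sniffer would. The same logic, run over a capture of your own network, tells you which services still send credentials unencrypted.

```python
import base64
import re
from urllib.parse import parse_qs

# Added example: pulling credentials out of cleartext protocol payloads, the way a
# network sniffer does. Not code from the page; the payloads below are constructed.

SAMPLE_PAYLOADS = [
    # HTTP Basic auth over plain HTTP: base64 is encoding, not encryption
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6UGFzc3cwcmQh\r\n\r\n",
    # FTP / POP3 control channel
    b"USER bob\r\nPASS hunter2\r\n",
    # login form posted over plain HTTP
    b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=carol&password=Summer2021%21",
    # nothing sensitive
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
]

BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
USER_RE = re.compile(rb"^USER\s+(\S+)", re.I | re.M)
PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.I | re.M)
USER_FIELDS = ("username", "user", "email", "login")
PASS_FIELDS = ("password", "passwd", "pwd", "pass")


def extract_credentials(payload: bytes):
    """Return [(protocol, username, secret), ...] found in one cleartext payload."""
    found = []

    m = BASIC_RE.search(payload)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:          # not valid base64: skip rather than crash on junk
            decoded = ""
        user, sep, secret = decoded.partition(":")
        if sep:
            found.append(("http-basic", user, secret))

    # FTP/POP3: pair each USER with the PASS that follows it on the same connection
    for u, p in zip(USER_RE.findall(payload), PASS_RE.findall(payload)):
        found.append(("ftp/pop3", u.decode(), p.decode()))

    # HTML login form: a password-looking field in a form-encoded POST body
    head, sep, body = payload.partition(b"\r\n\r\n")
    if sep and b"application/x-www-form-urlencoded" in head.lower():
        fields = parse_qs(body.decode("utf-8", "replace"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), "?")
        secret = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if secret is not None:
            found.append(("http-form", user, secret))
    return found


def sniff(payloads):
    """Run the extractor over every captured payload and collect what leaked."""
    return [cred for payload in payloads for cred in extract_credentials(payload)]


if __name__ == "__main__":
    for proto, user, secret in sniff(SAMPLE_PAYLOADS):
        print(f"{proto:10s} {user}:{secret}")
```

Only the fourth payload yields nothing; the other three give up a username and password without any cryptography being broken, which is the whole point: on an unencrypted link the credential is simply there to be read.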
Brute Force and Cracking
A brute force attack uses automated tools to try every possible combination of characters, at rates of billions of guesses per second on modern GPUs for fast hashes, until the correct password is found. Short or low-entropy passwords fall quickly; every added character multiplies the search space.
Such attacks are hardest to detect when they run offline: if the attacker obtains a copy of the system's password file or dumps the hashed passwords from a database, the guessing happens entirely on the attacker's own hardware, producing no failed-login events for the victim to notice.
A dictionary attack narrows the search to likely candidates: a file of the most commonly used passwords, such as “123456,” “password,” and “iloveyou,” usually extended with previously leaked passwords and simple mutations (a digit appended, the first letter capitalized). The attacker automatically tries every entry until one matches. Such attacks are especially effective when people use simple, easy-to-remember passwords across multiple accounts.
A rainbow table is a precomputed table, compressed with hash chains, that maps hashes back to passwords for one specific hashing algorithm, so that a stolen hash is looked up rather than cracked. Because the expensive hashing work was done once in advance, even fairly complex passwords that appear in the table fall in seconds. The defence is a random per-user salt combined with a deliberately slow hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count): with salting, the same password yields a different hash for every user, so no precomputed table applies and the attacker must hash every guess separately for every account.
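The following Python script is an added example (not code from the original page) that works through the three cracking approaches above against a constructed leak of unsalted SHA-1 hashes, and then shows why a random per-user salt plus a slow key derivation function changes the economics. The usernames, wordlist and hashes are constructed for the example; the choice of PBKDF2-HMAC-SHA256 with 100,000 rounds is an assumption standing in for whichever slow hash a real application uses.

```python
import hashlib
import hmac
import os
from itertools import product

# Added example: offline cracking of leaked password hashes, and why salted, slow
# hashes defeat precomputed tables. Not code from the original page.

# Constructed "dictionary" of common passwords (a real one has millions of entries).
WORDLIST = ["123456", "password", "iloveyou", "qwerty", "Hello123", "letmein"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


# Constructed leak: unsalted SHA-1 digests, as a legacy application might store them.
# alice and bob use dictionary words; carol uses a long passphrase not in any list.
LEAKED_UNSALTED = {
    "alice": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",   # sha1("password")
    "bob":   "7c4a8d09ca3762af61e59520943dc26494f8941b",   # sha1("123456")
    "carol": sha1_hex("orbit-walrus-kettle-93-nightfall"),
}


def build_lookup_table(words, hash_fn=sha1_hex):
    """Precompute hash -> plaintext once. A rainbow table is this idea made compact
    with hash chains; the plain dict is enough to show the effect."""
    return {hash_fn(w): w for w in words}


def crack_unsalted(leaked, table):
    """Without salt every user's hash is looked up in the same table:
    one dictionary probe per user and no hashing at crack time."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def brute_force(target_hash, alphabet, max_len, hash_fn=sha1_hex):
    """Exhaustive search over every string from `alphabet` up to `max_len`.
    The space is len(alphabet) ** length, which is why length matters most."""
    for n in range(1, max_len + 1):
        for combo in product(alphabet, repeat=n):
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hash:
                return candidate
    return None


# --- hardened storage: random per-user salt + deliberately slow KDF (assumed scheme) ---
ITERATIONS = 100_000  # PBKDF2 rounds; tune so one verification costs roughly 100 ms


def hash_salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(password: str):
    """Return (salt, digest) to keep in the user record."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_salted(password, salt), digest)


def crack_salted(leaked_salted, words):
    """With a unique salt per user no precomputed table applies: each word must be
    re-hashed for each user, and every hash costs ITERATIONS rounds. Weak passwords
    still fall, but the per-guess, per-user cost is what buys time to detect and respond."""
    cracked = {}
    for user, (salt, digest) in leaked_salted.items():
        for word in words:
            if hmac.compare_digest(hash_salted(word, salt), digest):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, table))   # alice and bob, instantly
    print("brute force:", brute_force(sha1_hex("abc"), "abcdefghijklmnopqrstuvwxyz", 3))
    salted = {"alice": store("password"), "carol": store("orbit-walrus-kettle-93-nightfall")}
    print("salted:", crack_salted(salted, WORDLIST))              # only alice, and slowly
```

Run it and note the asymmetry: the unsalted leak is cracked with six hash computations in total, however many users are in the file, whereas the salted version costs six slow derivations per user, and carol's passphrase is never found either way because it is not in the list and far too long to enumerate.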
Shoulder Surfing
Shoulder surfing is common when employees work remotely from public spaces like cafes or libraries: the thief simply watches over the user's shoulder, or points a phone camera at the keyboard, to note the credentials as the user types them into an account or system.
4 Strategies to Detect Credential Compromise and Protect Enterprise Accounts
Detecting compromised credentials should be a top priority for every security team, because a valid login is, by design, the one thing a perimeter lets through. There are several complementary ways to do it.
Implement User Behavior Analytics (UBA)
UBA analyzes millions of network events generated by corporate users to detect compromised credentials, insider threats, and risky behaviors on the enterprise network. It can also find evidence of intruder compromise, identify the lateral movement of threat actors within the network, and find other kinds of malicious behaviors.
Since UBA focuses on user behaviors rather than static threat indicators, it can detect attacks that escape traditional detection tools and raise early or real-time alerts about suspicious behaviors or malicious attacks.
Deploy Endpoint Detection and Response (EDR)
Adversaries use compromised user credentials to gain access to enterprise assets, move laterally among systems, and stay hidden for long periods. Their usual route to those credentials is the endpoint: phishing, malvertising, and drive-by downloads put malware on a laptop or workstation, the malware harvests passwords and session tokens, and the stolen credentials then drive the rest of the intrusion, including ransomware deployment.
EDR solutions record process, file, and network activity on every endpoint, detect and block malicious behaviour, and support response actions such as isolating a host. That continuous visibility is what surfaces the signs of credential theft and misuse, such as credential-dumping tools running under a user's session or remote logons that follow a successful phish.
Leverage Automated Deception Technology
Deception technology detects password guessing and credential misuse by placing traps and decoys across the network that imitate genuine assets. A “honey user” is a decoy account, with honey credentials seeded where an attacker would look for them, that no person or legitimate process ever uses; any authentication attempt against it, successful or not, is therefore a high-confidence alert that someone is working through stolen or guessed credentials.
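As an added example serving both the UBA section and the deception section above (this is not code from the original page or from any UBA or deception product), the following Python script runs three detections over a constructed authentication log: a honey-user trap, a password-spray rule (one source, many accounts, a failure or two each), and a behaviour rule that flags one account succeeding from too many addresses in a short window. The decoy account name, the log format, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: simple detections over authentication events, covering a honey-user
# trap and two behaviour-based rules. Not code from the page or any UBA/deception product.

# Constructed sample authentication log (not real data). Format per line:
#   <ISO timestamp> <username> <source IP> <success|failure>
SAMPLE_LOG = """\
2021-06-01T08:00:05 alice 10.0.0.15 success
2021-06-01T08:01:10 bob 10.0.0.22 success
2021-06-01T08:02:00 alice 10.0.0.15 success
2021-06-01T08:03:11 svc_backup_admin 203.0.113.7 failure
2021-06-01T08:03:12 alice 203.0.113.7 failure
2021-06-01T08:03:13 bob 203.0.113.7 failure
2021-06-01T08:03:14 carol 203.0.113.7 failure
2021-06-01T08:03:15 dave 203.0.113.7 failure
2021-06-01T08:03:16 erin 203.0.113.7 failure
2021-06-01T08:03:17 frank 203.0.113.7 success
2021-06-01T08:05:00 frank 10.0.0.40 success
2021-06-01T09:10:00 frank 198.51.100.9 success
"""

# Decoy account (hypothetical name): it exists in the directory but no person or
# process ever uses it, so any authentication attempt against it is an alert.
HONEY_USERS = {"svc_backup_admin"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "success"})
    return events


def honey_user_alerts(events, honey_users=HONEY_USERS):
    """Deception rule: success or failure does not matter; touching the decoy is enough."""
    return [e for e in events if e["user"] in honey_users]


def password_spray_alerts(events, window=timedelta(minutes=10), min_users=5):
    """One source, many accounts, one or two guesses each (stays under lockout limits).
    Flags the source IP and any account that succeeded from it inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failed_users = {e["user"] for e in in_window if not e["ok"]}
            if len(failed_users) >= min_users:
                compromised = sorted({e["user"] for e in in_window if e["ok"]})
                alerts.append({"ip": ip, "targets": len(failed_users), "compromised": compromised})
                break
    return alerts


def multi_source_alerts(events, window=timedelta(hours=2), max_ips=2):
    """Behaviour rule: one account authenticating successfully from more than max_ips
    distinct addresses inside the window does not look like one person at one desk."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) > max_ips:
                alerts.append({"user": user, "ips": sorted(ips)})
                break
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in honey_user_alerts(events):
        print("HONEY USER touched:", e["user"], "from", e["ip"], "at", e["ts"])
    for a in password_spray_alerts(events):
        print("PASSWORD SPRAY from", a["ip"], "against", a["targets"],
              "accounts; succeeded on", a["compromised"])
    for a in multi_source_alerts(events):
        print("MULTI-SOURCE logins for", a["user"], "from", a["ips"])
```

On the sample data the three rules tell one story: the spraying host touches the decoy first (instant alert), guesses one password per account across six users, lands on frank, and frank's account is then used from three different addresses within an hour. Each rule alone is noisy in a real environment; their value is in correlating them, which is what a UBA platform does at scale.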
Use a Strong Password Manager
A password manager stores passwords in an encrypted vault unlocked by one strong master secret, ideally combined with multi-factor authentication. It generates long, random, unique passwords for each account, which eliminates reuse and makes guessing or cracking impractical. Some password managers also warn users when a stored password appears in a known breach, so that it can be changed quickly.
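As an added illustration (not code from the original page or from any particular password manager), the following Python script shows the three things just described: generating passwords from a cryptographic random source, finding reuse across a vault, and checking a password against a breach corpus without revealing it. The breach check uses the k-anonymity scheme popularized by the Have I Been Pwned range API, where only the first five hex characters of the SHA-1 digest are sent and the comparison is done locally; the range response and vault contents below are constructed for the example, not real API data, and the counts are made up.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Added example: what a password manager does for you. Not code from the page or from
# any particular password manager product.

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG (secrets, never random); resample until
    every class is present so the result also passes typical complexity policies."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def find_reused(vault):
    """vault: {site: password}. Returns groups of sites sharing one password,
    i.e. the accounts that fall together if any one of them leaks."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


def hash_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest the way the HIBP range API expects:
    the 5-character prefix is all that leaves the device."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """range_response: the 'SUFFIX:COUNT' lines the server returned for the prefix.
    The match is made locally, so the password (and its full hash) is never sent."""
    _, suffix = hash_prefix_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the server's reply to prefix 5BAA6 (the prefix of
# sha1("password")). Suffixes and counts are made up for the example, except that the
# third suffix is the real remainder of sha1("password").
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:2400000
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

# Constructed vault contents for the reuse check.
SAMPLE_VAULT = {
    "mail.example": "Summer2021!",
    "vpn.example": "Summer2021!",
    "bank.example": "Summer2021!",
    "crm.example": "gK7#pQ2v!mZ9rL4w",
}


if __name__ == "__main__":
    print("generated:", generate_password())
    print("reused across:", find_reused(SAMPLE_VAULT))
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE_5BAA6), "times")
```

The design point worth noticing is in breach_count: the vault never sends a password, or even its full hash, to anyone. A five-character prefix matches on the order of hundreds of candidate hashes, which is enough anonymity that the server learns nothing useful about which password was checked.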
Prioritize Business Security with ZenGRC
To protect your enterprise credentials from compromise, you need better visibility into your risk environment. Try ZenGRC to boost your threat detection and risk assessment capabilities.
Leverage a centralized, integrated platform to get a single source of truth into the critical risks affecting your credentials and protect your organization from the dangers of credential compromise. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.
Many organizations rely on ZenGRC to increase risk visibility and strengthen their cybersecurity defenses. Schedule a demo to explore ZenGRC for yourself.