By Morey Haber, CTO & CISO at BeyondTrust
If you were a cyber criminal, imagine what you could do with a cache of stolen passwords. Perhaps you might launch a brute force attack against targeted organisations. Maybe you could monetise your stolen passwords by selling them on the Dark Web.
More advanced cyberthreat actors might be able to link the data with other sources to widen the scope of targets, in the hope that the compromised identities reused passwords across multiple accounts and services. And the most persistent attackers may hammer on your web-based accounts until they break in. Think this sounds far-fetched? Consider this recent old-school attack against financial systems.

Another devious method threat actors use to gain persistent access into financial accounts is to extract funds en masse from ATMs, leaving little time for a response before the transactions are complete. There is a good summary of this type of threat in the Harvard Business Review. This attack can stem from vulnerabilities and exploits, or from caches of pilfered PINs and passwords. Essentially, these attacks exploit a privileged attack vector and steal money from everyone all at once. If you think this type of cyberattack happened only years ago and could not happen today because the indicators of compromise are well known, you would be mistaken.

Tips for Protecting Against Password Pickpockets

Any time an individual or group knows the password(s) from another group of people or resources, a pickpocket attack could occur. The most famous such incident involved Edward Snowden (and yes, everyone in the government and security industry is sick of hearing his name). Snowden illegally obtained credentials from his co-workers to steal information using heisted passwords and authorised data access terminals (workstations). Users were unaware of the theft, passwords were not rotated, and information was stolen piece by piece to avoid detection. This type of slow, sinister data theft also happened to Yahoo and Starwood, albeit via slightly different privileged attack forms, and not all at once.

Pickpocket password threats can come from inside or outside your organisation. They can happen in our personal lives and in any business, organisation, or government. The threat is based around the concept of one entity knowing too many credentials and passwords for someone (or something) else. The credentials have been obtained illicitly, and the perpetrator has malicious intent in reusing them.

So we are left with a security dilemma. How do we mitigate this type of threat? Here are a few strategies:

  1. Never reuse a password across different resources. Every application and resource should have a unique password. Never use the same credentials at home and at work. For businesses, consider a password manager that can store, automatically rotate, and provision passwords to appropriate individuals by role or persona. This prevents a cyber thief from accumulating passwords since the passwords are constantly changing and follow an entitlements model.
  2. Frequently change your passwords. This aligns with the recommendation above. Often, even when we use a password manager, we do not force password rotation frequently enough, especially in our personal lives. Consider changing passwords as regularly as you change smoke detector batteries. Hopefully you do that at least twice each year, using daylight saving time as a reminder. Now, if you are a curious cybersecurity professional, you may argue that recent NIST guidance states that you no longer need to frequently rotate a user’s passwords. That is true for standard users who never share or enter credentials repeatedly into various systems. However, this is not a best practice for service accounts, privileged accounts, or any other credential/password pair that might be known by more than one individual. This ties back to our premise of why stolen passwords, and knowledge of them, are a threat.
  3. Use MFA or 2FA. If your password ever does get out into the wild, multi-factor and two-factor authentication can block unauthorised authentication attempts even when a criminal has obtained the password itself. In addition, combining this technology with context-aware information (such as source IP) further strengthens the security model by preventing access from unauthorised geolocations.
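As an added example that is not part of the original article, the following Python applies the three rules above to a constructed credential inventory: single-owner user passwords are left alone per the NIST point, service, privileged or shared credentials older than a rotation age are flagged, and accounts sharing the same secret fingerprint are reported as reuse. The inventory, account names, fingerprint scheme and 182-day threshold are all assumptions made for this example.

```python
# Added example (not from the original article): audit a constructed
# credential inventory for rotation needs and password reuse.
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass
class Credential:
    account: str
    kind: str          # "user", "service" or "privileged" (assumed categories)
    known_by: set      # people who know the secret
    last_rotated: date
    fingerprint: str   # fingerprint of the secret, never the secret itself


def fingerprint(secret: str) -> str:
    # Assumed scheme for the demo only; a real inventory would use a
    # keyed/salted fingerprint so the table cannot be cracked offline.
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def needs_rotation(cred: Credential, today: date, max_age_days: int = 182) -> bool:
    """Article rule: a standard user's single-owner password follows NIST
    (no forced rotation); service, privileged or shared credentials rotate."""
    shared = len(cred.known_by) > 1
    if cred.kind == "user" and not shared:
        return False
    return (today - cred.last_rotated).days > max_age_days


def find_reuse(inventory):
    """Group accounts whose secrets share a fingerprint (password reuse)."""
    groups = {}
    for c in inventory:
        groups.setdefault(c.fingerprint, []).append(c.account)
    return {fp: accts for fp, accts in groups.items() if len(accts) > 1}


# Constructed inventory (sample data, not real accounts).
INVENTORY = [
    Credential("alice", "user", {"alice"}, date(2018, 1, 1), fingerprint("Corr3ct-Horse")),
    Credential("svc-backup", "service", {"alice", "bob"}, date(2018, 1, 1), fingerprint("Corr3ct-Horse")),
    Credential("dba-admin", "privileged", {"bob"}, date(2018, 11, 1), fingerprint("Summer2018!")),
    Credential("shared-kiosk", "user", {"alice", "bob", "carol"}, date(2018, 1, 1), fingerprint("Kiosk#1")),
]


def audit(inventory, today: date):
    """Return the accounts due for rotation and the reuse groups found."""
    return {
        "rotate": sorted(c.account for c in inventory if needs_rotation(c, today)),
        "reused": find_reuse(inventory),
    }
```

Running `audit(INVENTORY, date(2018, 12, 1))` flags the shared service account and the shared kiosk login for rotation, leaves the single-owner user and the recently rotated admin alone, and reports that "alice" and "svc-backup" share one password.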

As privilege attack vectors continue to evolve, organisations need to remain vigilant against the security risk of stolen passwords. Remember, anyone, whether inside or outside your organisation, who has a vast knowledge of illegally obtained passwords is a potential threat.
