Verizon’s 2020 DBIR reports that more than 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials— here’s how to prevent weak or compromised credentials from being used in your company’s applications and network Cybercriminals are creatures of opportunity when it comes to committing cybercrimes: They look for the biggest score with the most minimal amount of effort. And when it comes to accessing users’ personal and business-related accounts, their approach isn’t much different. They look for ways to access your account with as little effort as possible by using compromised credentials. How Hackers Get Access to Users’ Accounts As of June 9, 2020, the website shows that there are 9,760,722,439 (nearly 9.8 billion) known “pwned” accounts in existence. That means that the number of compromised accounts surpasses the number of people that we have living in the entire world today! So, this means that for some people, several of their accounts’ passwords have become compromised. haveibeenpwned.com What makes this realization even worse is this: A by Carnegie Mellon University’s Security and Privacy Institute (CyLab) shows that only one-in-three users bother to change their passwords in the aftermath of a publicized data breach. And when they do bother changing their passwords, the updated passwords are frequently less secure than the compromised ones they replaced! recent study Now, let’s imagine that some of those negligent users are your own employees. What would this mean for your business? Let’s connect the dots: Data breaches occur. People don’t change their passwords. Cybercriminals often use those breached credentials. If successful, they gain access to insecure accounts using those creds. Needless to say, this spells trouble for your organization in the form of credential account compromise. But just what sorts of tactics do cybercriminals frequently use to gain access to accounts? Brute Force Attacks is both a type of attack and category of attacks that exploit insecure passwords. The goal for threat actors? To force their way into your account to gain unauthorized access to your content, assets, and information. It involves a hacker testing a list of values (typically words that can be found in a dictionary) against a server to analyze how it responds. The list can also contain various of those terms that include special characters and numbers. So, in the most basic sense, are like having a cybercriminal who’s armed with a massive key ring: They try every key in a lock until one works (eventually). Brute force brute force attacks Credential Stuffing Attacks The Open Web Application Security Project (OWASP) defines as a type of brute force attack that involves “the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.” So, in a nutshell, a credential stuffing attack is a bit like firing a shotgun: The cybercriminal “fires” passwords and credential combinations that were stolen or leaked to test and see if any of the combinations are valid. credential stuffing Credential stuffing attacks are something that cybersecurity companies are continually fighting. One recent credential stuffing attack that lasted a grand total of 60 hours and involved 44 million login attempts! That’s the equivalent of 733,333 login attempts per hour or 12,222 login attempts per minute. Imperva reported mitigating Password Spraying Attacks Much like credential stuffing, is another type of brute force attack. But in this case, it uses a single password against multiple targeted user accounts before moving on to try other individual passwords. password spraying This method of attack is like the virtual equivalent of lobbing a virtual grenade made of duplicate keys into a room filled with different locks. The goal of “spraying” a single password across multiple accounts to see if the password is valid for any of them enables an attacker to more effectively test a single key across many accounts. So, with successful attacks occurring at such a rapid rate, what can you do to protect your organization against weak or compromised password attacks? 7 Tips for How to Prevent Credential Attacks Within Your Organization Let’s be perfectly frank: No matter what anyone tells you, there is no one-size-fits-all approach to stopping credential-based cyber attacks. (Or any types of cyber attacks, for that matter.) All you can do is implement a layered approach that makes you a tougher target. So with that in mind, here are 7 steps you can take to prevent compromised credentials from affecting your organization. Tip 1: Monitor Your Traffic and Access Logs Using AI and Automation Any organization that’s worth its security salt monitors and analyzes its traffic and access reports. Part of this monitoring involves reviewing successful and failed login attempts. Some organizations might employ in house resources and personnel using an SIEM approach while others may hire third-party services and solutions to do it for them. These records can show whether specific IP addresses or groups of them that are attempting to log in to users’ accounts. (This helps you to identity potential brute force attacks.) Artificial intelligence and machine learning solutions make it possible to scour the logs and identify any suspicious activity and failed login attempts in record time. An advantage of using these solutions is that it frees up your human workers so that they can focus on the analysis of the potential threats or handle other important tasks. Tip 2: Use Breached Credential Lists to your Advantage Brute force attacks the perfect solution for the lazy (or efficient, depending on how you look at it) hacker. Cybercriminals either purchase or download these lists of credentials (dictionaries) for free, and then they use automation to run through these lists of stolen or leaked credentials until they find a combination that works. But where are they getting these lists? There’s plenty of information available on the Dark Web and collaborative hacker communities and sites like GitHub. There are also people posting lists of the most commonly used passwords as well. For example, here’s a screenshot of a list of that’s available through GitHub: 10,000 of the most common passwords Image Source: GitHub Heck, how about a list of the instead? Oh, yeah, that’s available on GitHub, too (and has been for more than a year!). 100,000 (100k) most commonly used credentials While having access to these types of public lists sucks for the cybersecurity-ignorant user who uses these types of passwords, there’s a bit of silver lining for organizations: You can use these lists to prevent brute force attacks from being successful. You can do this by preventing users from using insecure or compromised passwords in the first place. One example of how to do this is to in the Microsoft Azure Active Directory. Azure’s AD already pulls from its internal global banned password list, but this custom capability allows you to specify additional terms that wouldn’t be allowed to be used as passwords. create custom lists of banned passwords Image source: Microsoft Unfortunately, their custom password list limits you to 1,000 prohibited terms. But there are additional tools and options you can consider such as . Specops Password Policy If you’re using WordPress, you also can use a plugin such as , which checks passwords against an online list of common passwords and terms in more than 20 languages. Or, you can use a tool like , which is available as an app as well as a plugin, to audit your website for known insecure credentials. Simply upload your password dictionary and let the scanner’s user enumerator and password cracking tools take care of the rest. No Weak Passwords WPScan Tip 3: Filter or Blacklist Suspicious IP Addresses During a credential stuffing or other type of credential attack, your network logs would likely show a few specific IP addresses with repeated failed login attempts across multiple accounts. This is an indication of some less sophisticated credential-based attacks. The good news? You can choose to either filter or block these IP addresses altogether. but to summarize, it’s a compilation of any IP addresses, domains, URLs that are suspicious or malicious. By applying a blacklist to virtually any area of your network, you can deny service to entities that may pose a threat to your organization. Some companies purchase blacklists from commercial services while others compile their using their logs of failed login attempts. There’s no right or wrong way to go about it. NIST has a couple of definitions for the term “blacklist,” However, if your organization lacks the resources or personnel to painstakingly go through network logs, there are publicly reported blacklists of “bad” IP addresses that you can use. If you’re not sure where to start looking for them, here’s a list of a few free and commercial resources: — The abuse IP database is a great resource that you can use to either check the veracity of a questionable IP address or to access lists of them. While they do offer subscription plans, they also do offer a free plan with access to their basic blacklist and some other useful goodies. AbuseIPDB — The Barracuda Reputation Block list (BRBL) is a free DNSBL of known spam-sending IP addresses. Barracuda Central — This list of block IPs and top attacker IP addresses is a conglomeration of data compiled by SPAMHAUS and DShield. Emerging Threats — This website is a great free tool that shows a list of the latest threats, including URLs, IP addresses, geographic location, and the type of threat each list item poses. Scumware.org — Their (XBL) and (SBL) are great resources via their Datafeed Service. SPAMHAUS exploits block list SPAMHAUS block list One important note: Some of these resources may have usage restrictions, so be sure to read the usage agreements before using any of these resources. If you’re looking for additional RBL resources, be sure to check out . Also, there are also plenty of other online tools and sites that you can use to check individual IP addresses, including your own — and . multirbl.valli.org’s list of RBLs whatismyipaddress.com dnschecker.org There are known IP address lists by region, too. So, another cool trick that you can use is to set up regional IP limitations. This is great if you’re an organization that only works with local or regional customers — for example, if you’re a U.S. company that only does business with individuals in the continental U.S., you could block IP addresses that fall outside those parameters. So, if you suddenly notice failed login attempts from IP addresses that are well outside your customers’ regions, you can block them. Of course, cybercriminals can employ various method to hide their IP addresses — such as through the use of VPNs and botnets — but IP filtering and blacklisting, at least, serves to protect you against the less sophisticated attackers. Tip 4: Use PassProtect On Your Web Apps is a tool ( ) that prevents compromised passwords from being used as user credentials. To be more specific, it’s a tool that binds itself to email and password input elements to identify any user emails or passwords that have been exposed in past data breaches. It does this by checking those values against breaches passwords and email addresses that have been identified by the Have I Been Pwned? API service. PassProtect as well as a Google Chrome extension So, if you were to integrate this into your own web apps, it could help you to mitigate the use of weak and compromised passwords by your users. Tip 5: Implement Multi Factor Authentication and Other Security Measures Here’s another way that you can from the use of weak or compromised credentials: Make the use of and other authentication mechanisms mandatory. protect your website multi-factor authentication (MFA) Multi factor authentication is a great way to supplement password security and prevent the use of stolen credentials. Basically, in addition to your password, an attacker would also require access to additional elements (such as access to a physical security token or biometric) to complete the authentication process. They couldn’t just use breached credentials alone to access accounts. (DBIR) reiterates the impact of credential theft in web app attacks. Although the following excerpt speaks specifically to the number of web app attacks targeting the construction, the sentiment extends to other verticals as well: Verizon’s 2020 Data Breach Investigations Report “For the Web Applications attacks, the most common hacking variety was the use of stolen credentials. Sometimes these were obtained from a phishing attack, and sometimes they were just part of the debris field from other breaches. Employees reusing their credentials for multiple accounts (both professional and personal) increases risk for organizations when there are breaches and the stolen credentials are then used for credential stuffing. The key to reducing this risk is to ensure that the stolen credentials are worthless against your infrastructure by implementing multifactor authentication methods.” The shares a few additional ways that you can supplement your password security measures: U.S. CERT’s Cybersecurity & Infrastructure Security Agency — Automate the disabling of systems that register inactive for a set period. If someone isn’t using an account, then there’s no reason to continue keeping it active. You can always reactivate an account as needed. Disable inactive accounts — Use “salting” and one-way “hashing” to make stored passwords more secure. Salting and hashing are processes that involve adding additional random characters to an existing password before scrambling it into an unintelligible form. Secure password data — Implementing an account lockout policy that initiates a lockout after a set number of failed login attempts helps to mitigate brute force attacks. Account lockout policies Tip 6: Set Policies and Rules Relating to Password Strength and Limitations Password policies are useful for ensuring that any passwords that are created are as secure as possible. Some such policies include: — A simple password is often an insecure password. Thankfully, you can set such as requiring users to include at least one number, uppercase letter, special character, etc. You also can specify here any special letters, numbers, or characters that they can’t use. NIST provides guidance on password security in its special publication . Microsoft also provides some that you might find useful. Password complexity policies password complexity parameters NIST SP 800-63B password guidance information — Also known as a , this particular policy ensures that users regularly change their passwords. Basically, it requires users to change their passwords after a set period of time. Conversely, there are also minimum password age policies that you can implement as well. Maximum password age policies password expiration policy — A common practice that many computer users employ is rotating through a small set of passwords that they can remember. By putting a password history policy in place, you’re mandating that each user has to cycle through before they can circle back to using a previous password. Password history policies how many unique passwords Now, the key here is to enforce any password policies that you put in place. The longer that any of your web app users uses the same password, the more at risk they — and you — are to different brute force attacks. You can also use password complexity checkers, meters, and password generators as well to help users generate better passwords. Tip 7: Educate Users About Password Security and Make the Process Easier Nearly half (49%) of data breaches reported in IBM and the Ponemon Institute’s were “inadvertent breaches” that resulted from good ol’ fashioned human errors and system glitches. 2019 Cost of a Data Breach Report So, while this really should go without saying, it bears repeating: Educate your users. Teach them about the and how to identify them. Teach them to use secure passwords (or, better, pass phrases) to secure their accounts. Demonstrate the advantages of using a password manager, which allows users to generate and store unique, complex passwords for all accounts. All they’d have to remember is one master password — it doesn’t get much easier than that! dangers of phishing attacks Implementing strong password security policies without first addressing the fallibility of human nature and our desire for convenience will always result in weak password security. So, educate your users while also allowing them to use a reputable password security manager. Final Thoughts From the data we’ve shared, it’s clear that credential compromise attacks are a significant issue for organizations regardless of size. There are multiple ways that you can your users’ accounts against brute force attacks and other credential-related threats. Cybercriminals aren’t going to stop trying to gain access to your accounts, and they’re going to use whatever means they have at their disposal. This means that to protect your business, you need to understand the tactics they use and layer your defenses to combat them.

Google

Microsoft

Target

Read My Blog: https://sectigostore.com/blog

2022 - HackerNoon Contributor of the Year - Authentication

Nominated for 2022 - HackerNoon Contributor of the Year - Authentication

Too Long; Didn't Read

Questions about cloud security? Get answers here.

7 Ways to Protect Your Company from Insecure Credentials

Too Long; Didn't Read

People Mentioned

Companies Mentioned

Casey Crane

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

7 Ways to Protect Your Company from Insecure Credentials

Too Long; Didn't Read

People Mentioned

Companies Mentioned

Casey Crane

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES