Categories
Security

Why securing credentials is more important than ever

Passwords. They’re the bane of our existence—whether you work in IT, IS or just have trouble remembering them all. Passwords may have originated as a security measure, but now, at least alone, they’re a liability. Why? Unintentional user negligence and intentional cybercriminal enterprise have rendered the username/password combo, otherwise known as credentials, practically moot.

Thanks to countless years of desks left unattended and phishing scams coercing users into entering their personal information, millions of credentials are readily available to be stolen, sold, and/or leaked online. That’s why credentials—or more importantly, the security measures we use to verify identity and grant access—need protecting now more than ever.

Unfortunately, many businesses continue to rely on outdated credential security models that leave their networks exposed—a situation only exacerbated by remote work.

Securing credentials for the 2022 threat landscape

Once upon a time, before the pandemic ushered in the era of Zoom fatigue and cloud-based-everything, access to the corporate network could be protected by a level of security provided by the four walls of the workplace. Traditional on-premises security inferred onto employees an automatic level of trust. Swipe a badge, gain entry. From there, identity could be verified by simply recognizing a familiar face at work.

This trusted access extended to all systems and networks, empowering organizations to follow the “trust, but verify” model, in which users were given full access to the corporate network once their login credentials—typically just a username and password—were substantiated.

As cybercrime tactics advanced, however, this approach was like handing threat actors the keys to the proverbial castle: If criminals had just one employee’s credentials, they could gain access to the entire corporate network, including sensitive data like financials or employee records.

In fact, cybercriminals have developed a wide range of sophisticated (and some unsophisticated) methods for targeting credentials, ranging from key loggers and credential-harvesting malware to spear phishing and business email compromise. Before the pandemic brought about the mass migration to remote work, organizations were already in need of revamping their credential security to better adapt to modern-day threats.

Remote work further compromises credential security
Enter: the sudden, intense shift of organizations’ entire workforces to the WFH model. It’s no secret that, while beneficial in many ways for businesses and their employees, remote work has dramatically expanded an organization’s threat surface. The sheer number of new, potentially vulnerable access points introduced by remote employees alone—including personal devices, home networks and IoT—would be enough to instigate the type of credential policy change advocated here.

Many work-from-home (WFH) devices and networks are under-secured, with minimal or no identity verification required. A single remote employee might introduce a handful or more of new vulnerabilities: Using a personal laptop without entering credentials. Connecting to the corporate network from a home network that isn’t password-secured. Using a home assistant and smart refrigerator with their default credential settings still in place.

Add to that a remote workforce that may not be up-to-date on the latest WFH best practices, and you have the perfect recipe for a breach.

Cybercriminals are, unfortunately, well aware that remote work has weakened businesses’ security postures. A steep rise in cybercrime has paralleled the adoption of remote work—especially cybercrime targeting credentials. With compromised credentials cited as the most common cause of security incidents, it’s clear that organizations should re-imagine how they protect credentials and prove identity when providing access to their remote employees.

Best practices for credential security today
With cybercriminal tactics for targeting credentials becoming more sophisticated, with users (both on-premises and remote) in need of more acute security awareness, and with WFH environments contributing to a burgeoning collection of new vulnerable access points, it’s time for organizations to follow more contemporary principles of credential security.

Want to get started? The following tools and policies help improve both credential and overall security:

Password hygiene: Password hygiene remains a problem for most people—two-thirds of users reuse their passwords across multiple accounts; 59 percent use their birthday in their password; 43 percent have shared their password with someone—so it’s no surprise that login credentials alone provide little security.

With criminals increasingly credential stuffing, aka using stolen credentials to access other peoples’ accounts and services, preventing password reuse and requiring stronger, more frequently-updated passwords is a first step in the right direction.

  • Set maximum password age limits to ensure passwords are changed, as well as minimum age limits so they can’t be quickly changed back.
  • Require passwords meet complexity requirements, like containing at least one uppercase and lowercase letter, a number, and a special character.
  • Set minimum password lengths and encourage employees to create long passphrases unrelated to their personal information—so no birthdays, street numbers, names, etc.
  • Use Enforce Password History policies that store old passwords and restrict repetition.
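
The four policy bullets above, implemented as a password-change checker. This is an added example, not code from the post or from any product it mentions; the thresholds (14 characters, 1-day minimum age, 365-day maximum age, 24-entry history) are assumptions, and the passwords and timestamps are constructed. History is kept as salted PBKDF2 hashes, and trivial edits to the current password (changing case or swapping a special character) are rejected by comparing normalized forms of the old and new password, which are both available at change time.

```python
"""Password-change policy: minimum/maximum age, complexity, length, history."""
from __future__ import annotations

import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy thresholds: assumptions for illustration, not values from the post.
MIN_LENGTH = 14
MIN_AGE = timedelta(days=1)       # can't be changed straight back
MAX_AGE = timedelta(days=365)     # must be rotated at least yearly
HISTORY_DEPTH = 24                # "Enforce Password History" depth
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    # History is stored salted and hashed; no plaintext is retained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _normalize(password: str) -> str:
    # Drop case and non-alphanumerics so "Summer2021!" and "summer2021#" collapse
    # to the same form: the trivial edits users make when forced to rotate.
    return "".join(c for c in password.lower() if c.isalnum())


def complexity_problems(password: str, personal_info=()) -> list[str]:
    """Length, character-class and personal-information checks (hypothetical rules)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < 4:
        problems.append("needs upper, lower, digit and special character")
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)   # oldest first, current last
    changed_at: datetime | None = None

    def is_expired(self, now: datetime) -> bool:
        return self.changed_at is None or now - self.changed_at >= MAX_AGE

    def change_password(self, current: str, new: str, now: datetime, personal_info=()) -> list[str]:
        """Apply the change if it passes policy; return the list of violations (empty = applied)."""
        problems = []
        if self.history:
            if _hash(current, self.salt) != self.history[-1]:
                return ["current password incorrect"]
            if now - self.changed_at < MIN_AGE:
                problems.append("password changed too recently (minimum age)")
            if _normalize(new) == _normalize(current):
                problems.append("new password is a trivial variant of the current one")
        problems += complexity_problems(new, personal_info)
        if _hash(new, self.salt) in self.history[-HISTORY_DEPTH:]:
            problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history = (self.history + [_hash(new, self.salt)])[-HISTORY_DEPTH:]
        self.changed_at = now
        return []


def run_demo() -> dict:
    """Walk one account through the policy with constructed passwords and timestamps."""
    acct = Account()
    t0 = datetime(2022, 1, 3)
    day = timedelta(days=1)
    out = {}
    out["initial"] = acct.change_password("", "Correct-Horse-Battery-9", t0)
    out["too_soon_variant"] = acct.change_password(
        "Correct-Horse-Battery-9", "correct-horse-battery-9!", t0 + timedelta(hours=1))
    out["wrong_current"] = acct.change_password("nope", "Staple-Gun-Orbit-42!", t0 + 2 * day)
    out["personal"] = acct.change_password(
        "Correct-Horse-Battery-9", "Alice-Birthday-1990-Q!", t0 + 2 * day, personal_info=("alice", "1990"))
    out["good"] = acct.change_password("Correct-Horse-Battery-9", "Staple-Gun-Orbit-42!", t0 + 2 * day)
    out["reuse"] = acct.change_password("Staple-Gun-Orbit-42!", "Correct-Horse-Battery-9", t0 + 4 * day)
    out["expired_after_year"] = acct.is_expired(t0 + 400 * day)
    return out


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```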

Multifactor authentication (MFA): There are 8.4 billion or more passwords stolen from data breaches that have been leaked online—in a single hacker forum. With criminal access to so many credentials, requiring a second or third layer of identification through MFA helps thwart many attempted cyberattacks. MFA calls for at least two modes of identification, including:

  • Something the user knows, such as a password, PIN, or answers to personal security questions
  • Something the user has, such as a security token, USB device, smartphone, or other physical object
  • Something the user is, i.e., a unique physical characteristic, like fingerprints, voice recognition, facial recognition, or retina scanning

Single sign-on (SSO): Besides credential theft, password fatigue is also a key contributor to security breaches. When users are prompted to change passwords frequently, they often make too-simple alterations, such as swapping one special character for another or capitalizing a different letter of an existing password. In addition, having to remember different passwords for dozens of accounts encourages reuse.

Using SSO authentication—i.e., allowing one set of login credentials to access multiple systems—can mitigate risk by reducing both password fatigue and credential theft. When implemented securely (in combination with MFA), SSO benefits include:

  • Reducing password fatigue by eliminating password re-entry.
  • Minimizing risk of accessing third-party sites because passwords are no longer stored externally.
  • Decreasing the likelihood that users will store passwords insecurely (e.g., by writing them down on post-its).

Businesses looking to further improve credential security should consider adopting the latest thinking in best practices. The prevailing philosophies are:

Least-privileged access: One of the most menacing aspects of credential compromise is that cybercriminals can gain access to your entire network with only a low-level user login. Following a principle of “least-privileged access” helps limit damage that might be done by a hacker or malicious insider with unauthorized access.

Least-privileged access involves restricting users’ access rights to only the data and systems they need to perform specific tasks. Least-privileged access can also be combined with segregation-of-duties policies to limit users’ access to specific functions.

Zero trust: Traditional perimeter-based security is no longer enough to protect against modern-day risks to corporate credentials, thanks to cybercriminal innovation in credential-stealing methods and the difficulty organizations now face in verifying the identity of their remote workers.

Employees themselves will always be a security risk—albeit one mitigated by successful security education programs—but now their working environments are unsecured and unmanaged by IT. Even least-privileged access could allow bad actors to gain a foothold into the corporate network. Zero trust offers an even more secure approach.

Zero trust follows a “never trust, always verify” philosophy, where every user and device must be continuously validated before receiving access, and access is only granted upon request. Instead of authorizing broad access to a collection of network resources, zero trust grants access to specific resources on an as-needed basis. Users and devices are never trusted by default, even if they had been connected to company resources before.

Implementing this many layers of credential security may take a great deal of time and money—or it might not be possible for many small businesses or start-ups right now. That’s okay—any small improvement in credential security makes a difference. But understanding the threat landscape and the tools, policies, and philosophies that are best recommended helps organizations develop a credential security model to strive for.

To learn more about password hygiene: https://blog.malwarebytes.com/cybercrime/2019/03/hackers-gonna-hack-anymore-not-keep-reusing-passwords/

For a deeper dive on zero trust: https://blog.malwarebytes.com/explained/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model/

For more information on best WFH practices: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Combat fear fatigue with these security tips

Nearly two years ago, companies around the globe scrambled to support entire workforces strong-armed into remote work practically overnight. For far too many, security was an afterthought — until it was too late. Now, as remote work transforms from novelty to the new normal, organizations must double-down on security efforts. But what if those efforts alienate employees and increase stress instead of alleviating it?

While many employees have expressed a desire to be more secure, as our recent Still Enduring From Home report found, fear fatigue has set in after years of constant concern and change. And that is a vulnerability likely keeping IT and security leaders awake at night.

Why can increasing security cause increased stress and fear fatigue?

How to fight fear fatigue while keeping remote workers secure

Hybrid and remote work are on their way to becoming permanent fixtures. Yet the digital infrastructure so hastily thrown up two years ago to support the remote workforce now needs a serious security overhaul.

Multiple new access points — many of them weak on cybersecurity protections or lacking them altogether — have introduced additional vulnerabilities to an already-taxed system. Users connecting from unsecured home networks, personal computers and mobile phones using shadow IT, haphazard physical environments exposing proprietary data, and unchecked identity and access management policies have left organizations at increased risk of compromise.

As such, it’s time for businesses to sharpen security processes, beef up technical protections, and, most importantly, roll out new forms and frequencies of security training. Security awareness has never been more important.

In fact, many organizations have already taken steps to reduce risk and plug security vulnerabilities introduced by remote work. In Malwarebytes’ recent report, Still Enduring From Home, researchers surveyed 200 IT decision makers to see how organizations fared with remote security measures over an 18-month period.

The results paint an optimistic picture: 74 percent of IT teams have implemented new tools, such as antivirus software, password managers, virtual private networks (VPNs), and two-factor authentication (2FA); 71 percent have introduced new forms of training; and 48 percent have updated their crisis management protocols. Overall, 56 percent of respondents said their organizations have become slightly or significantly more secure since they began working from home.

That’s good news, right? Organizations making moves to boost security is cause for celebration, to be sure. However, the outlook is murkier when examining how employees feel about this increased security. According to the report, they’re fairly well-invested: 83 percent care to some degree about security practices, with 51 percent caring deeply.

However, caring doesn’t always translate to awareness, nor does awareness always result in action. While 62 percent of respondents said their employees are either “very” or “acutely” aware of security best practices, nearly 40 percent range from “aware but not a priority” to “oblivious and risky.”

And while employees care about getting security right, many are also suffering from “fear fatigue.” Nearly 80 percent of the Still Enduring From Home respondents reported some level of fear fatigue or jadedness in their organization. Adrenaline-fueled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

Fear fatigue (otherwise known as security fatigue) inspires complacency, and complacency leads to risky cybersecurity behavior, like opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi. Scammers are primed and ready to take advantage of this reduced focus. In fact, organizations should consider “human-proofing” an essential layer of their cybersecurity approach.

According to the Verizon 2021 Data Breach Investigations Report, 85 percent of breaches are caused by people. Employees are an organization’s biggest asset, but they also break the rules and make mistakes — sometimes, costly ones. Mistakes can happen due to distractions (57 percent), stress (52 percent), and general fatigue (44 percent), and employees need protecting, supporting, and keeping safe.

Now, there’s a need to keep remote employees apprised of the increased cyberthreats they face and informed about how to deal with them. This requires an increase in training frequency, and confirmation that employees are absorbing that training. However, alarmingly, 27 percent of IT leaders said their employees seem “particularly overwhelmed” by threats and jaded by security procedures.

That’s why organizations need to tread a fine line between equipping their employees and overwhelming them. They must learn to deliver cybersecurity education while avoiding fear fatigue.

Easier said than done, I know.

To implement an effective fear fatigue mitigation program, it’s important to first address the generalized stress brought on by nearly two years of living in a deadly pandemic.

  • Collaborate with employees to figure out strategies, including developing strong social networks and regularly practicing healthy routines.
  • Offer employees mental health days separate from sick or personal days.
  • Provide access to counselors and other mood-boosting activities, such as virtual meditation or yoga classes.

Or take the advice of Tanya Barlow, an IT leader at PROCON, Inc.: “The best approach is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and be flexible. You can’t be too hard on yourself, as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and things that don’t truly matter.”

Organizations must also design cybersecurity programs that take the burden off of employees and counter inadvertent actions that put networks, devices, and data at risk. This can be done in two ways: through security tools designed to protect against human error, and/or more engaging training content and mediums for delivering that training. Organizations should:

  • Leverage technology to automatically block site visits from users clicking potentially malicious links or to detect and bin spear phishing attempts before the targeted employee sees them.
  • Reinforce security measures often and in a fun way. Phish your own employees. Gamify security trainings.
  • Consider delivering training using different modes of learning, from audio-visual (videos) to kinesthetic (scenario planning).

Employees can feel fatigue from over-communicating, too, so balancing the right amount of communication is key. Remember: There’s no one-size-fits-all approach to managing people, so iterate and check in on employee fatigue regularly. Once you know how to provide folks with the right guardrails, they won’t be so afraid of driving off the road.

Most US schools fail to secure distance learners

Education in the United States faced a crisis this year. The looming threat of the coronavirus — which spreads easily in enclosed classrooms — forced schools across the country to develop new strategies for education, most involving some form of distance learning.

The dramatic stress of this transition on teachers, parents, and students is well-known. But the impact of long-term distance learning on the cybersecurity posture of schools and districts has not yet been studied — until now. Researchers at Malwarebytes surveyed IT decision-makers and students from K–12 and trade schools, as well as colleges, throughout the US to compile a report on how education security has fared in the wake of the pandemic.

The results paint a rather grim portrait; the education sector, having always struggled with lack of IT budget and personnel, was ill-equipped to move millions of students to a distance learning model. And despite Herculean efforts by IT teams to connect every student and teacher, cybersecurity often slipped through the cracks.

US distance learners remain vulnerable to cyberattack

US schools have been under tremendous pressure over the last 10 months. Forced to close their doors with little warning, teachers, administrators, and IT teams spent the first few months of the pandemic simply figuring out logistics, such as how to get students access to school resources, devices, and Internet service. Unlike most workplaces, schools have been slower to adopt new technologies, and they were not set up for an easy transition to a distance learning model.

Yet even now, halfway through the schoolyear, educational institutions are struggling with cybersecurity for distance learners. Nearly half of all schools did not change their cybersecurity protocols in response to the new distance learning model, which resulted in a number of issues that dramatically increased IT workload and put undue strain on teachers. Some schools even suffered cyberattacks that delayed their distance learning lesson plans for up to a week. Other key takeaways from the report include:

  • 51 percent of IT decision-makers said that no students, teachers, staff, or guests (including parents) were required to enroll in cybersecurity training before the new school year began
  • 47 percent said their schools developed no additional requirements — no distance learning read-throughs, no antivirus tool installations — for the students, faculty, or staff who connected to the school’s network
  • 46 percent of students said their schools suffered a cyberattack (though only 3 percent of IT professionals admitted to the same). On the flip side, of those who engaged in security best practices before the transition to distance learning, none experienced a breach or had to cancel a single day of learning due to a cyberattack

Clearly, security awareness makes a difference in the overall safety of an organization. In fact, of those who were well-studied in cybersecurity, fewer suffered sustained, excess IT workload or experienced Zoombombing attacks than those who were less prepared. However, knowledge is only half the battle. Many respondents were saddled with device and data shortages. Other schools fell short on security budget. Additional IT challenges presented by distance learning include the following:

  • 40 percent of educational IT pros said their schools are still missing laptops, computers, or tablets for students
  • 28 percent are still missing these devices for teachers
  • 20 percent of IT decision-makers said they had trouble convincing their schools to invest in cybersecurity
  • 44 percent admitted to difficulties in managing the sudden increase of devices connected to the school network
  • 80 percent said there was a steep learning curve for teachers, students, and staff to adapt to online learning tools

But the report wasn’t all doom and gloom. IT professionals had a gargantuan task in front of them to keep teachers teaching and students learning, and for the most part, they were up to the task. About 72 percent of schools provided Chromebooks, tablets, and hotspots to students, and 59 percent distributed laptops, external microphones, and webcams to teachers. More than 70 percent deployed new software tools for distance learning, including Google Classroom and Zoom.

Unfortunately, despite super-human efforts by some educational IT teams, lack of resources, personnel, and budget have strained an already impacted security posture to nearly the breaking point. About 76 percent of respondents experienced connectivity issues, 30 percent suffered a Zoombombing attack, and 52 percent of teachers had to step in and solve an IT or security issue for students and parents. On the bright side, actual cyberattacks were relatively rare.

So, what can educational IT teams do to improve their school’s security posture in 2021 and beyond? Here’s what the report suggests:

  • Create and train teachers and staff on new cybersecurity policies relevant to distance learning (For other businesses, this can be an additional set of rules related to remote work/work from home)
  • Develop requirements that direct teachers and parents to the appropriate point person in IT or security, should issues arise that need solving quickly
  • Implement access rules, including whether students should use a VPN or password manager to access the school’s network and accounts
  • Host cybersecurity training events for teachers, staff, students, and parents

For more information on the state of education security in the US, read the full report from Malwarebytes Labs here: https://resources.malwarebytes.com/files/2020/12/Lessons-in-cybersecurity_How-education-coped-in-the-shift-to-distance-learning_Malwarebytes.pdf

Cybercriminal Monday: remote employees and retailers take caution

For the last 10+ years, the post-Thanksgiving shopping bonanza known as Black Friday has courted crowds and controversy, with major retailers deciding to open their doors on Thanksgiving Day to mobs of rabid customers looking for deep discounts.

This year, things look a little different. While some doors will open on Black Friday, many shoppers will choose to look for deals online instead. And even though online shopping will protect consumers from catching COVID-19, there’s no guarantee they won’t pick up a different kind of virus — and pass it on to corporate networks.

Conversely, online retailers and organizations with ecommerce platforms should take extra precautions this year, as cybercriminals have already ramped up their attacks on a wide variety of shopping sites.

Watch out for Black Friday and Cyber Monday pitfalls

As the nation heads into a holiday season on lockdown, we once again face norms-defying circumstances: Thanksgiving gatherings will be much smaller and Black Friday will likely have crowds rushing to their laptops instead of their local malls.

Since the start of the pandemic, online spending has increased by 75 percent. Ecommerce cybercrime has followed suit, with a 25 percent rise in credit card skimming observed in the first month of the pandemic alone. Scams laced with COVID-19 misinformation have tricked thousands into giving out their personal and business data or led to infections of home and corporate networks. And ransomware attacks have taken advantage of a vulnerable and distributed workforce. All this means the stakes are even higher for the coming week of holiday shopping.

In fact, expect stores to extend Black Friday deals through the month and beyond, luring shoppers repeatedly back to their ecommerce pages for maximum return on investment. But the old methods for staying safe while online shopping are not all relevant in today’s threat landscape. For organizations with remote employees who may also use their work device for personal use (or personal device for work activities), it’s prudent to send out reminders this holiday shopping season to keep personal business — especially online purchases — separate from business business. Here are a few you can send to your staff:

  • Just because a website uses HTTPS and has a padlock does not mean it is safe. It simply means that the connection between your browser and that particular server is encrypted, and that the server holds a certificate for the domain shown in the address bar. But it’s easy for cybercriminals to spoof legitimate sites and have your information sent to them over a secure connection. All the padlock guarantees is that other cybercriminals can’t intercept the exchange.
  • To protect against web skimmers, consider equipping personal devices with antivirus software that has web protection, or browser extensions that block malicious content. All work devices should be protected with the same.
  • Avoid clicking directly on targeted ads for a particular deal. Online ads could contain exploits delivered via malvertising, which could deliver malicious payloads or divert users to scam pages. If there’s an ad for a great deal, go directly to the retailer’s website instead.
  • Do not use public WiFi to shop online. Also avoid using the company’s VPN for that purpose. The best bet is to shop from a password-secured home network or to purchase your own VPN for home use.

In addition, online retailers and other ecommerce sites should take particular precautions over the next month to protect against web skimmers or other online attacks. Here’s my advice for staying secure:

  • Keep your site updated to protect against cybercriminals who would exploit vulnerabilities, and that includes shoring up weak code. Make sure any admin access to the site’s backend is protected with a strong, rotating password.
  • Make sure any third parties, including Content Management Systems (CMSes), financial transaction partners, or even libraries of code are free from known vulnerabilities by running all updates or cross-checking code for mistakes.
  • Take preventative measures by implementing safeguards, such as a Content Security Policy (CSP) and Subresource Integrity (SRI).
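
The CSP and SRI safeguards in the last bullet, worked through for a checkout page. This is an added example, not code from the post: it computes the `integrity` value a page pins for a third-party script, verifies fetched content against it the way a browser does, and builds and evaluates a CSP that only lets scripts load from, and data flow to, a short list of origins, so an injected skimmer has nowhere to send card data. The hostnames are placeholders, and `csp_allows` is a deliberately simplified matcher (no wildcards, nonces or hashes).

```python
"""Subresource Integrity values and a skimmer-resistant Content Security Policy."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")

# CSP directives that fall back to default-src when absent. (form-action,
# base-uri and the like do not, which is why they are listed explicitly below.)
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src", "frame-src"}


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI allows only {SRI_ALGOS}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check fetched content against a pinned integrity value (what the browser does)."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS or not expected:
        return False        # unknown algorithm: treat the resource as unverified
    return hmac.compare_digest(sri_integrity(content, algo), f"{algo}-{expected}")


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a build step would write for a pinned third-party file."""
    return f'<script src="{src}" integrity="{sri_integrity(content)}" crossorigin="anonymous"></script>'


def build_csp(directives: dict) -> str:
    """Serialize a directive -> sources mapping into a Content-Security-Policy header value."""
    parts = []
    for name, sources in directives.items():
        parts.append(f"{name} {' '.join(sources)}" if sources else name)
    return "; ".join(parts)


def csp_allows(directives: dict, directive: str, origin: str, page_origin: str) -> bool:
    """Simplified source matching: 'self', 'none' and exact origins only."""
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src", []) if directive in FETCH_DIRECTIVES else []
    if "'none'" in sources:
        return False
    return any(src == origin or (src == "'self'" and origin == page_origin) for src in sources)


# Checkout-page policy (constructed; hostnames are placeholders). Scripts may come
# only from our origin and one pinned CDN; the page may only talk to our origin and
# the payment processor; plugins are off and forms cannot be re-pointed elsewhere.
CHECKOUT_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example-shop.invalid"],
    "connect-src": ["'self'", "https://api.payments.invalid"],
    "form-action": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "upgrade-insecure-requests": [],
}

if __name__ == "__main__":
    page = "https://shop.example-shop.invalid"
    cart_js = b"console.log('cart');"          # constructed stand-in for a vendored script
    print(script_tag("https://cdn.example-shop.invalid/cart.js", cart_js))
    print("Content-Security-Policy:", build_csp(CHECKOUT_CSP))
    print("skimmer exfil allowed?", csp_allows(CHECKOUT_CSP, "connect-src", "https://collector.invalid", page))
```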

Best wishes for a safe and happy Thanksgiving holiday!

Brute force attacks increasing on open RDP ports

Ever watch a procedural cop show where the lead detective is some kind of password savant? Then you know this scene: The detective walks into a suspect’s apartment, finds a locked computer, and, after his partner complains they’ll need NSA hackers to get in, cracks the tricky password in a single try. While I love a good Hollywood cybersecurity gaffe, the truth is Detective Special Skills actually would have a decent chance at getting into that computer if he knew the suspect’s name and attempted using a few of the most popular default passwords today. (I’m looking at you, 1-2-3-4-5.)

But let’s say this suspect is a little more tech savvy and has a stronger, unique password in place. That’s game over, right? No getting in? Unfortunately for us good guys trying to protect our personal or business data, the answer is no. By using brute force attacks that automate trial and error, cybercriminals are able to run thousands or even millions of username and password combinations until they crack the code for credentials.

COVID-19’s grip on the global workforce has remained tight for nearly three quarters, keeping the majority of corporate employees — including technicians, security, and IT staff — confined to their homes. The repercussions of ongoing work-from-home conditions continue to be felt, especially a generally weaker security posture for all organizations, the natural result of having a distributed workforce. One such repercussion is a massive increase in open RDP ports, from 3 million in January 2020 (pre-Covid) to 4.5 million in March (post-Covid).

Cybercriminals of course pounced immediately, and to our detriment, they keep throwing everything they’ve got at us. COVID-19 misinformation, scams, social engineering laced with malware, Emotet and more of its friends, digital card skimmers, targeted ransomware attacks, and now brute force attacks, which themselves are methods of endless, everything-but-the-kitchen-sink attack.

Brute force attacks are typically automated or conducted via application, which allows threat actors to “set it and forget it,” coming back to their target once the app notifies them of a successful crack of the desired credentials. And lately, they’ve been cracking open a lot of RDP ports, exposed to the Internet so that remote workers can access company resources from home or IT staff can troubleshoot employee devices remotely.

Once cybercriminals have brute forced their way into an open RDP port, they can launch ransomware attacks, install keyloggers or other spyware on target organizations, or conduct espionage or extortion — pretty much a nightmare scenario. To protect against brute force attacks and shield RDP ports, I recommend:

  • Limiting the number of open ports
  • Restricting access to RDP ports to only those that need it
  • Enhancing security of the port and the protocol (with security software that blocks malicious IPs from compromised servers, for example)
  • For remaining RDP port users, disabling legacy usernames, rotating passwords, and enabling 2FA
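
The detection side of the advice above, as an added example that is not code from the post or from Malwarebytes: a burst detector for failed RDP logons that feeds the "block malicious IPs" step. Windows records a failed logon as Security event 4625, and logon type 10 marks an RDP (RemoteInteractive) session; the log lines, threshold and window here are constructed, and the source addresses come from documentation ranges.

```python
"""Flag source addresses that hammer RDP with failed logons (event 4625, logon type 10)."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, one event per line (not real logs). The first
# source tries several account names; the second retries one account.
SAMPLE_LOG = """\
2020-10-05T14:03:11Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-10-05T14:03:12Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-10-05T14:03:12Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-10-05T14:03:13Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-10-05T14:03:14Z 4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2020-10-05T14:03:15Z 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-10-05T14:04:02Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2020-10-05T14:09:40Z 4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2020-10-05T14:10:01Z 4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1
2020-10-05T15:30:00Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2020-10-05T15:30:05Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2020-10-05T15:30:09Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2020-10-05T15:30:15Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
2020-10-05T15:30:20Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10
THRESHOLD = 5                    # this many failures from one source...
WINDOW = timedelta(minutes=2)    # ...inside this window raises an alert (assumed values)


def parse(log_text: str):
    """Yield (timestamp, event_id, logon_type, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["event"]), int(m["ltype"]), m["user"], m["ip"]


def detect_rdp_bursts(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict:
    """Return {ip: details} for sources with >= threshold failed RDP logons inside the window."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures still inside the window
    alerts = {}
    for ts, event, ltype, user, ip in parse(log_text):
        if event != FAILED_LOGON or ltype != RDP_LOGON_TYPE:
            continue              # successes and local/console failures are not our signal
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            alerts[ip] = {
                "failures": len(q),
                "users": users,
                "first": q[0][0],
                "last": ts,
                "pattern": "multiple accounts targeted" if len(users) > 1 else "single account targeted",
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, {info['pattern']}, users={info['users']}")
```

The alert dictionary is what you would hand to a firewall block list or a SIEM rule; in production the window and threshold should be tuned against normal failed-logon rates for your RDP gateway.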

At Malwarebytes, we’re now exploring new protective features to combat rising brute force attacks on open RDP ports. Stay tuned for some news on that soon!

To learn more about brute force attacks on the rise and how to protect open RDP ports, read our blog on Malwarebytes Labs: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/

For advice on how to protect RDP access from ransomware attacks: https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

And for a refresher on best security practices for all work-from-home employees: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/