Categories
Security

Why securing credentials is more important than ever

Passwords. They’re the bane of our existence—whether you work in IT, IS or just have trouble remembering them all. Passwords may have originated as a security measure, but now, at least alone, they’re a liability. Why? Unintentional user negligence and intentional cybercriminal enterprise have rendered the username/password combo, otherwise known as credentials, practically moot.

Thanks to countless years of desks left unattended and phishing scams coercing users into entering their personal information, millions of credentials are readily available to be stolen, sold, and/or leaked online. That’s why credentials—or more importantly, the security measures we use to verify identity and grant access—need protecting now more than ever.

Unfortunately, many businesses continue to rely on outdated credential security models that leave their networks exposed—a situation only exacerbated by remote work.

Securing credentials for the 2022 threat landscape

Once upon a time, before the pandemic ushered in the era of Zoom fatigue and cloud-based-everything, access to the corporate network could be protected by a level of security provided by the four walls of the workplace. Traditional on-premises security inferred onto employees an automatic level of trust. Swipe a badge, gain entry. From there, identity could be verified by simply recognizing a familiar face at work.

This trusted access extended to all systems and networks, empowering organizations to follow the “trust, but verify” model, in which users were given full access to the corporate network once their login credentials—typically just a username and password—were substantiated.

As cybercrime tactics advanced, however, this approach was like handing threat actors the keys to the proverbial castle: If criminals had just one employee’s credentials, they could gain access to the entire corporate network, including sensitive data like financials or employee records.

In fact, cybercriminals have developed a wide range of sophisticated (and some unsophisticated) methods for targeting credentials, ranging from key loggers and credential-harvesting malware to spear phishing and business email compromise. Before the pandemic brought about the mass migration to remote work, organizations were already in need of revamping their credential security to better adapt to modern-day threats.

Remote work further compromises credential security
Enter: the sudden, intense shift of organizations’ entire workforces to the WFH model. It’s no secret that, while beneficial in many ways for businesses and their employees, remote work has dramatically expanded an organization’s threat surface. The sheer number of new, potentially vulnerable access points introduced by remote employees alone—including personal devices, home networks and IoT—would be enough to instigate the type of credential policy change advocated here.

Many work-from-home (WFH) devices and networks are under-secured, with minimal or no identity verification required. A single remote employee might introduce a handful or more of new vulnerabilities: Using a personal laptop without entering credentials. Connecting to the corporate network from a home network that isn’t password-secured. Using a home assistant and smart refrigerator with their default credentials settings still in place.

Add to that a remote workforce that may not be up-to-date on the latest WFH best practices, and you have the perfect recipe for a breach.

Cyber criminals are, unfortunately, well aware that remote work has weakened businesses’ security postures. A steep rise in cybercrime has paralleled the adoption of remote work—especially cybercrime targeting credentials. With compromised credentials cited as the most common cause of security incident, it’s clear that organizations should re-imagine how they protect credentials and prove identity when providing access to their remote employees.

Best practices for credential security today
With cybercriminal tactics for targeting credentials becoming more sophisticated, with users (both on-premises and remote) in need of more acute security awareness, and with WFH environments contributing to a burgeoning collection of new vulnerable access points, it’s time for organizations to follow more contemporary principles of credential security.

Want to get started? The following tools and policies help improve both credential and overall security:

Password hygiene:  Password hygiene remains a problem for most people—two-thirds of users reuse their passwords across multiple accounts; 59 percent use their birthday in their password; 43 percent have shared their password with someone—so it’s no surprise that login credentials alone provide little security.

With criminals increasingly credential stuffing, aka using stolen credentials to access other peoples’ accounts and services, preventing password reuse and requiring stronger, more frequently-updated passwords is a first step in the right direction.

  • Set maximum password age limits to ensure passwords are changed, as well as minimum age limits so they can’t be quickly changed back.
  • Require passwords meet complexity requirements, like containing at least one uppercase and lowercase letter, a number, and a special character.
  • Set minimum password lengths and encourage employees to create long passphrases unrelated to their personal information—so no birthdays, street numbers, names, etc.
  • Use Enforce Password History policies that store old passwords and restrict repetition.

Multifactor authentication (MFA): There are 8.4 billion or more passwords stolen from data breaches that have been leaked online— in a single hacker forum. With criminal access to so many credentials, requiring a second or third layer of identification through MFA helps thwart many attempted cyberattacks. MFA calls for at least two modes of identification, including:

  • Something the user knows, such as a password, PIN number, or answers to personal security questions
  • Something the user has, such as a security token, USB device, smartphone, or other physical object
  • Something the user is, a unique physical characteristic, like fingerprints, voice recognition, facial recognition, or retina scanning

Single sign-on (SSO): Besides credential theft, password fatigue is also a key contributor to security breaches. When users are prompted to change passwords frequently, they often make too-simple alterations, such as swapping one special character for another or capitalizing a different letter of an existing password. In addition, having to remember different passwords for dozens of accounts encourages reuse.

Using SSO authentication—i.e., allowing one set of login credentials to access multiple systems—can mitigate risk by reducing both password fatigue and credential theft. When implemented securely (in combination with MFA), SSO benefits include:

  • Reducing password fatigue by eliminating password re-entry.
  • Minimizing risk of accessing third-party sites because passwords are no longer stored externally.
  • Decreasing the likelihood that users will store passwords insecurely (e.g., by writing them down on post-its).

Businesses looking to further improve credential security should consider adopting the latest thinking in best practices. The prevailing philosophies are:

Least-privileged access: One of the most menacing aspects of credential compromise is that cybercriminals can gain access to your entire network with only a low-level user login. Following a principle of “least-privileged access” helps limit damage that might be done by a hacker or malicious insider with unauthorized access.

Least-privileged access involves restricting users’ access rights to only the data and systems they need to perform specific tasks. Least privileged access can also be used with segregation of duties policies to limit users’ access to specific functions.

Zero trust: Traditional perimeter-based security is no longer enough to protect against modern-day risks to corporate credentials, thanks to cybercriminal innovation in credential-stealing methods and the difficulty organizations now face in verifying the identity of their remote workers.

Employees themselves will always be a security risk—albeit one mitigated by successful security education programs—but now their working environments are unsecured and unmanaged by IT. Even least-privileged access could allow bad actors to gain a foothold into the corporate network. Zero trust offers an even more secure approach.

Zero trust follows a “never trust, always verify” philosophy, where every user and device must be continuously validated before receiving access, and access is only granted upon request. Instead of authorizing broad access to a collection of network resources, zero trust grants access to specific resources on an as-needed basis. Users and devices are never trusted by default, even if they had been connected to company resources before.

Implementing this many layers of credential security may take a great deal of time and money—or it might not be possible for many small businesses or start-ups right now. That’s okay—any small improvement in credential security makes a difference. But understanding the threat landscape and the tools, policies, and philosophies that are best recommended helps organizations develop a credential security model to strive for.

To learn more about password hygiene: https://blog.malwarebytes.com/cybercrime/2019/03/hackers-gonna-hack-anymore-not-keep-reusing-passwords/

For a deeper dive on zero trust: https://blog.malwarebytes.com/explained/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model/

For more information on best WFH practices: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Categories
Security

Increase in remote work sparks insider threat concerns

Any horror movie junkie will tell you, if the protagonist gets a creepy phone call, it’s probably coming from inside the house. That same logic can be applied to cybersecurity and insider threats — especially now that more than half of US employees are working remotely. In fact, insider threats increased by 25 percent last year, thanks in large part to remote work. 

Insider threats are largely misunderstood, yet their costs to organizations can be just as high as attacks by cybercriminals. And while breaches by insiders are most often the result of well-intentioned negligence, remote work has further complicated (and diluted) office security, leading to an increase in the use of shadow IT. Of course, we can’t forget that deliberate, malicious sabotage by insiders, though less common, is also made that much easier by remote work.

Remote work a boon for insider threats

As of today, more than half of the American workforce is working remotely “always” or “sometimes,” according to a February 2021 Gallup. More than a year into the pandemic and remote work is holding strong — and so are insider threats. 

In fact, insider threats have risen sharply over the last three years in volume and cost. The 2020 Cost of Insider Threats Report by Ponemon Institute found that malicious insider threats increased by 47 percent from 2018 to 2020. In addition, the cost of those threats surged 31 percent over the same period, from $8.76 million to $11.45 million. Of all industries, retail and finance experienced the most growth in insider threats over the two-year period. 

But a rise in remote work is adding fuel to the fire, leading to an even greater increase in insider threats through the pandemic and beyond. Forrester found in its Predictions 2021: Cybersecurity report that breaches caused by employees increased by 25 percent in 2020, thanks in large part to remote work. 

So why does remote work cause insider threats? 

Insider threats were far less threatening before the rise of remote work. Before the pandemic, a minority of organizations’ employees worked remotely, so security policies were lax. (As were the security habits of remote workers.) A lack of physical oversight made it difficult to enforce stronger policies or even to push out updates. Weakened traditional office security infrastructure, going from brick-and-mortar to virtual, also allowed for more mistakes by employees and more opportunities for malicious actors. 

Malwarebytes Labs’ 2020 report on Covid’s impact to business security found that 20 percent of organizations experienced a breach because of a remote worker. Pandemic conditions often led to hastily thrown-together remote infrastructures built by potentially outstretched, overworked, or underfunded IT/security teams. Work from home (wfh) user behavior also led to mistakes, resulting in security breaches. That behavior has only been exacerbated the longer the pandemic has stretched on. 

Margaret Cunningham, principal research scientist of Forcepoint X-Labs, recently conducted a survey of 2000 European workers’ wfh behaviors to determine why insider threats happen. She found that while younger workers reported a much higher use of shadow IT than older workers, an average of 50 percent were using some sort of shadow IT. That’s a lot of people and a lot of different exposure points for organizations’ assets and data. 

The survey found that mistakes were made by users because of:

  • increased stress (especially for caretakers, such as parents or those caring for a sick or disabled family member) 
  • blending of personal and professional boundaries 
  • lots of distractions 
  • well-intentioned innovation or creative problem-solving 

This last one is interesting and may be a harbinger of increased insider threats to come. An employee may be working on something potentially innovative or creative to get their job done, but in doing that, they create security issues.

All of this well-intentioned behavior doesn’t mean the entire US workforce is benevolent. While the majority of insider threats are honest mistakes, there are still plenty of malicious insiders. Ponemon’s 2020 Insider Threats Report also found that 23 percent of insider threats are deliberate, malicious acts. 

Case in point: In Q4 2020, Shopify was breached in an insider incident. The customer data of about 200 merchants was exposed by two employees who were scheming to steal transaction data. The data exposed included details like email, name, street address, and order details, but didn’t involve complete payment card numbers or financial information. 

While malicious insider threats are less common, they are more costly than those made by careless mistakes. Ponemon found that careless or negligent employees cost organizations an average of $307,111 per incident, and malicious insiders or credential thieves cost $871,686. The cost of insider incidents on the whole has surged by 31 percent over the last two years. 

So what can organizations do to mitigate these risks? What’s NOT going to work is making it even harder to do work because of stringent security policies. We need to think more about what people are doing and why. 

Cunningham’s survey showed that the sense of being burdened by security policies mirrors the use of shadow IT: It’s parallel. We may need to loosen our guard in one area — allow some low-risk security faux paus — in order to shore up the other. Security and IT teams should also be more communicative about why they’re blocking access or what’s at risk. 

For more information on risk mitigation for insider threats, check out this article on building a secure, cloud-based remote workforce: https://blog.malwarebytes.com/business-2/2020/03/remotesec-achieving-on-prem-security-levels-with-cloud-based-remote-teams/

For a refresher on best wfh security practices, consider sending your employees this article: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Here’s a video interview of Margaret Cunningham discussing the factors that influence remote worker behavior: https://www.bankinfosecurity.com/remote-work-creates-insider-threat-concerns-a-16240

Categories
Security

Brute force attacks increasing on open RDP ports

Ever watch a procedural cop show where the lead detective is some kind of password savant? Then you know this scene: The detective walks into a suspect’s apartment, finds a locked computer, and, after his partner complains they’ll need NSA hackers to get in, cracks the tricky password in a single try. While I love a good Hollywood cybersecurity gaffe, the truth is Detective Special Skills actually would have a decent chance at getting into that computer if he knew the suspect’s name and attempted using a few of the most popular default passwords today. (I’m looking at you, 1-2-3-4-5.)

But let’s say this suspect is a little more tech savvy and has a stronger, unique password in place. That’s game over, right? No getting in? Unfortunately for us good guys trying to protect our personal or business data, the answer is no. By using brute force attacks that automate trial and error, cybercriminals are able to run thousands or even millions of username and password combinations until they crack the code for credentials.

COVID-19’s grip on the global workforce has remained tight for nearly three quarters, keeping the majority of corporate employees — including technicians, security, and IT staff — confined to their homes. The repercussions of ongoing work-from-home conditions continue to be felt, especially a generally weaker security posture for all organizations, the natural result of having a distributed workforce. One such repercussion is a massive increase in open RDP ports, from 3 million in January 2020 (pre-Covid) to 4.5 million in March (post-Covid).

Cybercriminals of course pounced immediately, and to our detriment, they keep throwing everything they’ve got at us. COVID-19 misinformation, scams, social engineering laced with malware, Emotet and more of its friends, digital card skimmers, targeted ransomware attacks, and now brute force attacks, which themselves are methods of endless, everything-but-the-kitchen-sink attack.

Brute force attacks are typically automated or conducted via application, which allows threat actors to “set it and forget it,” coming back to their target once the app notifies them of a successful crack of the desired credentials. And lately, they’ve been cracking open a lot of RDP ports, exposed to the Internet so that remote workers can access company resources from home or IT staff can troubleshoot employee devices remotely.

Once cybercriminals have brute forced their way into an open RDP port, they can launch ransomware attacks, install keyloggers or other spyware on target organizations, or conduct espionage or extortion — pretty much a nightmare scenario. To protect against brute force attacks and shield RDP ports, I recommend:

  • Limiting the number of open ports
  • Restricting access to RDP ports to only those that need it
  • Enhancing security of the port and the protocol (with security software that blocks malicious IPs from compromised servers, for example)
  • For remaining RDP port users, disabling legacy usernames, rotating passwords, and enabling 2FA

At Malwarebytes, we’re now exploring new protective features to combat rising brute force attacks on open RDP ports. Stay tuned for some news on that soon!

To learn more about brute force attacks on the rise and how to protect open RDP ports, read our blog on Malwarebytes Labs: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/

For advice on how to protect RDP access from ransomware attacks: https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

And for a refresher on best security practices for all work-from-home employees: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/