Ransomware attacks are increasing every day, and data breaches are killing businesses. A recent article stated that 60 percent of small businesses go out of business within six months of falling victim to a cyber attack. The sad thing is that the methods attackers use to execute their plans are remarkably consistent: gain access to the network, gain access to privileged accounts, find and exfiltrate the data, then execute the encryption routine and demand the ransom.
But what seems to be overlooked until it is too late are the credentials that give attackers access to the data in the first place. Limiting an attacker's ability to reach corporate resources still boils down to end users and their credentials. I see two simple identity-related tenets that will reduce an organization's attack surface: educating users on password and MFA use, and managing privileged access credentials. Both can be implemented with little spend while improving your security posture.
Attackers have been using password spray attacks (trying a handful of common passwords against many accounts, staying under the lockout threshold for any one of them) for as long as I can remember. Every person who uses a computer should know the importance of a strong password, but how many organizations actually make a point of running password hygiene campaigns? Remember, no matter how many layers of security protect your environment, an attacker is just looking for a single valid credential to start running their scripts. Even today, there are still individuals who reuse one password across multiple services, and I guarantee one of those people works for you.
Educate Your User Community
To mitigate this risk, organizations should consider running internal tests to evaluate password strength, in the same way they run phishing simulations. Be sure to educate your employees on passwords on a regular basis. Remember that employees come and go, so this needs to be repeated.
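The checks such an internal test would apply, as an added example that is not the post's own code. It runs on candidate plaintexts, the way a password filter at change time or a self-service checker would; to audit existing Active Directory hashes you would hash the same spray candidates with the NT hash and compare, which this block does not do. The breached-password set, the 14-character minimum, the company name "Contoso" and the sample credentials are all constructed for illustration.

```python
"""Password audit checks of the kind an internal test (or a password-change
filter) would apply. Added example, not the post's own code; the breached
set, thresholds and sample credentials are constructed for illustration."""
import hashlib

# Constructed stand-in for a breached-password corpus, stored as SHA-1 digests
# the way such lists are usually distributed. A real audit loads the full corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Passw0rd", "Welcome1")
}
SEASONS = ("Spring", "Summer", "Fall", "Autumn", "Winter")
MIN_LENGTH = 14  # assumed policy minimum, not a value from the post


def spray_candidates(company: str, years=(2023, 2024)) -> set[str]:
    """The short list a sprayer tries against every account: Season+Year and
    Company+Year/digits with the usual suffixes, plus a few perennial defaults.
    `years` defaults to a fixed pair for reproducibility; pass the current and
    previous year when running a real audit."""
    cands = set()
    for year in years:
        for season in SEASONS:
            for suffix in ("", "!", "!!"):
                cands.add(f"{season}{year}{suffix}")
        for suffix in ("", "!"):
            cands.add(f"{company}{year}{suffix}")
    for suffix in ("1", "123", "!", "123!"):
        cands.add(f"{company}{suffix}")
    cands.update({"Welcome1", "Password1", "Changeme1!"})
    return cands


def audit_password(password: str, company: str) -> list[str]:
    """Return the reasons a password fails the audit; an empty list means it passed."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # Case-insensitive match: sprayers and users both capitalise inconsistently.
    if password.lower() in {c.lower() for c in spray_candidates(company)}:
        findings.append("matches a common spray pattern")
    if company.lower() in password.lower():
        findings.append("contains the company name")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        findings.append("appears in a breached-password list")
    return findings


def audit_batch(creds: dict, company: str):
    """Audit a user->password mapping and return (findings per user, failure rate).
    The failure rate is the number to track from one campaign to the next."""
    results = {user: audit_password(pw, company) for user, pw in creds.items()}
    failed = sum(1 for f in results.values() if f)
    rate = failed / len(results) if results else 0.0
    return results, rate


if __name__ == "__main__":
    # Constructed sample credentials for a fictional company.
    sample = {
        "alice": "Summer2024!",
        "bob": "Contoso123",
        "carol": "password",
        "dave": "correct horse battery staple 42",
    }
    results, rate = audit_batch(sample, "Contoso")
    for user, findings in results.items():
        print(user, "->", "; ".join(findings) or "OK")
    print(f"failure rate: {rate:.0%}")
```

The spray-candidate generator is the useful part: it is the same list an attacker builds from the calendar and your company name, so any password that matches it is effectively already known to them regardless of its length or character classes.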
“No matter how protected your environment may be in terms of layers of security, an attacker is just looking for a single credential to start running their scripts”
Multi-Factor Authentication (MFA), while not foolproof, is one of the best ways to limit the damage from the password problems discussed above. Additionally, make sure your employees understand the process and never approve an MFA prompt they did not initiate. An attacker who already holds a user's password can trigger push notifications over and over until the user approves one just to make them stop (commonly called MFA fatigue or push bombing), and a single approval grants the attacker access without the user realizing it. Educate your user community, and ensure your MFA solution alerts users when a sign-in occurs from a new device or location.
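Detection logic for the three behaviours described in this section and the password spray discussed above, as an added example that is not the post's own code: a source IP failing against many distinct accounts (spray), a user receiving a burst of push prompts (MFA fatigue), and a successful login from a source the user has never used (the new-device/location alert). The log format, the sample sign-in lines, the thresholds and the per-user baseline of known source IPs are all constructed; map the fields onto whatever your identity provider actually exports.

```python
"""Detection logic for password spraying, MFA push fatigue and new-source
logins over a sign-in log. Added example, not the post's own code; the log
format, sample lines, thresholds and baseline are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in log: timestamp,user,source_ip,event,result
# One source sprays six accounts, then logs in as alice from a new IP and
# bombs her with push prompts until she approves one.
SAMPLE_LOG = """\
2024-05-01T08:30:00Z,bob,192.0.2.44,password,success
2024-05-01T08:30:04Z,bob,192.0.2.44,mfa_push,approved
2024-05-01T09:00:01Z,alice,203.0.113.7,password,failure
2024-05-01T09:00:02Z,bob,203.0.113.7,password,failure
2024-05-01T09:00:03Z,carol,203.0.113.7,password,failure
2024-05-01T09:00:04Z,dave,203.0.113.7,password,failure
2024-05-01T09:01:10Z,erin,203.0.113.7,password,failure
2024-05-01T09:01:11Z,frank,203.0.113.7,password,failure
2024-05-01T09:05:00Z,carol,192.0.2.51,password,failure
2024-05-01T09:10:00Z,alice,198.51.100.9,password,success
2024-05-01T09:10:05Z,alice,198.51.100.9,mfa_push,denied
2024-05-01T09:10:40Z,alice,198.51.100.9,mfa_push,denied
2024-05-01T09:11:20Z,alice,198.51.100.9,mfa_push,timeout
2024-05-01T09:12:00Z,alice,198.51.100.9,mfa_push,approved
"""

# Constructed baseline of source IPs each user normally signs in from.
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.44"}}


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    event: str
    result: str


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, ip, event, result))
    return events


def _windows(evs, window):
    """Yield each sliding run of events whose timestamps lie within `window`."""
    evs.sort(key=lambda e: e.ts)
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window:
            start += 1
        yield evs[start:end + 1]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Flag a source IP whose failed password attempts hit >= min_users distinct
    accounts inside `window`: few tries per account, many accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if e.event == "password" and e.result == "failure":
            by_ip[e.ip].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        for run in _windows(evs, window):
            users = {e.user for e in run}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
    return alerts


def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=5)):
    """Flag a user who received >= min_prompts push prompts inside `window`, and
    report whether one of them was approved (the attacker got in)."""
    by_user = defaultdict(list)
    for e in events:
        if e.event == "mfa_push":
            by_user[e.user].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for run in _windows(evs, window):
            if len(run) >= min_prompts:
                alerts[user] = {"prompts": len(run),
                                "approved": any(e.result == "approved" for e in run)}
    return alerts


def new_source_logins(events, known_sources):
    """Successful password logins from a source IP outside the user's baseline:
    the 'new device or location' alert the post asks the MFA solution to send."""
    return [(e.user, e.ip) for e in events
            if e.event == "password" and e.result == "success"
            and e.ip not in known_sources.get(e.user, set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray:", detect_password_spray(evs))
    print("mfa fatigue:", detect_mfa_fatigue(evs))
    print("new source:", new_source_logins(evs, KNOWN_SOURCES))
```

Note that the spray rule keys on the source and counts distinct users, not failures per account; a rule that only watches per-account failures never fires, which is exactly why sprayers use the technique. The fatigue rule reports whether a prompt in the burst was approved, because that is the event that should page someone rather than just raise a ticket.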
Pay Attention to Privileged Accounts
Privileged accounts in many organizations are not properly managed. Whether a company still runs an on-prem data center or has fully migrated to the cloud, there are still core administrative accounts (enterprise/domain admin, DBA, virtualization, etc.) that attackers look to acquire to carry out their mission. What is really scary is that many organizations still don't separate daily working accounts (used to log in, check mail, and browse the Internet) from the accounts used to manage network and domain resources. It is essential that your administrative staff take proper measures to protect these accounts.
One simple approach is to review your highly privileged accounts. In the Windows AD world, review the accounts with Enterprise/Domain Admin privileges and ensure the number is minimal. Also limit where these accounts can be used: an interactive logon leaves the account's password hash and Kerberos tickets cached on that machine, and you don't want them sitting on workstations in the wild where a credential-dumping tool can harvest them. Consider jump boxes that are hardened and closely monitored. You also need more frequent password rotation, stricter password rules, and MFA to protect these accounts.
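The review described above, as an added example that is not the post's own code. It takes a membership export of a privileged group and checks it against the controls just listed: minimal membership, rotated passwords, and no disabled, stale or daily-use accounts in the group. The CSV is constructed; its column names follow the Get-ADUser property names such an export would carry if produced with something like Get-ADGroupMember "Domain Admins" -Recursive piped to Get-ADUser -Properties PasswordLastSet,LastLogonDate,PasswordNeverExpires and Export-Csv. The "adm-" naming convention for dedicated admin accounts, the five-member limit and the 30/90-day thresholds are assumptions to tune to your own policy.

```python
"""Review of a privileged-group membership export against the controls the
post lists. Added example, not the post's own code. The CSV is constructed;
its columns follow the Get-ADUser property names an export would carry."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed export of Domain Admins members (dates as YYYY-MM-DD).
SAMPLE_EXPORT = """\
SamAccountName,Enabled,PasswordLastSet,LastLogonDate,PasswordNeverExpires
adm-jsmith,True,2024-04-20,2024-04-30,False
adm-mlee,True,2024-01-05,2024-04-29,False
jdoe,True,2024-04-25,2024-04-30,False
svc-backup,True,2021-06-01,2024-04-30,True
adm-old,False,2023-02-01,2023-03-01,False
adm-ghost,True,2024-04-01,2023-11-15,False
"""

# Assumed policy values; tune them to your own standards.
MAX_MEMBERS = 5
MAX_PASSWORD_AGE = timedelta(days=30)
STALE_LOGON = timedelta(days=90)
ADMIN_PREFIX = "adm-"  # assumed naming convention for dedicated admin accounts
AS_OF = date(2024, 5, 1)  # fixed review date so the sample is reproducible


def review_privileged_group(csv_text: str, as_of: date) -> dict:
    """Return findings keyed by account name; the "_group" key carries
    group-level findings. An empty dict means the group passed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = defaultdict(list)
    if len(rows) > MAX_MEMBERS:
        findings["_group"].append(f"{len(rows)} members, policy allows {MAX_MEMBERS}")
    for row in rows:
        name = row["SamAccountName"]
        if row["Enabled"] != "True":
            findings[name].append("disabled account still in group")
        if not name.startswith(ADMIN_PREFIX):
            findings[name].append("not a dedicated admin account (daily-use or service account?)")
        if row["PasswordNeverExpires"] == "True":
            findings[name].append("password never expires")
        pwd_age = as_of - date.fromisoformat(row["PasswordLastSet"])
        if pwd_age > MAX_PASSWORD_AGE:
            findings[name].append(f"password not rotated for {pwd_age.days} days")
        idle = as_of - date.fromisoformat(row["LastLogonDate"])
        if idle > STALE_LOGON:
            findings[name].append(f"no logon for {idle.days} days")
    return dict(findings)


if __name__ == "__main__":
    for name, issues in review_privileged_group(SAMPLE_EXPORT, AS_OF).items():
        print(name, "->", "; ".join(issues))
```

Run it on a schedule and diff the output against the previous run: a new name appearing in the group, or an account that stops being flagged because someone reset its password the day before the review, is the kind of change you want a human to look at.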
While these ideas may seem extremely simplistic, I would wager that there is someone in your organization who has poor password hygiene, has approved an MFA prompt they did not initiate, or has a highly privileged account that is used improperly. It's important to address the simple things at the same time as you monitor and defend your organization's assets. Remember, an attacker only needs one credential to start stealing data.