Zero-days, SQL injection, memory overflows and other kinds of creative abuse in the digital domain are a huge concern for many Internet-facing organisations. Commonly, a large proportion of IT budgets are bent towards ways to protect against these threats. Organisations deploy everything from IPS, IDS, SIEM, anti-virus and vulnerability scanners to look for the proverbial needle, and in many cases it’s a core function of IT security’s mandate. Rightly so, as it is an important and timely concern, but should this be our top priority?
Imagine that you’re an evil, but talented hacker. Like many talented people you might be quite intelligent. Given your intelligence, would you spend all your time, effort and resources to crack and/or abuse these complex and sophisticated technologies? Perhaps you might, either for the thrill of a challenge or in hopes of finding a new “hole”. Yet, these hard hacking techniques are not as common as one would think. As there are far easier ways to get in than this, they aren’t an effective use of your time. The truth is most organisational breaches do not occur from exotic or sophisticated (and expensive) zero-day malware. What is this “easy way”?
The answer is user credentials.
What method would you, as the intelligent hacker, choose? The easy way or the hard way? I think we all know the answer.
After reviewing many high-profile breaches through 2016 it was determined that the vast majority were successful by targeting user credentials. Verizon Business’ Data Breach Report of 2016 concluded that 63% of the breaches analysed stemmed from some form of credential compromise. Sometimes attackers abused the logic within websites’ code to gain entry. Yet more often than not, attackers tricked users into giving up their credentials through social engineering, or otherwise stole, sniffed, phished, or even guessed the user’s password! So while expensive packet sniffers and log monitors snooped on the company’s network in hopes of finding “bad stuff”, the user – our attacker -- just logged in.
In several well-publicised examples (such as the U.S. Office of Personnel Management, Target, Tumblr, among others), even simple two-factor authentication would have likely thwarted these attempts, forcing the intelligent hacker to resort to so-called hard hacking techniques. Strong authentication may not be the final line of defence, but at a minimum it increases the time, effort and resources required to perpetrate a breach.
Take the massive breach of the popular business networking site LinkedIn. The attackers simply sniffed an employee’s static password and logged in with it. No expensive intrusion detection or log monitoring would have caught this. The result? 165 million LinkedIn users’ passwords were posted online and a $5 million class action lawsuit was brought forward.
Next, Yahoo, the largest breach in Internet history with over 1 billion accounts and passwords leaked online. How did this happen? Hackers used a specially crafted web cookie to circumvent static passwords altogether. If strong authentication (i.e. two-factor or multifactor) were in common use at Yahoo, this technique would not have been as trivial to implement as it was.
The issue also comes from passwords and the way users use them. Many people repeatedly use the same password across many different sites and services. Of course if their password is stolen or leaked from one website with weak security it can then be misused in another.
File sharing service Dropbox, whom after being misattributed as being breached, used the opportunity to remind their users to take advantage of their two-factor authentication feature to protect accounts. This case is interesting because the misreported Dropbox breach actually turned out to be associated with an actual incident at Tumblr. And how was Tumblr breached? You guessed it; stolen credentials.
User identity has been characterised as “the new perimeter”, and frankly deserves more attention. While many organisations know this, it can be a thorny problem to solve. This involves platforms that must be linked into backend HR systems, identity repositories, and front-and-centre business applications. Furthermore, many organisations are moving more apps and data to cloud, adding further complexity.
Add strong authentication to the mix and suddenly the business needs to radically transform how day-to-day work gets done. This can evolve into a large and transformative exercise. Sadly, many IT budgets cannot embrace all of the technology for all of the problems, but managing identity is often #2 or #3 on the priority list. It should be #1.
Yes, finding and fixing vulnerabilities is important. Malware can cause huge problems. But managing user identities is critical too. If the IT budget is disproportionately spent on technologies to prevent or detect malware-related threats, the organization has to skimp on identity management (and authentication). User identities present a far easier attack vector for the motivated hacker. And as proven by the breaches you hear about (which are only the tip of the iceberg), organisations that ignore this threat are simply not secure.
Seeing as this is the beginning of the new year of 2017, let’s make a prediction: This year we will see yet another “largest breach in the history of the Internet” and it will be caused by stolen credentials.
- The week in security: ASD updates security best-practice guidelines as invisible malware looms
- Consequence-Based Security Underpinned by Threat Intelligence
- The week in security: IoT attacks hit 80% of companies; time to destigmatise data breaches?
- 36 Android phones arrived at two firms with malware pre-installed