Poor password security practices cause massive security breaches
Balasubramanian Venkatramani
Mar 13 · 6 min read
Weak passwords, password reuse, password sharing, hard-coded credentials and lax practices for storing credentials are rampant even in big enterprises, leading to massive breaches.
I happened to read a fascinating research report titled “2021 Credential Stuffing Report” by F5 Labs. The report covers all aspects of stolen credentials, including theft, sale, and fraudulent usage. It throws light on the supply and demand sides of the market for stolen credentials in great detail and also describes the different stages of credential abuse by cybercriminals.
Among the many interesting findings, two things grabbed my attention – on the supply side of the credential spill:
These findings are not surprising. While many cybersecurity practices have changed or evolved over the years, the way organizations and IT teams handle sensitive passwords has remained the same across the globe.
While I was going through the F5 report, another headline in social media grabbed my attention:
A hacker group has claimed that they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons, and schools. Hackers were able to view videos from carmaker Tesla Inc., inside women’s health clinics, psychiatric hospitals, and the offices of Verkada itself.
Quoting the hackers, media reports say that the hack was quite an ‘unsophisticated’ one: Verkada apparently exposed an unprotected internal development system to the Internet. It contained credentials for an account that had super admin rights to the Verkada network. From there, they were able to access the entire company’s network, including root access to the cameras themselves, which, in turn, allowed the group to access the footage of some of Verkada’s customers.
If media reports about the cause of the incident are correct, this is a classic case of a breach caused by not following password security best practices for super admin accounts. Hardcoding credentials is a dangerous practice; all it takes is one accidental exposure to suffer a shocking breach.
This is just one case in point. Some time ago, Uber suffered a similar breach. An Uber employee had hardcoded credentials in source code; a hacker found them on GitHub and used them to gain administrative access to Uber's AWS instances, resulting in the exposure of information belonging to 57 million customers.
Recently, an intern at SolarWinds was blamed for using “solarwinds123” as the password for a file server; a researcher discovered it exposed on the internet. Industry behavior around password storage and management remains poor and continues to result in breaches.
It is all too common to see the same password assigned to multiple IT assets, developers reusing passwords across their personal and work accounts, passwords on spreadsheets circulated across departments, departing IT staff leaving with a copy of all the credentials, and similar practices.
The F5 report reveals another shocking truth. When it comes to storing customer data, many organizations still store sensitive data like passwords in plaintext. Others were found to be using weak, fast hashing algorithms like MD5 or SHA-1, which can be cracked at scale on commodity GPUs. No wonder plaintext storage was responsible for the majority of credential spill incidents in 2020.
Industry analysts repeatedly point out that more than 80% of data breaches involve stolen credentials. Yet IT and security departments concentrate on deploying advanced security systems and technologies while overlooking basics like password security, mainly because they believe they are not on hackers' radar. This leads to complacency about the security basics. Almost all of the victim organizations also believed ‘this won’t happen to us’ and eventually faced an attack.
Credential spill incidents have become all too common and have been happening for quite some time. A total of 3.2 billion breached credentials (username and password combinations) are freely available on the web today, states a study by SpyCloud. This includes over 25 million passwords belonging to employees of Fortune 1000 companies and about 133,000 passwords of C-level executives.
As most users habitually reuse the same credentials across multiple sites, including their work accounts, not just their personal accounts but also corporate accounts are exposed to attack. Many business establishments face cyberattacks simply because of the password reuse practices of their employees.
The credential spill is just one part of the attack equation. Credential abuse, which follows the spill, has far more serious consequences and could affect hundreds of thousands of businesses: attackers replay the leaked username and password pairs against other services (credential stuffing) to gain unauthorized access to networks. But it is poor password security practices that give rise to the credential spill in the first place.
It is a vicious cycle – ignoring password storage and management best practices leads to credential spills, which in turn leads to credential abuse.
Credential spill is posing a grave threat to businesses of all types and sizes. Ignoring the very basic principles of password security often lands organizations in trouble.
Organizations should take measures to avoid becoming the source of a credential spill on the one hand; on the other, they need measures to combat attackers who use already-compromised credentials to perpetrate attacks. Here is a summary of some important action items.
When storing credentials in a database, merely hashing the passwords is not enough. A deliberately slow, password-specific hash function (such as bcrypt, scrypt, Argon2 or PBKDF2) should be used with a unique, random salt per user; fast general-purpose hashes like MD5 or SHA-1 are not suitable. The stored hash can additionally be protected with a server-side secret (a pepper) held outside the database, or encrypted. This way, even if a credential spill happens, attackers will have a tough time recovering the passwords.
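The following is an added example (not code from the original post or from any product it mentions) showing the difference between the unsalted MD5 storage the F5 report found in the wild and a salted, peppered, slow-hash scheme. It uses only the Python standard library; PBKDF2 is chosen because hashlib always ships it, though Argon2 or bcrypt would be equally acceptable. The pepper value and the iteration count are assumptions for illustration; in practice the pepper is loaded from a KMS or vault, never from source.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Server-side secret ("pepper") held outside the user database, e.g. in a KMS
# or vault. Hypothetical constant for the example; never keep it in source.
PEPPER = b"example-pepper-load-from-a-vault"

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256; raise as hardware improves.
ITERATIONS = 600_000


def _pepper(password: str) -> bytes:
    # Keyed HMAC so a dump of the users table alone cannot be attacked offline
    # without also stealing the pepper from wherever it is held.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = salt or os.urandom(16)  # random, unique per user, stored with the hash
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def weak_md5(password: str) -> str:
    """What the report found in the wild and what not to do: unsalted, fast MD5.
    Every user with the same password gets the same hash, and precomputed
    tables or a GPU crack the whole dump at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Storing the algorithm and iteration count inside the record is deliberate: it lets you raise the work factor later and re-hash users transparently at their next successful login, without a flag day.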
Users should be warned about the perils of reusing the same password across multiple accounts. Passwords used on personal accounts should never be used on any of the corporate accounts.
Every single corporate login account should have a strong, unique password. The most common weak passwords like ‘password123’, ‘qwerty123’, ‘123456’ etc. should not be used even for testing purposes.
To meet various business needs, programmatic access to IT resources and databases is required. Developers tend to hardcode passwords in applications, scripts, and configuration files. Hardcoding should be avoided; instead, passwords should be securely stored in a digital vault and retrieved by applications programmatically via APIs at runtime, and source repositories should be scanned so that secrets which slip in are caught before they are pushed.
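As an added example (not from the original post, and not a substitute for a full-featured secret scanner), here is a small pre-commit style scanner that flags the credential shapes behind the Uber and Verkada stories: literal passwords assigned in code, cloud access key IDs, credentials embedded in connection URLs, and private key blocks. The rules and the sample source file are constructed for illustration; lines that read the value from the environment or a template placeholder are treated as the fix rather than a finding.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    snippet: str


# Illustrative rules for common hardcoded-credential shapes. Production scanners
# (gitleaks, trufflehog, detect-secrets) carry far larger rule sets.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]([^'"]{6,})['"]"""),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:[^@/\s]+@"),
}

# Assigned values that are templates or placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)^(\$\{.*\}|\{\{.*\}\}|<.*>|changeme|x{3,}|\.\.\.)$")


def scan_source(text: str) -> List[Finding]:
    """Scan source text line by line and report likely hardcoded credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            # Vault/env lookups and template placeholders are the fix, not a finding.
            if rule == "assigned_secret" and PLACEHOLDER.match(match.group(2)):
                continue
            findings.append(Finding(line_no, rule, line.strip()))
    return findings


# Constructed sample of a config module; not real code and not real credentials
# (the AWS key ID is Amazon's documented placeholder value).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "Summer2021!"                     # hardcoded -> finding
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                # hardcoded -> finding
api_token = os.environ["API_TOKEN"]             # read from environment -> ok
db_url = "postgres://app:s3cret@db.internal/prod"   # credential in URL -> finding
smtp_password = "${SMTP_PASSWORD}"              # template placeholder -> ok
ssh_key = "-----BEGIN RSA PRIVATE KEY-----"     # key material in source -> finding
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Run it as a pre-commit hook or in CI and fail the build on any finding; a scan of the repository history is also worthwhile, because a secret removed in a later commit is still retrievable from git.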
Periodically review password usage across the organization and verify whether any password used by employees appears in the lists of compromised credentials available on the web. Do this without handing plaintext passwords to a third party, for example by comparing hashes locally or using a k-anonymity range query that reveals only a hash prefix.
Passwords of shared, service and privileged accounts should be randomized at periodic intervals, ideally every 45 or 90 days, and immediately whenever a credential is suspected to have leaked or a staff member with access leaves. It is reported that it takes a few months for hackers to exploit stolen credentials, so periodic randomization shortens the window for credential abuse. (For individual user accounts, current guidance such as NIST SP 800-63B favours rotation on evidence of compromise over forced calendar-based expiry, which tends to push users toward predictable variations of the old password.)
Access to passwords should be strictly controlled based on job roles and responsibilities, on a least-privilege basis. For sensitive assets, just-in-time access should be enforced.
Failed login attempts and the number of password reset requests are critical signals that should be continuously monitored. Abnormal patterns in these activities, such as a single source address failing against many different usernames in a short period, may indicate an ongoing credential stuffing attack.
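The following added example (not from the original post) implements both the weak-password denylist check from the previous point and the compromised-credential check from this one. The breach corpus is a constructed stand-in for a service such as Have I Been Pwned's Pwned Passwords, and `range_lookup` emulates its k-anonymity range endpoint locally so the example runs offline: the client sends only the first five hex characters of the SHA-1 and matches the suffix itself, so neither the password nor its full hash leaves the client.

```python
import hashlib
from typing import List, Tuple

# Constructed denylist of the weak passwords named in this post. Real denylists
# (e.g. the NCSC's top-100k file) run to many thousands of entries.
COMMON_PASSWORDS = {"password123", "qwerty123", "123456", "solarwinds123"}

# Constructed stand-in for a breach corpus such as Have I Been Pwned's Pwned
# Passwords, which is published as SHA-1 hashes so no plaintext need be kept.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2021!", "Welcome1", "P@ssw0rd")
}


def range_lookup(prefix5: str) -> List[Tuple[str, int]]:
    """Emulates the k-anonymity range endpoint: given only the first five hex
    characters of a SHA-1, return (suffix, count) for every breached hash
    sharing that prefix. The server never learns which one the caller wants."""
    return [(h[5:], 1) for h in sorted(BREACHED_SHA1) if h.startswith(prefix5)]


def is_breached(password: str) -> bool:
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    # Only `prefix` would leave the client; the full hash and password stay local.
    return any(s == suffix for s, _ in range_lookup(prefix))


def check_password(password: str) -> List[str]:
    """Return the reasons a candidate password must be rejected, if any."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if is_breached(password):
        problems.append("breached")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "Summer2021!", "correct horse battery staple 7F"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```

The same check belongs at password-set time (reject the candidate outright) and in the periodic review (flag accounts whose current password hash matches a newly published spill).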
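As an added example (not from the original post), here is detection logic run over a constructed set of syslog-style authentication events. It separates a user mistyping their own password from credential stuffing, where one source address fails against many different usernames in a short window, and it treats any success from such a source as a probable account takeover. It also flags a burst of password reset requests for one account. The log format, thresholds and time window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, Iterator, List, Tuple

# Constructed syslog-style authentication events; not real data.
SAMPLE_LOG = """\
2021-03-10T09:00:01Z auth FAIL user=alice src=203.0.113.7
2021-03-10T09:00:02Z auth FAIL user=bob src=203.0.113.7
2021-03-10T09:00:03Z auth FAIL user=carol src=203.0.113.7
2021-03-10T09:00:04Z auth OK user=dave src=203.0.113.7
2021-03-10T09:00:05Z auth FAIL user=erin src=203.0.113.7
2021-03-10T09:00:06Z auth FAIL user=frank src=203.0.113.7
2021-03-10T09:01:00Z auth FAIL user=grace src=198.51.100.4
2021-03-10T09:01:10Z auth FAIL user=grace src=198.51.100.4
2021-03-10T09:01:20Z auth OK user=grace src=198.51.100.4
2021-03-10T09:05:00Z auth RESET user=heidi src=192.0.2.9
2021-03-10T09:05:30Z auth RESET user=heidi src=192.0.2.9
2021-03-10T09:06:00Z auth RESET user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>FAIL|OK|RESET) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, str]]:
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["event"], m["user"], m["src"]


def detect(lines, window=timedelta(minutes=5), user_threshold=5, reset_threshold=3) -> List[tuple]:
    """Credential stuffing looks different from a user mistyping a password:
    one source fails against many different usernames in a short window, and
    any success from that source is a likely account takeover. A burst of
    password resets for one account is the other signal the post calls out."""
    fails = defaultdict(list)   # src -> [(ts, user)]
    oks = defaultdict(set)      # src -> {user}
    resets = defaultdict(list)  # user -> [ts]
    for ts, event, user, src in parse(lines):
        if event == "FAIL":
            fails[src].append((ts, user))
        elif event == "OK":
            oks[src].add(user)
        elif event == "RESET":
            resets[user].append(ts)

    alerts = []
    for src, events in fails.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):          # sliding time window
            while ts - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= user_threshold:
                alerts.append(("credential_stuffing", src, sorted(users)))
                for u in sorted(oks[src]):
                    alerts.append(("stuffing_success", src, u))
                break
    for user, times in resets.items():
        times.sort()
        for i in range(len(times) - reset_threshold + 1):
            if times[i + reset_threshold - 1] - times[i] <= window:
                alerts.append(("reset_spike", user, reset_threshold))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying the failure count on distinct usernames per source, rather than on raw failure volume, is what keeps a single forgetful user (grace above) from tripping the rule while the replay of a leaked list against many accounts does. Attackers spread stuffing across many source addresses, so in production the same logic is usually also applied per user-agent, per ASN and across the whole login endpoint.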
These are just the basic security measures. Though organizations certainly require advanced technologies and a variety of cybersecurity arsenals, losing sight of the security basics often leads to attacks. Password security is the foundation of information security. Internalizing this fact is critical.
Manual approaches to enforcing these best practices are cumbersome and error-prone. They can be automated using Password Management / Privileged Access Management solutions like Securden.