I know most of you are sitting around pondering what the most common threat to data is (or is that just me?). Could it be ransomware? Spyware? Keyloggers? Backdoors? Vulnerability exploits? No, no, no, no (what's a backdoor? Perhaps a blog for another time) and no. According to data compiled by Verizon in their 2019 Data Breach Investigations Report, the number one threat is credential theft.
What is Credential Theft?
Credential theft is exactly what you think it is. Some ne'er-do-well has nicked your username and password somehow and is actively using them to, most likely, perpetrate some sort of financial crime. Financial crime can include scenarios like logging into your bank account as you to transfer funds or, more likely, logging into your work email to send messages on your behalf asking for funds to be transferred somewhere they shouldn't be. The classic example of this is the email from the boss asking the accounts department to pay an invoice immediately to some third party.
How are credentials stolen?
There are a few ways that credentials can be stolen, but they usually boil down to two methods.
Method 1, Phishing - Phishing is 20 years old but still represents 90% of targeted attacks. Nearly 1 in 4 people who receive a phishing email open it, and around 4% of those who open it will click on the malicious link or attachment. Once a user has handed over their credentials, these can be sold on via the dark web or used directly to commit fraudulent transactions.
Method 2, Theft of customer databases - A significant number of large companies have been caught out losing potentially damaging customer information, including usernames and passwords. LinkedIn had 167 million accounts breached, Adult Friend Finder 412 million, eBay 145 million, Sony PlayStation Network 77 million, and these are just a few of the big ones. You may think, "So what? We don't have anything to do with these companies", but that ignores password reuse. The 2019 Google Online Security Survey showed that 52% of all users 'reuse the same password for multiple (but not all) accounts', with a further 13% reusing the same password for every account, including work accounts. This high level of reuse gives rise to an attack known as credential stuffing.
How are these stolen credentials used?
Regardless of the method used to steal credentials, the ultimate goal of your average fraudster is to log into a server or service with the intention of doing something they should not. Phishing is usually targeted at a specific service (bank details, eBay details). Credential stuffing uses an automated scattergun approach, trying breached username and password pairs against many systems at once.
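Seen from the defender's side, credential stuffing leaves a distinctive trail: one source address trying many different usernames in a short window, with the occasional success where a reused password was in the breached list. The Python below is an added example (not code from the original post) that runs that check over a constructed sample log; the log format, the 5-minute window and the threshold of four accounts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page): alice
# mistypes her own password twice, while one source works through a list of
# different usernames, the pattern left by automated credential stuffing.
SAMPLE_LOG = """\
2019-06-01T09:00:01 FAIL user=alice src=203.0.113.5
2019-06-01T09:00:05 FAIL user=alice src=203.0.113.5
2019-06-01T09:00:09 OK   user=alice src=203.0.113.5
2019-06-01T09:00:02 FAIL user=bob   src=198.51.100.7
2019-06-01T09:00:03 FAIL user=carol src=198.51.100.7
2019-06-01T09:00:03 FAIL user=dave  src=198.51.100.7
2019-06-01T09:00:04 FAIL user=erin  src=198.51.100.7
2019-06-01T09:00:04 OK   user=frank src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse(log):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src

def stuffing_sources(log, window=timedelta(minutes=5), min_users=4):
    """Return {src: sorted usernames} for sources that tried `min_users` or
    more distinct accounts inside `window`. One user retrying their own
    password is not flagged; many accounts from one address is."""
    by_src = defaultdict(list)
    for ts, _result, user, src in sorted(parse(log)):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def compromised_accounts(log, **kwargs):
    """Accounts that logged in successfully from a flagged source: the stuffed
    password worked there, so these are the accounts to reset first."""
    flagged = stuffing_sources(log, **kwargs)
    return {user for _ts, result, user, src in parse(log)
            if result == "OK" and src in flagged}
```

On the sample log only 198.51.100.7 is flagged, and frank's successful login from it is the account a reused password has already handed over.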
What is this 'Silver Bullet' you speak of?
Vampires have a stake through the heart, Superman has Kryptonite, werewolves have... silver bullets, and credential theft has Multi-Factor Authentication (MFA). MFA is a security system that helps to verify a user's identity by requiring multiple credentials. In addition to the usual username and password combination, a user must present another identifier before being given access to a resource. This could be in the form of a time-based code from an app, a one-time code from a text message or some sort of biometric test (fingerprint / facial recognition).
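The "time-based code from an app" is normally TOTP (RFC 6238), which is HOTP (RFC 4226) driven by the current 30-second time step instead of a counter. The Python below is an added example, not code from this post or from any of the products it names, showing how an app derives the code from a shared secret and the clock, and how a server verifies it with a small drift window. The secret is the RFC test vector, not a real one.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1

# Added example of HOTP/TOTP (RFC 4226 / RFC 6238). The shared secret used
# in __main__ is the RFC test secret, not a real enrolment secret.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for a counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for a Unix timestamp (RFC 6238)."""
    return hotp(secret, for_time // step, digits)

def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps
    (phone clock drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in an authenticator enrolment QR code."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)              # restore stripped padding
    return base64.b32decode(cleaned)

if __name__ == "__main__":
    rfc_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(rfc_secret, int(time.time())))
```

A phished password alone gets an attacker nothing here: the code changes every 30 seconds and is only accepted within the drift window, so a captured code is stale almost immediately.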
MFA is so successful at stopping the effects of credential theft that Microsoft estimates MFA alone will block over 99.9% of account compromise attacks. Imagine that you had an insurance policy that could offer a result like that. It is essentially a no-brainer when you consider that:
- Credential theft is easy, high reward and low risk. It is the fastest growing type of crime and more lucrative than drug-related crime.
- Password theft is constantly evolving and thieves are coming up with better methods and techniques in the ongoing battle between users and fraudsters.
- Due to reuse, it's not just your systems you need to worry about; the services and systems your employees use in their personal lives could also have an impact. Fun fact: employees of smaller businesses have been shown to have higher rates of password reuse!
- Your customers won't care that it wasn't your fault that an employee password was breached. Your reputation is on the line, and so is your wallet if you need to pay reparations to affected entities.
How can I get some of this MFA Action?
I'm glad you asked. There are a number of MFA products on the market. What you will need for your business depends greatly on what applications and services you are looking to secure, which MFA methods those applications support, and who will be managing the MFA system for you once it is implemented.
For a little light reading, check out Duo, Google Authenticator, Microsoft Authenticator or Authy to get a feel for what is available. Your in-house or outsourced IT provider should be able to help steer you to an option that will fit you and your business, or talk to a Sentrian Client Services Manager.
In writing this blog I have relied on a number of sources. For your reading pleasure, please do check out:
Proofpoint Credential Phishing Ebook
CSO Australia - The 18 biggest data breaches of the 21st Century