
Why securing credentials is more important than ever

Passwords. They’re the bane of our existence—whether you work in IT, IS or just have trouble remembering them all. Passwords may have originated as a security measure, but now, at least alone, they’re a liability. Why? Unintentional user negligence and intentional cybercriminal enterprise have rendered the username/password combo, otherwise known as credentials, practically moot.

Thanks to countless years of desks left unattended and phishing scams coercing users into entering their personal information, millions of credentials are readily available to be stolen, sold, and/or leaked online. That’s why credentials—or more importantly, the security measures we use to verify identity and grant access—need protecting now more than ever.

Unfortunately, many businesses continue to rely on outdated credential security models that leave their networks exposed—a situation only exacerbated by remote work.

Securing credentials for the 2022 threat landscape

Once upon a time, before the pandemic ushered in the era of Zoom fatigue and cloud-based-everything, access to the corporate network could be protected by a level of security provided by the four walls of the workplace. Traditional on-premises security conferred on employees an automatic level of trust. Swipe a badge, gain entry. From there, identity could be verified by simply recognizing a familiar face at work.

This trusted access extended to all systems and networks, empowering organizations to follow the “trust, but verify” model, in which users were given full access to the corporate network once their login credentials—typically just a username and password—were substantiated.

As cybercrime tactics advanced, however, this approach was like handing threat actors the keys to the proverbial castle: If criminals had just one employee’s credentials, they could gain access to the entire corporate network, including sensitive data like financials or employee records.

In fact, cybercriminals have developed a wide range of sophisticated (and some unsophisticated) methods for targeting credentials, ranging from key loggers and credential-harvesting malware to spear phishing and business email compromise. Before the pandemic brought about the mass migration to remote work, organizations were already in need of revamping their credential security to better adapt to modern-day threats.

Remote work further compromises credential security
Enter: the sudden, intense shift of organizations’ entire workforces to the WFH model. It’s no secret that, while beneficial in many ways for businesses and their employees, remote work has dramatically expanded an organization’s threat surface. The sheer number of new, potentially vulnerable access points introduced by remote employees alone—including personal devices, home networks and IoT—would be enough to instigate the type of credential policy change advocated here.

Many work-from-home (WFH) devices and networks are under-secured, with minimal or no identity verification required. A single remote employee might introduce a handful or more of new vulnerabilities: Using a personal laptop without entering credentials. Connecting to the corporate network from a home network that isn’t password-secured. Using a home assistant and smart refrigerator with their default credentials settings still in place.

Add to that a remote workforce that may not be up-to-date on the latest WFH best practices, and you have the perfect recipe for a breach.

Cybercriminals are, unfortunately, well aware that remote work has weakened businesses’ security postures. A steep rise in cybercrime has paralleled the adoption of remote work—especially cybercrime targeting credentials. With compromised credentials cited as the most common cause of security incidents, it’s clear that organizations should re-imagine how they protect credentials and prove identity when providing access to their remote employees.

Best practices for credential security today
With cybercriminal tactics for targeting credentials becoming more sophisticated, with users (both on-premises and remote) in need of more acute security awareness, and with WFH environments contributing to a burgeoning collection of new vulnerable access points, it’s time for organizations to follow more contemporary principles of credential security.

Want to get started? The following tools and policies help improve both credential and overall security:

Password hygiene: Password hygiene remains a problem for most people—two-thirds of users reuse their passwords across multiple accounts; 59 percent use their birthday in their password; 43 percent have shared their password with someone—so it’s no surprise that login credentials alone provide little security.

With criminals increasingly credential stuffing, aka using stolen credentials to access other people’s accounts and services, preventing password reuse and requiring stronger, more frequently updated passwords is a first step in the right direction.

  • Set maximum password age limits to ensure passwords are changed, as well as minimum age limits so they can’t be quickly changed back.
  • Require passwords meet complexity requirements, like containing at least one uppercase and lowercase letter, a number, and a special character.
  • Set minimum password lengths and encourage employees to create long passphrases unrelated to their personal information—so no birthdays, street numbers, names, etc.
  • Use Enforce Password History policies that store old passwords and restrict repetition.
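As an added example (not code from the article), the following Python shows how the four policy points above translate into concrete checks: length and complexity, a personal-information blocklist, a hashed password history, and minimum/maximum age. The thresholds, the `PasswordPolicy` class and the sample values in the comments are constructed for this illustration.

```python
import hashlib
import re
from datetime import date, timedelta

# Policy thresholds are constructed for this example, not values from the article.
MIN_LENGTH = 14
MAX_AGE_DAYS = 90     # maximum password age: force a change after this many days
MIN_AGE_DAYS = 1      # minimum password age: block an immediate change back
HISTORY_DEPTH = 24    # "Enforce password history": how many old passwords to remember


class PasswordPolicy:
    """Evaluates a proposed password against the four policy points above."""

    def __init__(self, personal_info, history_hashes=(), last_changed=None):
        # personal_info: strings that must not appear (name, birth year, street number)
        self.personal_info = [s.lower() for s in personal_info if s]
        self.history = list(history_hashes)[-HISTORY_DEPTH:]
        self.last_changed = last_changed  # date of the current password's last change

    @staticmethod
    def fingerprint(password):
        # The history store keeps only digests, never old passwords in the clear.
        # SHA-256 keeps the example dependency-free; a real store would use the
        # same slow, salted hash as the credential store itself.
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def violations(self, candidate, today):
        """Return every policy rule the candidate breaks (empty list means accepted)."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("too short")
        # Complexity: at least one uppercase, lowercase, digit and special character.
        classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
        if not all(re.search(pattern, candidate) for pattern in classes):
            problems.append("missing character class")
        lowered = candidate.lower()
        if any(info in lowered for info in self.personal_info):
            problems.append("contains personal information")
        if self.fingerprint(candidate) in self.history:
            problems.append("reused from history")
        if self.last_changed and today - self.last_changed < timedelta(days=MIN_AGE_DAYS):
            problems.append("changed too recently")
        return problems

    def is_expired(self, today=None):
        """True when the maximum age has passed and a change must be forced."""
        today = today or date.today()
        return self.last_changed is None or today - self.last_changed > timedelta(days=MAX_AGE_DAYS)
```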

Multifactor authentication (MFA): More than 8.4 billion passwords stolen in data breaches have been leaked online—in a single hacker forum. With criminal access to so many credentials, requiring a second or third layer of identification through MFA helps thwart many attempted cyberattacks. MFA calls for at least two modes of identification, including:

  • Something the user knows, such as a password, PIN, or answers to personal security questions
  • Something the user has, such as a security token, USB device, smartphone, or other physical object
  • Something the user is, such as a unique physical characteristic: fingerprints, voice recognition, facial recognition, or retina scanning

Single sign-on (SSO): Besides credential theft, password fatigue is also a key contributor to security breaches. When users are prompted to change passwords frequently, they often make too-simple alterations, such as swapping one special character for another or capitalizing a different letter of an existing password. In addition, having to remember different passwords for dozens of accounts encourages reuse.

Using SSO authentication—i.e., allowing one set of login credentials to access multiple systems—can mitigate risk by reducing both password fatigue and credential theft. When implemented securely (in combination with MFA), SSO benefits include:

  • Reducing password fatigue by eliminating password re-entry.
  • Minimizing risk of accessing third-party sites because passwords are no longer stored externally.
  • Decreasing the likelihood that users will store passwords insecurely (e.g., by writing them down on post-its).

Businesses looking to further improve credential security should consider adopting the latest thinking in best practices. The prevailing philosophies are:

Least-privileged access: One of the most menacing aspects of credential compromise is that cybercriminals can gain access to your entire network with only a low-level user login. Following a principle of “least-privileged access” helps limit damage that might be done by a hacker or malicious insider with unauthorized access.

Least-privileged access involves restricting users’ access rights to only the data and systems they need to perform specific tasks. Least-privileged access can also be combined with segregation-of-duties policies to limit users’ access to specific functions.

Zero trust: Traditional perimeter-based security is no longer enough to protect against modern-day risks to corporate credentials, thanks to cybercriminal innovation in credential-stealing methods and the difficulty organizations now face in verifying the identity of their remote workers.

Employees themselves will always be a security risk—albeit one mitigated by successful security education programs—but now their working environments are unsecured and unmanaged by IT. Even least-privileged access could allow bad actors to gain a foothold into the corporate network. Zero trust offers an even more secure approach.

Zero trust follows a “never trust, always verify” philosophy, where every user and device must be continuously validated before receiving access, and access is only granted upon request. Instead of authorizing broad access to a collection of network resources, zero trust grants access to specific resources on an as-needed basis. Users and devices are never trusted by default, even if they had been connected to company resources before.
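As an added illustration (not code from the article), the following Python contrasts the “trust, but verify” perimeter model described earlier with a zero-trust decision that also applies least-privileged access. The `AccessRequest` fields, user names, entitlement table and scenarios are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt. Every field value used below is constructed for this example."""
    user: str
    password_ok: bool          # the username/password pair checked out
    inside_perimeter: bool     # request originates from the corporate network
    mfa_verified: bool         # a second factor was presented for this request
    device_managed: bool       # device is enrolled and attested by IT
    resource: str              # the specific resource being requested


# Constructed least-privilege entitlements: what each user actually needs for their tasks.
ENTITLEMENTS = {
    "alice": {"finance-db", "hr-portal"},
    "bob": {"hr-portal"},
}


def perimeter_authorize(req):
    """'Trust, but verify': a valid login from inside the perimeter unlocks every resource."""
    return req.password_ok and req.inside_perimeter


def zero_trust_authorize(req):
    """'Never trust, always verify': each request is judged on identity, factor,
    device and entitlement; being inside the network earns nothing by itself."""
    checks = (
        req.password_ok,
        req.mfa_verified,
        req.device_managed,
        req.resource in ENTITLEMENTS.get(req.user, set()),
    )
    return all(checks)


def decide(req):
    """Return both models' decisions so the two can be compared side by side."""
    return {"perimeter": perimeter_authorize(req), "zero_trust": zero_trust_authorize(req)}


# Sample scenarios (constructed): stolen credentials replayed from a desk inside the
# building, and a legitimate user reaching past their entitlements.
STOLEN_CREDS = AccessRequest("bob", True, True, False, False, "finance-db")
OVERREACH = AccessRequest("bob", True, True, True, True, "finance-db")
LEGITIMATE = AccessRequest("alice", True, False, True, True, "finance-db")
```

Under the perimeter model the stolen login succeeds and the over-reaching user is also let through; under zero trust both are denied while the remote, attested, entitled request is granted.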

Implementing these many layers of credential security may take a great deal of time and money—or it might not be possible for many small businesses or start-ups right now. That’s okay—any small improvement in credential security makes a difference. But understanding the threat landscape and the tools, policies, and philosophies that are best recommended helps organizations develop a credential security model to strive for.

To learn more about password hygiene: https://blog.malwarebytes.com/cybercrime/2019/03/hackers-gonna-hack-anymore-not-keep-reusing-passwords/

For a deeper dive on zero trust: https://blog.malwarebytes.com/explained/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model/

For more information on best WFH practices: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/


Casino fish tank hack a cautionary tale for businesses using IoT

Pinch me if you’ve heard this one. In 2017, a casino was breached through a smart thermometer used to monitor the temperature of an aquarium installed in the lobby. Threat actors exploited the smart thermometer to penetrate the casino’s network and steal information from its high-roller database. Yikes.

The fish tank hack has already gone down in history as the ultimate cautionary tale for installing IoT in your home or business. Yet adoption of IoT has steadily risen over the last five years for consumers and organizations — despite, or in some cases because of, the COVID-19 pandemic causing a serious wrinkle in basically everything.

IoT security is no longer a fringe concern. Business owners and security teams alike should be looking at ways to build IoT security protocols into their plans for adoption — especially because many such devices have little protection built into their own functionality.

Weak IoT security should concern consumers, businesses as adoption increases

Back in 2017, IoT was still a baby-faced newbie. The technology was not yet well understood, but early adopters were keen to demonstrate their savvy with the latest and greatest. However, that lack of understanding carried with it grave consequences — especially for one North American casino.

In July of that year, the casino was breached through rather unorthodox means: a fish tank. Not just any fish tank, of course. The high-tech aquarium was installed in the casino’s lobby, and its temperature and salinity were remotely monitored via an Internet-connected thermostat, which also allowed for automated feeding of the fish.

Unfortunately, lack of proper security protocols like network segmentation and antivirus protection meant the smart device also allowed hackers to easily access the casino’s network and exfiltrate 10 GB of data from its high-roller database. The data, which may have included information about some of the casino’s biggest spenders, along with other private details, was sent to a remote server in Finland. By the time the casino discovered its error, it was too late.

The story has become something of a cybersecurity legend; a parable for IoT security. Four years later, adoption of IoT has increased ten-fold, yet the lessons learned from the fish tank hack have yet to penetrate the masses. Consumers and organizations might know much more about the benefits of smart devices, but many remain ignorant of their security deficits. And despite the US government getting involved and passing IoT laws, there is still a lack of regulation across the industry.

Today, IoT devices are in hot demand. The global market for IoT was valued at $761.4 billion in 2020, according to Mordor Intelligence, and it is expected to top $1.3 trillion by 2026. Juniper Research says that there will be 83 billion IoT connections by 2024, up from 35 billion recorded in 2020. That’s a whole lot of IoT, especially considering the pandemic derailed the global economy, employment, and entire industries for more than a year.

IoT adoption among consumers has picked up pace over the last five years, with smart phones and home automation particularly driving growth. The global home automation market alone stood at $45.8 billion in 2017 and is projected to reach $114 billion by 2025.

The most popular smart home devices include home assistants like Alexa or Google Home, smart thermostats such as Nest, and smart doorbell/security devices like Ring. Other IoT home products include smart locks, refrigerators, washers and dryers, wristwatches, baby monitors, and toys. Almost all cars made today have some form of Internet connectivity. Even medical devices and health/fitness apps count as IoT.

Each of these devices carries known vulnerabilities. Alexa and other home assistants have been known to record conversations without any such deliberate request from their owners. Smart thermostats and locks have been exploited by domestic abusers looking to trap and torture their victims. Baby monitors and smart toys have invited creepers to look in on sleeping babes and record interactions with said wee ones. And cybercriminals have used IoT devices to snatch or modify patient data and penetrate hospital networks, not unlike the methods used to access the casino’s high-roller database.

The pandemic only sweetened the pot for cybercriminals looking to take advantage of the hasty shift to remote work, which was (and still is) reliant on IoT, cloud computing, and users’ security hygiene to function smoothly. Add to that a home assistant all-too-eager to record company secrets shared over Zoom meetings, and you have the recipe for a much-weakened security perimeter.

Yet organizations — nay, entire industries — have jumped on the IoT bandwagon, with adoption skyrocketing over the last few years and projections showing continuing growth through the middle of the decade. Right now, about 40 percent of companies are deploying IoT within their business infrastructures, according to Eclipse Foundation’s 2020 IoT Commercial Adoption survey, and Microsoft’s 2020 IoT Signals Report states that 1 in 3 decision makers plan to increase their IoT investments.

Certain industries are mostly responsible for driving growth in organizations’ IoT adoption rates. The industrial sector, including manufacturing, agriculture, and retail, will account for over 70 percent of all IoT connections in just three years, according to Juniper Research. Technologies such as smart cities, factory automation, precision farming, and e-commerce will contribute to such growth.

One industry particularly impacted by IoT is healthcare. The global healthcare IoT market is expected to reach $14 billion by 2024, says Zion Market Research, driven largely by healthcare facilities’ growing use of cloud computing and medical management apps. To protect patients from potential exposure to COVID-19, virtual appointments for non-emergency care have become the norm, and smart thermometers now scan patients for fever, a telltale symptom of the virus.

In addition, the global IoT medical device market is growing steadily at a rate of about 15 percent between 2019 and 2025 and is expected to generate around $63 million by 2025 (Zion Market Research). IoT is likely to transform conventional paper-based healthcare by simplifying access to real-time patient data and remote monitoring. From diagnostic biotech to smart pills that automate administration of medication, there’s no shortage of IoT applications in the medical field.

Between all of this IoT use at home and in the office, as well as in manufacturing, agriculture, retail, and healthcare, the lack of strong security protocols only introduces more and more opportunities for cybercriminals to penetrate organizations’ defenses. That’s why it’s important for individuals, business owners, developers, and IT and security teams to understand how to protect IoT devices as they’re being built and once they’ve been deployed.

For an overview of why IoT security is so lacking, plus a few recommended solutions for boosting IoT defenses, check out this blog on Malwarebytes Labs:
https://blog.malwarebytes.com/101/2017/12/internet-things-iot-security-never/