Chief Product Officer and Co-founder of SpyCloud, helping companies around the world discover and prevent account takeover (ATO) attacks.
If you didn’t think password security was important before, there’s no way to turn a blind eye to recent events. The head of Colonial Pipeline told Congress that cybercriminals were able to launch a ransomware attack on his company — effectively shutting down half of the country’s fuel supply chain — by stealing one password.
According to Mandiant (which worked with Colonial Pipeline post-breach), the VPN login belonged to an employee believed to be inactive. The firm noted that the employee “may have used” the password on a different website that was previously compromised. That single reused password cost the company $2 million in ransom alone and set off one of the biggest supply chain crises in recent history.
Ransomware attacks like these are becoming more frequent. JBS, the world’s largest beef supplier, paid $11 million to hackers who launched a ransomware attack on its network in May. This came on the heels of an attack that involved SolarWinds in December 2020 that continues to impact thousands of U.S. federal agencies and contractors. Many believe that the attack may have stemmed from poor password security, and it could take years and upwards of $100 billion in taxpayer money to repair the damage.
Many ransomware attacks can be linked back to very basic credential security and identity management. Cybercriminals don’t even have to work hard; they simply take advantage of sloppy password habits that millions of consumers are guilty of. These types of attacks are now an imminent threat to both critical U.S. infrastructure and every business’s bottom line, but there are basic steps you can take to gain back control.
Ransomware only works if cybercriminals have access to your network. Some of these attacks stem from account takeover (ATO), which often starts with poor password hygiene. In an ATO, criminals leverage stolen passwords obtained from previous data breaches to log in to an existing account to perpetrate fraud. Because of the prevalence of password reuse, a compromised password on a personal account that has been reused in a business setting can put your company at risk. Our researchers recovered nearly 1.5 billion stolen credentials on the dark web last year, adding them to a collection of 25 billion recaptured passwords. This is the type of data cybercriminals are leveraging to gain access to company systems.
First, clean up your employees’ password habits. Follow the latest NIST password guidance, which also covers tackling the password reuse problem. For instance, some managed identity providers allow the use of password filters that can extend your organization’s password policy to align with NIST standards when creating a new account password or changing an existing one.
As the Colonial Pipeline attack showed, cybercriminals often use passwords that were compromised weeks, months or even years prior to gain access to new accounts. The strongest password in the world won’t protect you if it’s already been exposed in a prior breach. In 2020, our researchers observed a 60% password reuse rate among users exposed in data breaches in the last year. Providing a password management tool for employees can be a good way to discourage this.
Since the risk associated with password reuse is especially high outside the corporate environment, making password managers accessible to your employees for personal accounts is also a good idea. However, it’s nearly impossible to enforce this completely. That’s where you need a system to continuously monitor for exposed credentials and stolen personally identifiable information. This extra layer of security will notify you immediately if a password in your network has been exposed in any other breaches so that you can take immediate action and prevent an attack.
This system should give employees “guardrails” when creating passwords (such as a list of banned passwords) and continuously test variations of each employee password to see if they’re recycling exposed passwords with minor changes. It’s ideal to automate remediation as well to reduce the administrative burden of individual employee communications and password resets.
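As an added illustration (not code from this article or from SpyCloud), here is a small password filter of the kind described above: it rejects a candidate that exactly matches a known-exposed password, and also one that is only a trivial variant of it (case change, an appended year or symbol, leetspeak substitutions). The exposed list, the substitution table and the function names are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample of exposed passwords; in practice this comes from a
# breach corpus, not from anything stored beside the live directory.
EXPOSED_PASSWORDS = {"summer2019", "Colonial123", "password", "welcome1", "12345678"}
MIN_LENGTH = 8      # NIST SP 800-63B minimum for user-chosen passwords
MIN_STEM = 4        # stems shorter than this are too generic for variant matching

# Common substitutions users apply when "changing" a recycled password (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Case and Unicode folding only; used for the exact-match comparison."""
    return unicodedata.normalize("NFKC", pw).lower()


def stem(pw: str) -> str:
    """Reduce a password to the core word a user is likely recycling:
    drop leading digits and trailing digits/symbols, then undo leetspeak."""
    core = re.sub(r"^\d+|[\d\W_]+$", "", normalize(pw))
    return core.translate(LEET)


def build_index(exposed):
    """Precompute the exact and stem forms of the exposed corpus."""
    exact = {normalize(p) for p in exposed}
    stems = {s for s in (stem(p) for p in exposed) if len(s) >= MIN_STEM}
    return exact, stems


def check_password(candidate: str, exposed=EXPOSED_PASSWORDS) -> str:
    """Return 'ok', or the reason the candidate must be rejected."""
    if len(candidate) < MIN_LENGTH:
        return "too_short"
    exact, stems = build_index(exposed)
    if normalize(candidate) in exact:
        return "exposed_exact"          # the password itself was leaked
    s = stem(candidate)
    if len(s) >= MIN_STEM and s in stems:
        return "exposed_variant"        # a minor tweak of a leaked password
    return "ok"
```

Rebuild the index once at startup rather than per call when screening a whole directory, and run the same check on existing accounts to find the variants already in use.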
To further discourage password recycling, organizations should stop implementing policies that force a password rotation every so often and make access to a password manager an employee benefit.
Lastly, fortify your users’ logins with multifactor authentication (MFA). Colonial Pipeline’s CEO admitted that the VPN system used to infiltrate the company’s network did not have MFA in place. That second security hurdle could have made it harder for criminals to perpetrate the attack. Many single sign-on offerings from identity management providers support mandatory MFA and access control across the organization’s different applications and access points.
Right now is the time to get serious about credential security. Cybercriminals generally rely on poor user hygiene to steal credentials and launch ransomware and other targeted orchestrated attacks. Businesses in every industry and of every size are at risk. It’s no longer just a problem for massive corporations. These attacks have proved to be lucrative, and cybercriminals are going to attempt them more frequently.
The damage from a cyberattack can take years and millions of dollars to fix. It’s much easier to proactively clean up your account hygiene and add extra layers of security. When you know if your employees’ credentials have been exposed, you can help mitigate further damage by taking some of these simple steps.