Tuesday,27 June, 2017

Subscribe to Newsletter

HOME
  NEWS
  Knowledge Center
 
News

Digital Shadows Research Reveals Password and Username Reuse is Major Threat to Enterprise Security

Published May 28, 2017

Digital Shadows, the industry leader in digital risk management, today unveiled research into some of the main techniques cybercriminals are using to target organizations using stolen credentials which have been reused across a variety of sites and online forums. The report “Protect Your Customer and Employee Accounts: 7 Ways To Mitigate The Growing Risks Of Account Takeovers” also outlines what measures organizations can implement to protect against such attacks.

The research reveals that cybercriminals are increasingly turning to credential stuffing tools to automate attempts at account takeover. This is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Based on configurations, the most common targets for these attacks are the gaming, technology, broadcasting and retail sectors.

Last year Digital Shadows found that 97% of businesses in the ‘Forbes 1000’ had their valuable credentials exposed, usually by employees using the same details across multiple sites and platforms. Now criminals are recognizing that employees often have poor username and password discipline to use these in mass automated credential stuffing attacks aiming to gain access to corporate networks.
“Many organizations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high profile incidents like those suffered by Myspace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches,” said Rick Holland, VP Strategy at Digital Shadows. “But it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this problem credential exposure from escalating into an even more severe problem.”

The report also suggests that while multi-factor authentication (MFA) can help to protect organizations and their customers from account takeovers, it cannot be seen as a silver bullet to solve the problem of account take overs.
“Enterprises - and the companies that work for and with them - need to be better prepared for this sort of brute force attack,” added Holland.
Other steps businesses should take to protect against credential stuffing include:
1. Monitor for leaked credentials of your employees. Troy Hunt’s https://www.haveibeenpwned.com is a great resource for this, alerting you to instances of breaches including your organization’s email domain.
2. Monitor for mentions of your company and brand names across cracking forums. This can help to inform the security solutions you invest in. Use Google Alerts for this – Johnny Long some great tips for doing so (http://www.mrjoeyjohnson.com/Google.Hacking.Filters.pdf) and it can help identify the specific risks to your business.
3. Monitor for leaked credentials of your customers, allowing you to take a more proactive response.
4. Deploy an inline Web Application Firewall. Commercial and open source web application firewalls, like ModSecurity, can be used to identify and block credential stuffing attacks.
5. Increase user awareness. Educate your staff and consumers about the dangers of using corporate email address for personal accounts, as well as reusing passwords.
6. Gain an awareness of credential stuffing tools. Keep an eye on the development of credential stuffing tools, and of how your security solutions compare to their capabilities.
7. Implement multi-factor authentication that doesn’t leverage SMS. This can help to reduce account takeovers, but make sure this is balanced against the friction it can cause.
You can access the full report ‘Protect Your Customer and Employee Accounts, 7 Ways To Mitigate The Growing Risks Of Account Takeovers’ at: http://info.digitalshadows.com/AccountTakeover-PR_Registration.html



Rate This:

Posted by VMD - [Virtual Marketing Department]


Poll
What is your favourite search engine?
Google
Yahoo
Bing

Most Viewed
  Riverbed Launches Industry’s Most Complete Digital Experience Management Solution

  Credence Security to Address Growing Market for GRC Solutions in Middle East Through Partnership with Rsam

  New Mimecast Archive Cloud Capability Streamlines GDPR Management for Email

  Planning and Scheduling Software–Helping Manufacturers Keep Their Customers Happy

  Farsight Security and Infoblox Provide Zero-Hour Protection Against Cyberattacks Due to New Domains

  Fujitsu Launches High-Security Biometric Authentication Solution for Active Directory IT Environments

  Rackspace Wins 2017 Red Hat Innovator of the Year Award

  ServiceNow Survey Shows 2018 as the Year of Automation for Routine Enterprise Work

  4 Tech Hacks to Faster Customer Onboarding

  New Mimecast Report Detects 400% Increase in Impersonation Attacks