It’s the opening week of the annual National Cyber Security Awareness Month (U.S.) and Cyber Security Month (Europe). While good security shouldn’t be something we only think about on one month of the year, it’s a good opportunity to educate the general public about the importance of information security. For practitioners and organizations, it’s also a reminder to reflect on the practices we are already implementing and how we can improve these in future. Throughout October, we’ll be posting a series of blogs covering some of the weekly themes in the US and European 2018 campaigns.
Figure 1: National Cyber Security Awareness Month (U.S.) and Cyber Security Month (Europe) 2018 themes
Week One’s theme is Practice Basic Cyber Hygiene, which aims to assist the public in establishing and maintaining the daily practices to stay safe online. With this in mind, I’m going to discuss one element of cyber hygiene in particular: credential hygiene.
Credential hygiene refers to the way we handle credentials in our environments, whether on an individual or organizational level. In the past, exploit kits targeting popular software such as Flash were a prevalent method of gaining access to victim environments; nowadays, however, phishing kits and credential harvesters that steal username and password combinations are the preferred way. This has many advantages for an attacker, not least that anomalous activity is harder to detect when the attacker logs into an environment using legitimate credentials belonging to a trusted user. Why pick the lock when you can find the key?
When assessing your credential hygiene practices, it’s useful to consider how attackers can target and acquire our credentials in the first place. Broadly speaking, we can group these into three categories:
The Pony malware logs are also an example of how stolen credentials can end up in public datasets, providing a further opportunity for attackers to acquire credentials. These include: historic breaches such as LinkedIn, Adobe and Yahoo; exposed credentials found on public sources such as anti-combo lists, criminal forums and marketplaces; credential sets located on paste sites; and breached datasets acquired from closed sources, such as gated forums and peer-to-peer chat channels.
Something else to consider is the way in which your passwords are being stored. Typically, passwords are stored as a hash, meaning they are protected with a cryptographic one-way function. However, hashing is not a fool-proof solution, and some hashing methods are stronger than others. SHA1 and MD5 are fast to compute, so a powerful set of CPUs can test candidate passwords against them very quickly. Other hashing functions such as scrypt and bcrypt are far harder to brute force, so it’s worth checking with your IT and security teams to ensure you are using the best methods available.
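As an added illustration (not part of the original post or Digital Shadows tooling), the following Python contrasts an unsalted MD5 hash with a salted, work-factor-tuned scrypt record, and includes a rough triage helper for checking how a password store's fields look; the scrypt parameters and the `scrypt$N$r$p$salt$digest` record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not Digital Shadows code. scrypt cost parameters below are
# illustrative assumptions; raise N as your hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def legacy_md5(password: str) -> str:
    """Unsalted MD5 as seen in older breach dumps: cheap to compute and
    deterministic, so equal passwords give equal hashes (lookup tables work)."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Salted scrypt with an explicit work factor, stored as a self-describing
    record (assumed format) so the verifier knows which parameters to use."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute scrypt with the stored salt and parameters; constant-time compare."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # not one of our scrypt records (e.g. a legacy MD5 field)
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def classify_stored_hash(stored: str) -> str:
    """Rough triage of one password-store field for an audit with the IT team:
    bare 32/40 hex digits look like raw MD5/SHA1, which the post calls weak."""
    if stored.startswith(("scrypt$", "$2a$", "$2b$", "$2y$")):  # scrypt / bcrypt
        return "strong"
    if all(c in "0123456789abcdef" for c in stored.lower()):
        if len(stored) == 32:
            return "weak: looks like raw MD5"
        if len(stored) == 40:
            return "weak: looks like raw SHA1"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample: two legacy rows share a hash (unsalted), one migrated.
    rows = {"alice": legacy_md5("password"), "bob": legacy_md5("password"),
            "carol": hash_password("password")}
    for user, stored in rows.items():
        print(user, classify_stored_hash(stored), verify_password("password", stored))
```

Running the sample shows alice and bob ending up with the identical MD5 value, while two scrypt records for the same password differ because of the per-user salt.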
Both on an individual and organizational level, there are many measures you can put in place to improve your credential hygiene. While not exhaustive, some of the most important are:
Credential hygiene is a big topic. For more discussion on best practices, particularly for security teams trying to improve credential management across their organizations, check out our previous episode of ShadowTalk – Episode 39: Credential Hygiene.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.