It’s the opening week of the annual National Cyber Security Awareness Month (U.S.) and Cyber Security Month (Europe). While good security shouldn’t be something we think about for only one month of the year, it’s a good opportunity to educate the general public about the importance of information security. For practitioners and organizations, it’s also a reminder to reflect on the practices we already have in place and how we can improve them in the future. Throughout October, we’ll be posting a series of blogs covering some of the weekly themes in the US and European 2018 campaigns.
Figure 1: National Cyber Security Awareness Month (U.S.) and Cyber Security Month (Europe) 2018 themes
Week One’s theme is Practice Basic Cyber Hygiene, which aims to assist the public in establishing and maintaining the daily practices to stay safe online. With this in mind, I’m going to discuss one element of cyber hygiene in particular: credential hygiene.
What is credential hygiene?
Credential hygiene refers to the way we handle credentials in our environments, whether on an individual or organizational level. In the past, exploit kits targeting vulnerable browser plugins such as Flash were a prevalent method of gaining access to victim environments; nowadays, phishing kits and credential harvesters that steal username and password combinations are the preferred route. This has many advantages for an attacker, not least that anomalous activity is far harder to detect when the attacker logs into an environment using legitimate credentials belonging to a trusted user. Why pick the lock when you can find the key?
When assessing your credential hygiene practices, it’s useful to consider how attackers can target and acquire our credentials in the first place. Broadly speaking, we can group these into three categories:
- Stolen credentials. Attackers can use tools such as phishing kits, keyloggers and credential-harvesting malware to steal credentials. Usually, they’ll use social engineering techniques to trick victims into visiting sites or entering details into specially crafted phishing pages that collect usernames and passwords. Pony is an example of a credential harvester that has been used to steal saved credentials out of browsers and other client software. Usernames, passwords and personal information collected by the Pony malware have also been released publicly and traded among criminal actors.
The Pony malware logs are also an example of how stolen credentials can end up in public datasets, providing a further opportunity for attackers to acquire credentials. These include: historic breaches such as LinkedIn, Adobe and Yahoo; exposed credentials found on public sources such as combo lists, criminal forums and marketplaces; credential sets located on paste sites; and breached datasets acquired from closed sources, such as gated forums and peer-to-peer chat channels.
- Default credentials. Devices such as routers, modems and many Internet of Things (IoT) devices ship with default passwords set by the manufacturer. Users of these devices often forget to change them, leaving themselves open to attack. Default username and password lists for many devices are available online, so attackers can compromise your devices without needing to phish for credentials at all. This extends beyond individual devices to much larger, critical applications: in a recent research report on threats to ERP applications, we discovered many adversaries leveraging weak default passwords on SAP applications.
- Weak credentials. Even if you do change your passwords, using simple, easily guessable credential combinations also plays into an attacker’s hands. With brute-forcing and credential-stuffing tools a dime a dozen, attackers can use automated means to break into your account. We covered this in more detail in our Account Takeover: Protect Your Customer and Employee Accounts report.
Something else to consider is the way in which your passwords are being stored. Passwords should never be stored in plaintext; typically they are stored as a hash, the output of a one-way function from which the original password cannot be recovered directly. However, hashing alone is not a fool-proof solution, and some hashing methods are far stronger than others. General-purpose algorithms such as MD5 and SHA-1 were designed to be fast, so a cracking rig with a handful of GPUs can test billions of candidate passwords per second against them, and if no per-user salt is used, a single precomputed table cracks every user in the database at once. Purpose-built password hashing functions such as bcrypt and scrypt are salted and deliberately slow (scrypt is also memory-hard), so each guess costs the attacker far more and no work can be shared between users. It’s worth checking with your IT and security teams to ensure you are using the best methods available.
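The following is an added example, not code from the original post, illustrating the difference described above: a constructed five-word dictionary is run against an unsalted MD5 store (one lookup table cracks every user) and against a salted scrypt store from Python’s standard-library hashlib (every guess is a fresh, costly computation for a single user). The wordlist, user names and passwords are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's dictionary (not real leaked data).
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2018!"]


def md5_store(password: str) -> str:
    """Legacy storage: unsalted MD5. Fast, and identical for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password: str, salt: bytes = None) -> tuple:
    """Salted scrypt via hashlib. Returns (salt, digest); a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    # n=2**14, r=8 -> about 16 MiB of memory per guess, which is what makes GPU cracking costly.
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = scrypt_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_md5(targets: list, wordlist: list) -> dict:
    """One precomputed table (hash -> word) cracks every unsalted MD5 in a single pass,
    however many users share the database. Returns {hash: password} for the hits."""
    table = {md5_store(w): w for w in wordlist}
    return {h: table[h] for h in targets if h in table}


def crack_scrypt(salt: bytes, digest: bytes, wordlist: list) -> tuple:
    """With a per-user salt no table can be shared: every guess is a full scrypt
    computation for this one user. Returns (password_or_None, guesses_spent)."""
    for i, word in enumerate(wordlist, start=1):
        if scrypt_verify(word, salt, digest):
            return word, i
    return None, len(wordlist)


if __name__ == "__main__":
    users = {"alice": "letmein", "bob": "letmein", "carol": "Summer2018!"}  # constructed
    md5_db = {u: md5_store(p) for u, p in users.items()}
    print("MD5 cracked:", crack_md5(list(md5_db.values()), WORDLIST))
    salt, digest = scrypt_store(users["carol"])
    print("scrypt cracked:", crack_scrypt(salt, digest, WORDLIST))
```

Note that alice and bob end up with the same MD5 value, so cracking one cracks both; with scrypt the two would get different salts and digests, and the attacker has to pay the full cost again for the second account.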
Top credential hygiene tips
Both on an individual and organizational level, there are many measures you can put in place to improve your credential hygiene. While not exhaustive, some of the most important are:
- Create strong passwords. “Strong” means it would be difficult for someone to guess your password. Ideally your passwords should be at least 12 characters long and include both upper- and lowercase letters, at least one number and at least one symbol. Avoid single dictionary words, as these are easy to guess and brute-force.
- Use a unique password for each sensitive account. If you reuse a password on different sites and it is stolen from one, an attacker can use it to access all of those accounts. Consider having separate accounts for different activities: one for work email, one for personal use, and another for sites that bombard you with marketing material. Remembering multiple complex passwords is impossible for most of us, so consider using a password manager rather than writing them down.
- Use multi-factor authentication (MFA) where available. Many sites now offer MFA (aka 2FA), so a secondary, one-time proof of identity is needed alongside the password to log in. This can be a hardware device (e.g. an RSA SecurID token), software (e.g. Google Authenticator) or an SMS message. SMS is the weakest of these, since codes can be intercepted or redirected by SIM swapping, so prefer an authenticator app or hardware token where offered.
Credential hygiene is a big topic. For more discussion on best practices, particularly for security teams trying to improve credential management across their organizations, check out our previous episode of ShadowTalk – Episode 39: Credential Hygiene.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.