A few short months ago in April, Verizon released their annual publication of the Data Breach Investigations Report, and after reviewing the report, we would recommend that you pack up the rod and reel, and throw your waders on because the theme of this year’s report is ‘gone phishing for credentials.’
Credential phishing dominated the top-five list of phishing targets this year at 91%. Secrets followed in a distant second with 6%, and bank, medical and personal targets with 1% each. “What do the attackers ultimately steal? A heck of a lot of credentials”, stated the report. This shows that “static credentials continue to be targeted by several of the top hacking action varieties and malware functionalities”. The investigation’s report also revealed that an astonishingly low 3% of targeted users actually alerted anyone that they had received a phishing email.
The Verizon report made the argument that it’s time to raise the bar for authentication and password management. Companies need to stop treating account and password management as a bush-league sport. Nearly 63% of confirmed security breaches were the result of “weak, default or stolen” credentials.
“We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that the implementation of stronger authentication mechanisms is a bar raise, not a panacea. Even with all of that, 63% of confirmed data breaches involved leveraging weak/default/stolen passwords. This statistic drives our recommendation that this is a bar worth raising.”
– 2016 Verizon Data Breach Investigations Report
The 2016 report revealed that of the 905 phishing attacks reported, 89% were perpetrated by organized crime syndicates, and another 9% by state-affiliated actors. Out of all data breaches in the report, 89% were motivated by espionage or financial reasons. One of the most common patterns amongst hackers was targeting web applications in order to execute phishing schemes. Once hooked, the hackers would install malware on their machine, drop in a key logger, begin to export data and then proceed to use the stolen credentials to gain unauthorized access. This information shows us that companies are facing well-organized groups of hackers who are after political/military-related information and any other information that will lead to a profit. They know that targeting end-users will be their way in.
Based on the above-mentioned findings in the Verizon report, organizations can prevent breaches by tackling the issue on three fronts:
- Train their employees better to spot phishing attacks.
- Implement multi-factor authentication where feasible.
- Implement a privileged account management system for personal and shared accounts.
Humans are always, and arguably will always be, the weakest link in the security chain. By conducting routine phishing drills, organizations can test their employees’ ability to spot a phishing attack and report the incident to management. The drill can be as simple as mimicking a phishing email and sending it to all users, with the target URL being an internal website containing a warning that the user could’ve been compromised if this wasn’t a drill and relevant training information. It is better to find out where your weak links lie before an employee gets hooked on a real phishing scheme.
When some users fall victim to a phishing attack, which many will, backup layers of security should be ready to step in and fill the gap. Implementing multi-factor authentication where feasible adds an additional layer of protection in the event a privileged password is compromised. Even if a malicious application like a keystroke logger is installed, the phishermen will still only have half of the required credential information, as solutions like RSA SecureID automatically rotate a unique token code for authentication.
It is also understood and acknowledged that implementing multi-factor authentication isn’t feasible directly on all systems, and in that case, organizations should be utilizing the last and most effective line of defense, a privileged account management solution. A fully featured PAM solution can act as a gateway for the systems, by requiring a multi-factor login in order to fetch the current password. PAM solutions can automatically and regularly rotate personal and shared privileged account passwords, allowing companies can stay ahead of hackers. Target systems can be further protected by requiring users to connect directly from the PAM solution, using a built-in jump-server (such as the CyberArk’s Privileged Session Manager – PSM). A PSM-style solution can record user activity, and at the same time isolate the user’s potentially compromised machine from directly propagating the virus onto the server environment.
CyberSheath’s engineers are well versed in financial industry regulations and government standards and can help establish an effective Privileged Account solution appropriate for your organization. You can learn more about our approach by viewing our Privileged Access Management service area.