Libby Bevin

Lost or stolen user access credentials are a chronic, widespread cause of cybersecurity breaches. By mid-2020, 80 percent of hacking-related breaches and 77 percent of cloud breaches involved the use of compromised credentials. The number of corporate credentials with unencrypted passwords posted on the dark web soared by more than 400 percent, leaving organizations vulnerable to various cyberattacks.

That momentum has not ebbed in 2021. Credentials remain one of the most sought-after data types, well ahead of personal, medical, and banking data.

Moreover, credentials are also the “fastest” data type to be compromised, particularly in 85 percent of phishing attacks. Stolen credentials are an alarmingly common attack vector in ransomware, Magecart, and web application attacks.

To prevent security breaches, you must be more aware of the risks and consequences of compromised credentials and the strategies for protecting your passwords.

The Risks to Corporate Credentials and Consequences of Compromise

When passwords and authentication systems were first invented some 50 years ago, nobody imagined that five decades later, those systems would give bad actors a convenient target to attack enterprise systems and steal valuable corporate data.

Today, however, passwords are among the weakest links in enterprise cybersecurity, especially as IT networks become more complex and cybercriminals become more sophisticated. Here are the most common risks to corporate credentials and the possible consequences of compromise.

Reused Passwords

People often use the same password across different accounts because it’s cumbersome to manage unique passwords for each account. This causes serious security problems for the organization.

In one survey, 95 percent of respondents said that password reuse was one of the biggest security threats to their company. Moreover, reused passwords account for 93 percent of human risk factors, expanding the attack surface and increasing the risk of data breaches.

Weak or Default Passwords

According to one survey, many employees in Fortune 500 companies used passwords so weak they could be hacked in less than one second. These include easy-to-remember passwords like “123456,” “Hello123,” “qwerty,” and “password.” Many employees also write down or share their passwords.

Simple passwords are not only easier for employees to remember; they’re also easier for hackers to guess or obtain through brute force attacks. Then hackers can then mimic legitimate users, breach enterprise networks, access compromised accounts or systems, and steal data.

Privileged Credentials

Credentials with privileged access are also attractive to attackers since they allow the attacker to access and maliciously compromise many business-critical IT assets with one single “key.”

One Password, Many Threats

Even with just one stolen credential, hackers can inflict extensive damage, such as:

• Moving laterally within the network
• Compromising many different systems, accounts, and users
• Launching ransomware or other types of malware attacks
• Gaining access to funds, sensitive data, intellectual property, and customer information

The 2021 attack on Colonial Pipeline was a severe cyberattack that required just one compromised set of credentials. These credentials allowed hackers to gain entry into Colonial’s networks and launch a ransomware attack that forced the company to shut down its systems and led to fuel shortages across the United States.

Data Breaches

Compromised credentials are responsible for 63 percent of data breaches. A single breach investigation, incident response, and remediation can cost organizations $4.24 million on average.

Supply Chain Attacks

Compromised or stolen credentials also increase the risk of supply chain attacks. One famous example is the SolarWinds attack of 2020, where hackers stole credentials to breach 200+ customers of SolarWinds, including global corporations and federal agencies.

Financial and Productivity Costs

Aside from cybersecurity risks, credentials can cause other headaches for businesses too. For example, users may need to manage credentials for multiple service accounts, sometimes with complex password requirements, affecting their user experience and hindering productivity.

Credentials management also has a tangible financial cost for organizations. The annual expenses of password support and infrastructure can go up to $1 million for large organizations.

Further, about 30 – 50 percent of IT helpdesk calls are for password resets, hindering the IT team’s productivity and efficiency. Even a single reset request can cost about $70. These costs add up over time for multiple users and reset requests.

7 Common Ways Credentials Are Compromised

Modern cybercriminals and hackers can compromise, steal, and misuse enterprise credentials in many ways.

Phishing

In 2020, phishing was the top “action variety” in breaches, according to Verizon and the FBI. In fact, 75 percent of organizations experienced a phishing attack, and in a majority of such attacks, compromised account credentials were involved.

In a phishing attack, a threat actor sends fake emails that look legitimate to the victim. The attacker then dupes the victim into revealing his or her credentials on a malicious, attacker-controlled website; that allows the attacker to access enterprise systems, disrupt operations, and steal sensitive data.

Social Engineering

Attackers may use social engineering techniques to gain access to credentials. For example, they may call a victim pretending to be someone from the IT helpdesk or approach a victim in person, and trick the victim into revealing his or her credentials.

Sniffers and Keyloggers

Sniffing is a technique attackers use to infiltrate insecure or unencrypted wireless or wired networks and steal credentials by listening to network traffic.

A keylogger is a spyware that secretly logs everything the user types, including usernames and passwords. It then sends the log file to a malicious server, allowing the cybercriminal to steal the credentials and use them for malicious purposes.

Brute Force and Cracking

Brute force involves the use of automated tools to generate billions of passwords. Attackers then try each password with every possible character combination to access a user’s account until they discover the correct password.

Such attacks often remain undetected if the attacker can get a copy of the system’s password file or download the hashed passwords from a database.

Dictionary Hack

A dictionary is a file containing the most commonly used passwords, such as “123456,” “password,” and “iloveyou.” In this tactic, the attacker automatically tries every word in the dictionary to guess the actual password. Such attacks are especially effective when people use simple, easy-to-remember passwords for multiple accounts.

Rainbow Tables

A rainbow table contains pre-computed hash values to crack the password hashes in a database. The attacker runs a list of passwords through a hashing algorithm and compares the results against an encrypted password file to crack weak (or even complex) passwords quickly.

Shoulder Surfing

This method is common when employees work remotely from public spaces like cafes or libraries: the thief simply looks over the user’s shoulder to note his or her credentials as the user types them into an account or system.

4 Strategies to Detect Credential Compromise and Protect Enterprise Accounts

Detecting the threats of compromised credentials should be a top priority for all security admins. They can do this in multiple ways.

Implement User Behavior Analytics (UBA)

UBA analyzes millions of network events generated by corporate users to detect compromised credentials, insider threats, and risky behaviors on the enterprise network. It can also find evidence of intruder compromise, identify the lateral movement of threat actors within the network, and find other kinds of malicious behaviors.

Since UBA focuses on user behaviors rather than static threat indicators, it can detect attacks that escape traditional detection tools and raise early or real-time alerts about suspicious behaviors or malicious attacks.

Deploy Endpoint Detection and Response (EDR)

Adversaries leverage compromised user credentials to gain access to enterprise assets, move laterally among systems, and stay hidden inside for a long time. For this, they often attack insecure endpoints via ransomware, phishing, malvertising, and drive-by download attacks.

EDR solutions can block and respond to endpoint security incidents. They provide better visibility into endpoints and support continuous monitoring to find possible cases of credential compromise.

Leverage Automated Detection Technology

Automated deception technology can detect password guessing attempts by unauthorized users. It deceives attackers by distributing traps and decoys across the network to imitate genuine assets. By defining a “honey user” and honey credentials for a decoy account, security personnel can get alerts on credential compromise within these accounts.

Use a Strong Password Manager

A password manager securely stores passwords in an encrypted database. It can also generate random, complex, and unique passwords for accounts, minimizing the possibility of credential theft or compromise. Some password managers also warn users if any passwords have been compromised so that quick action can be taken.

Prioritize Business Security with ZenGRC

To protect your enterprise credentials from compromise, you need better visibility into your risk environment. Try ZenGRC to boost your threat detection and risk assessment capabilities.

Leverage a centralized, integrated platform to get a single source of truth into the critical risks affecting your credentials and protect your organization from the dangers of credential compromise. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

Many organizations rely on ZenGRC to increase risk visibility and strengthen their cybersecurity defenses. Schedule a demo to explore ZenGRC for yourself.

This article first appeared on radicalcompliance.com December 12^th, 2021

Last week one of the country’s top banking regulators published its semi-annual report on risks to the financial system, and to no surprise cybersecurity risk was near the top. The more one ponders the findings, however, the more you can see insights about cybersecurity, internal control, and innovation that are worth the time of a compliance professional in any sector.

The report comes from the Office of the Comptroller of the Currency, chief regulator of consumer banking in the United States. OCC publishes a high-level review of risks every six months, and this was its second report for 2021 – 32 pages, not too technical, and a good summary for anyone who wants to understand how macro-economic trends might affect the financial sector.

What caught my eye, however, was how the OCC report described cybersecurity threats: as part of operational risk. In fact, the OCC didn’t just say that cybersecurity threats as part of operational risk; the agency framed rising cybersecurity threats as driving operational risk: “Operational risk remains elevated as cyber attacks evolve, become more sophisticated, and cause damage to a variety of industries.”

Why does that sentence jump out at me so much? Because it brings into sharp relief the usually subtle point that modern business operations rely on technology to work, so you can’t address operational risk without effective cybersecurity. For all practical purposes, the two concepts are one in the same.

Right away, then, compliance, internal audit, and risk management professionals have a powerful argument about why you should be included in the senior management team’s strategic deliberations. Those deliberations are all about how the business should operate to achieve its objectives – but if the success of those operations depends on effective cybersecurity (and its fraternal twin, effective privacy), then you executives in charge of cybersecurity and privacy compliance can’t be an after-thought. To assure strong business processes, with minimal risk to successful operations, a company must consider cybersecurity and privacy risks from the start.

I have no illusions that some senior management teams won’t agree; or they’ll politely say “of course we believe that!” and then relegate cybersecurity and privacy to second-class status anyway. Well, that unholy fusion of cybersecurity and operational risk doesn’t care whether your C-suite grasps the point. The point still remains that cybersecurity risk now drives operational risk, and you need to respond accordingly.

What ‘Accordingly’ Means in Practice

The other reason I recommend the OCC report is that immediately after presenting cybersecurity as a driver of operational risk, the report moved on to the risks of complex supply chains and innovation in products and services.

But, when you think about it, aren’t those just subsets of operational risk? Because last time I checked, all businesses are moving into environments of extended enterprises and digital transformation. Retooling your operations in such a manner is how you stay competitive in today’s world.

So any time the senior management team talks about restructuring operations to embrace the cloud, or upgrading business processes to make them totally digital, or innovating new products and services to drive future growth – we’re still back to operational risk, and therefore to cybersecurity.

The tension that’s going to emerge (that probably has already emerged at many enterprises) is how management balances the drive for innovation in business operations with the need for strong cybersecurity. That will be true whether we’re talking about internal operations to boost efficiency, or customer-facing operations such as product development to drive more revenue.

For example, consider the innovations that OCC report lists in banking:

Examples of areas of continuing innovation include faster and real-time payment products, increased use of mobile and digital technologies to deliver financial services, application programming interfaces, data aggregation services, and contactless payment devices. Distributed ledger technology and digital assets, including stablecoins and other crypto-assets, may broaden delivery channels and the functionality of financial services.

Yes, if a bank could successfully deliver on all those ideas, the benefits would be enormous: faster transactions, higher customer satisfaction, lower support costs for legacy IT, lower real estate costs for physical branches, and more. But the cybersecurity and privacy challenges swirling around those possible innovations – they boggle the mind. They’re also the things the enterprise of the 2020s will need to tame if it wants to survive.

What Becomes Important

I often try to think about emerging issues in risk and compliance by asking, “What capabilities will an organization need to have to solve these problems two to five years in the future? What becomes more important to have, or to be able to do?” That’s a useful exercise here, too.

First, you’ll need more tools and techniques to support transparency into your supply chain. You’ll need to know…

• Who those suppliers are;
• What they supply to your organization;
• The criticality of those services to your own operations;
• Which IT systems of your enterprise they might access;
• The cybersecurity posture of those suppliers, with increasingly better assurance into that posture depending on the sensitivity of the systems they access at your enterprise.

That’s partly a technology problem, and I’m sure any number of GRC vendors would be happy to talk with you about how to solve it. It’s also partly a process problem, which you’ll need to solve yourself. For example, you’ll need contract language to assure that vendors will cooperate with you on these issues, and then mechanisms to assure that your own employees actually put that language to proper use.

Second, you’ll need better risk assessment capability for whatever innovations the First and Second lines of defense want to introduce. For example, if your business wants to move from an in-house sales force to a network of third-party sales people who access corporate data through an online portal – that’s a significant innovation to both lines of defense simultaneously. The CISO, compliance officer, privacy officer, head of sales, and IT director will all need to participate in an assessment of the risks there, and you’ll need robust remediation and documentation systems to assure that everyone knows what they’re supposed to do to address the risk, and then does it.

But third, and perhaps most important: compliance and audit executives will need superb communication skills to work with senior management and the First Line of Defense, to explain to them why your role is so relevant in the modern world.

So often we see voices out there stressing that compliance and audit executives must “know the business.” I would take it further: you need to know why cybersecurity and compliance are so important to the business, and explain that importance in practical terms.

No longer is the answer a simplistic, “We’ll be fined if we don’t do this!” It’s more like, “This technology that could make us rich will also derail us, if we don’t understand how it truly works and how to channel it through the real world of cybersecurity and compliance risks everywhere!”

I’m not saying any of this will be easy. But there are worse problems a profession can have than being crucial to the success of large enterprises for years to come.

7 STEPS TO AGILE RISK MANAGEMENT IN THE AGE OF DISRUPTION

The face of risk has never been more amorphous and elusive. Because the same technologies driving the digital revolution – AI, machine learning, and 5G – are also elevating the sophistication of cyber attacks.

SolarWinds underscored the obsolescence of traditional, reactive approaches to risk management. And the pandemic shattered the paradigm altogether.

Agility is the answer to modern risk management, and it can’t live in a static document or spreadsheet. Your organization’s best defense against the ever-shifting risk landscape is a comprehensive and evolving risk management plan.

See how to create an adaptive plan for risk management in this eBook:

• 10 major risk categories to track
• 6 key elements every risk management plan should cover
• The simple equation for calculating risk (even novel ones)
• 7-step process for devising an agile risk management plan
• Plus, how to expertly pivot in the face of completely unanticipated threats

Reciprocity is honored to be named to the 2021 Deloitte Technology Fast 500™ list of the 500 fastest-growing technology, media, telecommunications, life sciences, fintech, and energy tech companies in North America. Reciprocity grew 352% during this period.

Reciprocity’s Executive Vice President of Product, Michael Maggio, credits this growth to the fact that the market is realizing they need to do even more to mitigate potential risks to their businesses. On average, it takes 280 days to discover and remediate a breach, leading to loss of millions of dollars each year. He explained, “Reciprocity’s ZenGRC platform not only offers infosec teams with an innovative, easy-to-use compliance solution, but also connects the information collected during compliance efforts to enable companies to identify and mitigate their business risk.”

“Each year the Technology Fast 500 shines a light on leading innovators in technology and this year is no exception,” said Paul Silverglate, vice chair, Deloitte LLP and U.S. technology sector leader. “In the face of innumerable challenges resulting from the pandemic, the best and brightest were able to pivot, reinvent and transform and grow. We celebrate the winning organizations and especially the talented employees driving their success.”

“The pandemic has underscored the urgent need for tech solutions in a variety of areas across health care, fintech, energy tech, entertainment, to name a few, so reliance on innovators like the winners of the Technology Fast 500 is more important than ever,” said Christie Simons, partner, Deloitte & Touche LLP and industry leader for technology, media and telecommunications within Deloitte’s audit & assurance practice. “These companies are not only at the cutting edge, transforming the way we do business, but most importantly, recognize the strategic importance of ongoing innovation, especially in the ever-changing world of technology.”

Now in its 27th year, the Deloitte Technology Fast 500 provides a ranking of the fastest-growing technology, media, telecommunications, life sciences, fintech, and energy tech companies — both public and private — in North America. Technology Fast 500 award winners are selected based on percentage fiscal year revenue growth from 2017 to 2020.

In order to be eligible for Technology Fast 500 recognition, companies must own proprietary intellectual property or technology that is sold to customers in products that contribute to a majority of the company’s operating revenues. Companies must have base-year operating revenues of at least US$50,000, and current-year operating revenues of at least US$5 million. Additionally, companies must be in business for a minimum of four years and be headquartered within North America.

Learn more about Reciprocity’s ZenGRC platform and how it’s helping companies identify and mitigate their business risk.

Broadly speaking, threat intelligence monitoring is an organization’s ability to observe and understand various threats to its IT operations and confidential data in the company’s possession. This includes monitoring external threats to your business (say, cyber attackers looking for potential targets) and internal evidence that an attack may have already happened (for example, malware found on computer servers).

Understanding your threat landscape is important. The average cost of a single data breach in 2021 shot up to $4.24 million. Some analysts say ransomware costs worldwide could rise to $265 billion by 2031. These are all serious threats and risks that can affect the business continuity, financial stability, and reputations of all kinds of organizations.

What Are Threat Intelligence and Threat Intelligence Monitoring?

Threat Intelligence

Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets.”

In other words, threat intelligence is more than raw data about threat actors’ motivations, capabilities, and possible indicators of compromise (IoC). Threat intelligence adds context to this data to produce rich, actionable information so that organizations can prevent or mitigate cyberattacks and improve their defense strategy.

Real-time threat intelligence helps security analysts to identify a breach as soon as one occurs and to respond more quickly to security incidents. Threat intelligence can also identify known malware, viruses, and exploits used in previous attacks.

A threat intelligence program is beneficial for:

• Incident triage and response
• Risk analysis
• Security or IT operations
• Fraud prevention
• Third-party or supply chain risk mitigation
• Vulnerability management
• Cybersecurity decision-making

Threat Intelligence Monitoring

A threat intelligence monitoring solution allows security professionals to find and address security threats that may lead to cyberattacks or data breaches; compromise corporate assets; or result in financial, reputational, or compliance-related losses. For this, analysts use threat intelligence to analyze, assess, and monitor enterprise assets continuously.

What Are the Types of Threat Intelligence?

There are three types of threat intelligence, each with its own purpose and aimed at a specific audience.

Strategic Threat Intelligence

Audience: Business decision-makers such as C-suite leaders, senior managers, board of directors.

Strategic threat intelligence provides a holistic view of the organization’s threat landscape. It shows the potential impact of long-term, large-scale cybersecurity events on enterprise security posture.

This intelligence, which is less technical, helps senior executives to make better business decisions about cybersecurity investments. It requires a lot of research to produce high-level intelligence reports that are actionable. Analysts typically use automation or machine learning-based data analysis solutions.

Operational Threat Intelligence

Audience: CSIRT (computer security incident response team), SOC analysts, vulnerability management team, threat hunters.

Operational threat intelligence helps analysts and response teams to understand the functional aspects of cyber threats — particularly the tactics, techniques, and procedures (TTPs) of threat actors. This technical information helps analysts to streamline and improve cybersecurity operations to protect the enterprise.

Tactical Threat Intelligence

Audience: System architects, SOC analysts, SIEM (security information and event management teams.

Tactical threat intelligence has a short-term focus. It provides information about specific attacks and campaigns, enabling security teams to detect threats, prevent or mitigate potential attacks, improve incident response, and boost the effectiveness of existing security controls.

5 Ways to Know If You Have Been Hacked

Most cyber attack and data breach incidents leave some sort of evidence that allows security teams to prevent the attacks, or at least to minimize the damage.

Here are five warning signs that may indicate an attack or hack:

Unexpected File Changes

Unexpected or sudden changes to document names often indicate a breach. To prevent the adversary from causing further damage, it’s vital to change all company passwords immediately and install encryption software (if it’s not already installed).

Spam Emails Coming from Company Accounts

In spam emails, the “from” address mimics a legitimate sender, but a close look can help distinguish between spam and genuine emails. If spam emails start coming from company accounts, however, that almost always indicates a hack. Security teams should immediately change passwords and install multi-factor authentication to minimize damage.

Unexpected Installations and Random Pop-ups

Hackers frequently install malware, adware, spyware, and ransomware after gaining access to a company’s network. That’s why unexpected apps or add-ons that the IT team did not install or approve could indicate a breach.

Short of blocking every external application or open-source add-on, the only way to address this problem is to check all devices regularly with automated scanners for unauthorized software or toolbars and then remove those items immediately.

Redirected Internet Searches

Cybercriminals often redirect legitimate browser searches to malicious websites so the thieves can steal data from users or make money via user clicks. Again, the only way to solve the problem is to check devices and endpoints regularly for suspicious installations and remove them.

Data Leaks

When confidential company information appears on an online data dump (usually on the dark web), that is a sure sign of a breach. Once the data is already in cyberspace, the company can do nothing to prevent its spread. Security teams, however, can (and should) do a full audit of all security procedures, policies, and infrastructure to prevent a recurrence.

What Are the Benefits of Threat Intelligence Monitoring?

Improve Security Posture

A threat intelligence monitoring solution is an active software program. Security teams can use this solution to gather threat intelligence and convert that information into actionable insights to improve the organization’s security posture.

Moreover, a strong cybersecurity posture is directly related to real-time monitoring and remediation. For this, threat intelligence and a threat intelligence monitoring solution are both crucial.

Prevent Attacks

Threat intelligence enables security analysts and response teams to identify the signs of attack highlighted in the previous section. They can make better security decisions because they understand the attackers and cyber threats.

Specifically, threat intelligence monitoring provides timely warnings on existing or evolving threats, reveals previously unknown threats, prioritizes security vulnerabilities, triages security incidents, and improves investigation and remediation.

Find Evidence of New Threats

Threat intelligence monitoring continuously and consistently analyzes, evaluates, and monitors enterprise IT assets to find evidence of security threats. Once it identifies a threat, it issues an alert and can even stop the threat from damaging or compromising enterprise resources. It can also contain and eliminate in-progress cyber attacks.

Highlight and Deter Advanced Persistent Threats and Zero-Day Attacks

Monitoring software can highlight advanced persistent threats (APTs) against the organization. This visibility allows security personnel to seek out open vulnerabilities that attackers may exploit, and fix them quickly.

These solutions can even identify and prepare for emergent malware or ransomware threats posted on hacker forums, as well as potential zero-day attacks. They can then incorporate strong defensive controls in the cybersecurity ecosystem.

Learn from Threats to Other Organizations

The best solutions go beyond threats facing the organization itself. By assessing threats and vulnerabilities facing other organizations, security teams can find commonalities and then raise alerts. Companies can then take action to address these vulnerabilities highlighted by an attack on another company.

How Does Threat Intelligence Monitoring Work?

The cyber-threat landscape is constantly expanding, so organizations are now faced with a plethora of threats, threat actors, and threat tools. To stay ahead of these challenges, security professionals must shore up defenses for existing threats, as well as emergent or evolving threats. This is where threat intelligence monitoring solutions are critical.

Such a tool automatically collects threat data from various sources and formats. Then it consolidates, normalizes, and enriches this data, so organizations can effectively identify current and potential security gaps. Security teams can then take quick action to prevent a cyber-attack or be prepared to minimize the damage if it does occur.

Once the solution identifies a threat, it issues an alert. Security incident and event management (SIEM) teams check these alerts and take the necessary actions to address the threat. The software removes duplicate information and false positives, allowing teams to focus on real threats instead of wasting time on false ones.

Smart threat monitoring solutions don’t just provide “snapshot,” which nowadays are inadequate and incomplete views of cyber threats. Instead, they constantly scan for risks and threats to the organization and its third-party ecosystem, and provide the most up-to-date security intelligence at any moment in time.

Advanced monitoring tools also perform cyber threat surveillance to monitor business-critical cybersecurity KPIs and metrics continuously, and to deliver actionable security intelligence early before attackers can exploit them.

Make ZenGRC Part of Your Information Security Plans

If your security team is struggling to get visibility into your threat and risk landscape, ZenGRC can help. With this multifaceted platform, you can identify the security risks across the entire enterprise and see where these risks are changing.

Leverage detailed information about the critical risks, threats, and vulnerabilities affecting your organization. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.

To see how ZenGRC can support your goal of a more robust cybersecurity posture, schedule a free demo today.