In the spirit of National Cybersecurity Awareness Month, we’re running a three-part series on how to shore up identity security and help prevent a data breach. In our first post below, we’ll take a look at how credential theft really works and how to combat it. Stay tuned for guidelines on controlling broad permissions, plus why it’s important to move critical workloads to cloud-based software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) solutions whenever possible.
Although cyberattacks have evolved in their targeting methods and external appearances, they often exploit a familiar set of organizational vulnerabilities. The National Institute of Standards and Technology (NIST) confirms that many data breaches and other cybersecurity failures trace back to a “relatively small number of root causes.”1 Given the relatively predictable patterns in these attacks, cybersecurity professionals often find themselves surprised when yet another garden-variety threat makes news by succeeding with a massive data breach. In these scenarios, hindsight tends to reveal that the attack could’ve been prevented if the affected organization(s) had more carefully followed standard security hygiene practices like patching operating systems and apps or protecting identities by adding multi-factor authentication (MFA).
Beyond timely installation of security patches, identity security best practices constitute another common missed opportunity and represent one of the most important steps toward preventing a compromise. Cyberattacks that have the power to breach data centers and destroy assets sometimes use stolen credentials to access and traverse a secure environment, so it’s crucial to reinforce authentication systems wherever possible. With a better understanding of how credential theft works, we can determine which precautions will be most effective at mitigating it.
Common Credential Theft Techniques
It’s a common misconception that enforcing password length and complexity requirements will do enough to keep credentials secure. A closer look at how credential theft works in practice, though, helps to underscore how password length and complexity alone are often insufficient protection against an attack. In fact, almost all effective methods of credential theft (other than password spray and brute force cracking) involve stealing the user’s exact password rather than randomly