High-profile data breaches in recent years have created a new and rapidly emerging high-risk reality that businesses must be made aware of, and which can no longer be ignored. This high-risk reality is the creation and accessibility of huge data lakes containing billions of leaked credentials for sale on the dark web, credentials that provide exact-match access to many organizations' sensitive data and corporate intellectual property.
Since the beginning of 2017, the industry has experienced a sharp spike in data breaches leveraging compromised credentials. Verizon's 2017 Data Breach Report indicated an 18% spike in data breaches leveraging weak and/or stolen passwords compared to the already high 63% the previous year.
To ignore this risk is to create peril for organizations, much like we have seen recently with the Equifax breach, where a high-risk vulnerability was known but Equifax chose to do nothing about it. The stakes involving compromised and leaked credentials are exactly that high.
MFA? VPN? Strong Password Policies? That Unfortunately Is Still Not Enough!
Mandatory multi-factor authentication (MFA), virtual private networks (VPN) and a strong and resilient password policy approach that mirrors recently revised NIST recommendations (see section 188.8.131.52) are now the minimum standards that organizations should follow to better secure the enterprise. But even these approaches can no longer provide 100% protection as it relates to authentication and authorization within the enterprise.
Why? Cyber criminals and nation-state actors have access to massive databases of leaked credentials which are already being used as weapons against the enterprise, critical infrastructure and even democracy itself. There are very few cases when MFA solutions are deployed consistently across sensitive assets, or on by default. Using a credential verification service such as CredVerify™ complements MFA and contextual authentication strategies.
Leaked credentials have become the holy grail of dark web possession: one set of credentials to rule all other forms of perceived authentication and access protection. The broad application of leaked credentials against an individual or organization stems from the easy access to such credentials and the high degree of success when they are used.
With this new reality of stolen and compromised credentials, organizations must take active measures to detect and verify them, or be prepared to face the consequences.
Detect & Verify Compromised Credentials
As organizations learn more about and increase the adoption of credential verification services, what are the levels of risk that need to be considered to begin protecting against this threat?
Let’s consider two risk levels.
| Level of Risk | When | Where | Action Taken |
|---|---|---|---|
| Level 1 | When a compromised account and password are linked to the organization's identity context | During login and self-service password reset | Force change password; step up authentication; revoke user access |
| Level 2 | When a compromised password or account is known to be breached | Risk score, user and org dashboard | Assess degree of risk; display a warning |
Level 1 Scenario: When a compromised credential is linked to identity context
In this scenario, the detection of leaked credentials is based on a match of the username and the password together. This is the preferred scenario, as it eliminates false positives and can deliver a high level of automation. The outcome of the detection is a binary response showing which accounts from the organization's credential store are up for grabs on the dark web and can be used at any time to launch an attack.
The best-in-class solutions store the encrypted userID and password pairs for comparison. Without the identity context, e.g. using only a password list, you would display 2-6x more unnecessary warnings to users compared to using our service.
Checking the username and password during login using a credential verification service such as CredVerify™ provides the highest level of confidence that the user's credentials are safe. In this case, credentials are compared as part of the authentication workflow. If a leaked username and password pair is detected, your policy engine may automate the remediation step, which can include immediately forcing the user to change his or her password or forcing a step-up authentication, thus blocking unauthorized access attempts and potentially preventing the data breach from happening in the first place.
Level 2 Scenario: When a compromised password or account is known
In this scenario, the detection of leaked credentials is based on a comparison of the username only and additional contextual information about the breach is used to limit the false positives.
This scenario is used when the organization cannot use passwords for detecting leaked credentials. Instead, leaked usernames and metadata from breach data and other contextual attributes can be used as indicators of risk of compromised credentials.
Even though the comparison is based only on the username, the match still matters, because users do reuse passwords across services:
- Based on a SecureAuth study, 81% of Americans use the same password for at least two of their accounts.
- In benchmark tests we performed in our lab, we found that between 15-40% of a typical company’s credentials already exist in our database.
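The two scenarios above, the Level 1 username-and-password pair match during login and the Level 2 username-only match with breach metadata, combined into one login-time policy check. This is an added illustration, not CredVerify™ code or any VeriClouds API; the keyed-hash storage of the pairs, the breach metadata fields, the risk-score weights and the sample corpus are all assumptions constructed for the example.

```python
"""Illustrative credential-verification check for a login flow.

Constructed example: not CredVerify and not VeriClouds code. Shows how a
Level 1 (username + password pair) match drives automated remediation while a
Level 2 (username-only) match only produces a risk score and a warning.
"""
import hashlib
import hmac
from enum import Enum

# Assumption: the pair store holds keyed hashes of "username\0password", so the
# corpus is not itself a usable plaintext password list. Key is constructed.
CORPUS_KEY = b"example-corpus-key-not-for-production"


def normalize(username: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' match."""
    return username.strip().lower()


def pair_fingerprint(username: str, password: str) -> str:
    """Keyed hash of the (username, password) pair used for Level 1 lookups."""
    msg = (normalize(username) + "\0" + password).encode("utf-8")
    return hmac.new(CORPUS_KEY, msg, hashlib.sha256).hexdigest()


# Constructed sample corpus (not real breach data).
# Level 1 store: fingerprints of leaked username+password pairs.
LEAKED_PAIRS = {
    pair_fingerprint("alice@example.com", "Summer2017!"),
    pair_fingerprint("bob@example.com", "hunter2"),
}
# Level 2 store: username -> breach metadata only, no passwords kept.
LEAKED_USERNAMES = {
    "alice@example.com": [
        {"breach": "ConstructedBreachA", "year": 2016, "plaintext_passwords": True},
    ],
    "carol@example.com": [
        {"breach": "ConstructedBreachB", "year": 2012, "plaintext_passwords": False},
    ],
}


class Action(Enum):
    ALLOW = "allow"
    WARN = "warn"
    STEP_UP = "step_up_authentication"
    FORCE_PASSWORD_CHANGE = "force_password_change"


def level1_check(username: str, password: str) -> bool:
    """Level 1: exact match of the pair against the leaked-pair store."""
    return pair_fingerprint(username, password) in LEAKED_PAIRS


def level2_risk(username: str, current_year: int = 2017) -> int:
    """Level 2: username-only match scored from breach metadata (0-100).

    Assumed weights: 20 per breach the username appears in, +30 if that breach
    exposed plaintext passwords, plus a recency bonus that decays 5 per year.
    """
    score = 0
    for breach in LEAKED_USERNAMES.get(normalize(username), []):
        age = current_year - breach["year"]
        score += 20
        score += 30 if breach["plaintext_passwords"] else 0
        score += max(0, 25 - 5 * age)
    return min(score, 100)


def decide(username: str, password: str, mfa_available: bool = False):
    """Policy decision to run after the password itself has verified.

    Returns (Action, risk_score). A Level 1 hit is binary and automated; a
    Level 2 hit only raises the score and asks for a warning or step-up.
    """
    risk = level2_risk(username)
    if level1_check(username, password):
        return Action.FORCE_PASSWORD_CHANGE, risk
    if risk >= 50:
        return (Action.STEP_UP if mfa_available else Action.WARN), risk
    if risk > 0:
        return Action.WARN, risk
    return Action.ALLOW, risk


if __name__ == "__main__":
    for user, pw in [("Alice@Example.com", "Summer2017!"), ("carol@example.com", "x")]:
        action, score = decide(user, pw, mfa_available=True)
        print(f"{normalize(user)}: risk={score} action={action.value}")
```

The same `level1_check` is what the self-service password-reset path would call on the proposed new password, so a user cannot reset to a pair that is already leaked. The keyed hash stands in for whatever encrypted storage a real service uses; the point it demonstrates is that only the Level 1 pair match is precise enough to trigger remediation automatically, while the Level 2 username-only match is an indicator that needs a score and a human-visible warning.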
Detecting an organization's compromised credentials is an easy step that can significantly reduce the attack surface of your organization. Organizations can no longer afford to ignore this threat as data breaches continue to increase in frequency, scale and cost. The risks are quite high and cannot be mitigated by any means other than applying rapid due diligence to the issue. As attackers acting against organizations continue to iterate, organizations must do the same in order to counter cyber-attacks.
Detect the compromised credentials in your organization by signing up for a free trial of our premium service, CredVerify™ and gain visibility into dark web threats that can undermine your existing security controls.
Stan has over 16 years of product management experience. He worked on Microsoft Windows and Microsoft Online Services security features. In 2014 he co-founded VeriClouds, the leader in credential verification. The company provides detection of leaked credentials, which helps organizations single out the compromised credentials of their employees or customers before hackers do. VeriClouds uses the same data attackers do, proactively monitoring the dark web and systematically reducing the user-centric risk.