In late March of this year, Apple and its customers were hit with a startling demand: pay a ransom to a group calling itself the Turkish Crime Family, or face having millions of iPhones, iPads and Macs remotely erased.
It turned out to be largely a hoax, because the Turkish Crime Family had not penetrated the iCloud infrastructure at all. What they had most likely done was assemble a targeted list of Apple ID logins from the vast pools of leaked and stolen credentials readily available on the Dark Web, counting on users who reuse the same password across services.
Leaked Credentials: The Latest Imminent Threat
Leaked credentials are the latest imminent threat on the cybersecurity landscape. Vast databases of them have been assembled from recent massive breaches such as Yahoo!, LinkedIn, Ashley Madison, FriendFinder, MySpace, Dropbox and many others, representing billions of stolen credentials.
These credentials give attackers a ready-made key to your company. All they have to do is find the right combination and try it, which is not hard and is already being done all over the globe: the same email addresses and reused passwords that worked at a breached consumer site are replayed against corporate logins. The threat from this attack vector isn't going away any time soon; it is growing.
Leaked Credentials & GDPR
So, what does this have to do with GDPR? Well… quite a lot.
GDPR (the General Data Protection Regulation) is right around the corner, and article after article describes this new compliance reality for the enterprise. Leaked credentials are directly pertinent to GDPR and carry significant implications and potential consequences for the business.
Leaked credentials intersect GDPR specifically in breach compliance and breach regulation. Almost certainly, some credential combination for your enterprise is already available on the Dark Web; all that remains is for someone to find those keys to the front door, open it, and walk right in undetected.
Tactical Breach Strategy & GDPR
Tactically speaking, enterprise breach strategy and protocol is very new. Companies have only now come to the conclusion that a breach in some form is inevitable (or has already occurred), and therefore that establishing and maintaining a breach protocol is an essential part of any cybersecurity strategy.
At a high level, a leading-practice breach protocol or strategy could look like the following diagram.
Mapping this kind of strategy as a tactical approach to comply with GDPR will be very important work for CISOs to do in the coming months, if they haven’t done so already.
The very best breach compliance is, of course, not to get breached at all. But in the event of a breach, it has to be detected and responded to quickly. GDPR then requires notification: Article 33 obliges the controller to notify the supervisory authority within 72 hours of becoming aware of a personal-data breach unless it is unlikely to result in a risk to individuals, and Article 34 requires communicating the breach to the affected data subjects when it is likely to result in a high risk to them. Once disclosure has taken place, companies must remediate, and then the posture of breach prevention, monitoring and detection takes over again.
GDPR, Risk Aware IAM & Leaked Credentials
If GDPR has shouted anything loudly, it is that companies' IAM and policy enforcement controls need to become more risk aware. If you have been looking to justify implementing or enhancing your Identity Management system, GDPR could easily end up being the best thing to happen to you.
One essential element Identity Management systems must address is password management and password governance. In the coming world of GDPR, with the imminent threat of easy breach through stolen and leaked credentials, adding leaked-credentials intelligence to password management and governance has become practically essential.
Breach Disclosure Short-Circuited Through Leaked Credential Intelligence
When an Identity Management system is augmented with a leaked-credentials threat intelligence service, the prevention, monitoring and detection stages of the breach protocol can catch credential stuffing and credential matching before an attacker gets in, short-circuiting the need for breach notification and disclosure over what would otherwise be the easiest intrusion of all. A password that leaked from a third party is not by itself a breach of your systems; a successful login with it is, and that is the event to prevent.
In terms of breach prevention, passwords detected as already compromised can be mitigated through your IAM system in any number of ways: forced password changes, step-up authentication, account locking and so forth. To deny attackers access through accounts reachable with compromised credentials, all that is needed is to change the password or make the account inaccessible until it is changed. The check should run not only when a password is set but also whenever the intelligence feed is updated, since a credential that was clean yesterday may be in today's dump.
In terms of breach detection, tied into the same intelligence, newly chosen passwords that match compromised credentials can and should be disallowed, and a successful login using a credential that appears in a leak can trigger a real-time alert to the SIEM, with the user stepped up or forced to reset before proceeding.
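The prevention and detection hooks described above, as an added example rather than code from the original post: a local stand-in for a leaked-credentials feed (constructed, made-up data, not real leaks), with passwords bucketed on a 5-character SHA-1 prefix in the k-anonymity style of Have I Been Pwned's Pwned Passwords range API, wired into a toy identity service that rejects leaked passwords at set time, sweeps existing users when the feed updates, and on a successful login with a leaked credential raises a SIEM-style alert and demands step-up ahead of a forced reset. The class and function names (LeakIntel, IdentityService, sweep, demo) are assumptions of this example, not any product's API.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed leaked-credential feed (made-up values standing in for a commercial
# service). Pairs are what combo lists hold; bare passwords are what blocklists hold.
LEAKED_PAIRS = [("bob@example.com", "hunter2"), ("carol@example.com", "Password123")]
LEAKED_PASSWORDS = ["letmein", "qwerty123", "hunter2", "Password123"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LeakIntel:
    """Local stand-in for a leaked-credentials intelligence service (hypothetical)."""

    def __init__(self, pairs, passwords):
        # Passwords indexed by SHA-1 and bucketed on a 5-hex-char prefix: the
        # k-anonymity range scheme, so a caller sends only the prefix and
        # compares suffixes locally without revealing the candidate password.
        self.ranges: dict[str, set[str]] = {}
        # Pairs kept per normalised username so an IAM sweep can re-verify them
        # against its own salted hashes after a feed update.
        self.pairs: dict[str, set[str]] = {}
        self.ingest(pairs, passwords)

    def ingest(self, pairs, passwords=()):
        for pw in [p for _, p in pairs] + list(passwords):
            h = sha1_hex(pw)
            self.ranges.setdefault(h[:5], set()).add(h[5:])
        for user, pw in pairs:
            self.pairs.setdefault(user.strip().lower(), set()).add(pw)

    def range(self, prefix: str) -> set[str]:
        return self.ranges.get(prefix.upper(), set())

    def password_is_leaked(self, pw: str) -> bool:
        h = sha1_hex(pw)
        return h[5:] in self.range(h[:5])

    def leaked_passwords_for(self, user: str) -> set[str]:
        return self.pairs.get(user.strip().lower(), set())


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False
    locked: bool = False


def derive(pw: str, salt: bytes) -> bytes:
    # The IAM's own storage: salted PBKDF2, never the bare SHA-1 used by the feed.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class IdentityService:
    def __init__(self, intel: LeakIntel):
        self.intel = intel
        self.users: dict[str, User] = {}
        self.alerts: list[dict] = []  # stand-in for a SIEM sink

    def _alert(self, **fields):
        self.alerts.append({"source": "iam", **fields})

    def set_password(self, email: str, pw: str):
        """Governance: refuse any password already present in the breach corpus."""
        if self.intel.password_is_leaked(pw):
            return False, "password appears in a known breach"
        salt = os.urandom(16)
        self.users[email] = User(email, salt, derive(pw, salt))
        return True, "ok"

    def sweep(self, policy: str = "reset"):
        """Prevention: after a feed update, find users whose leaked pair still works
        and force a reset (or lock the account) before anyone tries it."""
        hits = []
        for email, u in self.users.items():
            for pw in self.intel.leaked_passwords_for(email):
                if hmac.compare_digest(derive(pw, u.salt), u.pw_hash):
                    if policy == "lock":
                        u.locked = True
                    else:
                        u.must_reset = True
                    self._alert(event="compromised_credential", user=email, action=policy)
                    hits.append(email)
                    break
        return hits

    def login(self, email: str, pw: str, src_ip: str) -> str:
        u = self.users.get(email)
        if u is None or not hmac.compare_digest(derive(pw, u.salt), u.pw_hash):
            return "DENY"
        if u.locked:
            return "LOCKED"
        # Detection: the password is correct *and* known to be leaked, so anyone
        # holding the dump can log in too. Alert in real time and step up.
        if pw in self.intel.leaked_passwords_for(email) or self.intel.password_is_leaked(pw):
            u.must_reset = True
            self._alert(event="login_with_leaked_credential", user=email, src_ip=src_ip)
        return "STEP_UP" if u.must_reset else "ALLOW"


def demo() -> dict:
    intel = LeakIntel(LEAKED_PAIRS, LEAKED_PASSWORDS)
    iam = IdentityService(intel)
    r = {}
    r["weak_rejected"] = iam.set_password("dave@example.com", "letmein")[0]
    r["alice_set"] = iam.set_password("alice@example.com", "Summer2016!")[0]
    r["alice_ok"] = iam.login("alice@example.com", "Summer2016!", "203.0.113.9")
    # A new dump lands containing Alice's pair: the feed updates, the IAM sweeps.
    intel.ingest([("alice@example.com", "Summer2016!")])
    r["swept"] = iam.sweep()
    r["alice_after"] = iam.login("alice@example.com", "Summer2016!", "198.51.100.7")
    r["alerts"] = len(iam.alerts)
    return r
```

The sweep is the part most deployments miss: a feed only helps at login time if the attacker is the next one to log in, whereas re-verifying leaked pairs against your own salted hashes the moment the feed updates closes the account before that happens. The cost is one PBKDF2 derivation per leaked pair that names one of your users, which is cheap at the scale of a real combo list match.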
This kind of posture around password management and credential stuffing matters enormously under GDPR's mandatory breach notification. The 72-hour notification clock runs from the moment the controller becomes aware of the breach, and when supervisory authorities set fines under Article 83 they weigh, among other factors, the duration of the infringement and the technical and organisational measures the controller had in place. An intrusion that ran undetected for months therefore counts against you twice. Mean time to detection is vital, and if breaches are not acted upon in a timely fashion the result can be fatal to a business.
Rapid discovery of breach activity through compromised credentials is next to impossible without leaked-credentials intelligence already integrated into your infrastructure: to every other control, the attacker's login looks exactly like the legitimate user's.
Weak and stolen credentials are an ever-growing threat to business. A new level of risk-aware IAM needs to account for this threat, and prevent, detect and mitigate it, in order to minimize the risk of significant GDPR fines and the erosion of trust and privacy in an increasingly digital world.