According to Verizon’s 2023 Data Breach Investigations Report, the use of stolen credentials was the most common entry point for breaches last year. The report also states that 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering.
Supporting these findings, IBM’s X-Force Threat Intelligence Index 2024 notes: “For the first time ever, abusing valid accounts became cybercriminals’ most common entry point into victim environments.” The report goes on to explain why we’re seeing such a surge in credentials theft: “Attackers have a historical inclination to choose the path of least resistance in pursuit of their objectives. In this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns.”
Industry data has been backed by frequent real-world headlines of high-profile data breaches caused by stolen credentials. Okta and 23andMe are just two recent examples of cyberattacks with credentials at the core. As these incidents demonstrate, even though credentials are designed to guard against unauthorized access and potential cyber threats, when they aren’t secured properly, they can actually introduce risk rather than mitigate it.
To help organizations secure their credentials against cybercriminals’ increasing and relentless efforts, here are 10 essential measures to consider:
1. Advanced Password Policies: Eliminating passwords should be every organization’s goal, but if that’s not a near-term possibility, implement advanced password policies that exceed traditional standards. Encourage the use of passphrases with a minimum length of 16 characters, incorporating complexity through variations in character types, as well as password changes every 90 days. Additionally, advocate for the use of password managers and passkeys, where possible, and educate end users on the dangers of reusing passwords across different services.
2. Passwordless and Phishing-Resistant Multi-Factor Authentication (MFA): Adopt passwordless MFA technologies, such as Certificate Based Authentication (CBA), FIDO2 security keys, or phishing-resistant mobile apps – all of which offer a higher security level by eliminating password vulnerabilities and significantly reducing the risk of phishing attacks.
3. Dynamic Account Lockout Mechanisms: Employ smart account lockout policies that balance security and user convenience. Use risk-based analysis to adjust lockout thresholds dynamically based on user behavior and threat context, minimizing disruption while preventing brute-force attacks.
4. Encryption and Secure Storage of Credentials: Ensure the encryption of credentials using advanced cryptographic algorithms and manage encryption keys securely with hardware security modules or cloud-based key management services. Implement zero-trust architectures to safeguard encrypted data further.
5. Granular Access Control and Privilege Management: Implement least privilege access controls, which give users only the minimum level of access needed to do their jobs, and regularly audit permissions. Use just-in-time (JIT) and just-enough-access (JEA) principles to dynamically grant access as needed, reducing the attack surface by limiting excessive permissions.
6. Adoption of Secure Authentication Protocols: Leverage modern, secure authentication protocols such as OAuth 2.0 and OpenID Connect for federated identity management. These protocols enhance security by enabling token-based authentication and authorization, reducing the need to store and manage sensitive credentials.
7. Proactive Access Monitoring and Anomaly Detection: Implement sophisticated monitoring technologies that use machine learning to detect anomalous access patterns and potential security breaches in real time. Regularly audit and analyze access logs to identify and respond to threats promptly.
8. Comprehensive Patch Management: Develop a robust patch management strategy that includes automated tools for consistent deployment of updates across all hardware and software. This strategy should prioritize critical security patches and ensure timely application to mitigate vulnerabilities.
9. Cybersecurity Awareness and Training: Foster a culture of cybersecurity awareness through ongoing training programs that highlight the latest threats, including sophisticated phishing scams and social engineering tactics. Use interactive training platforms and simulations to engage employees and reinforce best practices.
10. Continuous Security Assessments and Response Planning: Conduct regular security assessments, such as penetration testing and vulnerability scans, to identify weaknesses. Develop and maintain an incident response (IR) plan that includes procedures for addressing compromised credentials. This will help ensure readiness to respond to and recover from security incidents effectively.
Fortify Defenses for Cyber Resilience
If stolen credentials are the primary way cybercriminals are gaining access to organizations, then it only stands to reason that organizations need to fortify this entry point to keep bad actors out. Implementing these 10 measures will help shut the door on cybercriminals by securing access credentials while reducing the risk of unauthorized access and evolving cybersecurity threats – and that is a winning formula for cybersecurity and cyber resilience.
