

02:00 PM
Tony Howlett

Increased Credential Threats in the Age of Uncertainty

Three things your company should do to protect credentials during the coronavirus pandemic.

In these strange times, companies face increased and expanded cybersecurity threats. Enterprise security perimeters expanded exponentially almost overnight as both employees and vendor reps began working from their homes. Threat actors are using the pandemic to create devious new phishing and social engineering campaigns with which to lure your staff. And during extreme events such as a pandemic, it is more likely that employees or former employees could go rogue because of financial distress. This heightened threat is magnified further for third parties accessing your network.

With the uncertainty that the COVID-19 pandemic has brought into the world, it's likely that some internal employees may think about selling their login credentials. The value of credentials of all kinds has been rising every year, with healthcare logins topping the list at $500 per record, according to a VMware study. However, an internal employee with only one credential to sell would provide external hackers with little value unless they were able to move laterally and infect other machines. Additionally, the employee would need the technical knowledge to get onto the Dark Web, navigate the depths of its many murky marketplaces, and take payment in Bitcoin.

Even internal administrators have only one credential to sell. Hackers like to buy wholesale and in bulk. Think about it — they take the same risk in making a transaction to buy one credential versus 1,000, except that the latter is infinitely more valuable to them.

This is why your vendors, particularly technology vendors, represent the greatest risk in terms of credential theft and sale. A rep for one of those vendors may have access to hundreds or even thousands of companies, often at a privileged level. This means that a technical rep has a very valuable asset and might be tempted to monetize that asset in these scary times. And the damage that one person can do with this power to each of his or her enterprise customers is immense.

Now, the vast majority of technology vendors and their employees are never going to violate their customers' trust, in good times or bad. But the fact remains that in desperate times, some people do desperate things, including your vendor's employees.

Enforce Single Sign-on
Having your vendors credentialed through a single sign-on (SSO) system makes it much easier to remove them quickly when they are terminated. Typically, this requires having them in your internal credential directory services, which can require additional management overhead in onboarding them. You can add an additional level of protection and streamline the process by federating the authentication process down to your vendor's directory system. This has the added benefit of making the removal of terminated vendor reps almost real time, because companies typically remove employees from their directory service immediately upon the end of employment.

Ensure Credential Vaulting
Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, can provide a key roadblock for users of stolen credentials. [Editor's note: The author's company is one of a number of vendors that sell VPAM systems.] These systems basically keep all privileged credentials in an encrypted vault, never allowing users to see the actual login information. Instead, a user checks out the right to use a credential, which is logged, and the system then passes the encrypted credential to the appropriate target system, initiating the login for the user automatically.

This can keep a key credential from being stolen because the user never had the login information in the first place. These systems also provide valuable usage and tracking information for all your privileged logins for use in monitoring and audit efforts.

Implement a Vendor Management Platform
A strong defense against third-party credential abuse is an integrated vendor management system that provides controls and protections at each step of the process. VPAM is designed to treat vendors differently than internal users at each stage of access: identification, onboarding, authentication (credential vaulting), authorization (granular least privilege), monitoring (detailed logs with video capture and keystrokes of vendor sessions), and instant offboarding. These systems provide all the key controls you need to limit vendor and third-party risk from credential abuse and theft, both during crisis times and normal operations, all in a single platform.
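
The checkout flow from the credential vaulting section, combined with the federated directory check from the single sign-on section and the least-privilege, logging and offboarding stages listed above, as an added Python example (not code from the author or from any VPAM product). The names `VaultBroker`, `TargetSystem`, `is_active` and the sample users, host and password are hypothetical, and a plain dictionary stands in for the encrypted vault.

```python
import secrets
import time

class TargetSystem:
    """Stand-in for a managed host; only the broker ever presents its password."""
    def __init__(self, name, password):
        self.name, self._password = name, password

    def login(self, password):
        if secrets.compare_digest(password, self._password):
            return f"session:{self.name}:{secrets.token_hex(4)}"
        return None

class VaultBroker:
    def __init__(self, is_active):
        self.is_active = is_active  # federated lookup in the vendor's own directory
        self._vault = {}            # target -> (system, password); stands in for the encrypted store
        self._grants = set()        # (user, target) pairs: granular least privilege
        self.audit = []             # one record per checkout attempt, allowed or denied

    def enroll(self, system, password, users):
        self._vault[system.name] = (system, password)
        self._grants.update((u, system.name) for u in users)

    def checkout(self, user, target):
        """Log in on the user's behalf; return a session handle, never the password."""
        if not self.is_active(user):
            result = "denied: not active in vendor directory"
        elif (user, target) not in self._grants:
            result = "denied: no grant for target"
        else:
            result = "allowed"
        self.audit.append({"ts": time.time(), "user": user, "target": target, "result": result})
        if result != "allowed":
            return None
        system, password = self._vault[target]
        return system.login(password)

# Constructed sample data: user names, host name and password are made up.
SAMPLE_PASSWORD = "constructed-example-password"
vendor_directory = {"rep.alice", "rep.bob"}
broker = VaultBroker(lambda user: user in vendor_directory)
broker.enroll(TargetSystem("db01", SAMPLE_PASSWORD), SAMPLE_PASSWORD, users={"rep.alice"})
```

Because the directory is consulted on every checkout, removing a rep from `vendor_directory` blocks the next attempt without any change on the customer side, and the denial still lands in `broker.audit`.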

Whichever strategy and tool set you choose, make sure you also tweak your key policies such as your incident response and business continuity plans, your education programs, and other communications in order to integrate your new efforts with your existing programs and controls for third-party risk management.


Tony Howlett is the Chief Information Security Officer at SecureLink where he is working to make vendor privileged access secure and efficient. Previously, Tony was Chief Technology, Security, and Privacy Officer at Codero where he first learned about the issues and ...
