Dark Reading is part of the Informa Tech Division of Informa PLC

Endpoint

4/28/2020
02:00 PM
Tony Howlett
Commentary
Increased Credential Threats in the Age of Uncertainty

Three things your company should do to protect credentials during the coronavirus pandemic.

In these strange times, companies face increased and expanded cybersecurity threats. Enterprise security perimeters expanded dramatically almost overnight as both employees and vendor reps began working from their homes. Threat actors are using the pandemic to craft new, devious phishing and social engineering campaigns with which to lure your staff. And during extreme events such as a pandemic, employees or former employees are more likely to go rogue because of financial distress. This already outsized threat is magnified further for third parties accessing your network.

With the uncertainty that the COVID-19 pandemic has brought into the world, it's likely that some internal employees may think to sell their login credentials. The value of credentials of all kinds has been rising every year, with healthcare logins topping the list at $500 per record, according to a VMware study. However, an internal employee has only one credential to sell, which provides external hackers with little value unless they are able to move laterally and infect other machines. Additionally, the employee would need the technical knowledge to get onto the Dark Web, navigate the depths of its many murky marketplaces, and take payment in Bitcoin.

Even internal administrators have only one credential to sell. Hackers like to buy wholesale and in bulk. Think about it — they take the same risk in making a transaction whether they buy one credential or 1,000, yet the latter is infinitely more valuable to them.

This is why your vendors, particularly technology vendors, represent the greatest risk in terms of credential theft and sale. A rep for such a vendor may have access to hundreds or even thousands of companies, often at a privileged level. This means that a technical rep holds a very valuable asset and might be tempted to monetize it in these scary times. And the damage that one person with this power can do to each of his or her enterprise customers is immense.

Now, the vast majority of technology vendors and their employees are never going to violate their customers' trust, in good times or bad. But the fact remains that in desperate times, some people do desperate things, and that includes your vendors' employees.

Enforce Single Sign-on
Having your vendors credentialed through a single sign-on (SSO) system makes removing them quickly when they are terminated much easier. Typically, this requires having them in your internal directory service, which can add management overhead when onboarding them. You can add a further level of protection and streamline the process by federating authentication to your vendor's directory system. This has the added benefit of making the removal of terminated vendor reps almost real time, because companies typically remove employees from their directory service immediately upon the end of employment.

Ensure Credential Vaulting
Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, can provide a key roadblock for users of stolen credentials. [Editor's note: The author's company is one of a number of vendors that sell VPAM systems.] These systems keep all privileged credentials in an encrypted vault and never allow users to see the actual login information. Instead, a user checks out the right to use a credential; the check-out is logged, and the system then passes the encrypted credential to the appropriate target and initiates the login for the user automatically.

This keeps a key credential from being stolen because the user never had the login information in the first place. Vaults also provide valuable usage and tracking information for all your privileged logins, for use in monitoring and audit efforts.

Implement a Vendor Management Platform
A strong defense against third-party credential abuse is an integrated vendor management system that provides controls and protections at each step of the process. VPAM is designed to treat vendors differently from internal users at each stage of access: identification, onboarding, authentication (credential vaulting), authorization (granular least privilege), monitoring (detailed logs, including video capture and keystrokes of vendor sessions), and instant offboarding. These systems provide all the key controls you need to limit vendor and third-party risk from credential abuse and theft, both during crisis times and in normal operations, all in a single platform.
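The three controls above (federated identity, vaulted check-out with logging, least-privilege scope, and instant offboarding) combined in one small Python model. This is an added example, not code from the author or from any VPAM product; the class name VendorAccessBroker, the in-memory directory dict, and the sample credential are constructed assumptions, and a real vault would encrypt entries at rest and launch the target session itself.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class VaultEntry:
    target: str
    secret: str   # lives only inside the broker; never returned to a user
    scopes: set   # vendor groups allowed to use it (least privilege)

class VendorAccessBroker:
    """Check-out broker federated to the vendor's own directory (constructed model).
    `directory` maps rep_id -> set of groups; a rep removed there loses access at once."""
    def __init__(self, directory, ttl_seconds=900):
        self.directory = directory
        self.ttl = ttl_seconds
        self.vault = {}      # cred_name -> VaultEntry (encrypted at rest in a real vault)
        self.sessions = {}   # opaque handle -> (rep, cred_name, expiry)
        self.audit = []      # every check-out / connect attempt, success or denial

    def store(self, cred_name, target, secret, scopes):
        self.vault[cred_name] = VaultEntry(target, secret, set(scopes))

    def checkout(self, rep, cred_name, now=None):
        now = time.time() if now is None else now
        groups, entry = self.directory.get(rep), self.vault.get(cred_name)
        if groups is None:
            self.audit.append((now, rep, cred_name, "DENY:not-in-vendor-directory"))
            raise PermissionError("rep is not active in the federated directory")
        if entry is None or not (groups & entry.scopes):
            self.audit.append((now, rep, cred_name, "DENY:out-of-scope"))
            raise PermissionError("rep's groups are not authorized for this credential")
        handle = secrets.token_urlsafe(16)
        self.sessions[handle] = (rep, cred_name, now + self.ttl)
        self.audit.append((now, rep, cred_name, "CHECKOUT:" + handle))
        return handle        # the user receives a handle, never the secret

    def connect(self, handle, now=None):
        now = time.time() if now is None else now
        rep, cred_name, expiry = self.sessions.get(handle, (None, None, 0))
        if rep is None or now > expiry or rep not in self.directory:
            self.sessions.pop(handle, None)
            raise PermissionError("handle expired, revoked, or rep offboarded")
        entry = self.vault[cred_name]
        self.audit.append((now, rep, cred_name, "CONNECT:" + entry.target))
        return f"session({rep}@{entry.target})"  # broker performs the login itself

    def offboard(self, rep):  # mirrors the vendor deleting the rep from their directory
        self.directory.pop(rep, None)
        self.sessions = {h: s for h, s in self.sessions.items() if s[0] != rep}
```

Removing a rep from the directory dict is the federated case: the next `connect` with an already issued handle is refused, so no re-check of your own directory is needed.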

Whichever strategy and tool set you choose, make sure you also update key policies such as your incident response and business continuity plans, your education programs, and other communications, so that your new efforts integrate with your existing programs and controls for third-party risk management.


Tony Howlett is the Chief Information Security Officer at SecureLink where he is working to make vendor privileged access secure and efficient. Previously, Tony was Chief Technology, Security, and Privacy Officer at Codero where he first learned about the issues and ...