Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

12/16/2020
03:00 PM
Raz Rafaeli
Raz Rafaeli
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Corporate Credentials for Sale on the Dark Web: How to Protect Employees and Data

It's past time to retire passwords in favor of other methods for authenticating users and securing systems.

Despite how valuable corporate employees' passwords are and the best efforts of companies to protect their systems, user credentials keep ending up for sale on Dark Web forums. Even with the ever-advancing capabilities of the cybersecurity industry, corporate credentials from all industries appear in these notorious virtual auction halls to be used in a wide range of attacks, from simple phishing to complicated brute-force attacks. 

Even cybersecurity companies are not fully immune to such threats. According to ImmuniWeb research, a staggering 97% of cybersecurity companies have data leaks and other security incidents exposed on the Dark Web.

Related Content:

An Inside Look at an Account Takeover

The Changing Face of Threat Intelligence

MFA Mistakes: 6 Ways to Screw Up Multi-factor Authentication

Moreover, the research revealed that 29% of these stolen passwords are weak, with less than eight characters or without uppercase letters, numbers, or other special characters. About 40% of employees from the 162 companies surveyed reused identical passwords from accounts that had been breached. Note that we are talking about cybersecurity industry employees — so awareness is not the issue here. 

When cybersecurity companies that should be well prepared to protect their employee data fail to do so, it seems that the problem is not the lack of protections around the passwords but rather passwords themselves. The time has come to question the use of passwords as a suitable authentication method. 

High-Severity Account Takeover Exposures on the Rise
Leveraging stolen credentials is the No. 1 tactic used by hackers in recent years due to its relative ease and effectiveness. And since March 2020, the number of high-severity account takeover exposures where corporate credentials with plaintext passwords were exposed has increased by 429%, according to Arctic Wolf.  

The prevalence of credential leaks highlights the impossible task enterprise security teams face. Password reuse on third-party sites beyond the borders of a company's perimeter is the main culprit behind most breaches. Unfortunately, we can't simply wish this problem away. Even though 91% of people know password reuse is insecure, 75% do it anyway, according to LastPass. Apart from nicely asking employees not to have such risky password hygiene, there are limited options for what company security teams can do. 

LastPass also reports that an average employee keeps track of 191 passwords. The reality is that we cannot change human behavior. Humans will always opt for the path of least resistance, and in this case, that means convenience over security. Workers shouldn't be expected to come up with 191 unique login/password combinations that are complex enough to pass the requirements. But that is exactly what many organizations are asking for. 

Addressing the Root Cause: The Password
There's one way to fully eliminate the vast majority of data breaches, ransomware attacks, and other devastating cyber incidents, and that is to stop depending on passwords. Secrets memorized by humans will always leave a huge crack for attackers, so why not eliminate this entirely?

Authentication based on something the user knows (such as a password, passphrase, or PIN code) is easy to steal, share, or reuse. Moreover, it requires constant management and handling by users and IT managers.

Passwordless authentication verifies user identities without relying on memorized secrets. Instead of passwords, identity can be verified based on:

  • A "possession factor," which is an object that uniquely identifies the user, such as a one-time password generator, a registered mobile device, or a hardware token
  • An "inherent factor," such as a person's biometric signature, like a fingerprint, face ID, or retina scan

Passwordless authentication is inherently more secure, offers a better user experience, lowers costs and IT overhead, and offers complete visibility into identity and access management by eliminating the possibility of credential reuse, sharing, or exposure.

We can't expect employees who are overwhelmed with passwords to keep good password hygiene. It is simply humanly impossible. The whole idea of a password is broken, as the unprecedented growth of credential-based attacks shows, and passwordless authentication fixes today's problems, rather than trying to wish them away.

Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus, is a results-driven business executive with more than 25 years of technology and leadership experience in the software, security, semiconductor, and telecom industries. Previously, Raz was the CEO of MiniFrame and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3317
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
CVE-2013-2512
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
CVE-2021-3165
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
CVE-2021-1070
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
CVE-2021-1071
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...