How to Protect Your Company from Credential Leakage
December 18th, 2018
This is why you shouldn’t share your password with anyone.
Whether you're a SysAdmin or CISO, there's a good chance you have recurring nightmares about credential leakage. From an attacker's point of view, a valid username and password is the easiest and most reliable way into a network or system: no exploit is needed, and the activity looks like a normal login. Credentials are obtained through phishing, social engineering, malware, or breaches of third-party sites where employees reused a work password, and are then used directly or sold on the dark web.
Stolen credentials are one of the biggest threats to a company because they provide direct access to protected systems. A username and password are enough to log in to workstations, email, cloud storage, VPNs and internal networks, and the damage can be catastrophic. Good security practices limit the damage that a single set of compromised credentials can cause.
Managing credentials and leakage requires a combination of internal and external strategies to help protect against unauthorized parties accessing your systems.
Internal Security Measures
First things first, you need security policies designed with risk reduction in mind. Your password policy is the foundation of credential security, so make sure it matches your needs. In practice this usually means a handful of policies, one per user group, rather than a single setting for everyone.
Password Expiration
Should someone obtain credentials, expiration caps how long those credentials stay valid. You can apply one policy across all accounts or set policies per user group, for example requiring standard users to change passwords every 90 days while more valuable admin accounts change every 30 days. One caveat: NIST SP 800-63B (2017) recommends against forced periodic rotation on its own, because it pushes users toward predictable variations; expiration is most useful when combined with the history and minimum-age controls below and with forced resets when a compromise is actually detected.
Password History
History stops users from getting around expiration by simply re-entering a previous password: the system keeps the hashes of the last N passwords and rejects any new password that matches one of them. You choose how many passwords N covers.
Minimum Password Age
This is different from expiration, which determines how long a password may be kept before it must be changed. Minimum age sets how long a user must wait after a change before changing again. Without it, history is easy to defeat: a user changes the password N+1 times in a row, pushing the original out of the history, then sets the original again. A minimum age of even one day makes that loop impractical.
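As an added example (not code from the original post or from IntSights), the following Python models the three controls above per user group and shows why history without a minimum age can be cycled through. Group names, day counts and the PBKDF2 settings are assumptions for the demo; in Active Directory the real equivalent is a Fine-Grained Password Policy applied to each group.

```python
"""Password policy evaluator (added example, not from the original post).

Models the three controls discussed above, expiration (maximum age),
history and minimum age, per user group, and shows that history alone
can be cycled through unless a minimum age is set. Groups, day counts
and the PBKDF2 settings are illustrative assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# All ages in days. "weak" is "standard" with no minimum age, to show the gap.
POLICIES = {
    "standard": {"max_age": 90, "min_age": 1, "history": 24},
    "admin":    {"max_age": 30, "min_age": 1, "history": 24},
    "weak":     {"max_age": 90, "min_age": 0, "history": 5},
}


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low for a quick demo; use a much higher one in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    name: str
    group: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # oldest first, newest last
    last_change_day: int = 0

    def set_password(self, password: str, today: int) -> None:
        """Record a new password hash and trim history to the policy depth."""
        depth = POLICIES[self.group]["history"]
        self.history.append(_hash(password, self.salt))
        self.history = self.history[-depth:] if depth else []
        self.last_change_day = today


def is_expired(acct: Account, today: int) -> bool:
    """Maximum age: does the user have to change the password now?"""
    return today - acct.last_change_day >= POLICIES[acct.group]["max_age"]


def change_password(acct: Account, new_password: str, today: int):
    """Enforce minimum age first, then history. Returns (ok, reason)."""
    pol = POLICIES[acct.group]
    if today - acct.last_change_day < pol["min_age"]:
        return False, "minimum password age not reached"
    digest = _hash(new_password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history):
        return False, "password found in history"
    acct.set_password(new_password, today)
    return True, "changed"


def cycle_back(acct: Account, original: str, today: int) -> bool:
    """The trick minimum age exists to stop: burn through the history depth
    with throwaway passwords on one day, then set the original again.
    Returns True if the user ends up back on the original password."""
    depth = POLICIES[acct.group]["history"]
    for n in range(depth):
        ok, _ = change_password(acct, f"Throwaway-{n}!", today)
        if not ok:
            return False
    ok, _ = change_password(acct, original, today)
    return ok


if __name__ == "__main__":
    weak = Account("carol", "weak")
    weak.set_password("Orig-Pass-1!", today=0)
    print("weak group, back on original:", cycle_back(weak, "Orig-Pass-1!", today=10))
    std = Account("dave", "standard")
    std.set_password("Orig-Pass-1!", today=0)
    print("standard group, back on original:", cycle_back(std, "Orig-Pass-1!", today=10))
```

Running the block shows the "weak" group (history but no minimum age) returning to its original password in six changes, while the "standard" group is blocked on the second change of the day.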
Least Privilege
This means limiting what any single account can reach. Don't give employees access to systems or data they don't need for their role, and separate administrative rights into tiers: day-to-day IT work should be done from ordinary or tier-limited admin accounts, and super-admin (domain admin, global admin) accounts should be reserved for the tasks that genuinely require them. A stolen credential then gives the attacker only that account's slice of the environment.
Two-Factor Authentication (2FA)
Requiring a second factor in addition to the password makes a stolen password alone insufficient to log in. This most often takes the form of a short code derived from a secret only the user's device holds, regenerated every 30 seconds or so. There are many ways to implement 2FA, including authenticator apps on smartphones, codes sent via SMS, or hardware keys that are plugged into a computer or display the code on a screen. They are not equal: SMS codes can be intercepted or redirected by SIM swapping, app-generated codes can be phished in real time, and hardware keys that bind to the site (FIDO/U2F) resist both.
These steps limit what an attacker can do with a stolen credential, but they do nothing to tell you that a leak has happened. To protect your company from credential-based attacks, you also need to actively search for your organization's credentials where they surface outside your perimeter.
External Credential Monitoring
Monitor for Stolen Credentials
A key step in proactively protecting your organization from credential leakage is identifying compromised accounts externally. Monitor sources across the clear, deep and dark web for attackers posting or selling credentials from your organization. They typically surface in chatrooms, forums, paste sites, combo lists from third-party breaches, and black market sites.
Disable Compromised Credentials
When you find stolen credentials, the next move is to act on the affected accounts. There are typically two options: disable the account outright, or require the user to change their password at the next login. Which one you choose should depend on the account's privilege and on whether the leaked password is still current.
When it comes to locking down stolen credentials, time is of the essence. Automation is key to ensuring leaked credentials are validated and closed quickly, before they are used against you.
Automate the Process
Monitoring and disabling accounts is a simple concept, but in practice it is nearly impossible for individuals to do effectively by hand. The internet is too vast for one person to watch, and browsing dark web markets carries its own size and risk problems. On the response side, waiting for an administrator to see a ticket and act wastes precious time. An effective solution for protecting credentialed access needs to be automated from discovery through validation to lockdown.
IntSights’ Enterprise Threat Intelligence & Mitigation Platform mitigates the risks of leaked credential attacks by continuously monitoring for compromised credentials, validating them against your Active Directory, and enabling you to reset or lock down those credentials through policies.
Active Threat Monitoring & Alerting
Our platform is constantly searching the entire Internet (clear, deep and dark web) to identify the threats that directly impact you. Add your digital assets to IntSights and leverage your digital footprint to find the threats that are relevant to you.
Filter Out the Noise
Monitoring for any credential that matches your email domain(s) is noisy, because cybercriminals recycle old dumps, and many of the accounts no longer exist or the passwords are long since changed. Stop wasting time chasing these false alarms. Through its AD integration, when IntSights finds possible credentials it automatically verifies them against current user accounts to check whether the credentials are still active. This way you focus only on credible threats that need action.
Not only does IntSights find and notify you of threats, but its integrations also let it automatically take steps to resolve identified problems, including requiring password changes or disabling compromised accounts, so you are protected as soon as a threat appears.
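As an added example that is not IntSights' code, the following Python does the end-to-end triage described under "Monitor for Stolen Credentials", "Disable Compromised Credentials" and "Filter Out the Noise": parse a dump in the mixed formats pastes actually use, keep only your own domains, check each hit against a directory export, and choose an action. The dump lines, domains and directory are constructed; the directory dictionary stands in for a lookup against AD or your identity provider.

```python
"""Leaked-credential triage pipeline (added example, not vendor code).

Steps: parse a dump -> keep our domains -> deduplicate -> validate each
hit against a directory export -> decide an action. Everything below
(domains, accounts, dump lines) is constructed for the demo.
"""
import hashlib
import hmac
import re

OUR_DOMAINS = {"example.com", "corp.example.com"}   # assumption for the demo


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Stand-in for the directory's stored hash; low iteration count for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed directory export keyed by lowercase email. A real check would
# go through AD/LDAP or the IdP's API rather than a local hash table.
DIRECTORY = {
    "alice@example.com":      {"enabled": True,  "admin": False, "salt": b"s1",
                               "hash": _pbkdf2("Winter2018!", b"s1")},
    "bob@corp.example.com":   {"enabled": True,  "admin": True,  "salt": b"s2",
                               "hash": _pbkdf2("CorrectHorse9", b"s2")},
    "carol@example.com":      {"enabled": False, "admin": False, "salt": b"s3",
                               "hash": _pbkdf2("old-password", b"s3")},
}

# Constructed dump (not a real leak): mixed separators, case, spacing, a duplicate,
# a foreign domain and a non-credential line, as paste sites deliver them.
SAMPLE_DUMP = """\
alice@example.com:Winter2018!
Bob@Corp.Example.com;CorrectHorse9
carol@example.com:old-password
dave@example.com:hunter2
alice@example.com : Winter2018!
eve@othercompany.example:Pass1234
# combo list dumped 2018-12, enjoy
"""

LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(.+?)\s*$")


def parse_dump(text: str) -> set:
    """Return a deduplicated set of (email, password); emails lowercased."""
    creds = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            creds.add((m.group(1).lower(), m.group(2)))
    return creds


def triage(creds: set, directory: dict = DIRECTORY, domains: set = OUR_DOMAINS) -> list:
    """Classify each hit and pick an action. Returns (email, finding, action) tuples."""
    findings = []
    for email, password in sorted(creds):
        if email.rsplit("@", 1)[1] not in domains:
            continue                                   # not our organization
        acct = directory.get(email)
        if acct is None:
            findings.append((email, "no_such_account", "ignore"))
        elif not acct["enabled"]:
            findings.append((email, "account_disabled", "ignore"))
        elif hmac.compare_digest(_pbkdf2(password, acct["salt"]), acct["hash"]):
            # Leaked password is the current one: act now. Privileged accounts
            # are disabled outright; standard users get a forced reset.
            action = "disable_account" if acct["admin"] else "force_password_change"
            findings.append((email, "password_current", action))
        else:
            findings.append((email, "password_stale", "notify_user"))
    return findings


if __name__ == "__main__":
    for email, finding, action in triage(parse_dump(SAMPLE_DUMP)):
        print(f"{email:28} {finding:18} -> {action}")
```

Two points a practitioner should carry over from this toy. First, validate against the directory's stored hash or a dedicated API, never by attempting interactive logins with the leaked passwords: that trips lockout thresholds and is indistinguishable from a password-spraying attack in your own logs. Second, "stale" hits are still worth a notification, because a user who reused that old password elsewhere is the next phishing target.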
Request a demo today to see how IntSights protects your company and employees from external threats.