Reusing passwords can be a major security risk
A recent report from risk management firm Digital Shadows revealed that cyber criminals extensively use stolen passwords and other credentials to access various platforms and websites.
Their report “Protect Your Customer and Employee Accounts: 7 Ways To Mitigate The Growing Risks Of Account Takeovers” lays out the steps every organisation can take to avoid being victimized by a hacker.
According to this report, hackers most often use credential stuffing tools to gain access to an account. This is known as a “brute force attack,” or an attack in which hackers systematically guess an enormous number of passwords with the hope of eventually guessing the correct one. The gaming, technology, retail, and broadcasting sectors are the usual targets of such an attack.
Last year, Digital Shadows noted that 97% of the companies listed on the Forbes 1000 list have unknowingly exposed their sensitive information. They added that the major cause of these exposures was employees using the same credentials across every platform and website. Many employers have not properly trained their employees in cybersecurity, and those employees often have poor usernames and passwords. This can lead to criminals gaining access to sensitive corporate information.
Rick Holland is the VP Strategy at Digital Shadows. He said that there are multitudes of organisations that suffer from breach fatigue and failures. Hackers can often guess credentials for websites such as Dropbox, LinkedIn, or Facebook, and use that information to access a variety of different accounts belonging to the same person. He added that it is necessary for businesses to prepare for these threats by intelligent and insightful management of major digital risks. This can prevent the problem of exposed and overused credentials.
The report also says that multi-factor authentication (MFA) can assist in the fight against account takeovers. MFA is a security system that requires more than one method of authentication to verify a user’s identity. But MFA cannot single-handedly solve the problem.
Holland says that organisations have to be prepared for digital brute force attacks like credential stuffing.
How to defend against credential stuffing:
1. Monitor leaked credentials of your employees. Make them aware of this. Use Troy Hunt’s https://www.haveibeenpwned.com so that you can be alert when such breaches occur.
2. Use Google Alerts to see if your company is mentioned on a cracking forum.
3. Monitor leaked credentials of your customers and train them on how to monitor themselves.
4. Enhance user awareness by educating staff and consumers against using the same passwords across different websites.
5. Understand how credential stuffing tools and attacks work. Know the recent developments in credential stuffing. Make sure your defenses and security plan are prepared to deal with such an attack.
6. Implement MFA that does not rely on SMS. But make sure that your implementation does not hinder the sign-in process.
7. Deploy a Web Application Firewall. You can use WAFs to recognize and block credential stuffing attacks.
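To make items 5 and 7 concrete, here is an added example (not from the Digital Shadows report or the original article) of the kind of rule a WAF or log pipeline can apply: it separates credential stuffing (one source, many accounts, mostly failures) from repeated guessing against a single account. The log format, thresholds, IP addresses and usernames are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """'ISO-timestamp source-ip username OK|FAIL' -> (time, ip, user, ok)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect(lines, window=timedelta(minutes=5), min_attempts=10,
           min_users=10, min_fail_ratio=0.8):
    """Label source IPs whose recent logins mostly fail (thresholds are assumptions)."""
    recent = defaultdict(deque)          # ip -> attempts inside the sliding window
    alerts = {}
    for ts, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, user, ok))
        while q[0][0] < ts - window:     # drop attempts older than the window
            q.popleft()
        fails = sum(1 for _, _, was_ok in q if not was_ok)
        if len(q) < min_attempts or fails / len(q) < min_fail_ratio:
            continue
        users = {u for _, u, _ in q}
        if len(users) >= min_users:      # many accounts, one source: stuffing
            alerts[ip] = "credential_stuffing"
        elif len(users) == 1:            # one account, many guesses
            alerts.setdefault(ip, "password_guessing")
    return alerts

def accounts_to_reset(lines, alerts):
    """Accounts that logged in successfully from a source flagged for stuffing."""
    return {user for _, ip, user, ok in map(parse, lines)
            if ok and alerts.get(ip) == "credential_stuffing"}

def sample_log():
    """Constructed log lines; IPs are documentation ranges, usernames are made up."""
    t0, lines = datetime(2024, 1, 1, 10, 0, 0), []
    def add(sec, ip, user, res):
        lines.append(f"{(t0 + timedelta(seconds=sec)).isoformat()} {ip} {user} {res}")
    for i in range(12):                  # 12 different accounts, one hit
        add(5 * i, "203.0.113.7", f"user{i:02d}", "OK" if i == 8 else "FAIL")
    for i in range(15):                  # repeated guesses against one account
        add(2 * i, "198.51.100.9", "admin", "FAIL")
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):   # ordinary typo, then success
        add(20 * i, "192.0.2.5", "carol", res)
    return lines

if __name__ == "__main__":
    log = sample_log()
    found = detect(log)
    print(found, accounts_to_reset(log, found))
```

Counting per source IP misses attempts spread across many addresses, so a production rule would also group by other request attributes. Any account returned by `accounts_to_reset` logged in with a reused password and should be forced through a reset.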
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.