Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/28/2020
02:00 PM
Tony Howlett
Tony Howlett
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Increased Credential Threats in the Age of Uncertainty

Three things your company should do to protect credentials during the coronavirus pandemic.

In these strange times, companies face increased and expanded cybersecurity threats. Enterprise security perimeters expanded exponentially almost overnight as both employees and vendor reps work from their homes. Threat actors are using the pandemic to create new devious phishing and social engineering campaigns with which to lure your staff. And during extreme events such as a pandemic, it is more likely that employees or former employees could go rogue because of financial distress. This oversized, increased threat is even more magnified for third parties accessing your network.

With the uncertainty that the COVID-19 pandemic has brought into the world, it's likely that some internal employees may think to sell their login credentials. Values of credentials of all kinds have been rising every year, with healthcare logins topping the list at $500 per record according to a VMware study. However, if an internal employee only has one to sell, this would provide external hackers with little value unless they were able to go lateral and infect other machines. Additionally, they'd have to have the technical knowledge on how to go on the Dark Web, navigate the depths of its many murky marketplaces, and be able to take payment in Bitcoin.

Even internal administrators have only one credential to sell. Hackers like to buy wholesale and in bulk. Think about it — they take the same risk in making a transaction to buy one credential versus 1,000, except that the latter is infinitely more valuable to them.

This is why your vendors, particularly technology vendors, represent the greatest risk in terms of credential theft and sale. A vendor rep for those companies may have access to hundreds or even thousands of companies, often at a privileged level. This means that a technical rep has a very valuable asset and might be tempted to monetize that asset in these scary times. And the damage that one person can do with this power to each of his or her enterprise customers is immense. 

Now, the vast majority of technology vendors and their employees are never going to violate their customers' trust, in good times or bad. But the fact remains that in desperate times, some people do desperate things, including your vendor's employees.

Enforce Single Sign-on
Having your vendors credentialed through a single sign-on (SSO) system makes removing them quickly when they are terminated much easier. Typically, this requires having them in your internal credential directory services which can require additional management overhead in onboarding them. You can add an additional level of protection and streamline the process by federating the authentication process down to your vendor's directory system. This has the added benefit of making the removal of terminated vendor reps almost in real time because companies typically remove employees from their directory service immediately upon the end of employment.

Ensure Credential Vaulting
Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, can provide a key roadblock for users of stolen credentials. [Editor's note: The author's company is one of a number of vendors that sell VPAM systems.] These systems basically keep all privilege credentials in an encrypted vault, never allowing users to see the actual login information. It allows them to check out the right to use it, which is logged and then passes the encrypted credential to the appropriate system, initiating the login for the user automatically.

This can keep a key credential from being stolen because they never had the login information in the first place. They also provide valuable usage and tracking information for all your privileged logins for use in monitoring and audit efforts.

Implement a Vendor Management Platform
A strong defense against third-party credential abuse is an integrated vendor management system that provides controls and protections at each step of the process. VPAM is designed to treat vendors differently than internal users at each stage of access; identification, onboarding, authentication (credential vaulting), authorization (granular least privilege), monitoring (detailed logs with video capture and keystrokes of vendor sessions), and instant offboarding. These systems provide all the key controls you need to limit vendor and third-party risk from credential abuse and theft, both during crisis times and normal operations, all in a single platform.

Whichever strategy and tool set you choose, make sure you also tweak your key policies such as your incident response and business continuity plans, your education programs, and other communications in order to integrate your new efforts with your existing programs and controls for third-party risk management.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Tony Howlett is the Chief Information Security Officer at SecureLink where he is working to make vendor privileged access secure and efficient. Previously, Tony was Chief Technology, Security, and Privacy Officer at Codero where he first learned about the issues and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
CVE-2020-15008
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...