Credentials: Check and Protect

Alex Haynes
CISO Cheshire Datasystems Ltd.

Today, breaches continue unabated at the same alarming rate to which we have grown accustomed. More than 36 billion records were exposed in 2020 alone and that’s only counting those we know about. The real figure will rise far higher. The rate of these data leaks is so frequent that it is hard to track how exposed we are. Can any credentials in these breaches be used against your company? How can you find out? How can you protect credentials? Why should you even check? 

There are two issues at play here. The first is password reuse. This issue is as old as the internet and it will not go away for some time. Humans are not wired to remember long and random alphanumeric strings that are liberally sprinkled with special characters; therefore, most passwords that people use end up being words with a few numbers at the end. Add to this the sheer volume of login and password combinations we are asked for on a day-to-day basis, it is no wonder many people have resorted to password-reuse: the act of using the same password everywhere, whether on a Gmail or Facebook account, or even shopping sites and forums, often used with company email addresses. 

The second issue is the surge in cloud usage and the presence of “shadow IT” within companies. Shadow IT typically refers to using tools and software within an organization without its explicit approval. Think Dropbox, Google Docs and many other cloud apps that people use because they are more convenient than what a company has to offer. On top of this, there are legitimate cloud apps that people now use in the enterprise space. Office365, Salesforce, AWS, and any other Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS) offerings that fall into this category. 

Now, back to breached data. Hackers are people, too, and like to avoid hard work if they can. If hackers want to go after a company, they will come at them sideways, from the point of least resistance.

Let’s say we want to attack Acme Corp., our fictional company. We would first scour public data leaks for anything that contains @acme.com. With luck, in these leaks, we will find passwords, either in cleartext or hashed. If they are hashed, there are free tools that can quickly discover weak passwords.

Then these credentials are used on cloud apps that companies use. Outlook web access and Office365 are the prime targets here because they are typically exposed to the entire internet and often can be accessed without multi-factor authentication. After that, we would try the shadow IT culprits, like Dropbox and Google docs. If we wanted to go further, we could attempt using the credentials against their personal email address – which nowadays only requires a bit of digging on social media to discover. To save time we could punch their private email into various sites that deal in the disclosure of leaked information and it will tell us instantly if that email address has been involved in any other breaches. From there, we could get the data directly from the source, or just pay a small fee for the raw data.

Once we have these, we could then try the process again on the sites that didn’t work in the first place. Chances are password reuse is in play here as well.

Note the above does not require any technical skills. Once you infiltrate corporate email, then information becomes exponentially easier to come by and other vectors of attack open, the most obvious being phishing and malware.

How to Check Credentials and Protect Credentials

There are a few options depending on your resources. The first is to monitor the information leakage. You can actively monitor sites like Pastebin where public leaks appear for company emails or keywords relating to your company. It has a free keyword alert feature which you can use. Other tools exist like @Dumpmon, which is a Twitter bot account that automatically provides updates when it has detected any leaked data. This approach has a few downsides, namely that you have to check all the alerts yourself to decide whether it has value or is just another false-positive. 

The alternative approach is to pay someone to do it for you and these companies specialize in ‘leaked credentials monitoring’. Keep in mind that no one can guarantee 100% coverage, however, these companies provide alerts the second they detect something relevant to your domain. They can also monitor metadata, such as public-IP addresses, or company keywords that may appear on leaked-data, even if it doesn’t involve login-password combinations.

CONCLUSION

Focus on your email domain, (eg. @acme.com) since this is a sure sign that a credential is involved. Once it leaks, the first step is to find out if that user still has active accounts in your company. If they do, you can either check if their company password matches their leaked password (tools like l0phtcrack are ideal for this) or simply just force a password change if you are not sure. Senior Executives should aim to monitor their personal emails too, as many use them for business. Do not try to cover the personal emails of all your employees, instead run awareness campaigns to push them to use free sites (haveibeenpwned.com is a good one) so that they are aware of their own exposure. 

These are a few simple steps you can take to protect your credentials and mitigate the risks of a data breach. 


Alex Haynes

Tags: , , , , ,