As a board member, you are well aware that cyber adversaries have had much success, these past few years, leveraging weaknesses in their victims’ security controls at each stage of the attack life cycle. You have responded by approving your CIOs’ and CISOs’ requests for millions of dollars of security equipment designed to prevent and detect cyber adversaries. And you are thinking to yourself, “I got this.” You’ve seen the risk and mitigated it to acceptable levels. But there is one more thing you must consider: credential theft.
Cyber adversaries have basically two ways to penetrate their victims’ networks. They can either work their way down the attack life cycle, which is hard, since you just spent millions of dollars trying to prevent them from doing just that, or they can somehow steal employee login credentials and use them to legitimately access your network.
Login credentials are those USERID and PASSWORD combinations that we all use to access our favorite web sites, laptops, and servers—those places where we store our sensitive and personal data. If cyber thieves can obtain those credentials, they can simply log in as a legitimate employee and search for the data they came to steal or destroy. It’s not more complicated than that. This is exactly what happened to Target in 2013. Cyber adversaries stole legitimate credentials from an HVAC third-party contractor and used them to infiltrate Target’s network and steal 40 million credit- and debit-card numbers.
Clearly, it is not enough to simply deploy state-of-the-art security controls at each phase of the attack life cycle. When adversaries steal legitimate credentials, they bypass that sophisticated security equipment. Therefore, you should be asking your security executives two additional questions:
- What are they doing to reduce the damage that cyber thieves can do once they penetrate the network using legitimate credentials?
- What are they doing to prevent cyber thieves from stealing credentials from employees in the first place?
To the first question, you should be hearing things that sound like “reducing the attack surface.” What that means is that those high-end security controls should have some way to limit each employee’s data access to only the data they need to do their jobs. For instance, the marketing department should not have access to the product code base, and system developers should have no access to the legal department’s M&A documents—that kind of thing. In the 2013 Target breach, once the cyber adversaries legitimately logged into the corporate network, they were able to wander around anywhere they wanted, including hitting the point-of-sale devices where all the credit cards were stored. In other words, Target had not implemented any controls that reduced the attack surface.
To the second question, you should be hearing answers that sound like “preventing employees from giving their credentials to non-corporate environments.” To understand that, consider what cyber criminals must do to steal your credentials. They essentially must trick the employee into handing this information out. We call that social engineering. One way they might do that is to contact the employee on the phone or via email, say they are from the IT department, and convince the employee that they need his or her password to fix an error in the payroll database system or the employee will not get paid this month. Another way is for the bad guy to compromise a watering hole website, a website that employees typically like to visit. The adversary compromises the website and waits for visitors to type in their credentials. There are ways you can mitigate these social engineering campaigns, and your security executives should be talking to you about them.
Board members should be asking their security executives how they secure their employee credentials and how they can make sure that, if the credential is compromised, the attacker cannot necessarily get to all the organization’s valuable data. In the end, the theft of employee credentials, in many ways, is a much less complicated attack scheme than the traditional approach of working down the attack life cycle. But it is also one that might be harder to detect and stop.
Originally published on: August 3, 2017