When planning an organization’s security architecture, the focus has commonly been on traditional approaches like managing firewalls and ensuring systems are patched. While these are critical components of any organization’s security practices, several key areas of security planning have been overlooked.
One such area is password hygiene and account takeover prevention. Given that compromised passwords account for a majority of all data breaches, it is worth looking at how they fit in with the other major areas of security planning, to ensure an organization is doing everything in its power to prevent data breaches.
Compromised Credentials Need to be Identified
Account takeover has become a serious issue even for organizations that have not suffered a major data breach of their own. The exposure comes from end-users reusing passwords that were leaked in a third-party data breach. To eliminate the issue, organizations need a way to identify when user credentials have become compromised.
Many users reuse the same password for their personal accounts and their business accounts. If that password is compromised through a personal account, it becomes a risk for every business account associated with that user: threat actors have been known to target businesses using lists of passwords taken from compromised personal accounts.
If an attacker successfully compromises one of that user’s business accounts, they have access to everything that user has. To stop these attacks, an organization should have proper password policies in place. This includes ensuring that users create passphrases rather than short passwords, avoid commonly used passwords, and choose a new password that differs substantially from any previous password.
A highly effective way to prevent account takeovers is to have a way to identify potentially compromised passwords in use by end-users. Checking passwords with tools such as Enzoic at the time of password creation ensures that a compromised password never has the chance to be put into use in the first place.
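As an added example (not code from the original article or from Enzoic), the following Python check applies the creation-time policies described above: a passphrase-length minimum, a blocklist of common passwords, a similarity check against the previous password, and a lookup against a breach corpus. The minimum length, similarity threshold, common-password list, breach corpus and sample passwords are all constructed assumptions for illustration; a real deployment would replace the local corpus with a query to a breach-data service.

```python
import hashlib
from difflib import SequenceMatcher

MIN_LENGTH = 14            # assumed policy value: passphrases, not short passwords
SIMILARITY_THRESHOLD = 0.7  # assumed policy value: how close to the old password is "too close"

# Constructed blocklist of commonly used passwords (a real list would be far larger).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def _sha1(s: str) -> str:
    """Hash the candidate so the breach corpus never has to hold plaintext."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# Constructed stand-in for a breach corpus, stored as SHA-1 digests of the
# leaked passwords (breach-check services generally compare hashed values).
BREACHED_HASHES = {_sha1(p) for p in ("Summer2023!", "P@ssw0rd2024", "Winter2022!!")}


def is_breached(password: str) -> bool:
    """True if the candidate appears in the (constructed) breach corpus."""
    return _sha1(password) in BREACHED_HASHES


def too_similar(new: str, old: str) -> bool:
    """Reject a password that is only a small variation of the previous one."""
    if not old:
        return False
    ratio = SequenceMatcher(None, new.lower(), old.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def check_password(candidate: str, previous: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short: use a passphrase of at least %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if too_similar(candidate, previous):
        problems.append("too similar to previous password")
    if is_breached(candidate):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for cand, prev in (("password", ""), ("Summer2023!", ""), ("glacier-teapot-harbor-42", "")):
        print(repr(cand), "->", check_password(cand, prev) or "accepted")
```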
Implement the Principle of Least Privilege
Continuing with the idea of preparing for an account takeover, the next area of planning is making sure that proper policies are in place that follow the principle of least privilege.
Organizations should give their end-users access only to the data that is directly relevant to their job and nothing more. This ensures that if an account takeover does happen, the attacker can access only a very limited set of the organization’s data rather than opening it up to a much larger and more costly data breach.
Additionally, any user whose account is privileged to sensitive data needs additional layers of monitoring to ensure they are not misusing the data they have access to. These tools could include insider threat monitoring systems or data loss prevention solutions, which can watch for improper use of certain data sets.
End-User Education is Important
Combined with the previous two areas of planning, another major concern for organizations should be the training of their end-users. While some account takeover scenarios stem from password reuse, a significant number come from end-users giving up their credentials to phishing and social engineering attacks.
Most end-users who end up becoming a risk to their organization aren’t doing it intentionally; they simply don’t know better. If end-users understand what these threats are and how to identify and properly respond to them, they can significantly reduce the risk of a breach happening to the organization because of these attacks.
Multi-Factor Authentication is Essential
Another way organizations can help avoid account takeovers is by implementing multi-factor authentication for access to any sensitive data. This way, even if a threat actor has obtained a compromised password, it will be more difficult for them to take over the account and expose private data, since they will not readily have the additional authentication factors.
While focusing on traditional methods of securing an organization is recommended and cannot be overlooked, it is also essential to incorporate newer policies that can greatly increase overall security without adding much overhead or work for IT staff.
Implementing proper password use policies, following the principle of least privilege, adding multi-factor authentication, and educating end users are all relatively quick and inexpensive ways to boost security. Taken together, they greatly decrease the risk of an account takeover and the headaches of the data breach that comes along with it.