In a recent analysis of the top 1,000 global companies, 97 percent were found to have had leaked credentials that were made publicly available on the Web. While this statistic is disturbing enough by itself, what is more troublesome is how that information is captured and made public.
Many leaked credentials result from an organization suffering a data breach, but attackers also steal credentials from third-party sources, as happened when Spotify and Pandora were attacked. In both of these incidents, corporate emails used to sign up for accounts were either published or sold. Dating and adult websites are also common places where corporate emails are inappropriately used to create accounts, resulting in more than 300,000 corporate or government worker email addresses being exposed.
The Problem with Exposed Email Addresses
At one time, security was all about protecting the perimeter. Smart attackers, however, have always gone after the easiest route into the network: compromising a user account. That is why an email address being published is of such concern. With a valid email address in hand, the attacker can do the following:
- Attack the owners of these known, valid email addresses (ransomware attacks cost individuals and businesses $34 million every year).
- Spoof the email address to launch a phishing attack that compromises other accounts.
- Use the email address to socially engineer other account credentials tied to that user.
- Attempt to crack the email password, and the passwords of other accounts that use that email address, with brute-force tools or simple password guessing. It is likely that more than one of those accounts reuses the same password across multiple systems, so those exposed credentials are extremely handy.
Identity and Access Management
With so many user credentials being exposed, it is more important than ever to understand who is in your network, know that your users are who they claim to be, and control who has access to sensitive, confidential information. This is where identity and access management (IAM) solutions protect you in a threat landscape in which your user accounts are the stepping stones that attackers use to reach your most sensitive and business-critical data.
If you treat your IAM solution as the core of your security program, you can defend against this new breed of attack in several ways. To begin with, you remove the potential for human error inherent in the manual provisioning and deprovisioning of user accounts. IAM solutions make it possible to manage who has access to which systems and data. By using predefined user groups and/or templates to automate the provisioning process, they also help eliminate the fear of accidentally granting a user more privileges than he or she actually needs. Deprovisioning automation also reduces, if not eliminates, orphaned user accounts that attackers can use as entry points to your network.
The right IAM solution can even grant time-based access to high-security data and systems. This way, you limit the amount of time an attacker has access to data in the event that he or she is able to compromise a user’s account. Time-based access also helps control accounts given to seasonal workers, contractors, and other third-party vendors and partners that may need access to your systems and data. Add the ability to maintain access logs and audit user accounts, and you have a solid foundation with which to protect your company.
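The deprovisioning and time-based access checks described above can be expressed as a small audit. This is an added example, not code from any IAM product: the account names, resources, dates and record layout are constructed sample data, and a real audit would read them from your directory and HR systems.

```python
from datetime import datetime, timezone

# Constructed sample data. Identities that HR / vendor management list as active.
ACTIVE_IDENTITIES = {"asmith", "bjones", "vendor-acme-01"}

# Constructed directory export: every account that is still enabled.
ENABLED_ACCOUNTS = ["asmith", "bjones", "cdavis", "vendor-acme-01", "temp-seasonal-07"]

# Constructed time-boxed grants to high-security systems (ISO 8601, UTC).
GRANTS = [
    {"user": "asmith", "resource": "payroll-db", "expires": "2024-03-01T17:00:00+00:00"},
    {"user": "vendor-acme-01", "resource": "build-server", "expires": "2024-01-15T00:00:00+00:00"},
    {"user": "bjones", "resource": "hr-share", "expires": "2024-06-30T00:00:00+00:00"},
    {"user": "cdavis", "resource": "finance-share", "expires": "2024-12-31T00:00:00+00:00"},
]

def find_orphaned_accounts(enabled_accounts, active_identities):
    """Enabled accounts with no active owner: candidates for deprovisioning."""
    return sorted(set(enabled_accounts) - set(active_identities))

def find_grants_to_revoke(grants, orphaned, now):
    """Return (user, resource, reason) for grants that should no longer be live."""
    findings = []
    for g in grants:
        if g["user"] in orphaned:
            # An unexpired grant on an orphaned account is still an entry point.
            findings.append((g["user"], g["resource"], "orphaned_account"))
        elif datetime.fromisoformat(g["expires"]) <= now:
            findings.append((g["user"], g["resource"], "window_expired"))
    return sorted(findings)

def audit(now):
    """Run both checks against the constructed data as of `now`."""
    orphaned = find_orphaned_accounts(ENABLED_ACCOUNTS, ACTIVE_IDENTITIES)
    return {"orphaned": orphaned,
            "revoke": find_grants_to_revoke(GRANTS, orphaned, now)}

if __name__ == "__main__":
    report = audit(datetime(2024, 3, 15, tzinfo=timezone.utc))
    print("Orphaned accounts:", report["orphaned"])
    for user, resource, reason in report["revoke"]:
        print(f"Revoke {resource} from {user}: {reason}")
```

Note that the grant held by `cdavis` has not expired, yet it is flagged because the account itself has no active owner.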
A Solid Plan
Your IAM solution needs to be the core of your security plan because it gives you:
- Full lifecycle management of your user accounts—not only for your employees, but also for vendors, contractors, and partners alike. From the day the account is created until the day it is deprovisioned, the right IAM solution gives you transparency and control over who your users are and what they can do.
- Privileged access management that makes it easy to adhere to the principle of least privilege through user groups and templates, making automation easier. The right IAM solution also includes on-demand access for users who need privileged access to sensitive data or systems in order to complete a specific task or project, while allowing this privileged access to be time-boxed, so that access does not carry over unknowingly.
- Adaptive authentication that can change authentication requirements based on what is being accessed, who is accessing data, or from where the user is accessing data. A user accessing sensitive information from a mobile device or during off-hours may require multi-factor steps to ensure he or she is who he or she claims to be.
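One way to express the adaptive authentication rule from the last item, as an added example rather than any product's policy engine: the resource classification, privileged group, working hours, network labels and request fields are all assumptions made for illustration.

```python
from datetime import time

# Assumed policy inputs (hypothetical names, not from a real product).
SENSITIVE_RESOURCES = {"payroll-db", "customer-pii"}   # what is being accessed
PRIVILEGED_GROUPS = {"domain-admins"}                  # who is accessing it
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}            # from where
BUSINESS_HOURS = (time(8, 0), time(18, 0))             # local working window

def context_signals(req):
    """Signals about where and when the request comes from."""
    signals = []
    if req["device"] == "mobile":
        signals.append("mobile_device")
    start, end = BUSINESS_HOURS
    if not (start <= req["local_time"] < end):
        signals.append("off_hours")
    if req["network"] not in TRUSTED_NETWORKS:
        signals.append("untrusted_network")
    return signals

def required_authentication(req):
    """Return (requirement, reasons). Step up to MFA when a high-value target
    (sensitive resource or privileged user) is combined with a risky context."""
    high_value = []
    if req["resource"] in SENSITIVE_RESOURCES:
        high_value.append("sensitive_resource")
    if req["group"] in PRIVILEGED_GROUPS:
        high_value.append("privileged_user")
    context = context_signals(req)
    if high_value and context:
        return "password+mfa", high_value + context
    return "password", high_value + context

if __name__ == "__main__":
    # Constructed sample requests.
    requests = [
        {"user": "asmith", "group": "staff", "resource": "payroll-db",
         "device": "mobile", "local_time": time(10, 0), "network": "corp-vpn"},
        {"user": "asmith", "group": "staff", "resource": "payroll-db",
         "device": "desktop", "local_time": time(10, 0), "network": "corp-lan"},
    ]
    for r in requests:
        print(r["user"], r["resource"], required_authentication(r))
```

The returned reasons list is worth writing to the access log, so that an audit can show why a given login was or was not challenged.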
When you add user awareness training that helps employees better understand the threats they face and how attackers target them through phishing attacks and malware, you stand a better chance of closing off the entry point that so many attackers seek to exploit. Security has evolved into a space where success comes from reducing the threat landscape and responding to incidents faster. Without an IAM solution in place, you run the risk of making it easier for attackers to leverage your user accounts against you.