According to F5’s new 2021 Credential Stuffing Report, although breach volumes have declined, poor security practices keep the downstream risk of credential exposure alive. The report “makes it clear that credential stuffing will remain an enormous risk to organizations of all types.” The F5 team collected the data to focus on three aspects of the ecosystem surrounding stolen credentials: theft, sale, and fraud use.
The report states: ‘Organizations are also poor at detecting breach attempts: median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days.’

I think this is the key point. Hackers are going to find a vulnerability somehow, someway – we are all being scanned. And once that flaw is found, e.g. an unpatched server, a weak password, an open network device – the hacker will be on our systems. From there, we MUST be able to detect their actions. The known pattern of behaviors of attackers makes identifying compromised credentials (hacked accounts) possible. We know that a hacker is going to want to move around the network (lateral movement) and escalate the privileges of the overtaken account (privilege escalation). This latter action, privilege escalation, is what hackers use to take normal "user" accounts and turn them into "admin" accounts. This allows them access to more networks, more servers, and more data.

These privilege escalations are detectable if the enterprise is conducting regular and triggered access and privilege reviews, which is what cloud identity governance does for the enterprise.
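The comment above describes catching privilege escalation through regular and triggered access reviews. The following is an added illustration, not code from the report or from the commentator: it compares two snapshots of account-to-group membership, as an access review would collect them, and flags every account that gained membership in a privileged group since the last review. The group names, account names and both snapshots are constructed for the example, and the set of groups treated as privileged is an assumption a real deployment would replace with its own.

```python
"""Flag privilege escalation between two access-review snapshots (added example)."""
from typing import Dict, List, Set

# Assumed privileged groups; placeholder names chosen for this example.
PRIVILEGED_GROUPS: Set[str] = {"Domain Admins", "Server Admins", "Cloud Owner"}

# Constructed snapshot from the previous review: account -> groups it belongs to.
SAMPLE_BEFORE: Dict[str, Set[str]] = {
    "alice": {"Users"},
    "bob": {"Users", "Server Admins"},
    "svc-backup": {"Users"},
}

# Constructed snapshot from the current review. "alice" has been elevated,
# "bob" is unchanged, and "eve" appeared for the first time already privileged.
SAMPLE_AFTER: Dict[str, Set[str]] = {
    "alice": {"Users", "Domain Admins"},
    "bob": {"Users", "Server Admins"},
    "svc-backup": {"Users"},
    "eve": {"Users", "Cloud Owner"},
}


def escalated_accounts(
    before: Dict[str, Set[str]],
    after: Dict[str, Set[str]],
    privileged: Set[str] = PRIVILEGED_GROUPS,
) -> List[dict]:
    """Return one finding per account that gained a privileged group.

    An account absent from the earlier snapshot is treated as having had no
    groups, so a newly created account that starts out privileged is flagged
    as well, with new_account=True so reviewers can prioritise it.
    """
    findings = []
    for account, groups_after in after.items():
        groups_before = before.get(account, set())
        gained = (groups_after - groups_before) & privileged
        if gained:
            findings.append(
                {
                    "account": account,
                    "gained": sorted(gained),
                    "new_account": account not in before,
                }
            )
    # Deterministic order so review output is stable between runs.
    return sorted(findings, key=lambda f: f["account"])


def run_sample() -> List[dict]:
    """Run the comparison on the constructed snapshots."""
    return escalated_accounts(SAMPLE_BEFORE, SAMPLE_AFTER)


if __name__ == "__main__":
    for finding in run_sample():
        flag = " (new account)" if finding["new_account"] else ""
        print(f"{finding['account']}: gained {', '.join(finding['gained'])}{flag}")
```

A scheduled review would feed the previous and current exports into `escalated_accounts`; a triggered review would do the same immediately after a group-change event, with the snapshot taken just before the event as `before`. Each finding is then something a reviewer has to explicitly approve or revert.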
These statistics paint a useful picture of the crisis we’re in, but they also show that too many organizations are still running ad hoc and expanding the problem because they don’t know in a timely way when breaches happen. There are four simple steps that every organization should take. The first is passwords – company and customer account passwords should never have fewer than 20 characters because they’re just too easy to crack. Companies need to enforce stricter password policies, both for the good of the organization and for their customers’ sakes. Everyone should be using password managers at this point, and also be warned never to reuse a password on or from any other account. It’s just too easy for passwords to get stolen and exploited, and yet people still reuse their favorite passwords across accounts.

Second, MFA needs to be enabled and required, and not just SMS, but MFA that allows the user to take advantage of an MFA app. Third, security must be embedded during site development. If an organization is using open source code, they need to invest in scanning to ensure that it’s safe, and remember that anything you use for free needs an investment behind it. Last, invest in detection tools, backups, and encryption – all of which are essential and should be universally employed at this point.
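The first of the four steps above is a stricter password policy: a minimum of 20 characters and no reuse. As an added example that is not the commentator's own code, the check below enforces both rules on the server side, comparing a candidate password against the salted, slow-hashed history of an account's earlier passwords rather than against stored plaintext. The iteration count, the sample history and the message strings are assumptions chosen for this example.

```python
"""Server-side password policy check: minimum length and no reuse (added example)."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 20            # the minimum the commentator recommends
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
REUSED = "reuses a previous password"

HashRecord = Tuple[bytes, bytes]  # (salt, derived key)


def hash_password(password: str, salt: Optional[bytes] = None) -> HashRecord:
    """Derive a salted PBKDF2-HMAC-SHA256 record; a fresh salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_reused(password: str, history: List[HashRecord]) -> bool:
    """True if the candidate matches any earlier password in the hashed history.

    Each record has its own salt, so the candidate is re-derived per record and
    compared in constant time.
    """
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: List[HashRecord]) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if is_reused(password, history):
        problems.append(REUSED)
    return problems


# Constructed history for one account: two earlier passwords, stored only as hashes.
SAMPLE_HISTORY: List[HashRecord] = [
    hash_password("correct horse battery staple!"),
    hash_password("another-old-passphrase-1234"),
]


if __name__ == "__main__":
    for candidate in ("short-pw", "correct horse battery staple!", "a brand new passphrase of length"):
        verdict = check_password(candidate, SAMPLE_HISTORY) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Storing only salted, slow hashes of earlier passwords lets the reuse rule be enforced without ever keeping old passwords recoverable; the per-record salt means each comparison costs a full PBKDF2 derivation, which is the intended trade-off.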
The recent report from F5 on the state of credential theft volumes and their use in cyberattacks over the last four years is interesting, and shows many organizations are still not following industry best practices for securing user credentials.

Credential theft can have long-reaching and expensive aftereffects in lost revenue, incurred mitigation costs, and loss of customer trust – which is itself difficult to put a price on. Preventing or blunting attacks before they lead to a major breach is generally much less expensive than suffering the fallout from an attack. By following best practices and making sure the organization’s security stack is up to date, including MFA, security analytics, and other technical measures, organizations reduce their risk of being breached in the first place, and can prevent extensive damage.