2 April, 2023

Identity crisis: the threat of malicious credential abuse

by Kamal Bechkoum

The security risks posed by malicious credential abuse are fast becoming every chief information security officer’s worst nightmare.

[Image: employee credentials login screen. Credit: Bakhtiar Zein/Shutterstock.com]

IT security should be a simple concept—it’s essentially about being able to prove you are who you say you are.

The “you” in this context might be an individual logging into a network or service, a device interacting with an application programming interface (API), one network talking to another, or a host of other potential scenarios.

The corresponding proof of identity could be a certificate; a Secure Shell (SSH) key (SSH is a network protocol that uses public-key cryptography to let authorised users remotely access a computer or other devices); a confirmation code; facial or fingerprint recognition; and, not forgetting the enduring favourite, the increasingly outdated yet seemingly un-killable password.

The basic password and its use on computers dates back to the 1960s and is one of the most familiar and also most heavily abused forms of credential used in computer authentication processes. Technology has since progressed rapidly but the password has not.

Malicious credential abuse is an important security threat which is fast becoming every chief information security officer’s (CISO) worst nightmare. The seriousness of such attacks stems from the fact that they can lead to a widespread penetration of critical network infrastructures.

What is credential abuse?

Credential abuse can come in many guises. One of the most common is when an employee “borrows” a colleague’s user ID and password. The purpose may be benign—to complete a piece of work on time—or malicious, but this behaviour occurs frequently throughout industry and makes a nonsense of assigning privilege levels to specific individuals.

These situations are further complicated by attackers who often masquerade as legitimate users to penetrate the organisation’s systems and gain illegitimate access to data, which can include even more credentials. Such attacks are likely to result in significant financial or reputational damage, meaning resilience against them should be part of every CISO’s planning and business recovery processes.

However, just because these attacks are among the most commonplace does not mean a CISO should implement countermeasures based purely on trends or the “popularity” of a threat. A good CISO and their team will work closely with the board to develop an understanding of organisational priorities and what needs to be defended.

The board should also provide business guidance and have an agreed strategy with the CISO. This should include building defence in depth using the ISO 27000 series (thematic defence), in conjunction with a kill chain response, such as the Lockheed Martin Kill Chain, for a process- or time-based defence. In addition, the CISO should develop, and periodically review, these protocols against organisational intelligence developed from horizon scanning or scenario planning, enabling the CISO to prioritise credential abuse tactics within a wider overview.

Brute Force and credential stuffing

Attacks vary. Traditional credential theft and the manipulation of business practices were used in combination in the Scattered Canary attack on US financial benefits early in the Covid-19 pandemic. Built on credential theft, and presumably the storage of credentials, this approach took advantage of the non-verification of financial claims.

A Brute Force attack uses trial-and-error to guess, for example, individual user names and passwords. All possible combinations are attempted in the hope that one of them will result in the correct information. The search space within which the “algorithm” is looking for answers can be very large and, depending on the length and complexity of the password, cracking it using Brute Force can take anywhere from a few minutes to decades. The smaller the search space, the higher the rate of success and the quicker access is gained.

Credential stuffing reduces the search space that Brute Force needs. It uses exposed data from leaked databases or other illegitimate access. The availability of this data dramatically reduces the number of candidates that must be tried before access is gained. Both Brute Force and credential stuffing are effective against accounts that use weak passwords, or whose owners are not particularly cyber-savvy, but less so against more secure systems.

AI-augmented algorithms

The use of AI-augmented algorithms adds sophistication to the attacker’s arsenal. AI Bots are used to gather pertinent data—for example, chatbots realistically befriending employees on social media and using convincing impersonations to bypass controls.

This reconnaissance phase narrows the search space, and machine learning password crawlers are then applied to guess credentials in a matter of seconds. These AI-augmented attacks need AI-based solutions to counter them. Bot management defence systems use rate-limiting in combination with an IP reputation database to stop malicious bots from making login attempts without impacting legitimate logins.

One example of a defence mechanism is the Cloudflare Bot Management, which uses machine learning algorithms to collect data from over 400 billion requests routed through the Cloudflare network each day, identifying and stopping credential-stuffing bots with very high accuracy.

But let’s keep things in perspective: although AI-powered algorithms can be an efficacious tool within the attackers’ arsenal, these algorithms are largely used for Distributed Denial of Service or cryptocurrency calculations.

A major facilitator behind credential abuse is simply a gap in users’ behaviour, otherwise known as “intellectual laziness”—using the same password for several applications. Many of us do this because one or two passwords are easier to remember. According to TeleSign, 71% of users use the same passwords for multiple accounts. There have been approximately 360 breaches in the past five years, resulting in three billion accounts and 550 million unique passwords being leaked.

While using a strong password, or pass-phrase, provides a solid protection against Brute Force attacks, it offers little protection against credential stuffing if the password or pass-phrase is shared across several accounts.

External and internal threats

Where does this threat come from? According to the Data Breach Investigations Report (DBIR) 2020, external attackers were responsible for the majority (70%) of stolen data, compared with 30% from insider threats.

The only sector with a bigger insider problem, according to the DBIR, is healthcare, where the split is nearly 50-50 between external and insider attacks. Insider issues in healthcare include simple human error and employee misuse, such as medical workers accessing patients’ records out of curiosity.

So what can boards do to prevent this?

The first step in developing resilience protection against credential abuse is education. This requires a commitment from the board to continuous training and staff development programmes that nurture higher levels of cyber hygiene among employees, clients and other stakeholders within the supply chain.

Simple steps like using strong pass-phrases and not repeating them across multiple access points will help reduce the threat. IT departments and security teams also need to take the necessary steps to ensure that the IT infrastructure is as secure an environment as possible for employees to operate in.

Detection tools and processes need to be in place to identify any possible credential-stuffing attacks at the earliest opportunity. This is important because stolen credentials are rarely used immediately. Attackers require time to analyse the data they capture before exploiting it. This means that the faster an organisation can detect an attack, the better position it is in to reduce or nullify its impact.

One of the biggest challenges that organisations face stems from the fact that the source of their problem is not necessarily entirely within their control. Credential stuffing can happen as a result of a compromise at other organisations, suppliers or partners which don’t have high-level defence systems or protocols in place.

No organisation, or individual for that matter, is immune to this kind of attack. Large corporates may be able to afford stronger technology infrastructure and better staff training programmes. But this is a continuous battle that requires constant vigilance, scaled to whether it’s an individual user, an SME or a large organisation.

Professor Kamal Bechkoum is head of the school of computing and engineering at the University of Gloucestershire.
