In the 2016 Data Breach Investigations Report, Verizon found that “63% of confirmed data breaches involved leveraging weak, stolen, or default passwords.” The 2017 edition of the report shows a significant uptick: 81% of hacking-related breaches leveraged stolen or weak credentials.
For MSPs and IT providers, this data shows that credential management should be central for protecting personal data under the European General Data Protection Regulation (GDPR) or any other regulation. However, in the battle to secure passwords, you face a number of cybercriminal tactics. Let’s take a look at a few of them—and what strategies you can use to help mitigate the risk.
Login credentials that use simple passwords or dictionary words aren’t adequate for defending against password-guessing attacks. Unfortunately, all too often, users create passwords using these weak techniques, making it easier for someone to guess the password.
Typical brute force attacks are directed at whatever accepts a username and password from the internet: Outlook Web Access, VPN gateways, or remote desktop services. These attacks are incredibly noisy. The server log fills with thousands of failed sign-in attempts (on Windows, Event ID 4625), usually from a handful of source addresses and often against the built-in Administrator account, because an attacker can guess that name without knowing anything about the organization. If you see these signs, someone has almost certainly tried to brute force your clients’ login credentials, and a successful sign-in from the same source shortly after the burst of failures means they probably got in.
The best defense is to put all external services behind a hosted VPN with multi-factor authentication. This greatly reduces the chance that a poor password alone leads to account compromise. Keep this in mind: if nothing is exposed to the internet, the bad guys have nothing to brute force. The VPN gateway itself is still exposed, of course, which is exactly why it needs MFA.
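The “thousands of failed sign-ins followed by a success” pattern described above is easy to check for in code. The following is an added example, not code from the original article or from any SolarWinds product: it runs a sliding-window count of failures per source address over a constructed authentication log (the line format of timestamp, source IP, account and result is an assumption made for this example) and flags any source that exceeds the threshold, together with any account that source then successfully signed in as.

```python
"""Flag brute-force sign-in activity in an authentication log.

The log format (timestamp, source IP, account, FAILURE/SUCCESS) and all
of the sample lines are constructed for this example; they are not the
output of OWA, a VPN appliance or Windows event logging.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one noisy attacker, one user who mistyped twice."""
    lines = []
    start = datetime(2017, 12, 4, 2, 10, 0)
    # Attacker: 40 failures one second apart against two admin-style names,
    # then a successful sign-in as Administrator.
    for i in range(40):
        user = "admin" if i % 4 == 0 else "administrator"
        lines.append(f"{(start + timedelta(seconds=i)).isoformat()}Z 203.0.113.7 {user} FAILURE")
    lines.append(f"{(start + timedelta(seconds=40)).isoformat()}Z 203.0.113.7 administrator SUCCESS")
    # Benign user: two typos, then success. Must not be flagged.
    lines += [
        "2017-12-04T08:15:00Z 198.51.100.23 jsmith FAILURE",
        "2017-12-04T08:15:20Z 198.51.100.23 jsmith FAILURE",
        "2017-12-04T08:15:31Z 198.51.100.23 jsmith SUCCESS",
    ]
    return "\n".join(lines) + "\n"


def parse(lines):
    """Yield (timestamp, src_ip, account, result) for each non-empty line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold failures in
    any `window`-long period. The summary records the peak failure count,
    the accounts attempted, and any account the source later signed in as
    while its failure count was still above threshold (likely compromise)."""
    failures = defaultdict(deque)   # src ip -> timestamps of recent failures
    targeted = defaultdict(set)     # src ip -> accounts it failed against
    alerts = {}
    for ts, ip, user, result in parse(lines):
        q = failures[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAILURE":
            q.append(ts)
            targeted[ip].add(user)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"peak_failures": 0, "accounts": set(), "logged_in_as": set()})
                a["peak_failures"] = max(a["peak_failures"], len(q))
                a["accounts"] |= targeted[ip]
        elif result == "SUCCESS" and ip in alerts and len(q) >= threshold:
            # A success right after a burst of failures: treat as compromised.
            alerts[ip]["logged_in_as"].add(user)
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(build_sample_log().splitlines()).items():
        print(ip, summary)
```

Tune `threshold` and `window` to the service: a VPN gateway used by a few hundred people will never see twenty failures from one address in five minutes legitimately, while an OWA front end shared through a large NAT might. The benign user in the sample stays under the threshold and is not reported.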
Cybercriminals often use fake password-reset emails or a fake login page for hosted services to trick unsuspecting users into giving up their username and password. Many users have fallen victim to these scams, thinking the emails came from people working with eBay, PayPal, or Apple.
To combat this, you’ll need a multilayered approach. Email protection and filtering can intercept many of these messages before they reach users’ inboxes. Web filtering and network protection can keep the user from visiting the fake login site, but only once the site has been flagged by the filtering service; a freshly registered phishing domain will get through for a while. Finally, there is no substitute for awareness training against this sort of attack. Training helps users treat unexpected password-reset or sign-in emails with suspicion and check the real address before entering credentials. If you’re an IT service provider or MSP, it’s worthwhile selling user awareness training and including phishing avoidance in the curriculum.
Unfortunately, if an account has been breached in the past, its credentials can often be purchased on the dark web. These lists frequently pair an email address with a password. This can be deadly, because many users have a favorite password they use for every online service, so one leaked credential may open many other accounts. The cybercriminal will simply try the same email and password against a series of online services (a technique known as credential stuffing) until one works.
There are two very effective tactics against this attack. First, have users try a password manager to create and track different passwords for each service. If one of the web services they use is breached, the damage would be contained rather than spreading to every service that user uses. For example, if their Netflix or Hulu password is stolen, they’ll be protected from further damage if their work email doesn’t use the same password.
Second, data breach notification services are extremely helpful. Have I Been Pwned (haveibeenpwned.com), a popular, free service, will notify a user when their email address appears in a newly loaded breach list. If the user reuses a common password across their online accounts, the notification is the prompt to change it everywhere to something new and unique. The same site also exposes its Pwned Passwords corpus, so a password can be checked against known leaks without ever sending the password itself. This may save the user from an account compromise.
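The Pwned Passwords check mentioned above works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known hash suffix for that prefix with its breach count, so the full hash never leaves the machine. The following is an added example, not code from the original article or from Have I Been Pwned; the response format (`SUFFIX:COUNT` per line) is the service’s documented format, and the range body and counts embedded below are constructed so the example runs offline.

```python
"""Check a password against the Pwned Passwords corpus via the k-anonymity
range API. Only a 5-character hash prefix is ever sent over the network."""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

# Constructed offline stand-in for the range response for prefix "5BAA6"
# (the prefix of SHA-1("password")). The counts are made up for this
# example; the live service returns real breach counts.
SAMPLE_RANGE = """\
0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFFF0123456789ABCDEF0123456789ABCDE:1
"""


def split_hash(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 when the suffix is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (not used by the offline test). The service requires a
    User-Agent header; the value here is an arbitrary assumption."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 = not found).
    `fetch` is injectable so the logic can be tested without network access."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


def offline_fetch(prefix):
    """Constructed stand-in for fetch_range used to run the example offline."""
    assert prefix == "5BAA6" or True  # any prefix maps to the same sample body
    return SAMPLE_RANGE


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, fetch=offline_fetch))
```

A non-zero count means the password is in a public breach list and should be rejected at enrollment or reset time regardless of how “complex” it looks. The important design point is that `pwned_count` never transmits the password or its full hash; an attacker watching the request learns only a 5-character prefix shared by hundreds of hashes.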
In 2011, Benjamin Delpy released an open-source tool called Mimikatz, designed to gather and exploit Windows credentials. As you can imagine, this powerful tool was quickly embraced by cybercriminals. Both the NotPetya and Bad Rabbit ransomware/cyberweapons carried tweaked versions of Mimikatz to steal credentials from an infected workstation. Once a payload with Mimikatz runs with local administrator rights, the credentials of every account that has logged on to that machine (plaintext passwords on older or misconfigured systems, password hashes and Kerberos tickets otherwise) are exposed, which lets the attacker “jump” to other machines with pass-the-hash or simply by reusing the password. The moment a machine that a domain administrator has logged on to is found, the attacker can compromise the complete network. This process was frequently automated, allowing it to complete in moments.
In addition to robust anti-malware defenses that look for Mimikatz-like behavior (reading the LSASS process memory) or its signature, network segmentation can impede the bad guys trying to use this tool. Preventing workstation-to-workstation communication limits their ability to move to other machines. Strictly restricting administrative logins to a limited number of systems, perhaps in a management VLAN, keeps domain administrator credentials off ordinary workstations in the first place, so there is nothing of value for Mimikatz to find there. Disabling WDigest and enabling LSA protection or Credential Guard on current Windows versions further reduces what can be pulled from memory.
Cybercriminals will continue trying to steal user passwords in order to take personal data from a network or drop a ransomware payload. And if they steal personal data, that breach must be reported to the supervisory authority within the GDPR’s 72-hour window if you are the Controller of that data (unless the breach is unlikely to result in a risk to the individuals affected); a Processor must notify the Controller without undue delay.
Protecting account passwords, especially ones with privileged access, requires robust defenses and vigilance. One of the telltale signs a customer has been breached is personal data being gathered and compressed into an archive, which the cybercriminal then attempts to exfiltrate from the organization. If your customers don’t use FTP or SSH externally, it is prudent to block those protocols outbound at the firewall. Also, be on the lookout for a sudden increase in outbound bandwidth; that is a sign a great deal of data is suddenly leaving the organization. If the data that leaves is personal, you likely have a data breach on your hands.
1. “2016 Data Breach Investigations Report,” Verizon Enterprise. http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf (accessed December 2017).
2. “2017 Data Breach Investigations Report,” Verizon Enterprise. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/ (accessed December 2017).
This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.