How to avoid Credential Abuse
According to many industry surveys, malicious use of credentials is responsible for over 80% of breaches worldwide. The most common way to start a cyber attack is by impersonating real users, using credentials found on the dark web, harvested through phishing attacks, or by using techniques such as password spraying. Once credentials have been compromised to gain a foot in the door, attackers might then work to achieve privileged access by gaining control of the credentials of a more privileged user to install ransomware, download confidential information or to access other user accounts.
Credential stuffing is a widely used technique by cyber criminals, preying on poor password practice. Typically, most users will have an average of 3-5 different passwords for different online services with a few variations.
Bulk attacks are commonly used when targeting consumers; for example, to get access to accounts to make purchases and personal bank accounts. It’s also very common to use those attacks to install ransomware within a company network. Botnets are also quite useful to perform credential stuffing in a fast way. They are widely used to get access into routers and IoT devices using a password spraying technique with common and default passwords for devices, such as ‘admin’. But they can also be used to automate the attack process, launching simultaneous attacks, which gives less time for companies to react.
The answer is MFA
Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA) can help to solve the problem of credential abuse. A recent document from Gartner says that because of the pandemic, companies that don’t implement MFA are five times more likely of being attacked than companies with it.
Despite the clear benefits, many companies and SMEs in particular, still see MFA as costly and complex to deploy and manage. However, new cloud-based MFA solutions take away much of the pain and up-front investment of deploying MFA. By managing MFA all from the cloud, implementation can be done in hours, not weeks, and ongoing management such as adding a user or application is quick and simple. Cloud-based MFA dispels the view that MFA has always been out of reach for SMEs due to cost, complexity and management issues – so there is no excuse.
Read the full article from Alexandre Cagnoni, Director of Authentication at WatchGuard Technologies in Infosecurity Magazine: