How you can stop corporate login credential theft

Enterprise cybersecurity spending continues to rise. The latest estimate puts the average figure at more than $5 million for 2021. Yet in the same year, U.S. organizations reported a record number of data breaches. So, what’s going wrong?

An unholy trinity of static passwords, user error and phishing attacks continues to undermine security efforts. Easy access to credentials gives threat actors a huge advantage. And user training alone cannot reset the balance. A robust approach to credential management is also needed, with layers of protection to ensure credentials don’t fall into the wrong hands. 

The problem with passwords

Nearly half of all reported breaches during the first half of this year involved stolen credentials. Once obtained, these credentials enable threat actors to masquerade as legitimate users to deploy malware or ransomware or move laterally through corporate networks. Attackers can also conduct extortion, data theft, intelligence gathering and business email compromise (BEC), with potentially massive financial and reputational repercussions. Breaches caused by stolen or compromised credentials had an average cost of $4.5m in 2021, and take longer to identify and contain (327 days). 

It’s perhaps unsurprising to hear that the cybercrime underground is awash with stolen credentials. In fact there were 24 billion in circulation in 2021, a 65% increase from 2020. One factor is poor password management. Even if passwords can’t be guessed or cracked, logins can be phished individually from users, or stolen.

The common practice of password reuse means that these credential hauls can be fed into automated software to unlock additional accounts across the web, in so-called credential stuffing attacks. Once in the hands of the hackers, they’re quickly put to work. According to one study, cybercriminals accessed nearly a quarter (23%) of accounts immediately post-compromise — most likely via automated tools designed to rapidly validate the legitimacy of the stolen credential.

User education is not a panacea

Phishing is a particularly serious threat to the enterprise and is growing in sophistication. Unlike the error-strewn spam of old, some efforts appear so authentic that even a seasoned pro would have trouble spotting them. Corporate logos and typefaces are faithfully replicated. Domains may utilize typo-squatting to appear at first glance identical to the legitimate ones. They might even use internationalized domain names (IDNs) to mimic legitimate domains by substituting letters from the Roman alphabet with lookalikes from non-Latin alphabets. This allows scammers to register phishing domains that appear identical to the original. 

The same is true for the phishing pages to which cybercriminals are directing employees. These pages are designed to appear convincing. The URLs will often employ the same tactics mentioned above, like substituting letters. They also aim to replicate logos and fonts. These tactics make pages look like the “real deal.” Some login pages even render fake URL bars showing the real website address to trick users. This is why you can’t expect employees to know which sites are real, and which are trying to trick them into submitting corporate credentials. 

This means that user awareness programs must be updated, both to account for specific hybrid-working risks and constantly changing phishing tactics. Short, bite-sized lessons featuring real-world simulation exercises are essential. So is creating a culture in which reporting attempted scams is encouraged.

For phishing pages in particular, encourage users not to click on links to pages from sources they don’t know. Instead, they should go directly to trusted websites and log in directly. Teach employees to always inspect the URL bar to make sure they are on the site they should be on. Another key skill will be showing employees how to inspect and interpret URL links, so that they can distinguish between a legitimate login page and something posing as the real deal. This won’t work in all cases but could help in most.

Towards real-time protection 

But remember, there is no silver bullet, and user education alone can’t reliably stop credential theft. Bad actors only need to get lucky once. And there are plenty of channels through which to reach their victims, including email, social media and messaging apps. It’s impossible to expect every single user to spot and report these attempts. Education must work with technology and robust processes.

Organizations should take a layered approach to credential management. The goal is to reduce the number of sites users have to put passwords into. Organizations should endeavor to implement single sign-on (SSO) for all reputable necessary work applications and websites. All SaaS providers should support SSO.

If there are logins that require different credentials, a password manager would be helpful in the interim. This also provides a way for employees to know if a login page can be trusted, as the password manager won’t offer credentials up for a site it does not recognize. Organizations should also enable multi-factor authentication (MFA) to secure logins.

FIDO2 is also gaining adoption. It will provide a more robust solution than traditional authenticator apps, although those apps are still better than codes sent via text messages. 

Not all of this is foolproof, and risky login pages could slip through the net. A last resort is needed for flagging risky login pages to employees. This can be done by analyzing, in real time, threat intelligence metrics, webpage similarities, domain age and how users got to a login page. This rating can then be used to block high-risk login pages or provide warnings to users to check again for less-risky ones. Crucially, this technology intervenes only at the last minute, so security appears transparent to the user and doesn’t make them feel watched. 

Combined with an architectural approach to security across the full stack, a layered approach to credential management can help reduce the attack surface and mitigate risk from an entire class of threat. 

Ian Pratt is global head of security at HP Inc.