Complex Threats like Credential Stuffing on the Rise; Incident Response is Weak Link in Mitigating Cyber Risk
Every day, the number of threat types, attack vectors and exploitation methods that organizations must address grows exponentially. One such vector that has taken off over the last year – and continues to gain momentum – is credential stuffing, where attackers use e-mail addresses and passwords stolen from one site to attempt to access other sites.
The attacks are enabled by easy-to-use software applications and widespread botnets that can take lists of compromised user credentials and try to log into a variety of sites.
And while it seems that this is largely a consumer-facing problem, the effects are certainly cascading over into the enterprise as the individual user plays an increasingly critical role in organizational security.
User actions, awareness levels and overall security hygiene have the potential both to arm attackers with the sensitive information needed to carry out credential stuffing attacks and, if those users are preyed on, to grant attackers unfiltered access to company networks and systems.
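The pattern described above, one source trying many stolen e-mail/password pairs with only a try or two per account, can be told apart from single-account password guessing in authentication logs. The following Python detector is an added example, not part of the original post; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
# IPs are documentation ranges; none of this data comes from the article.
SAMPLE_EVENTS = (
    [(f"2024-01-01T10:00:{i:02d}", "203.0.113.7", f"user{i}@example.com", "fail")
     for i in range(6)]                                   # many accounts, one try each
    + [("2024-01-01T10:00:30", "203.0.113.7", "dana@example.com", "ok")]
    + [(f"2024-01-01T10:05:{i:02d}", "198.51.100.9", "admin@example.com", "fail")
       for i in range(8)]                                 # one account, many tries
    + [("2024-01-01T10:07:00", "192.0.2.20", "lee@example.com", "fail"),
       ("2024-01-01T10:07:20", "192.0.2.20", "lee@example.com", "ok")]  # a typo
)

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, max_avg_tries=2.0):
    """Flag sources that fail logins for many distinct users with few tries each.

    Returns {ip: {"distinct_users_failed": n, "successful_logins": [users]}}.
    Successful logins from a flagged source are accounts to review and reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start, peak_users = 0, 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            fails = defaultdict(int)
            for _, user, outcome in rows[start:end + 1]:
                if outcome == "fail":
                    fails[user] += 1
            # Breadth (distinct users) is high, depth (tries per user) is low.
            if (len(fails) >= min_users
                    and sum(fails.values()) / len(fails) <= max_avg_tries):
                peak_users = max(peak_users, len(fails))
        if peak_users:
            hits = sorted({u for _, u, o in rows if o == "ok"})
            findings[ip] = {"distinct_users_failed": peak_users,
                            "successful_logins": hits}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

Because botnets spread attempts across many addresses, the grouping key may need to be broader than a single IP, such as a network range or client fingerprint.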
This post also appeared on Security Boulevard.
Faced with a growing army of cyber criminals constantly after their data, businesses are investing heavily in new technology and professionals to close the cybersecurity gap.
The Ponemon Institute surveyed 627 IT and IT security practitioners in the United States to understand how well businesses are addressing cyber risks – specifically, insider threats – and the steps they are taking to make cyber-ends meet.
Several interesting findings emerge from the report, including that incident response is quite the weak link in mitigating cyber risk. And more than one data point suggests that this is an epidemic among US businesses.
“Incident response may be the weakest link in the risk mitigation chain. Gaps on the incident response side may explain why more than half (52 percent) of respondents’ companies use service providers for analysis and incident response,” researchers said.
Organizations are more confident in their ability to handle attacks by external actors than internal attacks or negligence by their own staff. This finding also somewhat correlates with a skills gap. The study shows only 34% of respondents have security personnel with the skills needed to identify and resolve malicious insiders.
On April 23rd, a privacy notification by the FBI stated that U.S. businesses are reporting a significantly increased amount of data loss as a result of insider threat actors.
Companies should not assume that this warning falls squarely within the domain of their Information Technology or Chief Information Security Departments. The vast majority of data-loss incidents have a human component. Data security is as much a function of managing people properly as it is controlling a company’s physical and technical environments.
What can HR departments contribute to minimize the “Insider Threat”? In addition to collaborating with their company’s Chief Information Security and Chief Information Officers, it is recommended that they focus on these key components (among others):
Access Controls – carefully designate the level of access a new hire must have in order to perform the functions of their job, but not more; revisit any necessary changes to access control throughout the employee’s tenure and document them; periodically audit access controls for employees; terminate all access to digital/other assets at the time of termination, including on BYOD devices.
Fully Investigate any data privacy/security incident, as with all other employee issues, either internally or by use of an external investigator; delayed discovery of data incidents is an issue that can be mitigated by clear policies that incentivize early reporting; involve experienced outside attorneys well-versed in data privacy to counsel you during the investigation under attorney-client privilege; consider engaging forensics experts early to verify and document data access and protect the chain of custody for supporting evidence.