Compromised Accounts, Stepping Stones
The list of account compromises over the past week is almost too long to list, and the numbers of verified or estimated compromised accounts has reached ridiculous numbers. With the media spotlight on these current companies’ compromises, we’ll likely get more details on the security weaknesses, outright failures, and more from the narcissistic vulnerability pimps taking credit for exposing those security problems.
Aside from the obvious of changing passwords, what can you and your organization do?
I won’t prognosticate on the list of best practices that may have been violated in these compromises, but they will be reported following the long, detailed, and expensive investigations in coming weeks and months, because most of them will be well-known but for one reason or another not practiced. The media reporting and the company’s public statements will cover those, and they will likely be worth a review for any significant points. We can let them tell the story, again.
Instead let’s focus on some things that people may not know or understand that can actually improve your security around these incidents. We highlighted a couple of these practices in the 2011 Annual Security Report, and more recently in the Emerging Threats Briefing at Cisco Live 2012.
First, let’s help our customers, users, and organizations. Given the opportunity, many people will take the simplest and easiest way. In the case of passwords, that means they will use their birthday, username, “password”, “123456”, and so on. We’ll see these lists of bad passwords in coming weeks too. It’s human nature, and too much work to try and remember all those passwords, right? Which leads to the second point of people that use the same password on multiple accounts (more on this shortly). As security practitioners, professionals,…we too often are setting up our users and organizations to fail. We have to do better, and here’s how. Every security control must have technical controls that enforce and monitor that security control, or we have no idea if it is effective. In the case of passwords, that means creating policies, security controls, and technical controls that require a user to create a strong password and change it regularly. If we let a user create a password of “123456”, they have done as should be expected, and we have failed. Even with the best account credentials, the accounts have to be monitored for suspicious activity with technical controls to alert security teams and users when, for example, a password is changed. For a good reference list see: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics. Note the account activity items on the list: Locked out accounts, failed logins, dormant accounts, password aging…
There is little a security team can do to prevent users from using the same password on multiple sites, which they have no control or knowledge of, accept to educate their users on the risk and provide them with better security solutions. For passwords this means password management software. It’s easy to use, auto-generates strong passwords, and stores them securely for the user. All the user has to remember is one strong password to access them all, and let the software do the rest. Just so there is no confusion, I am not referring to having your browser or a website remember your password, password management software is different. There are many reviews of these password management products available on the Internet, and Cisco released a blog post with more details on these products last year in our NCSAM Tips series. So pick one, use it, provide it to your users (some are open source and are obtained at no cost), and train your user on how to use it. If you need a little Fear, Urgency, and Doubt to convince them it’s a good idea, read on….
Now to the more important point about these account compromises: they are likely only the first step (i.e. stepping stones) of both more attacks and more serious compromises to come. Sure, the accounts are compromised and someone dropped them on a public page, but that is a beginning, not the end. What will likely happen next is that the criminal elements will quickly take these compromised account lists and attempt to use them to do their bidding: everything from sending spam messages, phishing, malicious codes and bots, to attempts to use the accounts to log into commercial or financial websites or even your enterprise as a trusted and possibly privileged user. How will you know? Failed login attempts, locked out accounts for repeated failures, dormant account login attempts, or attempted logins outside of normal operating hours would all be events worth noting and investigating. Maybe the user doesn’t know their account has been compromised? The security teams that monitor account activity can take the lead and warn their users, and recommend they change their passwords. All account compromises don’t get reported in the media and posted on dump sites. The security teams can capture the lists that get publicly posted and review them for accounts that belong to their organizations. This is probably not something most organizations would want their users doing, particularly from a business system or network. They also would probably not want their users to try the available online compromised account websites, regardless of the claims of those websites security measures. Equate that to doing a search on your social security number, probably not a good idea. Security teams do need to educate and remind their users on these things not to do.
Of course there has to be some sanity placed around these account security practices too. Security teams should not take broad strokes like organization-wide mandatory password resets because they have seen suspicious activity on a few accounts and this is where Incident Response comes in. Incident responders and investigators have to quickly Identify, Contain, Eradicate and Recover those systems. But, the first step in any Incident Response is to Prepare. Have a plan, document it, and practice it so that when an incident does occur, you and yours are ready. Unfortunately, there have been many of these mass account compromises at many large companies. But, the other side of that coin is that the collective experience from these incidents has resulted in well-refined and successful crisis management processes. Again, based on incident response practices; it’s the same no matter where you fall in these incidents. Some have been more successful than others, which is why reviewing the details that come out around these latest compromises is worth reviewing and considering in your own Incident Response and Crisis Management plans as lessons learned. All without the pain of being directly involved in the incident.
In summary, it’s the knowledge of the threat, knowledge of the best security practices, and how we can use those existing best security practices against a specific threat:
- Password management software
- Account activity monitoring
- Incident Response and Crisis Management
It’s no comfort to those already directly impacted by these account compromise incidents, but we can all continue to learn from them, continue to improve our own security practices, and contribute to improving security across the Internet.