Content provided by PNC
Trending Topics represents an executive summary compilation of news, information and perspective on matters affecting businesses and business leaders today. This insight is being provided to keep you up to date on the latest developments and trends influencing these topics. These views do not necessarily represent the views and opinions of PNC. For additional research on these topics, please consult the sources cited in this article.
Cybercriminals are finding corporate credential theft – stealing an employee’s user name and password to access a company’s network and data – to be a lucrative enterprise.1
Stolen credentials enable attackers to masquerade as a legitimate employee and move through a company’s networks without triggering the alarms that malware or an exploit would. Cybercriminals engage in “credential abuse,” the malicious use of compromised user names and passwords to authenticate to corporate applications. Once inside, attackers steal data, plant malware or conduct other harmful actions. They may use the stolen corporate credentials themselves or sell the credentials to other thieves.
Cybercriminals generally use phishing to steal employee user names and passwords. Phishing is a form of social engineering that manipulates computer users through an email and tricks them into opening an attachment or clicking on an embedded link.
Phishing schemes are popular lures because they are relatively inexpensive and effective. They exploit human behavior as the weak link in a company’s security system. The Verizon 2016 Data Breach Investigations Report noted that in sanctioned phishing tests about 13% of recipients clicked on the malicious attachment, and that those who clicked typically did so within minutes of receiving the message.2
Phishing schemes used in corporate credential theft are sophisticated. The email or attachment appears to be legitimate, so the employee is lulled into a false sense of security and willingly surrenders credentials. Links lead to fake websites that duplicate legitimate login pages so accurately that only close inspection of the address bar and the site’s certificate would tip off an employee.
Although some attackers seek corporate credentials for their own purposes, most steal credentials to sell on the “darknet,” the black market for stolen information. Stolen credentials have value because most employees don’t change their passwords often and frequently reuse passwords on multiple accounts.3
With a working credential, attackers may log in remotely to an organization’s network, or to cloud-based resources that often have weaker credential protections, and then move undetected within the network once they have gained access. Many attackers combine these steps, using several stolen credentials in turn to escalate their access privileges and reach sensitive company data.
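Credential abuse of the kind described above leaves a recognizable trace in authentication logs: one account suddenly used from several addresses at once, or one address working its way through many accounts with a purchased list. The following added example (not code from the PNC article or its cited sources) runs two such checks over a small, constructed set of login events. The log format, the field names and the thresholds are assumptions chosen for illustration; a real deployment would read the SIEM or VPN log in its own format and tune the windows to the organization’s traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system). Times are
# UTC; "src" is the client address seen by the application or VPN concentrator.
SAMPLE_LOG = """\
2017-05-02T08:01:10Z LOGIN user=jsmith src=10.20.1.15 result=success app=vpn
2017-05-02T08:03:44Z LOGIN user=jsmith src=10.20.1.15 result=success app=mail
2017-05-02T08:05:02Z LOGIN user=jsmith src=198.51.100.7 result=success app=vpn
2017-05-02T08:06:30Z LOGIN user=jsmith src=203.0.113.9 result=success app=fileshare
2017-05-02T09:10:00Z LOGIN user=akim src=10.20.1.31 result=success app=mail
2017-05-02T11:00:01Z LOGIN user=akim src=192.0.2.44 result=failure app=vpn
2017-05-02T11:00:02Z LOGIN user=bliu src=192.0.2.44 result=failure app=vpn
2017-05-02T11:00:03Z LOGIN user=cnair src=192.0.2.44 result=failure app=vpn
2017-05-02T11:00:04Z LOGIN user=dpatel src=192.0.2.44 result=failure app=vpn
2017-05-02T11:00:05Z LOGIN user=efox src=192.0.2.44 result=success app=vpn
"""

# Assumed log format; real systems differ and need their own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) app=(?P<app>\S+)$"
)


def parse_events(log_text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_multi_source_logins(events, window=timedelta(minutes=10), min_sources=3):
    """One account logging in successfully from min_sources or more distinct
    addresses inside `window`: the pattern left when a stolen credential is
    used by someone other than (or in addition to) its owner."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            srcs = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(srcs) >= min_sources:
                alerts.append((user, sorted(srcs)))
                break  # one alert per account is enough for triage
    return alerts


def find_one_to_many_attempts(events, window=timedelta(minutes=1), min_users=4):
    """One source address trying min_users or more distinct accounts inside
    `window`: credential stuffing or password spraying with a bought list.
    Any success inside the burst is reported so that account can be reset."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in burst}
            if len(users) >= min_users:
                alerts.append({
                    "src": src,
                    "users": sorted(users),
                    "successes": sorted({e["user"] for e in burst if e["result"] == "success"}),
                })
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, srcs in find_multi_source_logins(evs):
        print(f"account {user} used from {len(srcs)} addresses within 10 min: {srcs}")
    for a in find_one_to_many_attempts(evs):
        print(f"{a['src']} tried {len(a['users'])} accounts; succeeded on {a['successes']}")
```

On the constructed data the first check flags jsmith, whose credential is used from an internal address and two external ones within six minutes, and the second flags 192.0.2.44, which walks five accounts in five seconds and gets into efox. Neither check needs malware signatures; both rely only on who logged in, from where and when, which is why log retention and a reliable source address are prerequisites for catching credential abuse.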
Attackers often use social media sites such as LinkedIn to target individuals whose work experience and company affiliations can yield corporate credentials that will give them higher-level access to company networks and confidential information.
PROTECTING AGAINST A CREDENTIAL-BASED ATTACK
Experts agree that security awareness training is the first line of defense against sophisticated phishing schemes supporting corporate credential theft. Ongoing employee training and testing should complement network security protocols and programs.
To minimize the threat of corporate credential theft, companies should consider the following suggested actions:4
- Strengthen password policy, including minimum length and screening of new passwords against known-weak and previously breached values. The Verizon 2016 Data Breach Investigations Report noted that 63% of confirmed data breaches involved weak, default or stolen passwords.5
- Limit the use of corporate credentials to approved sites and block their use for unknown applications and websites.
- Use security products and services to block corporate credentials from leaving the organization’s network to access potentially malicious sites.
- Require employees to use a different password for each of their applications, and to change any password promptly when there is reason to believe it has been exposed. Many organizations also mandate a change every three months; note, however, that NIST Special Publication 800-63B (2017) advises against forced periodic rotation in the absence of evidence of compromise, because it tends to produce predictable, incremental passwords.
- Prohibit employees from using personal account passwords that are the same as their corporate credentials.
- Employ security technology that automatically prohibits employees from visiting credential-phishing sites.
- Use security applications to look for corporate credentials being submitted to unknown sites and block those destinations, even if no phishing has yet been confirmed.
- For corporate systems, require multifactor authentication at the network level to protect critical applications and data.
- Use employee communications and training to continually reinforce good credential habits and the importance of protecting company networks and information from data breaches.
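The password-related recommendations above (stronger password rules, no reuse, screening against breached passwords) can be enforced at the point where a user sets or changes a password. The following is an added illustration, not code from the PNC article or its cited sources, of such a check. The breached-password list is a constructed stand-in for whatever feed the organization subscribes to, the salted PBKDF2 history store is an assumed design for keeping old passwords comparable without keeping them recoverable, and the minimum length and history depth are example values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password feed, kept as SHA-1 hex digests
# so that the plaintext list never needs to be distributed to the checking host.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123", "Summer2017!", "Welcome1", "qwerty123456")
}

MIN_LENGTH = 12          # example policy value
HISTORY_DEPTH = 5        # how many previous passwords a user may not reuse
PBKDF2_ROUNDS = 100_000  # example work factor for the history store


def hash_for_storage(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 entry for the password-history store.
    Returns (salt, digest); the digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_stored(password, salt, digest):
    """Constant-time comparison of a candidate against one history entry."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(candidate, history, username):
    """Return the list of policy violations for `candidate`; an empty list means
    the password is acceptable. `history` is a list of (salt, digest) tuples,
    oldest first, as produced by hash_for_storage()."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if username and username.lower() in candidate.lower():
        problems.append("contains username")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches_stored(candidate, salt, digest):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    history = [hash_for_storage("correct horse battery staple")]
    for pw in ("Password123", "correct horse battery staple", "violet-tractor-maple-91"):
        verdict = check_new_password(pw, history, "jsmith")
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The breached-list lookup uses an unsalted SHA-1 of the candidate only because that is the form such feeds are published in; it is a membership test, not storage. Passwords the organization actually keeps, here the history entries, are salted and stretched, so a leaked history table does not hand an attacker the very credentials the list was meant to protect.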
To discuss these topics in more detail, please contact your PNC Relationship Manager.
1 Verizon 2016 Data Breach Investigations Report, page 7. Report is available for download at: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
2 Verizon 2016 Data Breach Investigations Report, page 17. Report is available for download at: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
3 “Credential-Based Attacks: Exposing the Ecosystem and Motives Behind Credential Phishing, Theft and Abuse,” a white paper by Unit 42 of Palo Alto Networks, 2017. Available for download at: https://www.paloaltonetworks.com/content/pan/en_US/resources/research/unit-42-credential-basedattacks.html
4 Suggestions compiled from: “Stressing Over Stolen and Abused User Credentials?” by Scott Simkin, SecurityWeek.com blog, April 17, 2017. Available at: http://www.securityweek.com/stressing-over-stolenand-abused-user-credentials; and “What Is a Credential-Based Attack?” by Karin Shopen, Research Center blog at Palo Alto Networks, Feb. 16, 2017. Available at: http://researchcenter.paloaltonetworks.com/2017/02/credential-based-attack/
5 Verizon 2016 Data Breach Investigations Report, page 20. Report is available for download at: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
PNC is a registered mark of The PNC Financial Services Group, Inc. (“PNC”).
The article you read was prepared for general information purposes only and is not intended as legal, tax or accounting advice or as recommendations to engage in any specific transaction, including with respect to any securities of PNC, and does not purport to be comprehensive. Under no circumstances should any information contained in this article be used or considered as an offer or commitment, or a solicitation of an offer or commitment, to participate in any particular transaction or strategy. Any reliance upon any such information is solely and exclusively at your own risk. Please consult your own counsel, accountant or other advisor regarding your specific situation.
©2017 The PNC Financial Services Group, Inc. All rights reserved.