According to the Verizon 2017 Data Breach Investigations Report, “stolen and/or weak passwords are the leading cause of hacking-related breaches”.
To discuss what can be done to mitigate this security vulnerability, Identity Week (IW) recently spoke with Steve Tout (ST), CEO of VeriClouds. VeriClouds provides a credential verification service that helps organizations detect compromised credentials before hackers do.
IW: It’s well known that there are billions of stolen passwords readily available to anyone on the dark web. This is a widely recognized problem, but can you give us any context of how serious this situation really is and how much worse it may become?
ST: Thank you for having me today. You are right that this is a serious problem, but I don’t think enough business leaders realize how pervasive and serious the situation really is. My own experience tells me that only a handful of companies really understand this and are doing something about it. Unfortunately, most of these companies are not the ones bringing a commercially viable product to market for enterprise adoption. We now know that 80% of users readily admit to reusing passwords and that a company’s infrastructure does not have to suffer a direct breach for its employee or customer passwords to be vulnerable.
Do you remember the OPM data breach? It was a catastrophe. In April 2015, highly sensitive data was stolen on 22 million federal employees. Hackers gained access by stealing credentials and planting malware that further infected systems. The problem doesn’t even have to affect billions of users when sensitive data such as social security numbers, date of birth, pay history, age, gender, race and more can be leaked or exposed due to credentials being compromised and used as an attack vector.
No company or user is immune to this problem. In other words, nearly every company and individual has already been affected, or will be affected by weak or stolen credentials.
IW: Can you provide us with any examples of cases you’ve seen where an organization using stolen credentials suffered from a costly data breach?
ST: The biggest example that everyone knows about is the Yahoo data breach from 2013, where stolen login data affected more than one billion users. That cost Yahoo dearly. In May 2017, Verizon cut the Yahoo (acquisition) transaction price by $350 million. Relative to the entire amount paid by Verizon for Yahoo, it’s a small number, but the absolute value lost is significant as far as data breaches are concerned.
And in December 2013, hackers used compromised credentials to exploit system weaknesses at Target Corporation, the second largest retailer in the United States. As of May 2017, costs reached $300M for a data breach that affected 70M users. I know there are some who argue that it did not affect the long-term stock price, as if to justify apathy towards implementing proper security controls that may have prevented the data breach to begin with. It cost many jobs, and upset many lives.
Not all data breaches are created equal, with the worst of them resulting in devastating loss of privacy and control, potentially putting human lives and critical infrastructure at high risk. In the public sector, data breaches are a matter of national security; these threats should be taken seriously.
IW: Your company provides a solution to specifically protect against the use of known stolen passwords. Describe some use cases for this solution.
ST: I often hear from fans of two-factor authentication (2FA) – and the vendors who profit from that technology – that they are using that so they don’t need a credential verification service. Don’t get me wrong, I am a huge supporter of 2FA and I personally enable it on as many SaaS and social services as support it. Let’s cut to the chase: if 2FA were as good as vendors claim, then we shouldn’t be seeing 81% of data breaches being caused by weak or compromised passwords. 2FA is hard to implement properly and presents its own set of user experience problems. 2FA, even when multiple factors are required (MFA), has challenges with coverage for legacy apps and is not always deployed consistently throughout an enterprise. These technologies are not well positioned to over-deliver on their promises.
In spite of 2FA and MFA [strengths], the recent NIST guidelines now require that public sector organizations check all new user passwords against a database of compromised credentials, among other things. This is a new area that even forward-thinking companies have just started to consider. We just released a feature that supports password policy enforcement of the latest NIST guidelines. It’s not enough to change passwords once in response to a data breach. Continuous protection through intelligent password policy enforcement is required to get ahead of the attackers in this regard.
IW: Your company’s solution deals with common end-user passwords, but what about the more powerful privileged account passwords that are prevalent in large organizations?
ST: I am a big fan of privileged access management capabilities. Vendors in this space accomplish some amazing feats to minimize the risk of overprivileged access and prevent abuse. But there are many layers to a privileged access management system and some requirements that random and one-time passwords do not address. With the web portal, enhanced protection is available to minimize the risk of compromised credentials for privileged and end users. When we are talking about the high stakes in protecting critical infrastructure, Wall Street and banking/financial systems, military systems and trade secrets, I don’t want to settle for the minimum investment in cybersecurity, do you? It affects nearly everyone. Cybercriminals and state-sponsored cyber attackers don’t work at owning their next victim from 9 to 5 or give up after a few failed attempts and then call it quits.
IW: Describe the process of how your solution operates.
ST: Our solution begins with our research team and data scientists collecting and validating the quality of breach data from various sources, such as public forums, pastebin, the dark web and so forth. We perform all our own research and collect all our own data independently, and now have more than 6 billion records in our repository. All this data is then encrypted and stored securely in our database to prevent leaking PII through tampering or unauthorized access. All our crypto operations for password comparison happen in an on-board hardware security module to assure the highest levels of data security and privacy in the industry.
Our solution operates at the detective layer of an organization’s security controls. We have a RESTful API sitting in front of our database that offers connectivity to any client that needs to check for compromised accounts and compare passwords for policy violations. Currently we have an extension for Microsoft Active Directory that connects to our database while scanning the users in the directory and setting a flag for each account that is at risk. We also have an app for Splunk which gives members of a SOC team the ability to pull our data about compromised credentials into their SIEM and proactively address risk from their findings. As you heard this week, we just completed our integration with the Lieberman RED – Rapid Enterprise Defense™ Suite, which gives joint customers real-time visibility and automated response to threats that VeriClouds detected on the dark web regarding their account security. In short, our solution was designed to complement most adaptive/risk-based authentication systems, identity management systems, privileged access management systems and SIEMs on the market today. We handle the detection and provide actionable intelligence. They handle the response, policy enforcement and remediation.
Credential verification and identity protection is a multi-billion user opportunity right now that we must assign our nation’s best talent and resources to if we are ever going to disrupt the norm of passwords being the weakest link in cybersecurity, and by far the biggest cause of data breaches today.
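The interview describes two pieces of a compromised-credential check: a database of leaked credentials sitting behind an API, and a policy step that rejects a new password found in it (the NIST guideline referred to is SP 800-63B). The code below is an added example written for this page, not VeriClouds’ implementation or API. It assumes a hashed-prefix range query (the client hashes the password locally and sends only the first five hex characters, so the service never sees the candidate password), which is the k-anonymity style lookup used by public compromised-password services; `CompromisedCredentialIndex`, `is_compromised` and `evaluate_new_password` are names chosen here, and the leaked-password list is a constructed sample rather than real breach data.

```python
import hashlib
from collections import defaultdict

# Constructed sample of "leaked" passwords for the demo; not a real breach corpus.
SAMPLE_LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2017!"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest: the key format used for corpus lookups here.
    SHA-1 is only an index key for a blocklist, never a stored password hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class CompromisedCredentialIndex:
    """Service side (hypothetical): holds only digests, bucketed by hash prefix.
    A real deployment would encrypt the store and put an API in front of it."""

    PREFIX_LEN = 5

    def __init__(self, leaked_passwords):
        self._buckets = defaultdict(set)
        for pw in leaked_passwords:
            digest = sha1_hex(pw)
            self._buckets[digest[: self.PREFIX_LEN]].add(digest[self.PREFIX_LEN :])

    def range_query(self, prefix: str):
        """The API endpoint: return every suffix stored under a 5-char prefix.
        Because many digests share a prefix, the service cannot tell which one
        the client is interested in (k-anonymity)."""
        if len(prefix) != self.PREFIX_LEN or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        return sorted(self._buckets.get(prefix, ()))


def is_compromised(password: str, index: CompromisedCredentialIndex) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[: index.PREFIX_LEN], digest[index.PREFIX_LEN :]
    return suffix in index.range_query(prefix)


def evaluate_new_password(password: str, index: CompromisedCredentialIndex,
                          min_length: int = 8):
    """Policy check in the spirit of NIST SP 800-63B: a length floor plus a
    blocklist of known-compromised values. Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_compromised(password, index):
        return False, "found in compromised-credential corpus"
    return True, "ok"


if __name__ == "__main__":
    index = CompromisedCredentialIndex(SAMPLE_LEAKED_PASSWORDS)
    for candidate in ["Summer2017!", "short", "correct horse battery staple"]:
        accepted, reason = evaluate_new_password(candidate, index)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The policy function is where an enforcement point such as a directory password filter or an identity-management hook would plug in; the range query is what an SOC integration would call in bulk when flagging existing accounts, with the prefix split keeping the service from learning the checked value.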