Last Updated on March 16, 2023
You know passwords are a major security risk. Hackers love to use compromised passwords in credential stuffing and phishing attacks to take over business accounts and gain access to corporate networks. And users—65% of whom reuse passwords across multiple applications—love to play right into their hands.
What can you do to reduce your organization’s risk from compromised passwords?
To share the latest techniques to help organizations reset leaked credentials before hackers can exploit them, we invited Josh Amishav-Zlatin, Founder and Technical Director at BreachSense, to join a recent episode of The Virtual CISO Podcast. As always, the show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
A worst-case attack scenario
As a worst-case scenario of what hackers can do with just a leaked password, consider the recent Colonial Pipeline breach. All that gas price fluctuation and panic buying was caused by a single leaked password that had been reused for admin-level access to a Colonial VPN. After leveraging credential stuffing to infiltrate Colonial’s network, the attackers launched a highly successful ransomware attack. Colonial ended up shutting down business-critical systems, leaving the firm (among other things) unable to bill for the fuel in their pipeline.
Is MFA the answer?
If only they had multi-factor authentication (MFA) on that network, Colonial would have been OK… Right?
Not necessarily, says Josh: “It really depends how the MFA is implemented. This is an example that was relevant a couple of years ago, but there are applications that support hardware token MFA, which is generally thought to be significantly more secure than software-based MFA. But the application allowed you to log in through an iPad as well. iPads don’t have USB ports, and they obviously can’t support a security token. In which case, if you logged into the application via an iPad, you were able to bypass the MFA requirement, and then you were able to gain access, and you’d be able to… If you had breached credentials, you’d be able to get access. So that’s one example, which is something you have to be aware of.”
“MFA is a great solution, and it should be enabled wherever you can,” Josh qualifies. “But I’ve bypassed personally, as a pen tester, MFA on numerous occasions using phishing attacks. So, we’d set up like a fake login, send the phishing email to the employees in the organization. And then as long as you did it in real-time, we’d have 30 seconds or 60 seconds, however long before the MFA token timed out, that the user would put that in. We just grab it and put it in on our end, and then we’d be able to bypass it that way. So, MFA is great, but it doesn’t give you complete protection. You’ve just got to be aware of its limitations.”
You still need visibility on password risk
Even with MFA, you still need visibility on compromised passwords to block account takeovers. This is what the BreachSense service is all about.
What BreachSense does is reduce your exposure to password attacks by alerting you in near real-time when a password in use within your domain has been compromised, so that you can quickly and smoothly force a reset. This kind of intel is very challenging to distill from all the breach data “noise” out there, leaving most organizations with little to no visibility into this major risk vector.
Looking to reduce password-related risk? Don’t miss this podcast episode with Josh Amishav-Zlatin.