IBM Software
Thought Leadership White Paper
September 2014
Protecting corporate credentials against today’s threats
How proactively blocking credentials exposure can help close the door to cybercriminals
(wgw03071_usen)
Contents
Introduction
Targeting end users
The new threat landscape
Preventing corporate credentials theft
Conclusion
For more information
About IBM Security solutions
Introduction
Corporate credentials. They’re the keys to your enterprise and
more than likely you’ve taken many steps to protect them.
However, what many CISOs and security managers are finding
is that traditional approaches to preventing credentials theft—
from implementing stringent identity management policies to
deploying anti-malware software—are no longer sufficient as the
threat landscape changes.
Sophisticated and highly targeted spear phishing emails trick
employees into entering their credentials on convincing but
fraudulent websites. And increasingly complex password policies
are driving the very behavior companies are trying to prevent:
the reuse of corporate credentials on unapproved third party sites.
Cybercriminals know this and now regularly target third party
sites as they work to obtain employee log-in credentials and gain
access to intellectual property and sensitive corporate data.
The number of high-profile credentials thefts has made it evident
that a new approach to protecting corporate credentials is needed.
In this whitepaper, you’ll learn:
● Why stolen credentials are the first step in modern attacks, and the techniques criminals use to steal them.
● Why education and awareness programs alone can’t keep your employees from falling victim to sophisticated phishing, spear phishing and watering hole attacks.
● Why third party breaches are just as dangerous to your enterprise as targeted attacks.
● What steps you can take to prevent credentials threats in this new landscape.
● How IBM® Security Trusteer Apex™ Advanced Malware Protection software can help.
Targeting end users
For cybercriminals, corporate credentials represent the path of
least resistance as they work to gain access to corporate networks
and data. So it’s no surprise that stealing employee usernames
and passwords has become a primary focus for attackers.
In fact, investigations of current breaches reveal that lost or
stolen corporate credentials play a significant role in allowing
advanced threat success, with an estimated 76 percent of
network breaches due to lost or stolen credentials.1
And Forrester reports that two out of three of the top data
breach types last year involved corporate credentials.2 This
includes both authentication credentials, such as usernames and
passwords, along with personally identifiable information
(names, addresses, phone numbers, social security numbers, etc.)
that is often used in security challenge questions.
Today’s cybercriminals commonly steal usernames and passwords
through one of the following methods:
Malware
Attackers use various techniques to compromise user machines
with malware, from drive-by downloads to watering hole attacks
to infected USB drives and more. Key-logging components that
capture user keystrokes during login and send them to the
attacker are a standard feature of information-stealing malware
families.
Figure: Criminals attack the weakest link. Enterprise protection (firewall, intrusion prevention system, anti-virus gateway, encryption) is difficult for cybercriminals to breach; the employee, contractor and partner endpoints that stand between them and customer data and intellectual property are the easy path.
While the perception is that these attacks cast a wide net, the
reality is that they are often part of advanced persistent threats
targeted at specific companies or industries.
Investigations of recent credentials thefts have uncovered that in
each case—whether the user was sent a weaponized attachment
with an exploit or visited a compromised site—the event was
part of a planned and directed attack on the enterprise.
Phishing and spear phishing
In recent years, the FBI has issued warnings about the rise of
spear phishing attacks as part of larger advanced persistent
threats.
Here the goal is to trick users into revealing their credentials
rather than tricking their systems into downloading malware.
These emails lure employees to fraudulent websites that closely
resemble a website they trust. Once employees enter their login
and password information onto the phishing site, the credentials
are automatically sent to the attacker.
It only takes one employee to fall for a spear phishing email for
attackers to gain access to the corporate network. Once in,
attackers can easily increase their success using a trusted
employee account to obtain additional credentials and wider
access to applications and data.
Consider one attack in which spear phishing emails were sent to
a company’s employees directing them to a fake login page.
While most of the employees deleted the email, at least one
employee entered credentials on the phishing site. Security
personnel detected the attack and asked employees to reset their passwords.
However, knowing this, the attackers then launched a new spear
phishing attack, asking users to reset their passwords on a fake
password reset site.
This ultimately enabled the attackers to access not only a
number of corporate accounts, but also the organization’s social
media account. The attackers published their own content on
the site, promoting their cause and damaging the organization’s
reputation and brand in the process.
Third party breaches
As password complexity increases, employees are more likely to
reuse their usernames and passwords on e-commerce,
subscription and social media sites, despite corporate policy.
Because of this, cybercriminals have turned their focus to obtain
user information from popular websites, knowing there is a high
likelihood that those same credentials could be used for logging
in to other systems as well.
The headlines are full of high-profile breaches at leading
websites, some in which hundreds of millions of user accounts
were compromised. Significant new vulnerabilities, like the
Heartbleed bug in OpenSSL, which let an attacker read memory
from vulnerable TLS servers, including session data and passwords,
highlight the risk that companies face from password reuse. As
news of Heartbleed broke, the big question for companies was: if
a third party site is compromised, will we be part of the story?
The new threat landscape
Traditionally, companies protect corporate credentials in three
ways:
1. Stringent identity and access management policies and
solutions that guide password creation and use
2. Extensive employee education and awareness programs
regarding the risks and user responsibilities
3. Anti-malware and threat detection technologies
While each is critical in maintaining a strong security posture,
they are no longer sufficient for preventing credentials theft in
today’s landscape. In fact, in many highly publicized breaches,
each company affected had implemented the traditional
technologies and programs, and still lost corporate credentials
during an attack.
The reason: human behavior.
Attackers know it’s just a matter of time before an employee does
one of the following:
● Mistakenly clicks a link in an email and enters credentials into what appears to be a trusted website.
● Reuses his or her corporate credentials on third party sites, because one password is easier to remember than six or more.
● Unknowingly falls victim to a drive-by download, watering hole attack or infected USB drive.
As a result, one of the biggest challenges companies face in
protecting corporate credentials is enforcing existing policies
and preventing criminals from exploiting user behavior.
Increased password complexity increases likelihood of
password reuse
It’s common for corporate security policies today to require
employees to create eight-or-more-character passwords that
include uppercase and lowercase letters as well as digits and
symbols.
However, the more complex the password, the harder it is for
employees to remember, and this has created an unintended
consequence. As password strength has increased, so has the
likelihood that employees will reuse their passwords, or a
derivative of the same password, across both corporate and
non-corporate applications.
One study shows that up to 51 percent of users reuse their
credentials across sites, placing their companies at risk.3 Even
with education to help users create “secure but memorable
passwords,” reuse remains high.
Employee education can’t prevent human error
To help enforce password policies, IT and security organizations
have long delivered education awareness programs that teach
employees about the risk of password reuse and how to
safeguard their corporate credentials. However, most companies
have no way of enforcing these policies, or even knowing
whether employees follow them. As noted earlier, industry
statistics indicate that up to half of all employees don’t observe
these directives.
Even when employees are diligent about following policies,
cybercriminals know that one well-crafted spear phishing email,
using information gained from social engineering tactics, can
sometimes convince even a seasoned security expert.
Anti-malware software provides a false sense of security
Companies also use anti-malware software to help detect and
prevent malware-based threats, but this approach doesn’t prevent
credentials theft for two basic reasons.
First, cybercriminals are continually creating new malware, and,
occasionally, these new variants avoid detection. In fact, in one
publicized attack, a spear phishing email deployed advanced
malware on an employee’s system that circumvented the
company’s anti-malware software. The criminals gained access to
the user’s machine, captured his credentials, and accessed
corporate systems and applications as a result.
Second, cybercriminals don’t always use malware to steal an
employee’s credentials. They only need to trick users to enter
their username and password on a phishing site, and the result is
the same.
Preventing corporate credentials theft
Today, effectively preventing the theft of corporate credentials
by advanced threats requires three essential capabilities:
● Preventing malware from compromising the user system and, where malware evades detection, blocking its outbound communication so that captured keystrokes never reach the attacker.
● Validating that corporate credentials are used only to log in to approved corporate applications, whether those applications are hosted internally, delivered by a SaaS vendor or business partner, or run in the cloud.
● Automatically preventing corporate credentials from being sent to unauthorized sites. This helps stop users from submitting their credentials on phishing sites and from reusing corporate credentials on unapproved third party sites such as social networks.
By focusing on both the usage and the transmission of the
credentials themselves, companies can be more successful in
enforcing security policies and preventing credentials theft.
How IBM Security Trusteer Apex Advanced Malware
Protection can help
IBM Security Trusteer Apex Advanced Malware Protection
software offers a new threat prevention approach that provides
unparalleled protection against spear phishing, credentials theft
and advanced information-stealing malware. By monitoring how
and when corporate credentials are used, and automatically
preventing exposure, Trusteer Apex software helps companies
protect their corporate credentials as the threat landscape
evolves.
Unlike other approaches designed only to block malware,
Trusteer Apex software helps prevent advanced malware and
advanced persistent threats from compromising user endpoints
and includes special protections that help prevent corporate
credentials theft and exposure. These protections include:
● Helping block malware communications. Trusteer Apex software helps block malware and the malicious communications it generates, to help prevent corporate credentials exposure. Even if malware has infected an employee’s machine, blocking its outbound channel helps keep the user’s credentials from being exfiltrated.
● Helping prevent corporate password exposure on phishing sites. Trusteer Apex software helps protect employee credentials from phishing attacks by validating that employees submit their corporate credentials only to authorized login URLs. When a user attempts to submit enterprise credentials to an unauthorized URL, Trusteer Apex software requires the user to provide different credentials.
● Helping prevent reuse of corporate credentials on non-corporate sites. Trusteer Apex software also helps prevent employees from reusing their corporate credentials to access public sites, such as e-commerce and social media sites. The software monitors when corporate credentials are used and can require users to change their credentials before logging in to a non-approved website. As a result, organizations can support access to both corporate and approved third party SaaS and cloud applications while preventing exposure on unauthorized sites.
Delivered as a lightweight software agent and deployed through
the IBM cloud, Trusteer Apex software transparently runs on
both managed and unmanaged endpoints (including consultants
and partner endpoints) to help protect corporate credentials
without impacting performance or access.
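The decision flow that the three capabilities under “Preventing corporate credentials theft” and the protections listed above both describe (detect the credential submission, validate the destination, then allow or block) is shown here as an added worked example. This is illustration code written for this page, not IBM’s or Trusteer Apex’s own implementation. Everything in it is assumed: the allowlist of authorized login URLs (`AUTHORIZED_LOGINS`), the catalogue of known public sites, the keyed-hash fingerprint used to recognize a corporate password without storing it, the per-device key and the sample submissions.

```python
"""Added example (not IBM's code): a small policy engine that models the
"detect submission / validate destination" decision described in the text.

Assumptions for this illustration: the allowlist of authorized login URLs,
the HMAC-keyed password fingerprint, the device key and the sample
submissions are all constructed here; none come from the white paper or
from Trusteer Apex."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

# Verdicts corresponding to the outcomes the text describes.
ALLOW = "allow"                    # corporate password sent to an authorized login URL
BLOCK_PHISHING = "block-phishing"  # corporate password sent to an unknown or lookalike host
BLOCK_REUSE = "block-reuse"        # corporate password sent to a known public site
IGNORE = "ignore"                  # password is not a corporate one; out of policy scope

# Assumed authorized login endpoints: exact (scheme, host) plus a path prefix,
# covering an internal app, a SaaS identity provider and a partner SSO page.
AUTHORIZED_LOGINS = (
    ("https", "login.example-corp.com", "/"),
    ("https", "example-corp.idp.example", "/"),
    ("https", "partner-portal.example.net", "/sso/"),
)

# Assumed catalogue of legitimate public sites where corporate reuse is forbidden.
KNOWN_PUBLIC_SITES = frozenset({"www.socialnet.example", "shop.example"})


@dataclass(frozen=True)
class Submission:
    url: str        # action URL the login form posts to
    username: str
    password: str


def password_fingerprint(password: str, device_key: bytes) -> str:
    """Keyed hash of the password alone, so the agent never stores the plaintext
    and reuse is caught even when the public site uses a different username."""
    return hmac.new(device_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def is_authorized_login(url: str) -> bool:
    """Exact host match: 'login.example-corp.com.evil.example' and
    'https://login.example-corp.com@evil.example/' must not pass."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return any(
        parts.scheme == scheme and host == a_host and parts.path.startswith(prefix)
        for scheme, a_host, prefix in AUTHORIZED_LOGINS
    )


class CredentialPolicy:
    """Learns corporate password fingerprints from logins to authorized URLs,
    then blocks the same password anywhere else."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._corporate = set()   # fingerprints of passwords seen at authorized logins

    def observe(self, sub: Submission) -> str:
        fp = password_fingerprint(sub.password, self._key)
        if is_authorized_login(sub.url):
            self._corporate.add(fp)       # enrol on a legitimate corporate login
            return ALLOW
        if not any(hmac.compare_digest(fp, known) for known in self._corporate):
            return IGNORE                 # a personal password; not our concern
        host = (urlsplit(sub.url).hostname or "").lower()
        return BLOCK_REUSE if host in KNOWN_PUBLIC_SITES else BLOCK_PHISHING


def run_demo():
    """Constructed sample of one user's submissions; returns the verdict list."""
    policy = CredentialPolicy(device_key=b"per-device-secret-generated-at-install")
    events = [
        Submission("https://login.example-corp.com/auth", "alice", "Summer2014!"),
        Submission("https://example-corp.idp.example/login", "alice", "Summer2014!"),
        Submission("https://login.example-corp.com.evil.example/auth", "alice", "Summer2014!"),
        Submission("https://login.example-corp.com@evil.example/", "alice", "Summer2014!"),
        Submission("http://login.example-corp.com/auth", "alice", "Summer2014!"),
        Submission("https://www.socialnet.example/login", "alice@mail.example", "Summer2014!"),
        Submission("https://www.socialnet.example/login", "alice@mail.example", "cat-photos-42"),
    ]
    return [policy.observe(e) for e in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Two design points matter in practice. The fingerprint covers the password only, because an employee typically signs in to a social or shopping site with a personal email address, so a username-bound fingerprint would miss exactly the reuse the text warns about. And because the engine enrols whatever is typed at an authorized login URL, a production agent would only enrol after the corporate login succeeds, otherwise a mistyped password becomes a “corporate” fingerprint; an exact hash also cannot catch the “derivative of the same password” case the text mentions, which needs a similarity check rather than equality.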
Conclusion
Recent attacks have demonstrated that traditional identity
management policies, user education programs and threat
detection technologies don’t fully protect corporate credentials
against evolving threats. As a result, while companies may be in
compliance with regulatory and industry requirements, they still
may be vulnerable.
Advanced malware that circumvents anti-malware software,
sophisticated phishing attacks using social engineering tactics,
and vulnerabilities in third party networks have all been linked
to cases of credentials theft.
Without the ability to automatically prevent phishing and the
reuse of corporate credentials on non-corporate sites, companies
are at risk. Trusteer Apex software offers a new approach to
protecting corporate credentials that focuses on prevention—
helping companies block transmission before employee
credentials are compromised.
For more information
To learn more about protecting corporate credentials and
IBM Security Trusteer Apex software, please contact your
IBM representative or IBM Business Partner, or visit the
following website: ibm.com/security
About IBM Security solutions
IBM Security offers one of the most advanced and integrated
portfolios of enterprise security products and services. The
portfolio, supported by world-renowned IBM X-Force®
research and development, provides security intelligence to help
organizations holistically protect their people, infrastructures,
data and applications, offering solutions for identity and access
management, database security, application development, risk
management, endpoint management, network security and
more. These solutions enable organizations to effectively
manage risk and implement integrated security for mobile,
cloud, social media and other enterprise business architectures.
IBM operates one of the world’s broadest security research,
development and delivery organizations, monitors 13 billion
security events per day in more than 130 countries, and holds
more than 3,000 security patents.
Figure: IBM Security Trusteer Apex software specifically protects employee credentials, a prime target for cybercriminals. When the user enters a password, the agent detects the submission and validates the destination: a submission to an authorized site (the legitimate corporate site) is allowed, while credentials theft via a phishing site and corporate credential reuse on an unauthorized legitimate site are blocked.