These findings are significant, as compromised credentials continue to be used for spear phishing attacks and other cyber attacks. All businesses should take the threat of leaked credentials seriously and should leverage mechanisms to monitor for these types of compromises.
Many of you may have seen a great deal of bluster in the mainstream media and general-interest IT circles over the last few days concerning the possible breach and release of tens of millions of Google, Yahoo, and Microsoft credentials. This breach was attributed to a Russian hacker after a huge, low-cost dump of credentials flooded the black market. I have personally seen multiple emails and alerts floating around the Internet from “experts” spreading large quantities of FUD (Fear, Uncertainty and Doubt), claiming that passwords should be rotated immediately, not only for Google, Yahoo, and Microsoft, but also for any other systems that might use the same or similar credentials. Fortunately, professionals in the IT Security community saw through this hoax fairly quickly and never raised the red flag. The data dump in question quickly proved to be more than 98% dummy data. Even on the black market, too good to be true usually means it is not what it appears to be.
So what should be the takeaways and lessons learned from this type of event? We can certainly learn a great deal from these types of false alarms. Here are a few of my thoughts and suggestions:
- Don’t overreact – Wait for the IT Security professionals and the vendors in question to weigh in before assuming that all is lost. Google, Yahoo and Microsoft were quick to verify the data was false and confirm that a breach had not occurred. Though I am never against periodically rotating passwords, sometimes these hoaxes are designed to fuel a mass password change panic which is then exploited by phishing attacks and other credential harvesting techniques by the bad guys.
- Don’t focus only on passwords – Consider utilizing multi-factor authentication for web mail and social media accounts. Twitter, LinkedIn, Google, Yahoo, Microsoft and others all support free multi-factor authentication mechanisms as a protection against the theft of usernames and passwords. Multi-factor authentication basically means that in order to sign into a service, whether from your PC or your mobile device, you must present something you know (your username and password) and something you have (a code sent to your smartphone by text message, or a token). This type of protection can buy you the time you need to investigate alerts, since a stolen username and password alone are not enough to sign in.
- Lessen the impact of lost credentials – Always use separate passwords for different services and accounts. In the event a credential is lost or compromised, you are only exposed for that one service or resource. I fully realize this strategy creates some overhead in managing lots of usernames and passwords, but fortunately there are many great password management tools on the market today to help remedy this problem. I am personally a fan of tools like 1Password and LastPass.
- Have good resources on standby to help – IT Security is an ever-evolving, specialized field. Make sure your IT services team has expertise on staff and is ready to help. Consider finding trusted sources you can follow via an RSS feed or Twitter to know what is really going on in the world of IT security, so that you can better differentiate between the hoaxes and the real threats.
This is a great example of the need to have robust file integrity monitoring in place for sensitive web-facing systems.
These are very good and sound tips that can also be easily integrated into exception-based SIEM alerting and reporting. I believe the time and effort to configure and monitor is well worth it. Be alert!