Fighting back against credential theft

David Higgins, Technical Director: EMEA, CyberArk.

Comedian Jerry Seinfeld often told a joke on how to secure your home. He recommended putting in six locks but then only locking three of them. When the would-be burglar picks the locks, they'd always end up locking three of them in the process!

Of course, security does not work that way. But the punchline plays on a fact: the easiest way to break into anything is to have the key. In cyber security and digital environments, that key is inevitably a user's credentials. And much like a key and lock, user credentials began in an era when perimeters defined security. That has all changed, says David Higgins, Technical Director: EMEA at CyberArk: "If we look at the factors changing modern security, three stand out: The cloud, remote working and third party access. Each reaches beyond the traditional company perimeter and, as such, the traditional digital fortifications cyber security relies on. Specifically, it's causing some problems in terms of user credentials. Those are now effectively in the wild and outside of that carefully created safe zone inside the perimeter."

If an employee arrives at work, sits at their desk and logs in, they are likely who they claim to be. But when someone logs in remotely or into a cloud service, it's not nearly as certain they are the authorised individual. And if they are from a third party, such as a software supplier, security administrators have even less control. In many cases, they simply trust the third party with a minimum of diligence – a perilous choice, as the SolarWinds hack demonstrated.

Cyber criminals exploit this gap: according to CyberArk's The CISO View 2021 Survey: Zero Trust and Privileged Access report, 97% of respondents said credential theft is on the rise. Criminals are taking advantage of remote workers, who often lack the layers of security and the easy access to IT staff they would have at the office. There is also a distinct rise in phishing attacks targeting specific individuals such as senior staff (a practice called spear phishing).

Credential theft has long been the cyber criminal's preferred means of breaking into systems. In the 1992 movie Sneakers, a team of security experts steals a password by using binoculars to watch a user's keyboard. Today's criminals rely on tactics such as phishing and malware.

A matter of trust

Criminals have realised that credentials – the digital keys to open cyber security locks – are particularly vulnerable and lacking safeguards.

But it's possible to fight fire with fire. If criminals target credentials, then it's time to weaponise credentials through zero trust, explains Higgins: "Identity security is quickly emerging as the primary line of defence for most organisations, because it allows security teams to tailor each user's access proportionately based on the needs of their job role. Underpinning this model is zero trust – the practice of treating all accounts with the same minimal level of access until authenticated."

Zero trust is part technology but primarily a philosophy. Today's user accounts are likely to have many more nuanced and individual permissions assigned to them. These permissions are typically based on job functions instead of blanket permissions that are more common in traditional security environments.

Under normal circumstances, such granular levels of permission would make it harder to manage security. Zero trust addresses that by taking a very user- and behaviour-centric approach to credentials. For example, zero trust discourages the practice of permanent or standing access to information, data and assets, instead granting access only when it is needed. Reflecting this advice, 87% of surveyed CIOs classed the reduction of standing privileges as "important" or "very important".
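The following is an added illustration, not code from the article or from CyberArk, of what replacing standing privileges with just-in-time access looks like in practice. The role catalogue, the one-hour policy maximum and the change-ticket reason are constructed assumptions; the point is that a user holds no elevated permission by default, receives a scoped grant bounded by an expiry, and loses it automatically, with every grant and expiry written to an audit trail.

```python
"""Hypothetical just-in-time (JIT) privilege broker, constructed for illustration.

A user requests elevation to a job-function role for a bounded duration.
Every permission check re-validates the expiry, so access stops on its own
without an administrator having to remember to revoke it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: job functions mapped to the minimum permissions they need.
ROLE_PERMISSIONS = {
    "helpdesk": {"user:reset_password", "ticket:read"},
    "dba": {"db:read", "db:write", "db:backup"},
    "viewer": {"ticket:read"},
}


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    reason: str


@dataclass
class JitAccessBroker:
    # Policy ceiling on how long a single elevation may last (assumed value).
    max_duration: timedelta = timedelta(hours=1)
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, user: str, role: str, reason: str,
                duration: timedelta, now: datetime) -> Grant:
        """Issue a time-bound grant of one role; rejects unknown roles and over-long requests."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if duration > self.max_duration:
            raise ValueError("requested duration exceeds policy maximum")
        grant = Grant(user, role, now + duration, reason)
        self.grants[(user, role)] = grant
        self.audit.append(("grant", user, role, now.isoformat(), reason))
        return grant

    def _expire(self, now: datetime) -> None:
        """Drop every grant whose expiry has passed, recording the expiry in the audit log."""
        for key, grant in list(self.grants.items()):
            if grant.expires_at <= now:
                del self.grants[key]
                self.audit.append(("expire", grant.user, grant.role, now.isoformat(), ""))

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        """True only if the user holds a still-valid grant whose role includes the permission."""
        self._expire(now)
        return any(
            u == user and permission in ROLE_PERMISSIONS[role]
            for (u, role) in self.grants
        )


if __name__ == "__main__":
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitAccessBroker()
    print("before grant:", broker.is_allowed("alice", "db:write", t0))
    broker.request("alice", "dba", "CHG-0001 (constructed ticket id)",
                   timedelta(minutes=30), t0)
    print("10 min later:", broker.is_allowed("alice", "db:write", t0 + timedelta(minutes=10)))
    print("31 min later:", broker.is_allowed("alice", "db:write", t0 + timedelta(minutes=31)))
    for entry in broker.audit:
        print(entry)
```

Because `is_allowed` purges expired grants on every call rather than relying on a background job, a grant that has lapsed can never be used, even if the revocation scheduler is down; the audit list gives the security team the record the article says is needed to apply and monitor permissions.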

Trust that evolves with security needs

Zero trust incorporates just-in-time responses and management tools that make it easier for security teams to apply and monitor permissions to credentials. Zero trust also evolves with new capabilities. For example, some companies use artificial intelligence to spot strange behaviours, such as users accessing systems at strange times or from unusual locations.
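As an added example that is not part of the article or any CyberArk product, here is the simplest form of the behavioural check described above: build a per-user baseline of sign-in hours and countries from historical events, then score new events against it. The event records, user names and countries are constructed, and the scoring weights and the alert threshold are assumptions; a real deployment would learn its baseline from an identity provider's sign-in log.

```python
"""Baseline-based detection of unusual sign-in times and locations (constructed example).

Each user's baseline is the set of UTC hours and countries seen in history.
A new event scores 1 for an hour more than one hour away from anything seen
before, 2 for a never-seen country, and 3 when the user has no baseline at all.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history: (user, ISO timestamp in UTC, country code).
HISTORY = [
    ("alice", f"2021-05-0{day}T{hour:02d}:15:00", "GB")
    for day in (3, 4, 5) for hour in (8, 10, 12, 14, 16, 17)
] + [
    ("bob", f"2021-05-0{day}T{hour:02d}:40:00", "US")
    for day in (3, 4, 5) for hour in (13, 15, 18, 20, 22)
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "2021-05-10T11:05:00", "GB"),    # normal hour, normal country
    ("alice", "2021-05-10T03:05:00", "GB"),    # unusual hour only
    ("alice", "2021-05-10T11:05:00", "RU"),    # unseen country
    ("bob", "2021-05-10T04:30:00", "BR"),      # unusual hour and unseen country
    ("mallory", "2021-05-10T11:05:00", "GB"),  # no baseline for this user
]

HOUR_TOLERANCE = 1  # assumed: an hour adjacent to a seen hour is still normal


def build_baseline(events):
    """Collect the hours of day and countries each user has signed in from."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
        baseline[user]["countries"].add(country)
    return dict(baseline)


def score_event(baseline, user, ts, country):
    """Return (risk score, reasons) for one sign-in event."""
    profile = baseline.get(user)
    if profile is None:
        return 3, ["no sign-in baseline for user"]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if not any(abs(hour - seen) <= HOUR_TOLERANCE for seen in profile["hours"]):
        score += 1
        reasons.append(f"unusual hour {hour:02d}:00 UTC")
    if country not in profile["countries"]:
        score += 2
        reasons.append(f"unseen country {country}")
    return score, reasons


def flag_events(baseline, events, threshold=2):
    """Return alert records for events whose score meets the threshold."""
    alerts = []
    for user, ts, country in events:
        score, reasons = score_event(baseline, user, ts, country)
        if score >= threshold:
            alerts.append({"user": user, "time": ts, "country": country,
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for alert in flag_events(base, NEW_EVENTS):
        print(alert)
```

The threshold is what decides whether an odd hour alone pages someone; at the assumed value of 2 it does not, but an odd hour combined with a new country does. Pairing such a score with the just-in-time model, so that a high-risk sign-in blocks or shortens elevation rather than only raising an alert, is where the "evolving" part of zero trust the article describes comes in.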

The concept of zero trust is not new. It was first coined in 2010 and has been a buzzing phrase for several years. Until recently, it was ahead of its time. Yet the combination of remote working, the cloud and third-party access is graduating zero trust from a good idea to best practice.

"The need to protect privileged credentials won't disappear any time soon, particularly as we continue to feel the reverberations from the SolarWinds attack," says Higgins. "Organisations must stop attackers from gaining high-level access, and as new identities multiply, it's clear their approach to identity security must be based on a strong zero-trust foundation. It's paramount for security leaders seeking to mitigate the risks of spear-phishing, impersonation attacks and other forms of compromise, in a world of evolving threats."

Putting more locks on digital doors is not enough. Criminals are after the keys – credentials – and zero trust is how companies can ensure that those stop working if they fall into the wrong hands. As security becomes more decentralised, zero trust is how we can fight back against credential theft.