Protecting corporate credentials against today’s threats

IBM Software Thought Leadership White Paper, September 2014

How proactively blocking credentials exposure can help close the door to cybercriminals


Contents

Introduction
Targeting end users
The new threat landscape
Preventing corporate credentials theft
Conclusion
For more information
About IBM Security solutions

Introduction

Corporate credentials. They’re the keys to your enterprise, and more than likely you’ve taken many steps to protect them.

However, what many CISOs and security managers are finding is that traditional approaches to preventing credentials theft—from implementing stringent identity management policies to deploying anti-malware software—are no longer sufficient as the threat landscape changes.

Sophisticated and highly directed spear phishing emails are tricking employees into entering their credentials on very convincing, yet fraudulent, websites. And increasingly complex password policies are driving the user behaviors that companies are trying to prevent—the reuse of corporate credentials on unapproved third party sites.

Cybercriminals know this and now regularly target third party sites as they work to obtain employee log-in credentials and gain access to intellectual property and sensitive corporate data.

It has become evident by the number of high-profile credentials thefts that a new approach is needed to protect corporate credentials.

In this whitepaper, you’ll learn:

●● Why credentials are the first steps in modern attacks and the techniques criminals use to steal user credentials.

●● Why education and awareness programs can’t keep your employees from falling victim to sophisticated phishing, spear phishing, and watering hole attacks.

●● Why third party attacks are just as dangerous as targeted attacks to your enterprise.

●● What steps you can take to prevent credentials threats in this new landscape.

●● And how IBM® Security Trusteer Apex™ Advanced Malware Protection software can help.

Targeting end users

For cybercriminals, corporate credentials represent the path of least resistance as they work to gain access to corporate networks and data. So it’s no surprise that stealing employee usernames and passwords has become a primary focus for attackers.

In fact, investigations of current breaches reveal that lost or stolen corporate credentials play a significant role in the success of advanced threats, with an estimated 76 percent of network breaches due to lost or stolen credentials.1

And Forrester reports that two out of three of the top data breach types last year involved corporate credentials.2 This includes both authentication credentials, such as usernames and passwords, along with personally identifiable information (names, addresses, phone numbers, social security numbers, etc.) that is often used in security challenge questions.

Today’s cybercriminals commonly steal usernames and passwords through one of the following methods:

Malware

Attackers use various techniques to compromise user machines with malware—from drive-by downloads to watering hole attacks to infected USB drives and more. Key-logging features that capture user keystrokes during login and send the information to the attacker are found in almost every malware family today.

[Figure: Criminals attack the weakest link. Labels: Cybercriminals; Employees / Contractors / Partners; Customer Data & Intellectual Property; Employee Protection; Enterprise Protection (Firewall, Intrusion Prevention System, Anti-Virus Gateway, Encryption); Easy; Difficult.]

While the perception is that these attacks cast a wide net, the reality is that they are often part of advanced persistent threats targeted at specific companies or industries.

Investigations of recent credentials thefts have uncovered that in each case—whether the user was sent a weaponized attachment with an exploit or visited a compromised site—the event was part of a planned and directed attack on the enterprise.

Phishing and spear phishing

In recent years, the FBI has issued warnings about the rise of spear phishing attacks as part of larger advanced persistent threats.

Here, the goal is to trick users into revealing their credentials, rather than to trick systems into downloading malware.

These emails lure employees to fraudulent websites that closely resemble a website they trust. Once employees enter their login and password information onto the phishing site, the credentials are automatically sent to the attacker.

It only takes one employee to fall for a spear phishing email for attackers to gain access to the corporate network. Once in, attackers can easily increase their success using a trusted employee account to obtain additional credentials and wider access to applications and data.

Consider one attack in which spear phishing emails were sent to a company’s employees directing them to a fake login page. While most of the employees deleted the email, at least one employee logged into the exploit site. Security personnel detected the attack and asked employees to reset their passwords. However, knowing this, the attackers then launched a new spear phishing attack, asking users to reset their passwords on a fake password reset site.

This ultimately enabled the attackers to access not only a number of corporate accounts, but also the organization’s social media account. The attackers published their own content on the site, promoting their cause and damaging the organization’s reputation and brand in the process.

Third party breaches

As password complexity increases, employees are more likely to reuse their usernames and passwords on e-commerce, subscription and social media sites, despite corporate policy.

Because of this, cybercriminals have turned their focus to obtaining user information from popular websites, knowing there is a high likelihood that those same credentials could be used for logging in to other systems as well.

The headlines are full of high-profile breaches on leading websites, some in which hundreds of millions of user accounts were compromised. Significant new vulnerabilities, like the Heartbleed bug, highlight the risk that companies face from password reuse. As news of Heartbleed broke, the big question for companies was: If a third party site is compromised, will we be part of the story?

The new threat landscape

Traditionally, companies protect corporate credentials in three ways:

1. Stringent identity and access management policies and solutions that guide password creation and use

2. Extensive employee education and awareness programs regarding the risks and user responsibilities

3. Anti-malware and threat detection technologies

While each is critical in maintaining a strong security posture, they are no longer sufficient for preventing credentials theft in today’s landscape. In fact, in many highly publicized breaches, each company affected had implemented the traditional technologies and programs, and still lost corporate credentials during an attack.

The reason: human behavior.

Attackers know it’s just a matter of time before an employee does one of the following:

●● Mistakenly clicks on a link in an email and enters credentials in what appears to be a trusted website.

●● Reuses his or her corporate credentials on third party sites, because it’s easier to remember one password instead of six passwords or more.

●● Unknowingly falls victim to a drive-by download, watering hole attack or infected USB drive.

As a result, one of the biggest challenges companies face in protecting corporate credentials is in enforcing existing policies and preventing criminals from exploiting user behavior.

Increased password complexity increases likelihood of password reuse

It’s common for corporate security policies today to require employees to create eight-or-more-character passwords that include uppercase and lowercase letters as well as digits and symbols.

However, the more complex the password, the harder it is for employees to remember, and this has created an unintended consequence. As password strength has increased, so has the likelihood that employees will reuse their passwords, or a derivative of the same password, across both corporate and non-corporate applications.

One study shows that up to 51 percent of users reuse their credentials across sites, placing their companies at risk.3 Even with education to help users create “secure but memorable passwords,” reuse remains high.

Employee education can’t prevent human error

To help enforce password policies, IT and security organizations have long delivered education awareness programs that teach employees about the risk of password reuse and how to safeguard their corporate credentials. However, most companies have no way of enforcing these policies, or even knowing whether employees follow them. As noted earlier, industry statistics indicate that up to half of all employees don’t observe these directives.

Even when employees are diligent about following policies, cybercriminals know that one well-crafted spear phishing email, using information gained from social engineering tactics, can sometimes convince even a seasoned security expert.

Anti-malware software provides a false sense of security

Companies also use anti-malware software to help detect and prevent malware-based threats, but this approach doesn’t prevent credentials theft for two basic reasons.

First, cybercriminals are continually creating new malware, and, occasionally, these new variants avoid detection. In fact, in one publicized attack, a spear phishing email deployed advanced malware on an employee’s system that circumvented the company’s anti-malware software. The criminals gained access to the user’s machine, captured his credentials, and accessed corporate systems and applications as a result.

Second, cybercriminals don’t always use malware to steal an employee’s credentials. They only need to trick users into entering their username and password on a phishing site, and the result is the same.

Preventing corporate credentials theft

Today, effectively preventing the theft of corporate credentials from advanced threats requires the following three essential capabilities:

●● Preventing malware from compromising the user system, and, in cases where malware avoids detection, helping prevent malware from communicating out to expose corporate credentials. This preempts malware communication from sending stolen keystrokes to a cybercriminal.

●● Validating that corporate credentials are used only to log in to approved corporate applications—whether those applications are hosted internally, or delivered by a SaaS vendor or business partner, or through the cloud.

●● Automatically preventing corporate credentials from being sent to unauthorized sites. This can help prevent users from submitting their credentials on phishing sites, as well as help stop the reuse of corporate credentials on unapproved third party sites, such as social networks.

By focusing on both the usage and transmission of the credentials themselves, companies can realize greater success in enforcing security policies and preventing credentials theft.
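The second and third capabilities above amount to a destination check at the moment a corporate password is submitted. The sketch below is an added example, not code from IBM or from Trusteer Apex; the host names, the sample password and the function names are constructed for illustration, and the allowlist is assumed to be maintained by the security team.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed allowlist of approved login origins: (scheme, host, port).
APPROVED_LOGIN_ORIGINS = {
    ("https", "sso.corp.example", 443),
    ("https", "login.saas-vendor.example", 443),
}

# The checker keeps only a salted, slow hash of the corporate password,
# never the plaintext. Salt and password here are constructed sample values.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


CORPORATE_VERIFIER = _derive("Corp-Demo-Passw0rd!")


def is_corporate_password(candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored verifier."""
    return hmac.compare_digest(_derive(candidate), CORPORATE_VERIFIER)


def origin_of(url: str):
    """Return (scheme, host, port), or None when the URL cannot be trusted."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any "user@" prefix and lowercases the host, so
        # "https://sso.corp.example@other.example/" resolves to other.example.
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    if not host or parts.scheme not in ("http", "https"):
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


def decide(destination_url: str, submitted_password: str) -> str:
    """Return 'ignore' (not a corporate password), 'allow' or 'block'."""
    if not is_corporate_password(submitted_password):
        return "ignore"
    if origin_of(destination_url) in APPROVED_LOGIN_ORIGINS:
        return "allow"
    return "block"
```

Matching on the exact parsed origin, rather than on a substring of the URL, is what keeps look-alike hosts and plain-HTTP copies of an approved site out of the allowlist.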

How IBM Security Trusteer Apex Advanced Malware Protection can help

IBM Security Trusteer Apex Advanced Malware Protection software offers a new threat prevention approach that provides unparalleled protection against spear phishing, credentials theft and advanced information-stealing malware. By monitoring how and when corporate credentials are used, and automatically preventing exposure, Trusteer Apex software helps companies protect their corporate credentials as the threat landscape evolves.

Unlike other approaches designed only to block malware, Trusteer Apex software helps prevent advanced malware and advanced persistent threats from compromising user endpoints and includes special protections that help prevent corporate credentials theft and exposure. These protections include:

●● Helping block malware communications. Trusteer Apex software helps block malware and malicious communications from malware to help prevent corporate credentials exposure. Even if malware has infected an employee’s machine, the user’s credentials can’t be exfiltrated.

●● Helping prevent corporate password exposure on phishing sites. Trusteer Apex software helps protect employee credentials from phishing attacks by validating that employees are submitting their credentials only to authorized login URLs. When users attempt to submit their enterprise credentials to an unauthorized URL, Trusteer Apex software will require the user to provide different credentials.

●● Helping prevent re-use of corporate credentials on non-corporate sites. Trusteer Apex software also helps prevent corporate employees from re-using their corporate credentials to access public sites, such as ecommerce and social media sites. The software monitors when corporate credentials are used and can require users to change their credentials before logging in to a non-approved website. As a result, organizations can easily support access to both corporate and approved third party SaaS and cloud applications, while preventing exposure on unauthorized sites.

Delivered as a lightweight software agent and deployed through the IBM cloud, Trusteer Apex software transparently runs on both managed and unmanaged endpoints (including consultants and partner endpoints) to help protect corporate credentials without impacting performance or access.

Conclusion

Recent attacks have demonstrated that traditional identity management policies, user education programs and threat detection technologies don’t fully protect corporate credentials against evolving threats. As a result, while companies may be in compliance with regulatory and industry requirements, they still may be vulnerable.

Advanced malware that circumvents anti-malware software, sophisticated phishing attacks using social engineering tactics, and vulnerabilities in third party networks have all been linked to cases of credentials theft.

Without the ability to automatically prevent phishing and the reuse of corporate credentials on non-corporate sites, companies are at risk. Trusteer Apex software offers a new approach to protecting corporate credentials that focuses on prevention—helping companies block transmission before employee credentials are compromised.

For more information

To learn more about protecting corporate credentials and IBM Security Trusteer Apex software, please contact your IBM representative or IBM Business Partner, or visit the following website: ibm.com/security

About IBM Security solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

IBM Security Trusteer Apex software specifically protects employee credentials—a prime target for cybercriminals.

[Figure. Panels: Legitimate corporate site; Credentials theft via phishing; Corporate credential reuse. Labels: Enter password; Detect submission; Validate destination; Submit: Allow; Authorized site; Phishing site; Unauthorized legitimate site.]

© Copyright IBM Corporation 2014

IBM Corporation Software Group Route 100 Somers, NY 10589

Produced in the United States of America September 2014

IBM, the IBM logo, ibm.com, and Trusteer Apex are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary. It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

1 Verizon. “2013 Verizon Data Breach Investigations Report.” Retrieved from: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

2 Eve Maler, Andras Cser with Stephanie Balaouras, and Jennie Duong, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 of 2”, Forrester, December 30, 2013. As presented at: http://buildingtrust.trusteer.com/Unseen-Challenges-Forrester-Webinar_March2014_Recording

3 Anupam Das (University of Illinois at Urbana-Champaign), Joseph Bonneau (Princeton University), Matthew Caesar (University of Illinois at Urbana-Champaign), Nikita Borisov (University of Illinois at Urbana-Champaign), and XiaoFeng Wang (Indiana University at Bloomington), “The Tangled Web of Password Reuse”; NDSS ’14, 23-26 February 2014, San Diego, CA, USA. Retrieved from: http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf

WGW03071-USEN-00