Credential Stuffing – The Latest and Greatest Way Cyber Crooks May Be Targeting You

You have to hand it to cyber-criminals. They keep finding new and innovative ways to do the same old thing: rob you.

And what they are after is the coin of the realm in today’s world: Data. It’s like a bucket of gold with a “Take Me” sign on it. And worst of all, you may not even know it’s happening.

Credential Stuffing. What Is It?

It’s a relatively new form of cyber attack where hackers assault a targeted website with stolen logins, and in doing so, they attempt to gain access to online accounts. This gives them access to your Cloud Data, your databases, financial info and more.

Worse, this new cyber infiltration even has the big boys’ heads spinning. A perfect example is Yahoo. They had two of the largest credential thefts in history. And you know that if a sophisticated company like Yahoo can be hacked, you can easily be hacked.

However, you can protect yourself, and in some cases, do it better than the big guys. So think carefully about what you can learn here. Credential Stuffing is something you cannot afford to overlook and you really must look out for it.

How It Works

It’s not all that complicated to understand. Hackers enter a huge number of emails, passwords and usernames and barrage a targeted website until one or some of them stick. On a massive level it can be akin to the old, try and try again, until you get in. Once they do gain access they are free to roam around an existing account until they find what they are looking for.
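How a defender can spot the pattern described above in authentication logs, as an added example that is not part of the original article: it flags a source IP that tries many different accounts with mostly failed logins inside a short window, and lists any account that did log in from that IP. The log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them against real traffic.
WINDOW = timedelta(minutes=5)   # look-back window per source IP
MIN_USERS = 5                   # distinct accounts tried from one IP
MIN_FAIL_RATIO = 0.8            # share of attempts in the window that failed

# Constructed sample events (not real logs): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 bob@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 carol@example.com OK
2024-05-01T10:00:07Z 203.0.113.7 dave@example.com FAIL
2024-05-01T10:00:09Z 203.0.113.7 erin@example.com FAIL
2024-05-01T10:00:11Z 203.0.113.7 frank@example.com FAIL
2024-05-01T10:00:13Z 203.0.113.7 grace@example.com FAIL
2024-05-01T10:01:00Z 198.51.100.20 heidi@example.com FAIL
2024-05-01T10:01:10Z 198.51.100.20 heidi@example.com FAIL
2024-05-01T10:01:20Z 198.51.100.20 heidi@example.com FAIL
2024-05-01T10:01:30Z 198.51.100.20 heidi@example.com OK
2024-05-01T10:02:00Z 192.0.2.50 ivan@example.com OK
2024-05-01T10:02:05Z 192.0.2.50 judy@example.com OK
2024-05-01T10:02:10Z 192.0.2.50 kim@example.com FAIL
2024-05-01T10:02:15Z 192.0.2.50 kim@example.com OK
2024-05-01T10:02:20Z 192.0.2.50 leo@example.com OK
2024-05-01T10:02:25Z 192.0.2.50 mia@example.com OK
"""

def parse(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result == "OK"

def detect(log_text):
    """Return {ip: {"users": set, "compromised": set}} for suspicious sources."""
    windows = defaultdict(deque)   # ip -> recent (ts, account, succeeded)
    findings = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, user, ok in events:
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:      # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if not o)
        # Many accounts + mostly failures = stuffing. One user retyping a
        # password (one account) or a busy office NAT (mostly successes) is not.
        if len(users) >= MIN_USERS and fails / len(win) >= MIN_FAIL_RATIO:
            f = findings.setdefault(ip, {"users": set(), "compromised": set()})
            f["users"] |= users
            f["compromised"] |= {u for _, u, o in win if o}
        elif ip in findings and ok:
            # Once a source is flagged, any later success from it is suspect.
            findings[ip]["compromised"].add(user)
    return findings

if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, "tried", len(f["users"]), "accounts; reset:", sorted(f["compromised"]))
```

Accounts listed under `compromised` are the ones to lock and force a password reset on, since the login succeeded with a reused credential.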

Can This Infiltration Method Apply to You?

It could. Credential stuffing is now the number one method of cyber attack. A Verizon Data Breach Investigations Report of 2017 revealed a frightening statistic: 81% of surveyed organizations had hacker-related cyber breaches where an unauthorized person was able to break in using stolen or weak and easily accessed passwords. This percentage is a huge increase from their 2016 report that showed only 18% had some type of data breach infiltration. Those percentages look bad, but the numbers they represent are even worse. Three billion records were leaked on the dark web last year. In fact, when we have gotten a chance to talk to the cyber security pros, they admit that credential stuffing has quickly outpaced other methods and has become their number one priority.

How Do They Do It?

There are about 4 common ways cyber thieves and hackers get their hands on your info.

  1. They steal your databases. That’s the easiest thing for them to do. Usernames and passwords are readily available on the dark web. If you are unfamiliar with the dark web it is the place where anything from illegal drugs to hit men can be found. Studies have shown a veritable supermarket of passwords and logins for sale there. They are placed there for sale in bulk after they are stolen from companies like Dropbox. Hackers or other nefarious agents can buy, sell and trade these emails that offer access to millions of accounts that they can use in their planned attack.
  2. Leaks. Leaks happen more often than you may think. For instance, they might occur when data is transferred either internally or externally to a data center. These leaks are normally accidental and unintentional but they are a prime source of names and password theft.
  3. Going Phishing. Spamming targets with emails that connect to phishing links is not as common, but it happens enough to make it worth your attention. When a phisherman lands you, he can get plain text usernames and logins, which are much easier to hack, and use them to get access to your data.
  4. Botnets Are Another Way of Infiltration. Botnets and browser injectors increase the ability of attackers to breach your data security. Simply put, they gather and amass login data each time a user enters their information into online fields. Once in, the botnets are implanted into the compromised browser and automatically capture shared information. These methods are easily and often overlooked because a compromised browser doesn’t know the botnet is even there.

What, If Anything Can These Infiltrations Do to You?

Even the big boys like Sony, Amazon and eBay have been reeled in and breached by cyber criminals. They often get in by exploiting an employee’s personal communications, contacts and friends lists. This allows them to easily jump over any computer security firewall.

How Bad Could It Get?

Credential Stuffing will impact more than individuals because individual users often give hackers access to other data. Joe@businessname.com, once uncovered, will often open the company to numerous break-ins because if there is a Joe@, there will be a Betsy@. And even though you may have policies in place that forbid workers from using their devices to sign up for online services, as most parents know, saying no is usually not enough. People are people, and it isn’t always in their interest to keep corporate data safe, or they may not realize that infiltration is a real problem. If they get hacked, all your company data will be at risk and that – in addition to everything else – can become a PR nightmare.

What You Can Do

These are a few quick tips that can help you increase your cyber security. These tips were shared with us by the best cyber security professionals in the world, so be sure to implement them right away.

  • Redo your passwords and make them tough. Yes, most of us are lazy and don’t want to memorize some random series of letters, numbers and symbols, but that is the most important thing you can do. Make sure you never duplicate any of your passwords.
  • Enable Two-Factor Authentication – This is a quick, easy and smart move and a worthwhile second layer of security. It requires the person logging in to receive an additional security code sent to their device to gain access.
  • Use a Password Manager – Using a program like LastPass or PassPack allows you to create a unique and strong password for all online accounts inside a secured online password vault. This can relieve some pressure on employees who have to memorize their passwords or codes.

Last but Not Least

Find yourself a cyber-security expert to go through your platforms to uncover any compromised logins. And make your employees aware of credential stuffing and implement a plan to require employees to use unique passwords and two-factor authentication.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Is Your Company Suffering from Cyber Security Issues?

Data breach.

Vulnerabilities.

IAM security.

To the average business owner these terms are pure mumbo jumbo. But if cyber security is defined as integrity, confidentiality and availability, then it is certainly something you need to understand, and if not then you need to get help to protect your computer information. It’s time you found someone who does understand the meaning of these terms and knows how to protect your business from the damaging effects of these vulnerabilities.

Known in the industry as ICA (Integrity Confidentiality and Availability), proper ICA methods allow your company to recover from and defend against network accidents, hard drive failures and server system power outages. But equally as important, proper vulnerability preparedness can defend against cyber attacks by hostile outside forces, competitors, script kiddies, hackers and fun seekers who derive pleasure simply from taking you down. To be safe and secure, your business needs to plan for business continuity and vulnerability disaster recovery in the event of a PC network security breach.

No Ifs, Ands or Buts

Security must start at the top of your organization. Protection against data breaches is something even your CEO should embrace. The information world we live in is a fragile one – one that can be entered and attacked – so it demands powerful and constant cyber security controls. All systems – no matter whether you use a server or keep your data in the cloud – should follow certain security standards that all employees are properly trained in and that are vigorously adhered to. Anything coded by one human can be decoded by another and all code has flaws and bugs that can be exploited.

Security Training Is a Must Do

The weakest link is always the human element which means that if you use developers, they need to be trained to produce secure code. Staff must be trained to take a strong security stance. End users need to understand and look out for phishing and social engineering attacks. Internal panic can be averted when you know what to look for.

It Will Happen – A Breach through a Security Vulnerability is Just a Matter of When

At some point, every company is in danger of a cyber attack even with the best cyber controls. Hackers are always going to attack the weakest point. But if your company practices basic security control many of those attacks are preventable. That operation is often referred to as “cyber hygiene.”

It’s no different than washing your hands before you sit down to dinner. But in the world of Internet privacy it means employing strong authentication practices and never storing sensitive data where it can be accessible. This may mean finding a good Managed Security Services Provider (MSSP), using cloud security or specialized data breach systems.

The point is you need to be proactive and go well beyond the basics. Hackers today are sophisticated and shrewd. They can circumvent most defenses and their methods are growing in complexity and proficiency every day. And all of us are increasingly vulnerable.

Everything Connected Can Mean Everything Open to Attack

The electric grid, banks, even cars and power plants can now be threatened. Even the once sacred election process is now compromised by foreign sources. And as more and more organizations migrate to the cloud, as more employees bring their own devices into the workplace and new challenges arise, businesses need to be prepared and bump up their data penetration testing, as well as their server hardening systems.

A strong, vigilant and constant check and defense of your systems has never been more important.

Privacy Is King

Now more than ever, privacy is king around the globe. Consumers want their information kept safe by vendors and the regulatory climate around consumer privacy is a huge issue today. The European Union’s General Data Protection Regulation (GDPR) is a strict framework for this. It demands that organizations meet the privacy and security mandates of the GDPR and other regulations.

Cyber Professionals Are in High Demand

Businesses of all types need to protect themselves from a compromised situation. In doing so they need to hire managed security services providers, which means cyber security is a growth industry and will continue as advances are instituted and hackers seek to undo them. Companies need to sharply assess their areas of greatest vulnerability and seek out professionals that can defend them.

What Level of Cyber Security Do You Need?

Every company and system is different, but there still are general rules and steps we can all use.

Network security is a must. Paying attention to network security helps you guard against unauthorized intrusion. Your staff must remember that there are a number of creative hackers out there and they constantly deploy destructive viruses and malware that can compromise your information. In the end, once you implement a few cyber security best practices, you may hear some griping about double passwords or extra logins, but it is worth the effort because just one hack can ruin your day. You may have to sacrifice some productivity, but imagine the productivity loss if your systems get hacked.

Here are a few tools you may want to implement to keep hackers from achieving a data breach:

Flag Alerts – There are tools to monitor security, but they can lull you into a false sense of security because valid alerts are often missed. To avoid that, real time flags and alerts should be considered.

Store It in The Cloud – The cloud opens new opportunities and poses new challenges to cyber security. The problem is that data usernames and passwords are usually insecure. Breaches occur now with great regularity because of poorly configured cloud instances. As such, cloud providers are rapidly creating new security tools to better secure data, but as we all know, if there are treasures to be found, the diggers will be searching.

Secure Your Applications – Application security (AppSec) begins with secure coding. That is the weak point of most applications. Few companies mitigate all the OWASP Top Ten web vulnerabilities. Fuzzing and penetration testing remain a must. Unfortunately, DevOps was developed to prioritize business needs over security. That focus will likely change given the proliferation of threats as more and more companies migrate to the cloud.

Internet of Things (IoT) Security – The things referred to include many critical and non-critical cyber physical systems. Examples are appliances, sensors, printers – even security cameras. These devices are often in an insecure state with no security patching. This poses threats to users as well as others on the internet. Botnets are springing up in many systems posing unique security challenges for all of us.

What Cyber Threats Are Out There Looking for You?

There are five general categories of Cyber Threats:

Confidentiality: Many cyberattacks begin with a target’s personal data. Identity theft, credit card fraud, bitcoin wallets – these are all prime targets of hackers. Other nations – our adversaries or enemies – are on the lookout for confidential info for political, military, or economic leverage.

Integrity: Another name for simple sabotage. Integrity attacks attempt to corrupt, damage or destroy information or systems, as well as the people who need them. They can be subtle or overtly seeking to do real damage. Everyone from script kiddies to nation-state attackers can and do employ this tactic.

Availability: The number one method attackers use to breach almost any business system is through the use of ransomware. Ransomware encrypts a target’s data then demands you meet their demands before they will decrypt it. Ransomware and denial-of-service attacks can be lethal and flood a network resource with requests, often crashing it and making it unavailable. This type of breach is usually handled through social engineering. In this method, attackers trick you into running a Trojan Horse program, usually from a website the user trusts and visits. Phishing is another method used. This works for hackers because it tricks you into revealing your password. Even well-trained users can be roped in. The best defense for this is the two-factor authentication method where a secondary password is sent to the user’s device.

Unpatched software: Really, this is the worst type of hacking for businesses because it is caused by cyber security oversight. It is a failure of due diligence. It happens simply because your team does not make the necessary updates on time. If you know about it and don’t fix it, the burden is on you.

Social media threats: These happen all the time and can get in as easily as attaching a phishing or malware program to your LinkedIn or Facebook account. This is one that you need to expect to happen and be prepared for when it does.

Advanced Threats May Already Be There

Don’t be surprised if multiple breach hackers are already messing around in your corporate network. If you’re working on something other competitors might like to get their hands on, they will find a way to take it from you unless you are prepared to stop them. This is especially true with intellectual property.

Bottom Line

These are only a few ways in which your system can be and will be breached someday. This article is not meant to scare you, but to help you realize that cyber security breaches are not a joke and happen to businesses of every size. This is why it is important to take necessary data breach security measures and protect your data.


Keeping Your Healthcare Security Safe from the Top Cyber Threats

Cry.

It is what we should all be doing when we consider all of these cyber attacks.

In fact, a recent cyber attack, called WannaCry, has made the healthcare industry want to do just that. Cry. So far, this cyber breach rained havoc down on 16 healthcare industry businesses, affecting different medical practices to differing degrees.

The cost incurred by cyber crimes is rising quickly as more and more hackers focus on the cyber world – a place where so many healthcare providers store information.

A joint study made by Ponemon and IBM demonstrates that businesses in the healthcare industry are still being affected by cybercriminals, and the number of breaches is on the rise. In fact, the study called “Data Breach Report,” indicates that there is a per-capita cost of about $380 for each file breach. So, if you’re in the healthcare industry, beware, take a deep breath, steady your nerves and read on.

Ransomware and other Malware

Malware is a new, raging and serious threat to all industries, but perhaps it creates the most damage in the healthcare industry. It is especially concerning because issues of life and death may be involved. Healthcare depends on an intricate set of reporting and services that are interlocking and which communicate critical information to the healthcare providers. That makes the data vulnerable to ransomware and other malware attacks.

After the WannaCry attack, hospitals were forced to deny admission of new patients and had treatment of existing patients interrupted because their records could not be accessed. Due to the increasing level of attacks a ‘Wall of Shame’, listing healthcare data breaches in the U.S., shows 288 data breaches affected nearly 4.7 million individuals – four times as many as in the previous year.

Phishing

Phishing usually begins as an email assault on a specific website, causing unusual spikes in traffic which can cause the site to crash. Verizon reported that 66% of malware is initiated as an email attachment. Shockingly, a whopping 98% of the healthcare industry providers are not taking steps to prevent this from happening by activating the Domain-based Message Authentication, Reporting & Conformance (DMARC).
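A quick check of whether a domain has actually activated DMARC enforcement, as an added example that is not part of the original article: it classifies the TXT strings published at `_dmarc.<domain>` using the standard `v`, `p` and `pct` tags. The verdict names and sample records are constructed for illustration, and the organizational-domain fallback is left out.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [p.partition("=") for p in txt.split(";") if p.strip()]
    tags = [(k.strip().lower(), v.strip()) for k, sep, v in pairs if sep]
    # RFC 7489: the first tag must be v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def assess(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> (verdict names are this example's)."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return "no-policy"        # none published, or several: receivers apply neither
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "no-policy"        # simplification: a malformed p is treated as absent
    if policy == "none":
        return "monitor-only"     # reports are sent, spoofed mail is still delivered
    try:
        pct = int(rec.get("pct", "100"))   # pct defaults to 100 when omitted
    except ValueError:
        return "no-policy"        # this example's choice for an unparsable pct
    return "enforced" if pct >= 100 else "partial"

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = {
        "reject":      ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
        "monitoring":  ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
        "rollout":     ["v=DMARC1; p=quarantine; pct=25"],
        "spf-only":    ["v=spf1 -all"],
    }
    for name, txt in samples.items():
        print(name, "->", assess(txt))
```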

Insider Threats

Threats from the inside, by patients and/or staff, are also a serious concern, whether accidental or intended. 75% of respondents in the 2017 HIMSS Cybersecurity Survey reported that insider threats seemed troubling enough, and this has caused some providers to improve their cybersecurity processes and set up protection programs.

Cloud Computing and Online Security

As more and more organizations migrate to the cloud, security threats will migrate with them. Healthcare’s use of cloud computing is projected to rise to 20.5% by 2020. Protecting data at rest and in transit requires robust encryption as well as other measures like second-factor authentication and complex passwords.

Attacks from The Internet

Internet-connected devices are growing in popularity, and usage in the healthcare industry is important and shown to improve patient outcomes. A recent App called OpenAPS has optimized a data-driven insulin delivery system and other Internet-enabled activity trackers are now improving cancer treatment, but they come with risks such as DDoS attacks that could disrupt treatment. Redundancy issues and protection of personal data are also vulnerable as more hospitals become dependent on Internet systems.

The Healthcare Supply Chain, The Easiest Way In

A negligent supplier can let cybercriminals in the front door. The TRICARE breach, which exposed 4.6 million military patient records, happened that way. Regulatory frameworks, such as the HIPAA Omnibus Rule in the U.S., are being enacted to strengthen protections.

Authentication Issues

Secure authentication is the name of the game to minimize the problems of human-computer interaction. Passwords must be strengthened, changed often and require a two-stage process.

Legacy apps holding you back

90% of hospitals run legacy applications to preserve patient data. This can open the door to the cybercriminal. The WannaCry attack infected machines that were running unpatched older versions of Windows such as XP and 7 by exploiting a vulnerability in the operating system. Penetration testing should be a first step to finding your vulnerabilities.

Security is everyone’s problem

In healthcare security, issues extend to all disciplines, suppliers, and even patients. The increased use of IoT devices makes this a cause for concern everywhere. A recent paper for the National Data Guardian, “Your Data: Better Security, Better Choice, Better Care,” recommends improving security across healthcare organizations, citing the issue of “people and processes” as much of a problem as technology.

Security is an issue of poor healthcare funding

Poor funding is a massive threat to security. Security and improvements in technology cost money for training and implementation, but they are as vital to everyone’s health as treatment is. If allowed, cybercriminals will disrupt services to everyone within a society.

Bottom Line

Understandably, budgeting is an issue in the healthcare industry. However, cutting out or reducing expenses in cyber security is not the best answer. A cyber security attack is not a matter of “IF” but instead of “WHEN”. And if the organization is not prepared with a cyber secure environment the costs will be enormous. In this respect cyber security is much like insurance, something that you must have.
