As an IT professional, you know that threat actors work overtime to get your end-users’ credentials. Whether it’s 3 PM on a Tuesday or 3 AM on a Sunday, they’re constantly dreaming up new ways to trick end-users into providing sensitive information.
And their round-the-clock efforts seem to be paying off. Login credential theft presents one of the biggest and most enduring cybersecurity problems, with the Ponemon Institute reporting that 54% of security incidents are due to credential theft.
So how do you keep your end-users’ credentials safe?
Here, we’ll look at the motivations driving credential theft and the social engineering tactic bad actors are likely to use. Then, we’ll explore why password reuse is such a huge problem and discuss the best way to mitigate the risks associated with compromised passwords.
Motives for Credential Theft
The dark web is filled with cybercriminals interested in selling stolen data to the highest bidder — things like social security numbers, sensitive corporate data, passwords, or credit card information.
Whether their goal is gaining money through fraud or simply wreaking havoc on a system as a form of social “hacktivism,” cybercriminals constantly refine their targets and methods.
But why are cybercriminals so focused on grabbing credentials? Because they realize that humans are creatures of habit.
Most people — 51% admit to reusing the same login credentials across multiple sites, so if bad actors can successfully access one set of credentials, they can likely access multiple bank accounts, credit cards, emails, and more.
In other words, stolen credentials give cybercriminals the key to walk right in the front door of the organization they want to attack.
Social Engineering Tactics Used to Steal Credentials
Forbes reports that in the last year alone, 39% of people had their passwords compromised.
But what methods do cybercriminals use to get their hands on this information? Common social engineering attacks include:
- Tailgating: “Hi, I’m delivering the catered lunch for your executive team meeting.”
Unlike other types of attacks that happen entirely online, tailgating includes a physical, real-world element. Here, an unauthorized person gains physical access to computers in a secure area, then uses those computers to steal information, installs malware to capture additional information, or simply causes damage to the equipment.
- Spear phishing: “John, we’ve updated our banking information due to a data breach. Can you please send today’s payment to this account? —Thank you, Joe Smith, Trusted Vendor”
Spear phishing is a more refined version of phishing. In spear phishing, the cybercriminal sends an email that appears to be from a sender who is known or trusted by the recipient, hoping to trick them into providing confidential information or sending money to a specified account.
- Whaling: “John, this invoice slipped through the cracks and needs to be paid ASAP. Thanks, Maria Smith, CEO”
Another form of phishing, a whaling attack targets recipients by sending emails that appear to be from a senior player at an organization — often the CEO, President, or even board chairperson. These attacks can be successful because employees feel a strong sense of urgency to respond to a high-level employee’s request — and may be more easily tricked into transferring money or revealing sensitive information.
- Baiting: “Check out this picture I took of you at the office!”
A baiting attack uses a human’s natural curiosity against them by offering something that a user finds hard to resist — anything from insinuating they’ve photographed the user in a compromising position to promising a prize. Users are baited into clicking the link or downloading the file, allowing cybercriminals to gain access.
The Password Reuse Problem and How to Mitigate It
The problem of reusing passwords is massive and one of the biggest ways cybercriminals can hack into multiple accounts associated with a single user. Reusing a known breached password in an attack grew 5.8 billion per month in 2002.
Despite the known risks and persistent threat of passwords reuse, end-users keep doing it.
Exploding Topics reports that:
- 13% of Americans use the same password across all accounts
- 52% use the same password for some of their accounts
But it isn’t just non-technical end-users who fall victim to the temptation to reuse passwords — the HIPPA Journal reports that 92% of IT leaders have admitted to reusing passwords across multiple accounts!
What happens if a reused password becomes compromised? All of your other security measures are completely negated. Any site or network on which the user is using a compromised password is also jeopardized.
So, for example, if your end-user decides to use their ultra-secure 20-character Hulu password as their password to log into corporate email account, your security is at risk.
The risk of passwords being compromised is real and has real-world consequences. So how can your organization effectively combat password reuse and associated risks?
One of the best places to start is with a comprehensive password tool like Specops Password Policy with Breached Password Protect, which prevents end-users from using over four billion (and growing) unique known compromised passwords.
Specops Password Policy continually checks for compromised passwords, alerting users if a password becomes compromised and forces them to change their password the next time, they log in.
The solution also includes features like custom password dictionaries so you can block the use of other common and high-probably passwords specific to your company name, products, location.
Proactive Security is a Smart Investment
In the ever-evolving world of cyber threats, threat actors are working around the clock to steal your users’ information — but even the most vigilant IT teams can’t be expected to work 24/7/365 to keep threats at bay.
To reduce your risk, invest in continuous security tools that augment your IT team with round-the-clock protection. For the greatest level of protection, insist on a tool capable of proactively checking end-user passwords to ensure they can’t be used in an attack.
Adding a tool like Specops Password Policy with Breached Password Protection to your security offense will help strengthen your frontline defense.
Sponsored and written by Specops Software.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.