Skip to main content

Recovering From a Credential Breach, Part 2

August 10, 2017

In part 1 of this blog series, I discussed the impact of credential theft on consumers and what they can do to protect themselves. In part 2, I discuss steps that an organization needs to take if any of its users’ credentials are stolen.

Credential Breach Part 2

Probably the most important step to take when a user suspects that his or her user account has been compromised is to notify the organization’s IT service desk. End users should notify the IT service desk right away in the event of the loss or theft of a laptop computer, tablet or smartphone. In turn, the service desk should take the following steps:

  1. Immediately lock the user’s account.
  2. Change the user’s password to a new value, which should be considered temporary.
  3. Transmit the user’s new password in a safe manner (e-mail is not considered safe – and besides, if the user’s e-mail credentials have been compromised, he or she may not be able to read it).
  4. For sensitive applications, company personnel should check application activity logs to see whether any logins have taken place after the time that the user reported his or her credentials to be compromised. Hopefully those logs contain IP address information to further corroborate whether recent logins were performed by the user or someone else.
    1. If there is evidence of unauthorized logins, the IT service desk should declare a security incident and notify appropriate personnel, according to the organization’s security incident reporting policy and procedures.
    2. If there is no evidence of unauthorized logins, the organization can breathe a collective sigh of relief.
  5. Depending upon the nature of the organization’s identity and access management architecture, other accounts used by the same person may be subject to the same steps as listed above.

If the organization experiences a compromise of one or more privileged accounts, the company needs to take the same steps as listed above as well as closely monitor activity on privileged accounts to ensure that all activities are authorized.

In relationships with third parties, this can become much more complicated. There are several considerations for organizations with third-party personnel who have privileged access to one or more of the organization’s critical systems:

  • Organizations may want to contractually require critical third parties to issue alerts when privileged credentials on affected systems are compromised.
  • Organizations may want to contractually require that critical third parties implement security controls such as advanced malware prevention, intrusion prevention systems (IPS) and user behavior analytics (UBA) to protect third-party organization endpoints, particularly for any personnel who have privileged access into critical systems.
  • Organizations that issue privileged credentials in its critical systems to any third-party personnel may need additional controls to ensure that credentials are safe at all times. Multi-factor authentication for privileged users is a potential remedy here.

End users whose credentials have been compromised should be advised to select quality passwords and use a password vault as described in part 1 of this blog series. Further, the organization might consider making password vaulting tools such as Password Safe or KeePass available for all users and, perhaps, even included on standard machine images.

The potential loss of user credentials should compel an organization to consider implementing multi-factor authentication, which would blunt the impact of a breach of login credentials. While more expensive hardware token solutions are still available, many organizations are opting for less expensive and onerous solutions that utilize software tokens in smartphones or SMS messages. The latter is now considered deprecated by NIST so proceed with caution; more information available here: https://pages.nist.gov/800-63-3/sp800-63b.html

Organizations using tools to manage privileged accounts may have an easier time responding to credential theft. Capabilities may include the instant invalidation of credentials, the ability to detect unauthorized access and the creation of new credentials. The capabilities of any such tools in use need to be understood and incorporated into security incident playbooks for account compromise scenarios.


    Peter Gregory

By: Peter Gregory

Director, Information Security

See More

Related Blogs

April 18, 2018

Testing Password Reset Token Predictability with the Reset-A-Tron Burp Extension

Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the associated account email address. Usu...

See Details

June 08, 2018

The Business Trusts the Third Party – Should You?

In this day and age we are faced with some hard facts within information security. One of those facts is that breaches are imminent and we must be pre...

See Details

August 16, 2016

Five Ways to Minimize Risk Exposure

Risk management is something to be taken very seriously. Few things are more harmful to a company's reputation and bottom line, than a breach of clien...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.