Recovering From a Credential Breach, Part 2

In part 1 of this blog series, I discussed the impact of credential theft on consumers and what they can do to protect themselves. In part 2, I discuss steps that an organization needs to take if any of its users’ credentials are stolen.

Probably the most important step to take when a user suspects that his or her user account has been compromised is to notify the organization’s IT service desk. End users should notify the IT service desk right away in the event of the loss or theft of a laptop computer, tablet or smartphone. In turn, the service desk should take the following steps:

1. Immediately lock the user’s account.
2. Change the user’s password to a new value, which should be considered temporary.
3. Transmit the user’s new password in a safe manner (e-mail is not considered safe – and besides, if the user’s e-mail credentials have been compromised, he or she may not be able to read it).
4. For sensitive applications, company personnel should check application activity logs to see whether any logins have taken place after the time that the user reported his or her credentials to be compromised. Hopefully those logs contain IP address information to further corroborate whether recent logins were performed by the user or someone else.
   
   1. If there is evidence of unauthorized logins, the IT service desk should declare a security incident and notify appropriate personnel, according to the organization’s security incident reporting policy and procedures.
   2. If there is no evidence of unauthorized logins, the organization can breathe a collective sigh of relief.
5. Depending upon the nature of the organization’s identity and access management architecture, other accounts used by the same person may be subject to the same steps as listed above.

If the organization experiences a compromise of one or more privileged accounts, the company needs to take the same steps as listed above as well as closely monitor activity on privileged accounts to ensure that all activities are authorized.

In relationships with third parties, this can become much more complicated. There are several considerations for organizations with third-party personnel who have privileged access to one or more of the organization’s critical systems:

• Organizations may want to contractually require critical third parties to issue alerts when privileged credentials on affected systems are compromised.
• Organizations may want to contractually require that critical third parties implement security controls such as advanced malware prevention, intrusion prevention systems (IPS) and user behavior analytics (UBA) to protect third-party organization endpoints, particularly for any personnel who have privileged access into critical systems.
• Organizations that issue privileged credentials in its critical systems to any third-party personnel may need additional controls to ensure that credentials are safe at all times. Multi-factor authentication for privileged users is a potential remedy here.

End users whose credentials have been compromised should be advised to select quality passwords and use a password vault as described in part 1 of this blog series. Further, the organization might consider making password vaulting tools such as Password Safe or KeePass available for all users and, perhaps, even included on standard machine images.

The potential loss of user credentials should compel an organization to consider implementing multi-factor authentication, which would blunt the impact of a breach of login credentials. While more expensive hardware token solutions are still available, many organizations are opting for less expensive and onerous solutions that utilize software tokens in smartphones or SMS messages. The latter is now considered deprecated by NIST so proceed with caution; more information available here: https://pages.nist.gov/800-63-3/sp800-63b.html. 

Organizations using tools to manage privileged accounts may have an easier time responding to credential theft. Capabilities may include the instant invalidation of credentials, the ability to detect unauthorized access and the creation of new credentials. The capabilities of any such tools in use need to be understood and incorporated into security incident playbooks for account compromise scenarios.