Codepath

Credential Theft

Credential theft is the most common cause of security breaches. This can be surprising, since so much of security work goes into preventing technical vulnerabilities in dozens of other areas. The CBS News program 60 Minutes reported that forensic evidence showed 80% of security breaches were caused by weak or stolen passwords.

Using valid credentials is preferable for an attacker. Why climb the high walls when they can walk through the front door? There is less chance of discovery at the time, because a login with valid credentials does not trip intrusion alerts. There is less chance of discovery after the fact, because a valid login leaves far less evidence behind than an exploit does. Attackers also benefit from the fact that credentials are frequently re-used, so that one password opens many locks. This lets an attacker move laterally from device to device throughout a network.


There are three primary techniques used for credential theft.

  • Phishing
    The attacker sends a spear-phishing email with a link to a fake login page. When the target tries to log in, the credentials are captured by the attacker.

  • Key-logging
    The attacker installs malware on a target's computer which will capture the target's keystrokes during log in and forward them to the attacker.

  • Database theft
    The attacker obtains a large set of credentials, usually through SQL injection or a similar attack, and the target's credentials are among them. The source can be a vulnerable local database, but more often it is a third-party database that has been breached and whose password hashes have since been cracked.
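
To make the database-theft case concrete, here is an added example (not Codepath's own code): a login lookup that pastes user input into its SQL, the parameterized fix beside it, and what the attacker does with a dumped row. The SQLite table, the two user records, the injection payload and the word list are all constructed for illustration. It also shows why the strong-password advice later on this page matters: the weak password falls to a short word list, the passphrase does not.

```python
"""Database theft via SQL injection on an in-memory SQLite database.

Added example for this page, not Codepath's own code. The table layout,
the sample users, the payload and the word list are constructed.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# PBKDF2 iteration count. Kept small so the example runs quickly; in
# production use a memory-hard hash (Argon2id, scrypt) or bcrypt instead.
ITERATIONS = 20_000

# Constructed sample credentials: one strong passphrase, one weak password.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "password123"),
]

# Constructed attacker word list, standing in for a real cracking dictionary.
WORDLIST = ["letmein", "qwerty", "password", "password123", "welcome1"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The per-user salt means equal passwords give
    different hashes, so precomputed tables do not apply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Build the constructed users table with salted hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    sql = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Fixed: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def verify_password(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Normal login path, built on the safe lookup."""
    rows = lookup_safe(conn, username)
    if not rows:
        return False
    _, salt, stored = rows[0]
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


def crack_hash(salt: bytes, target: bytes, wordlist) -> Optional[str]:
    """What the attacker does with a dumped row: guess, hash, compare.
    Returns the recovered password, or None if no guess matched."""
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess, salt), target):
            return guess
    return None


def dump_and_crack(conn: sqlite3.Connection, payload: str = "' OR '1'='1"):
    """The payload turns WHERE username = '...' into a condition that is
    always true, so every row comes back, not just one user's. Each dumped
    hash is then attacked offline with the word list."""
    dumped = lookup_vulnerable(conn, payload)
    return {name: crack_hash(salt, h, WORDLIST) for name, salt, h in dumped}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup, dumped and cracked:", dump_and_crack(db))
    print("safe lookup with the same payload:", lookup_safe(db, "' OR '1'='1"))
```

Run it and the vulnerable path hands back both rows and recovers bob's password; the parameterized lookup returns nothing for the same payload because the quote characters are just data in a bound parameter. Note what the attacker gets even from the vulnerable path: salted hashes, not passwords, so a strong passphrase survives the dump while a dictionary word does not.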

Password re-use is a major security issue because recovering from a third-party breach takes the user many steps. First, the user has to hear about or be notified of the breach; if they do not know it has occurred, they remain an unsuspecting victim. Then the user has to remember which credentials were used for the third-party site and every other place those same credentials were used. After assembling that list, the user has to spend considerable time resetting each and every one of those passwords. Only then are the breached credentials no longer a threat.


Credential Theft Preventions

The first defense against credential theft is educating users. Users need to understand the best practices for keeping credentials secure and the techniques, such as phishing, that are used to steal them.

As an organization, the best defense is to require strong passwords for all users and to offer [Multi-Factor Authentication] as an option or, ideally, as a requirement. Biometric authentication should be used whenever possible, especially for the most sensitive resources. It is easy to steal a password or a phone; it is harder to steal both at once; and it is much harder still to steal a biometric identifier. Keep in mind that a biometric cannot be changed once it has been copied, so it should serve as one factor alongside something the user knows or holds, not as the only credential.

Use SSH keys whenever possible. SSH keys authenticate with public-key cryptography, so the holder of the private key can log in to trusted hosts without ever sending a password that could be phished or key-logged. Protect the private key with a passphrase, since a stolen key file is itself a credential.

Forbid the re-use of credentials, both across internal systems and between internal and external logins. This can be a policy, or in some cases it can be enforced by the authentication software.

Recommend or require password managers. Provide support to make the software easy for users to adopt. Demonstrate how password managers allow stronger, unique passwords, discourage re-use, and make it harder to trick users with fake login forms, since the manager only fills credentials on the site where they were saved.
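
The last point is worth seeing in code. What follows is an added example, not Codepath's own code and not any particular password manager's implementation: a vault keyed on the exact origin where a credential was saved, beside the sloppy "does the address contain my site?" check a hurried human makes. The vault entry and every URL below are constructed; `example.com` and the `.test` domains are placeholders.

```python
"""Why a password manager resists fake login forms: autofill is keyed on
the exact origin (scheme, host, port) where the credential was saved.

Added example for this page, not Codepath's code. Vault and URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed vault: the one origin the user saved a credential on.
VAULT = {
    "https://accounts.example.com": ("alice", "correct horse battery staple"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str) -> str:
    """Scheme + host + port, lower-cased, with the default port dropped.
    This is the browser's notion of origin, which is what a vault should
    key on. Userinfo (user@host) is discarded by urlsplit().hostname."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def autofill(url: str):
    """Return the stored credential only on an exact origin match."""
    return VAULT.get(origin_of(url))


def naive_autofill(url: str):
    """The mistake the eye makes: the saved hostname appears somewhere in
    the address, so it must be the right site. Do not do this."""
    for origin, cred in VAULT.items():
        if urlsplit(origin).hostname in url.lower():
            return cred
    return None


# Constructed phishing addresses that all "contain" accounts.example.com.
LOOKALIKES = [
    "https://accounts.example.com.login-verify.test/signin",  # saved host as a subdomain prefix
    "https://accounts.example.com@evil.test/signin",         # saved host as userinfo, real host is evil.test
    "http://accounts.example.com/signin",                    # same host, downgraded to http
]


def phishing_resistance():
    """For each look-alike, report whether the exact-origin vault and the
    naive matcher would hand over the credential."""
    return {
        url: {"exact_origin": autofill(url) is not None,
              "naive": naive_autofill(url) is not None}
        for url in LOOKALIKES
    }


if __name__ == "__main__":
    print("legitimate:", autofill("https://ACCOUNTS.Example.com:443/login?next=/home"))
    for url, result in phishing_resistance().items():
        print(url, result)
```

The exact-origin vault fills on the legitimate page even with odd casing and an explicit default port, and stays silent on all three look-alikes; the naive matcher hands the credential to every one of them. This is the mechanical reason a manager-filled login is harder to phish than a typed one: the manager never consults the user's impression of the address bar.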


High-Profile Credential Thefts

Some of the largest and most high-profile security breaches have been due to credential theft.
