data breach and leaked credentials header

50% of Data Breaches can be Attributed to Leaked Credentials

Hacking an IT-system is often like a puzzle and the hacker needs all the pieces to be successful. In 50% of data breaches, a password is required says Verizon DBIR 2022.

Cyber-Attack-comicIf we can prevent the hackers from obtaining important passwords, we will potentially have reduced data breaches by 50%, so we need to understand how hackers obtain passwords. This blog focuses on the corporate IT-systems.

In a corporate environment, passwords must at least comply with company password policies, the most common one is the Active Directory Password Policy. This makes guessing extremely hard for a hacker, and after a number of failed attempts, the account locks down and a service desk operator is required to reopen it. This method does not generate enough success for the hacker. In AD, the passwords are encrypted and hashed, so the hackers cannot even use a stolen copy.

Instead, hackers can sometimes get passwords from users through e-mail phishing. Most organizations are aware of this problem and would have implemented a solution to prevent this occurring.

But if you are a hacker and need a password from a specific user (or small user group), how can you get it? Just use your phone and ask for a password!! Key people are not an easy target and will not give out a password through a spear-phishing attack.

Alternatively, the hacker will call the service desk and pretend to be a real user with a user-id. If the hacker is well prepared, he can impersonate the user and give relevant details in the conversation. The service desk is there to help, so odds are good for the hacker. Research done by Group-IB, highlighted a 75% success rate for gaining information when combining e-mails and phone-based calls (Vishing).

For organizations that have a large service desk or an outsourced service desk, the service desk staff might not be familiar with most users by voice or their habits. The hackers can use this as an advantage to get details about the key IT-staff, and even get a new password for an IT-user. This is a black hole security wise for the most critical It-infrastructures and might explain where the hackers get the passwords for the data breaches!

Phishing and vishing are social engineering methods and rely on human interaction. Up to now, the best mitigation has been awareness training, but research shows that good social engineers can still fool some of us.

A robust and secure mitigation is an intelligent IT-workflow to verify the identity of people calling in. This removes the social engineer’s most powerful weapon, human interaction, and emotions! We cannot do this for all employees, but we can do it where we have important data and assets serviced by central service centers such as the IT-service desk, the HR-department, and the Finance department. In the verification process, dynamic and contextual information would make it exceedingly difficult for a hacker to impersonate a user. Combine an intelligent workflow with modern tokens like OKTA, DUO, and authenticators such as Google’s and Microsoft’s and this makes the process easy for users and extremely secure.

If you want to see more facts and statistics on this as well as real life examples of vishing attacks against large It-companies, go to this blog: https://www.fastpasscorp.com/blog/it-departments-targeted-vishing-attacks/

Finn JensenYou can reach out to Finn Jensen for a personal comment or interview regarding the security issues of vishing against the central IT-department.

Finn Jensen, CEO

Related Posts

Scroll to Top