You know how critical it is to maintain strong passwords and multi-factor authentication – at least for your most critical accounts. However, you know some of your employees will still fall for phishing attacks.
As long as you continue to use passwords, attackers will seek new ways to steal your credentials.
Fortunately, you can protect your cloud credentials from theft without heavy investments.
Here’s how to go about it effectively.
24 Billion Stolen Credentials
Researchers report 24 billion stolen user credentials for sale on dark web forums. Although that’s an eye-popping number, keep in mind that some of these overlap: the same users appear more than once as a result of multiple breaches, such as Facebook and LinkedIn.
While mostly individual accounts lie within these billions, plenty of corporate and government credentials also reside in the data. For example, attackers stole 100,000 GitHub credentials in an OAuth breach.
Whether personal, business, or government, you can see why it’s so important to protect your cloud credentials.
Attackers are Constantly Stealing Credentials
And, it’s amazing how low criminals will stoop to get what they’re after.
The Russian group ‘Fancy Bear’ actually used concerns of nuclear war to trick users into triggering malware. This malware would then steal browser credentials from Chrome, Firefox, and Edge.
Outside of phishing attacks, some credentials can be stolen by abusing vulnerabilities, such as in the Zimbra software associated with IMAP email services.
While patches are available, companies slow to patch remain at risk. That’s why you always want to double check you’re running the latest versions of software. It’s a low-cost, low-risk way to keep your cybersecurity strong.
How to Protect Against Stolen Cloud Credentials
Three key strategies can protect any organization from stolen cloud credentials:
- Change credentials
- Don’t give users passwords
- Make passwords context dependent
Option one should always be executed if a breach is suspected – especially for high-value or high-access credentials, such as IT administrators and executives.
Of course, few businesses have the luxury of knowing about a breach, and must resort to other strategies for protection.
To allow access without knowing the password, many companies use password managers or single sign-on (SSO) credentials. Users may not know the name SSO, but many will be familiar with buttons saying “Log-in using Google” (or Facebook, LinkedIn, etc.).
While these options might sound like passwords stored in a browser, that’s not the case. The technical mechanism remains quite different and much more difficult to breach.
An attacker would need to also breach the third-party password manager or SSO provider in addition to the local user’s system to obtain credentials, because the users don’t have the passwords to lose.
The final method involves using the device or the specific network address as an option in a multi-factor authentication (MFA) security scheme. For example, security certificates can be issued to specific devices, or the device MAC addresses can be registered with the resource.
The credentials must be paired with this specific device in order to access resources. Because of this, even stolen credentials can’t be used independently from the device. This method works equally well with personal and corporate-issued devices – as long as users don’t lose their device, of course.
VPN Alternatives to Protect Credential Security
Network addresses can be used to grant access to resources – even cloud servers and SaaS products.
Traditionally, VPNs were used to route computers to an internal network, so the devices maintain the correct originating IP address. However, many VPN solutions have struggled with security, and cause local network bandwidth problems.
Cloud-based secure gateways and thin client solutions (aka: virtual desktops or Windows remote desktops) that use the internet to avoid burdening local networks can provide an alternative to these VPNs.
Cloud security gateways provide a central enforcement point and become the source IP address. This address can then be added to the whitelists for SaaS apps and file servers.
Instead of a centralized login for both BYOD and corporate devices, thin client solutions provide individual corporate connections to a remote network infrastructure. In turn, these solutions then supply the SaaS and shared server resources through that controlled and cloud-based network.
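The two context checks described above (credentials paired with a registered device, and access allowed only from the gateway's source address) can be combined in one access decision. The sketch below is an added example, not code from this article or any product; the user name, certificate bytes, gateway range and function names are all constructed assumptions, and it uses the certificate variant of device registration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of a device certificate."""
    return hashlib.sha256(cert_bytes).hexdigest()

# Constructed sample data (assumptions, not from the article).
ALICE_LAPTOP_CERT = b"constructed certificate bytes for alice's laptop"
GATEWAY_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]  # RFC 5737 doc range
REGISTERED_DEVICES = {"alice": {fingerprint(ALICE_LAPTOP_CERT)}}

@dataclass
class LoginAttempt:
    user: str
    password_ok: bool             # outcome of the ordinary password check
    source_ip: str                # address the resource sees
    device_cert: Optional[bytes]  # client certificate presented, if any

def evaluate(attempt: LoginAttempt) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is what gets logged."""
    if not attempt.password_ok:
        return False, "bad_password"
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:
        return False, "malformed_source_ip"
    # Context 1: traffic must arrive via the gateway's egress range.
    if not any(ip in net for net in GATEWAY_EGRESS):
        return False, "source_ip_not_gateway"
    # Context 2: the credential must be paired with a registered device.
    if attempt.device_cert is None:
        return False, "no_device_cert"
    presented = fingerprint(attempt.device_cert)
    known = REGISTERED_DEVICES.get(attempt.user, set())
    if not any(hmac.compare_digest(presented, fp) for fp in known):
        return False, "unregistered_device"
    return True, "ok"
```

A correct password that fails either context check is worth alerting on, since it is the pattern a stolen credential produces when replayed from another network or device.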
Extra Security Setup
The good news is that more than one of these methods can be implemented. And, of course, each additional measure adds another layer of security to credentials. However, they can also add costs, user inconvenience, or other complications.
As scams, malware, and ransomware attacks continue to rise, protecting your cloud credentials also rises in importance.
Remember: you’re only as secure as your weakest link.
But, sometimes it can be hard to narrow down exactly where you need the most help, or where you’ll get the most bang for your buck.
Simply contact us at 412-349-6680, or fill out the form below, and our security experts will provide a no-obligation assessment of your use case, and which options are best for you and your team.
Many of these options can be low cost and very quick to implement, so don’t wait – secure your operations today!