A secure Windows network environment requires all domain users to use strong passwords. To help with this, a system administrator can implement password policies that encourage all users to create reliable and secure passwords. Three password policies — maximum password age, password length, and password complexity — are among the first policies encountered by administrators and users alike in an Active Directory domain.
But despite the ability to enforce more restrictive password requirements, any best practice for AD password policy alone is not going to be enough to protect an organization from compromised credentials.
Credential Misuse is Key to Avoid Detection
The Verizon’s Data Breach Investigations Report (DBIR) reported that 81% of data breaches involve the misuse of passwords to access sensitive and valuable data. By using an employee’s legitimate login and password, your anti-virus, anti-intrusion, firewall and other technologies are not going to flag anything unusual. Those tools believe that the person accessing your network is exactly who they say they are - an authenticated user with authorized access!
How Login Credentials are Effortlessly Compromised
Most credential misuse are caused (at least in part) by your end-users, whether that’s by careless errors, malicious actions or from being exploited by external attacks.
Your organization might have the most robust password policy in place and provide effective security awareness training but passwords are still effortlessly compromised by the weakest security link of any organization – your own employees.
The common causes of compromised credentials
Phishing (user clicks on link and enters credentials)
Password sharing with colleagues
Social engineering (unknowing handing over to malicious party, other than phishing)
Duplication (i.e. reuse of corporate credentials on third-party sites for ease)
Hacked database including user credentials
Data from IS Decisions research with 500 IT Managers
But Don’t Blame your Users for Being Human
People are, by their very nature, human and are therefore prone to making mistakes – especially when IT is often an afterthought. Careless behavior takes many forms — writing passwords down on a bit of paper, sharing passwords with colleagues, leaving workstations logged in when absent, and logging in from two separate devices and locations at once.
From our research with IT Managers, there seems to be an explosion of cuddly toys in the UK, as a quarter of administrators have seen employees hide a password behind one on their desk.
But it isn’t always an incompetent or ill-prepared member of staff who opens up a company’s data to hackers.
Malicious users are your insiders that have shifted their loyalty from the organization where they work to themselves, and are engaged in some kind of inappropriate activity (such as hacking, data theft, etc.) that benefits themselves over the organization. Insiders leverage their own granted access or other compromised accounts to leverage data and applications for malicious purposes.
The external attack is likely more a member of an organization than a loner. These individuals leverage hacking, social, malware, and many other toolsets to create a way into your network. Once inside, they work to take on one or more sets of elevated credentials to provide them with greater access and an ability to move about the network in an attempt to identify valuable data. External attacks leverage user accounts to gain control over endpoints, to move laterally within the network and, ultimately, to acquire targeted access to valuable data.
But rather than blaming your users and insisting on even tighter password policies, organizations need to start better protecting users’ access to the network, even when credentials are compromised.
Verify All Network Access
When the adversary has valid, authorized passwords, all access attempts need to be verified. The secret to do this without impeding users is context-aware security, such as UserLock.
It helps you to go far beyond Active Directory password policies with specific, granular and configurable logon access rules and monitoring.
Furthermore it protects everyone within a company — not just the privileged users/administrators, because any account with access to data that is sensitive, privileged, protected, or otherwise valuable is at risk.
Administrators can set the rules as to what constitutes ‘normal’ logon behavior, for example logins from particular workstations, employee-owned devices, locations, time of day, simultaneous connections or number of unique access points.
- If an attacker gets their hands on an Active Directory password — whether it’s a simple one like 123456, or a complex one including a mixture of uppercase, numbers and special characters — that attacker won’t be able to use it, if the login attempt falls outside of these rules. The system will automatically deny access before damage is done – not only when IT intervenes.
- Likewise it can automatically log out an already active session when a user initiates a new session or after a set period of inactivity. Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers simultaneously is now eradicated, as well as narrowing the window of opportunity for attackers.
Choose to Alert on Suspicious Access
There are also warning signs that someone uninvited has breached your network with compromised credentials. These behaviors should ring alarm bells that something’s not right.
- Impossible journeys: Simultaneous logins from locations too far apart to make any sense or sequential logins with different credentials being used from one machine.
- Sudden change in working/office hours: Login attempts from outside normal business hours.
- Password resets: A repetition of failed login attempts or password resets.
- Implausible remote access: Login attempts from an unlikely session type, location or device.
UserLock can alert the administrator to suspicious access events, offering the chance to instantly react by remotely locking, logging off or resetting the appropriate settings.
End-users themselves can also be notified with tailor-made message and alerts – including alerts on their own trusted access. Informed employees are another line of defense.
Furthermore with UserLock, access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions.
Protecting Active Directory Passwords
Knowing how prevalent misused credentials are in data breaches, organizations need to offer more security than just a strong Active Directory password policy. No technology can completely eliminate the chance of an attack, but UserLock will help you minimize the threat of compromised AD credentials.
Download this White Paper in PDF