We Still Suck at Protecting Logon Credentials

Protecting login credentials, which often take the form of username and password pairs, isn’t glamorous. The designers and administrators of systems and applications have been trying to do this for a very long time. Unfortunately, we still do a poor job safeguarding access and maintaining logon credentials, as is evidenced by the successes attackers have demonstrated in the recent months.

The Role of Logon Credentials in Data Breaches

Consider this brief sampling of security incidents, where compromising logon credentials provided attackers with keys to the victim’s digital kingdom:

In targeted attacks, compromising logon credentials is often part of the “lateral movement” phase. In this case, the attacker that obtained initial access attempts to obtain and crack password hashes or to exploit a trust relationship to gain access to other systems. While attackers might rely on exploits and malware to gain initial foothold into the environment, subsequent actions involve going after and making use of logon credentials.

Gaining Access to Logon Credentials

Attackers might compromise logon credentials by remotely guessing user passwords. This is effective for getting into web applications through the login or password reset screens. Remote password-guessing has also been responsible for numerous attacks at the system level through SSH brute-forcing.

Web application breaches often involve SQL injection, which allows the attacker to bypass the application’s security restrictions to obtain access to the underlying database. This can allow the intruder to retrieve usernames and passwords (or password hashes) that are stored in the database.

Intruders who have gained local access to the environment can often retrieve password hashes, which they can crack offline to obtain the underlying passwords, some of which belong to administrative accounts. In some cases, such as in a pass-the-hash attack, the hashes themselves are sufficient. Interestingly, incident responders may leave hashes and access tokens behind (PDF) for attackers to harvest.

Attackers might also obtain logon credentials from compromised email accounts and from data breaches of the targeted company’s partners or service providers.

Will Protecting Logon Credentials Become a Hot Topic?

The industry is remembering the need for and challenges of protecting logon credentials. The mechanics of the recent breaches might breathe new life into identity and access management projects that have stagnated over the years, and might also cause companies to revisit the tactical measures they have implemented to restrict user account access. Moreover, this might reignite the discussion regarding detecting malicious misuse of user accounts and minimizing the effect that such activities have on security of the environment.

Related:

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more