Cyber-attacks occur globally, targeting every industry and business size. As users, authentication, and data move outside the corporate network thanks to widespread SaaS adoption, the attack surface of the business grows with them.
The average company uses 254 applications, and more than half are not owned or managed by the IT department. This diminishes the ability to enforce basic security practices, such as multi-factor authentication and password policies. As a result, vulnerabilities are more difficult to detect, remediation is delayed, and data breaches are more likely.
Password-based authentication is both the first line of defense and the weakest link when it comes to securing your SaaS applications. We know that end-users default to poor password practices: recent reports find that as many as 99% of users reuse passwords, either across work accounts or between work and personal accounts. This means that the same user credentials, if stolen or compromised, can be used against multiple accounts, including accounts that provide access to business-critical resources.
Most companies on a Windows-based network use Active Directory to manage users and authentication. Stolen Active Directory credentials make it easy for attackers to take over the infrastructure. Even with a secure Active Directory password policy, your business could be at risk if users are reusing their Active Directory password on external web applications.
Compromised credentials are like candy for hackers
Compromised credentials allow hackers to operate undetected and move to other systems to further escalate attacks. Targeted attacks can even start with a compromise of an employee’s personal account before moving on to business accounts and data.
Social engineering is a popular way to compromise credentials. In a recent attack targeting email marketing service Mailchimp, access to employee credentials was obtained and used to target cryptocurrency customers like DigitalOcean and 214 others. As a result of the breach, customer email addresses were exposed, and a very small number of customers experienced an attempted hack of their accounts via fraudulent password resets.
Data dumps of breached passwords provide the path of least resistance for hackers looking to get their hands on breached credentials. Earlier this year, 71,000 employee credentials were leaked following a breach suffered by Nvidia. These passwords can now be purchased and tested against additional accounts. If a password has been reused, the attack will likely succeed. A company several steps removed from the original breach can now be vulnerable.
End-user cybersecurity training isn’t enough
Data breaches are a global problem. An attack on one company can reach across borders to impact another. The first preventative measure is to educate employees about password hygiene and reuse.
Unfortunately, recent reports indicate that cybersecurity training is failing where password reuse is concerned. According to a recent survey of 1,000 business leaders and 1,000 employees, 78% of employees who had received 'a lot' of cybersecurity training still reused their passwords.
Find and block breached passwords in your Active Directory
With that in mind, it is likely that some percentage of your employees are already using a breached or vulnerable password. To audit employee passwords and confirm that no known breached passwords are in use on the network, consider adding a tool like Specops Password Auditor to your arsenal. The read-only Specops Password Auditor allows system administrators to scan Active Directory passwords against over 900 million known breached passwords. The free tool provides valuable information that indicates the severity of your organization's password vulnerabilities in over 15 different areas.
Once you have identified users with vulnerable passwords, you can set the "User must change password at next logon" flag on those accounts. However, that doesn't stop the user from selecting a different vulnerable password. If you want to actively block users from selecting breached passwords, you need a tool like Specops Password Policy with the Breached Password Protection service. In addition to blocking over 3 billion compromised passwords, the service is updated daily to protect your business from real-world password attacks.
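To show how a selection-time breached-password check like the one described above works, here is an added Python example (not Specops code and not part of the original article). The candidate password is hashed, only a short hash prefix is used to fetch a range of breached-hash suffixes, and the match is made locally, so the full hash never leaves the host. The breach corpus and the `range_lookup` provider stub are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed mini breach corpus for this example (NOT real breach data).
# Values are "times seen in breaches"; a real provider would hold billions.
_CONSTRUCTED_BREACHED = {"Password1": 12, "Summer2022!": 3, "Welcome123": 40}

PREFIX_LEN = 5  # hex chars sent to the provider; the rest stays local


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the usual breach-list key format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts: dict) -> dict:
    """Index breached hashes by prefix -> {suffix: count}, as a range API would."""
    index = defaultdict(dict)
    for pw, count in plaintexts.items():
        digest = sha1_upper(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return index


BREACH_INDEX = build_range_index(_CONSTRUCTED_BREACHED)


def range_lookup(index: dict, prefix: str) -> dict:
    """Provider side (stub): return every breached suffix sharing this prefix."""
    return index.get(prefix, {})


def breach_count(password: str, index: dict = BREACH_INDEX) -> int:
    """Client side: send only the prefix, then match the suffix locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_lookup(index, prefix).get(suffix, 0)


def is_acceptable(password: str, index: dict = BREACH_INDEX) -> bool:
    """Policy decision a password filter would make at change time."""
    return breach_count(password, index) == 0


if __name__ == "__main__":
    for candidate in ("Welcome123", "correct horse battery staple"):
        verdict = "BLOCKED" if not is_acceptable(candidate) else "allowed"
        print(f"{candidate!r}: {verdict} (seen {breach_count(candidate)} times)")
```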