There is a saying among security professionals: “Cyberattackers don’t break in, they log in.” It is much easier for hackers to steal a username and password than to break through perimeter security. Many of the tactics that malicious actors use to acquire login information can be stopped with good security hygiene practices. Others require robust Identity and Access Management (IAM) and Identity Governance and Administration (IGA) tools to stop. In this post, we will go over the typical techniques that hackers use to acquire the login credentials they need to exfiltrate or corrupt your organization’s sensitive data, and how implementing modern IGA can make your organization a harder target or stop these attacks completely.
Phishing
With phishing, a hacker tricks users into divulging their login information. Hackers use emails, messages, or websites that mimic legitimate entities and lure victims into entering their credentials. Phishing is often targeted at specific individuals or organizations through email, SMS text messages, and even voice messages.
The best defense against phishing is security hygiene practices. The good news is most organizations using modern IGA believe they use good security hygiene practices, according to The State of Identity Governance 2024. Among IT professionals and business leaders in 567 enterprises with more than 1,000 employees, 95 percent report that their organization uses strong identity verification and 93 percent say they can quickly identify anomalous behavior and shut down suspect accounts. Still, phishing is a significant threat and succeeds more than it should. When suspicious activity is detected, modern IGA can trigger automated incident response actions like temporarily locking accounts, forcing password resets, or alerting administrators, thereby mitigating the impact of a phishing attack.
Keylogging
Keyloggers are malicious programs or hardware devices that record keystrokes. They capture everything a user types, including usernames and passwords. One of the best defenses against keylogging is multi-factor authentication (MFA). MFA requires users to provide more authentication than usernames and passwords. This supplemental authentication typically includes something they know (password), something they have (a mobile device or security token), or something they are (biometric verification). Even if a keylogger captures the password, it will not capture or easily be able to produce the second factor. While keyloggers can capture the initial login credentials, MFA’s additional layer of verification ensures that these credentials alone are insufficient for gaining access. This makes it much harder for attackers to use stolen login data effectively.
Credential stuffing
This technique exploits users’ tendency to reuse passwords across multiple sites. Hackers use lists of stolen credentials from one breach incident to attempt logins on other sites, hoping for a match. In addition to MFA, modern IGA helps stop credential stuffing by enforcing strong password policies across the organization. Modern IGA provides centralized management of identities across all systems and monitors user behavior across your IT infrastructure to detect anomalies like multiple failed login attempts across various accounts. In case of detected suspicious activity, similar to phishing, modern IGA can trigger automated incident response actions to mitigate the impact of a credential-stuffing attack.
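The anomaly described above, failed logins spread across many accounts, can be expressed as a small detection rule. The following is an added example, not code from the original post or from any IGA product; the event format, the five-minute window and the four-account threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, account, outcome).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2024-05-01T09:00:03", "203.0.113.7", "bob", "FAIL"),
    ("2024-05-01T09:00:05", "203.0.113.7", "carol", "FAIL"),
    ("2024-05-01T09:00:08", "203.0.113.7", "dave", "FAIL"),
    ("2024-05-01T09:00:11", "203.0.113.7", "erin", "OK"),
    # One user mistyping their own password: several failures, one account.
    ("2024-05-01T09:02:00", "198.51.100.20", "frank", "FAIL"),
    ("2024-05-01T09:02:10", "198.51.100.20", "frank", "FAIL"),
    ("2024-05-01T09:02:25", "198.51.100.20", "frank", "OK"),
    # Failures on several accounts, but hours apart (e.g. a shared office NAT).
    ("2024-05-01T08:00:00", "192.0.2.5", "gina", "FAIL"),
    ("2024-05-01T10:00:00", "192.0.2.5", "hank", "FAIL"),
    ("2024-05-01T12:00:00", "192.0.2.5", "ivan", "FAIL"),
    ("2024-05-01T14:00:00", "192.0.2.5", "judy", "FAIL"),
]

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: accounts} for sources whose failed logins hit at
    least min_accounts distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "FAIL":
            failures[ip].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for ip, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: the reused
    password worked, so these are the ones to lock and force a reset on."""
    return sorted({acct for _, ip, acct, outcome in events
                   if ip in flagged and outcome == "OK"})
```

Counting distinct accounts per source, rather than raw failures, is what separates this pattern from a single user repeatedly mistyping a password.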
Regular access reviews reduce the attack surface and ensure that users have appropriate access rights. Even among modern IGA users, this is an area where many organizations need to improve. The State of Identity Governance 2024 reports that 72 percent of IT professionals and business leaders believe users in their organizations have unnecessary access and overly permissive accounts. Further, organizations using legacy IGA are up to 20 percent more concerned about identity-related threats than organizations using modern IGA. Role-Based Access Control (RBAC) through modern IGA helps in this area by ensuring that users have access only to the resources they need to do their jobs.
Man-in-the-middle (MitM)
In MitM attacks, hackers intercept communication between the user and the login system. This can happen through compromised networks, like unsecured public Wi-Fi, where the attacker can capture login credentials being transmitted.
While this method can be slow, it can be effective. A modern IGA system that requires strong password policies, combined with end-to-end secure channel communications using IPSec-based VPNs, provides a highly effective defense.
Malware
Malware enables hackers to steal login credentials directly from a device. This includes:
- Trojan Horses: Malicious programs disguised as legitimate software.
- Spyware: Software that secretly monitors user activity.
- Adware: Malicious software that may include spyware functionalities.
Malware is an attack vector that causes significant worry. The State of Identity Governance 2024 reports that more than 50 percent of IT professionals and business leaders using modern IGA systems have significant concerns about malware designed to steal credentials. More than 63 percent of respondents using legacy IGA systems have significant concerns about malware.
While IGA itself may not directly stop malware from infecting a system, it helps secure the environment in ways that limit the effectiveness and spread of such malware through strong password policies, MFA, RBAC, access reviews, centralized monitoring of user behavior to detect anomalies, and automated responses to threats.
Exploiting software vulnerabilities
Hackers exploit vulnerabilities in software to gain access to systems and databases where credentials are stored. This can include SQL injection, cross-site scripting (XSS), and other forms of cyberattacks. Along with malware designed to steal credentials, exploiting a vulnerability to compromise a user or service account is the most worrisome among individual identity-related security threats, according to The State of Identity Governance 2024.
How modern IGA helps
While modern IGA itself does not directly patch software vulnerabilities or stop these attack vectors, it significantly strengthens your organization’s overall security posture and reduces the potential for these vulnerabilities to be exploited. In addition to the ways modern IGA mitigates the threat of malware, it also enforces the principle of least privilege and ensures users have only the minimal level of access necessary to perform their roles. By limiting user permissions, the impact of any compromised account is minimized, reducing the damage an attacker can cause if they exploit a software vulnerability.
Through Governance for Identity Fabric, modern IGA can integrate with Privileged Access Management (PAM) solutions to secure accounts with elevated privileges. PAM tools monitor and control privileged access, enforce additional authentication requirements, and provide session monitoring and logging. These controls help prevent hackers from exploiting privileged accounts to escalate attacks through software vulnerabilities. Modern IGA also integrates with other security tools, such as Security Information and Event Management (SIEM) systems, vulnerability scanners, and endpoint protection. This integration allows for a coordinated response to threats and the ability to quickly identify and mitigate vulnerabilities.
In addition, modern IGA automates the provisioning and de-provisioning of access rights. When employees join, move within, or leave the organization, their access rights are promptly adjusted. Automated de-provisioning ensures that former employees or those who no longer require certain access cannot be exploited through dormant accounts.
Further, modern IGA can detect permission drift – the notion that identities have more access than what they are supposed to have – and remediate in real time when this occurs. As a result, when an attacker elevates permissions, modern IGA can be the tip of the spear in flagging the change, remediating the permission drift, and helping to minimize damage.
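The de-provisioning and permission-drift checks described in the two paragraphs above both come down to reconciling what accounts actually hold against what HR status and role say they should hold. The following is an added example, not code from the original post or from any IGA product; the role names, entitlement strings and data layout are all constructed assumptions.

```python
# Constructed policy: role -> entitlements that role is supposed to grant.
ROLE_ENTITLEMENTS = {
    "engineer": {"git:write", "ci:run"},
    "finance": {"erp:read", "erp:post-invoice"},
}
# Constructed HR roster: identity -> (role, employment status).
HR_ROSTER = {
    "alice": ("engineer", "active"),
    "bob": ("finance", "active"),
    "carol": ("engineer", "terminated"),
}
# Constructed target-system export: account -> (enabled, entitlements held).
ACCOUNTS = {
    "alice": (True, {"git:write", "ci:run", "prod-db:admin"}),  # extra grant
    "bob": (True, {"erp:read"}),          # holds less than the role: not drift
    "carol": (True, {"git:write"}),       # leaver whose account is still live
    "svc-old": (True, {"ci:run"}),        # no owner in HR at all
    "dave": (False, {"git:write"}),       # already disabled, nothing to do
}

def reconcile(roster, accounts, role_entitlements):
    """Compare live accounts with HR status and role policy.

    Returns {"deprovision": [...], "drift": {account: [excess entitlements]}}.
    """
    findings = {"deprovision": [], "drift": {}}
    for account, (enabled, held) in accounts.items():
        if not enabled:
            continue
        role, status = roster.get(account, (None, "unknown"))
        if status != "active":
            # Dormant or orphaned account: disable it rather than trim it.
            findings["deprovision"].append(account)
            continue
        excess = held - role_entitlements.get(role, set())
        if excess:
            findings["drift"][account] = sorted(excess)
    findings["deprovision"].sort()
    return findings

def remediation_plan(findings):
    """Flatten findings into ordered (action, account, entitlement) steps."""
    plan = [("disable", acct, None) for acct in findings["deprovision"]]
    for acct in sorted(findings["drift"]):
        plan += [("revoke", acct, ent) for ent in findings["drift"][acct]]
    return plan
```

Running the reconciliation on every entitlement change, not only on a schedule, is what turns the report into the real-time remediation described above.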
Modern IGA tools also provide detailed audit trails and compliance reports. Regular auditing helps ensure that access controls are being followed and that there are no unauthorized changes or access patterns. This visibility helps in identifying potential security gaps that hackers could exploit.
Understanding these methods and taking appropriate preventive measures can significantly reduce the risk of credential theft. Deploying a modern IGA system can help you reduce the threats of these methods. Contact Omada to learn more about how we can help you to reduce and mitigate cyber risks with a modern, cloud-native Identity Governance solution.