Many pentest and breach reports point to unsecured credentials stored on user systems, network shares, or even in SaaS cloud provider services as enablers for threat actors to complete their objectives and access critical systems or information.
At Blumira, we provide insight to customers when users are engaging in this risky behavior, allowing the organization to take preemptive action and remediate before the credentials can be leaked or used in an intrusion.
Here, we’ll walk through how Blumira alerts on this behavior and how easily a threat actor can take advantage of the opportunity if not remediated.
How Blumira Catches Credential Lists
Here we have a user who needs to use a saved password list to perform their job tasks, so they save the list to their Documents folder. The user thinks this has to be safe — they’ve taken their security training, they know how to avoid phishing emails and they don’t visit sketchy websites.
Blumira picks up the activity and alerts the security administrator.
The security administrator informs the user that their activity is hazardous and directs them to an enterprise password management solution. This closes a potential configuration vulnerability, making the environment more secure.
The Effects of Poor Password Management
Let’s say the user never cleans up the password file and the security administrator is unaware of its existence. Our user practices all practical security measures available to them, but their coworker sitting across the hall does not and falls for a phishing email — allowing a threat actor to access the corporate network.
The threat actor scans across the local network, and finds our unsuspecting user’s machine.
Then, they look for users who happen to be storing credentials in an unsafe manner.
Bingo — they now have a file to collect, and its contents may give them further access to sensitive information or systems.
Password Management Best Practices
So what can we do to prevent this? The following recommendations can help limit this attack vector:
- Use a password manager or vault solution to store business-critical credentials.
- Disallow communication between workstations, namely SMB traffic from workstation to workstation. Your firewall policy should restrict most communication between workstations by default.
- Use a SIEM like Blumira’s to monitor and alert when users may fall out of compliance and encourage them to use a more secure solution.
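As an added illustration of the third recommendation, here is a small detector that flags credential-list file names written to user folders or network shares and rates them by how exposed the location is. This is example code written for this article, not Blumira's detection logic (the article does not describe Blumira's rules); the event records and the name patterns are constructed assumptions.

```python
"""Illustrative detector for credential-list files written to user-reachable
locations. Constructed example for this article, not Blumira's detection
logic; the event records below are simplified file-creation events, not any
product's real schema."""
import re

# File names that commonly indicate a plaintext credential list (assumption:
# this name/extension heuristic is illustrative, not an exhaustive rule).
CRED_NAME = re.compile(
    r"(?:pass(?:word)?s?|creds?|credentials?|logins?)[\w\- ]*"
    r"\.(?:txt|csv|xlsx?|docx?|rtf)$",
    re.IGNORECASE,
)
# Where the file landed decides how exposed it is.
USER_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?:documents|desktop|downloads)\\", re.IGNORECASE)
UNC_SHARE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\", re.IGNORECASE)


def classify(event):
    """Return an alert dict for one file-creation event, or None if it looks benign."""
    path = event["path"]
    name = path.rsplit("\\", 1)[-1]
    if not CRED_NAME.search(name):
        return None  # encrypted vaults (.kdbx) and ordinary documents pass through
    if UNC_SHARE.match(path):
        severity = "high"    # reachable by anyone with access to the share
    elif USER_DIR.match(path):
        severity = "medium"  # reachable over SMB if workstation-to-workstation traffic is allowed
    else:
        severity = "low"
    return {"user": event["user"], "path": path, "severity": severity}


def scan(events):
    """Run classify() over a batch of events and keep only the alerts."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "jdoe", "path": r"C:\Users\jdoe\Documents\passwords.xlsx"},
    {"user": "jdoe", "path": r"C:\Users\jdoe\Documents\Q3 Report.docx"},
    {"user": "jdoe", "path": r"C:\Users\jdoe\Documents\passwords.kdbx"},
    {"user": "asmith", "path": r"\\fileserver\public\IT\Creds List 2024.txt"},
    {"user": "svc_build", "path": r"D:\scratch\login-export.csv"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['user']}: {alert['path']}")
```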
Blumira can help find instances of poor security behavior from your users. To get insight on risky behavior occurring within your company, try our free trial.