The digitization of business operations has brought countless advantages, but it also comes with a steep cost – an increased vulnerability to cyber threats. In this escalating landscape of risks, compromised credentials have emerged as the leading cause of data breaches as revealed in Verizon’s 2023 DBIR Report and IBM’s 2022 Cost of a Data Breach Report. This threat landscape underscores the vital need for businesses to establish a robust system to track and manage compromised credentials, incorporating authentication policies, baseline standards, biometrics, risk assessment, and more. Recommendations for addressing this area of risk are outlined in many of NIST’s publications, with Control IA-5 in SP 800-53 providing comprehensive guidance for password-based authentication and emphasizing the need for a secure account management system.
NIST Special Publication 800-53, revision 5, titled “Security and Privacy Controls for Information Systems and Organizations,” presents an extensive framework for managing information security risks encompassing device identification, configuration management, and baseline standards. This proactive approach helps prevent unauthorized access, aligning with key security controls such as risk management, contingency planning, and access control. One essential aspect is the Control Enhancement IA-5 for password-based authentication:
For password-based authentication:
(a) Maintain a list of commonly used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify when users create or update passwords, that the passwords are not found on the list of commonly used, expected, or compromised passwords in IA-5(1)(a)
Compromised credentials can serve as the gateway for cybercriminals to infiltrate an organization’s systems, paving the way for costly and damaging data breaches. Recognizing the gravity of this threat, NIST SP 800-53 advises the detection and management of compromised passwords. Preventing users from setting their passwords to previously exposed values; closes off attackers from simply finding login information on the Dark Web to gain access to accounts. This dramatically reduces an organizations risk of account takeover by stopping threats such as credential stuffing and password spraying attacks.
Real-time monitoring the Dark Web can be a helpful measure in addressing the criteria set by NIST. The clandestine nature of the Dark Web makes it a prime marketplace for cybercriminals to trade stolen credentials, including passwords. To maintain an updated list of commonly-used, expected, or compromised passwords, organizations must actively monitor these hidden sectors of the internet for potential leaks or trades involving their data. The sheer volume of information and rapid rate of change on the Dark Web means that in-house monitoring requires dedicated personnel with specialized skills. This is where solutions that offer Dark Web monitoring become invaluable. These specialized tools not only automate the monitoring process but also utilize advanced algorithms and vast databases to detect and alert organizations to potential threats as quickly as possible.
An important clarification from NIST underlines the universality of their control recommendations and authenticator management:
Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication.
This indicates that even if organizations have implemented multi-factor authentication, NIST’s guidelines on compromised password monitoring remain as crucial as ever. MFA adds a layer of security, but the foundational principle of ensuring password integrity stands firm. The inherent risks associated with compromised credentials persist, making it imperative to track and manage them diligently. NIST’s emphasis, thus, ensures that organizations remain vigilant against the vulnerabilities of password-based breaches, irrespective of other security measure in place.
In the ever-changing realm of cyber threats, the importance of protecting resources shielded by passwords cannot be overstated. The guidelines outlined in NIST’s IA-5 within SP 800-53 serve as a robust blueprint to protect organizations from the peril of account changes or account takeover. By rigorously following these directives and keeping a keen eye on potentially compromised passwords, organizations can not only defend their invaluable information assets but also markedly diminish the chances of expensive data breaches. NIST’s guidelines act as an evolving guide for securing organizations amidst the fluctuating landscape of cyber threats.
While SP 800-53 provides a comprehensive set of guidelines for managing information security and addressing various system components, other NIST publications can offer additional insight. For example, NIST SP 800-63b provides detailed guidelines for protecting digital identities, including credentials. By referencing multiple NIST publications and adopting the standards mandated or relevant to their organization, security teams can ensure they employ a comprehensive and robust approach to information security.
Additionally, organizations must focus on the protection of authenticators, identifier management, and the use of system authenticators to enhance control. Implementing strong safeguards is essential to prohibit unauthorized access and enforce the principle of least privilege. Adequate change control and incident response measures should be in place to address any potential security breaches promptly. Furthermore, public key infrastructure (PKI) and cryptographic module authentication are crucial components for ensuring the non-repudiation of transactions and maintaining the integrity of information.
Non-privileged accounts and the secure management of system accounts are fundamental to minimizing the risk of malicious code execution. Organizations should adopt stringent configuration settings for their information technology systems, including those on mobile devices. Regular audit records retention is essential for tracking system activity and ensuring compliance with established security policies.
In-person and remote access should be carefully managed, considering factors such as time period restrictions and the use of secure authenticator types. Additionally, organizations should pay special attention to the security of authenticator types used for physical access, especially in critical environments. This comprehensive approach, in line with NIST guidelines, helps organizations build robust defenses against cyber threats, encompassing various aspects from program management to the protection of sensitive data in the supply chain.
Adhering to standards such as FIPS is essential, especially for organizations dealing with sensitive data and information. Besides, collaboration with relevant federal agencies can provide valuable insights and updates on emerging threats, contributing to a more resilient cybersecurity strategy.
In conclusion, adherence to NIST guidelines is paramount in fortifying organizations against cyber threats. From robust identifier management to stringent configuration settings, prioritizing authenticator protection and proactive monitoring are essential. NIST’s principles, including the management of compromised passwords, emphasize the critical aspects of data integrity, access controls, and effective incident response. By embracing these guidelines, organizations can establish a resilient cybersecurity foundation, meet compliance requirements, and adapt to the dynamic nature of today’s threat landscape.
AUTHOR
Josh Parsons
Josh is the Product Marketing Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.
Start for free. Enzoic provides a clean user interface to screen for compromised passwords.
Experience Enzoic