Wednesday, 02/17/2021 11:22:14 AM

Compromised Credentials Show That Abuse Happens in Multiple Phases

https://www.darkreading.com/attacks-breaches/compromised-credentials-show-that-abuse-happens-in-multiple-phases/d/d-id/1340179

The third stage, when threat actors rush to use stolen usernames and password pairs in credential-stuffing attacks, is the most damaging for organizations, F5 says.

Long before a credential breach becomes public, threat actors in many cases already have been using the stolen username and passwords in different ways, a new study has revealed.

F5 Networks recently analyzed open source information on credential-spill incidents in recent years and discovered that stolen credentials go through five separate phases of abuse from the moment a threat actor first acquires the credentials to when they are subsequently disseminated among other threat actors. The company's analysis showed that half of all organizations take about 120 days — or four months — to discover a credential breach. And even then, it is only after a third party has informed them about their data being discovered on the Dark Web.

F5 researchers discovered that a lot typically goes on with the credentials in the interim. During the first stage, in the immediate days and weeks following a credential breach, the criminals responsible for the data theft tend to use the stolen information in a stealthy and purposeful manner, says Sander Vinberg, threat research evangelist at F5.

The focus often is on using the credentials to try and establish persistence on a network, or to try and take over key accounts, conduct reconnaissance, and harvest whatever additional information they can. "They are monetizing the data, but they are monetizing it very carefully and with clear objectives in mind." This is when the potential for long-term damage is the greatest, Vinberg says.

The second stage kicks in when the original attackers begin sharing the stolen credentials with others in the community. As the data becomes more widely available on the Dark Web, credential-stuffing attacks begin ramping up sharply. The increased activity usually lasts only about one month because it usually results in the credential theft being discovered.

As word of the breach starts spreading and users start changing passwords in the third stage, script kiddies and other amateur threat actors rush to use the stolen username and password pairs in credential-stuffing attacks on large Web properties. "This is the stage when the most economic damage is done," Vinberg says. "The greatest risk to organizations is regulatory and financial penalties."

By the fourth phase, the stolen credentials no longer have premium value but are still being used in attacks at a higher rate than during the first phase. The fifth stage is when attackers repackage spilled credentials and try to continue to use them.

As part of its research, F5 conducted a historical analysis using data from a large set of spilled credentials that became available for sale on a Dark Web forum in early 2019. Researchers from F5 compared credentials in that dataset against usernames used in credential-stuffing attacks against four of its Fortune 500 customers, two of which were banks, one a retailer, and the other a food and beverage company.

F5's analysis showed that when attackers first had access to spilled credentials, they used them on average between 15 and 20 times per day in attacks against the four organizations. By stage three, the credentials were being used up to 130 times a day, and by the fourth stage it had dropped back again to around 28 times per day. "The overarching conclusion is that credential stuffing is a very large problem," Vinberg says. "It manifests in different ways, but at this stage, no one can afford to downplay the risk it represents."

A Widely Acknowledged Problem
Several others have documented the growing danger of credential-stuffing attacks as well — especially in the months since the global COVID-19 pandemic began. In one study, released last November, researchers from Arkose Labs found that of the 1.3 billion attempted fraud attacks it observed in the third quarter of 2020, some 770 million involved credential-stuffing techniques. Another study, by Digital Shadows, found more than 15 billion stolen or otherwise exposed credentials available for sale in Dark Web markets. The company found credentials for everything from domain administrator accounts to bank accounts, adult-site logins, and video game and video streaming accounts readily available at prices ranging from a few thousand dollars to around $2 for access to file-sharing sites.

One silver lining that F5's study uncovered was a steady decrease in the average and median number of credentials exposed per incident compared with 2016. Though the overall number of credential compromise incidents itself more than doubled — from 51 in 2016 to 117 last year — the average number of records per incident dropped from over 63.4 million to around 17 million. When mega-breaches were excluded from the calculation, typical credential compromise incidents involved around 2 million records in 2020 compared with 2.7 million in 2016.

Vinberg says the data suggests that the largest organizations — those with the largest number of credentials — have gotten better at protecting the data. "Enormous breaches are becoming less common but midsize organizations are continuing to get breached," he notes.

F5's data shows that poor password protection practices continue to be a big contributor to the problem. Some 13.3% of credential compromise incidents and more than 42% of exposed credentials between 2018 and 2020 involved passwords stored in plaintext. When organizations did make an attempt to protect passwords, they often used MD5 hashes, a method that F5 describes as being widely discredited.
=================================================================
http://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Secure device & user authentication

Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.

Here’s how it works:

Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication

Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.

Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.

With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.

Token-free, password-free user authentication

We know you’ve dreamt about shredding your list of passwords. Go on and do it.

Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.

Decrease expenses with virtual smart cards

You know what else happens when you take passwords out of the equation? A lot fewer calls to IT. Imagine if you took password resets out of the picture – that frees up a chunk of IT time, lowering your operating expenses significantly.

If your organization currently uses traditional tokens or smart cards, switching to virtual smart cards takes an even bigger burden off of IT – we use the hardware-protected credentials in the TPM to create a virtual smart card, which performs the same functionality as traditional smart cards. That means no need to purchase, deploy, replace or maintain external tokens, smart cards or smart card readers. Because virtual smart cards are already on your machines and can’t be forgotten, lost or stolen, you have lower capital expenses and lower operating expenses.

Wave's is the only management solution to support virtual smart cards on Windows 7, as well as Windows 8 and 8.1.
==================================================================
http://www.wavesys.com/
***- BETTER SECURITY AT LESS THAN HALF THE COST!

http://www.wavesys.com/contact-information

Contact Wave

Wave Systems
401 Congress Avenue
Suite 2650
Austin, TX 78701
sales@wavesys.com

Gold Customer Support:

goldsupport@wavesys.com

1-800-928-3638

Support:

support@wavesys.com

1-844-250-7077

Sales:

1-877-228-WAVE

***-BETTER SECURITY AT LESS THAN HALF THE COST!
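Returning to the F5 analysis quoted above (matching a set of spilled credentials against the usernames seen in login attempts and tracking how often they are tried per day), here is an added example of that comparison; it is not code from the Dark Reading article or from F5. The spill set, the log lines and the stage cut-offs in `classify_rate` are constructed for illustration; only the per-day averages they are compared against come from the article.

```python
# Added example (not from the Dark Reading article or F5's study): match login
# attempts against a known credential spill and count hits per day.
from collections import Counter
import re

# Constructed spill set: usernames from a hypothetical leaked dump, lowercased.
SPILLED_USERNAMES = {"alice", "bob", "carol", "dave"}

# Constructed auth log: "<ISO date> <username> <OK|FAIL> <source IP>".
AUTH_LOG = """\
2019-03-01 alice FAIL 198.51.100.7
2019-03-01 bob FAIL 198.51.100.8
2019-03-01 erin OK 192.0.2.10
2019-03-02 alice FAIL 203.0.113.5
2019-03-02 carol FAIL 203.0.113.5
2019-03-02 Dave FAIL 203.0.113.5
2019-03-02 frank FAIL 203.0.113.5
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (OK|FAIL) (\S+)$")

def parse(log):
    """Yield (day, lowercased username, result, source IP); skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3), m.group(4)

def spilled_attempts_per_day(log, spilled):
    """{day: attempts using a spilled username}; days with no hits stay at 0."""
    per_day = Counter()
    for day, user, _result, _ip in parse(log):
        per_day[day] += 1 if user in spilled else 0
    return dict(per_day)

def sources_per_day(log, spilled):
    """{day: distinct source IPs that tried a spilled username}; one IP cycling
    through many spilled accounts is the credential-stuffing pattern."""
    ips = {}
    for day, user, _result, ip in parse(log):
        if user in spilled:
            ips.setdefault(day, set()).add(ip)
    return {day: len(s) for day, s in ips.items()}

def classify_rate(attempts_per_day):
    """Place a daily rate against the averages F5 reported: 15-20/day early on,
    up to 130/day at stage three, about 28/day at stage four (cut-offs illustrative)."""
    if attempts_per_day >= 100:
        return "stage 3: mass credential stuffing"
    if attempts_per_day >= 25:
        return "stage 2 or 4: credentials shared or repackaged"
    return "stage 1: targeted, low-volume use"
```

In practice the spill set would be a hash or lookup service over a breach corpus rather than a plaintext set, and the log would be the organization's own authentication events.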