Even if you aren’t worried quite yet about the increasing ease of writing malware, you should probably be deeply, deeply concerned about the major credential and personally identifiable information (PII) thefts that have happened over the past year or so. Here are just a few:
- First LastPass, Now Slack and CircleCI. The Hacks Go on (and Will Likely Worsen)
- LastPass Admits Attackers Have a Copy of Customers’ Password Vaults
- Twitter Data Dump: 200m+ Account Database Now Free to Download. (This was not a case of password theft, but the attackers did get a trove of personal information about Twitter users, which can be used for social engineering.)
Getting access to networks is especially easy right now. There have been several successful attacks on services that were big repositories of credentials (LastPass, CircleCI, and so on), and this looks to be a tactic that criminals will keep using, since it’s paying off nicely.
To be clear about this, the problem isn’t that the bad guys have some username/password combination that you’ve probably already changed. The problem is that the bad guys now hold enough of these password dumps, accumulated over years, that they can line up one person’s old passwords side by side and see how that person generates new ones.
For individuals this is concerning: Most of us have at least a few passwords that we need to memorize, because password generators either don’t work for those use cases (a laptop’s disk-encryption passphrase, the password manager’s own master password) or are terribly inconvenient. If cybercriminals know how we iterate our memorizable passwords (Summer2022! becomes Summer2023!), their next guess is cheap, and that’s a bad day for us. But organizations also use password generation for everything from logon credentials for new employees to the secrets that connect our applications to one another, which is why the targets have shifted to enterprise tooling: CircleCI, LastPass, Okta, and Slack: Cyberattackers Pivot to Target Core Enterprise Tools.
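The point about attackers learning how a person iterates passwords can be made concrete. The following is an added example, not code from the original post: given the passwords one account has leaked across several dumps (a constructed history, `Tapir#2019` through `Tapir#2021`), it infers the counter pattern and predicts the next choices the way a cracking rule set would, and it rejects a proposed password that is one cheap mutation away from anything already leaked. The mutation list and the `is_predictable` check are this example's own simplifications of what tools like rule-based crackers do, not a reference implementation of any of them.

```python
"""Rejecting a new password that is a predictable iteration of a leaked one.

Given the passwords an attacker could have collected for one account across
several breaches, (a) infer the user's pattern and predict the next candidates
the way a cracking rule set would, and (b) refuse a proposed password that is
one cheap mutation away from any leaked one.
"""
import re

# Constructed sample: three passwords for the same account from three dumps.
LEAKED_HISTORY = ["Tapir#2019", "Tapir#2020", "Tapir#2021"]

# stem (shortest possible), then a run of digits, then a non-digit tail.
SUFFIX_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)(?P<tail>[^\d]*)$")

# Substitutions a rule-based cracker tries first (illustrative subset).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
COMMON_SUFFIXES = ["!", "1", "!1", "123", "2023", "#"]


def split_counter(pw):
    """Split 'Tapir#2021' into ('Tapir#', '2021', ''); None if no digits."""
    m = SUFFIX_RE.match(pw)
    if not m:
        return None
    return m.group("stem"), m.group("num"), m.group("tail")


def infer_pattern(history):
    """Return (stem, tail, highest_counter, counter_width) when every leaked
    password shares a stem and tail and differs only in a numeric counter;
    None when the history does not fit that pattern."""
    parts = [split_counter(p) for p in history]
    if not parts or any(p is None for p in parts):
        return None
    stems = {p[0] for p in parts}
    tails = {p[2] for p in parts}
    if len(stems) != 1 or len(tails) != 1:
        return None
    counters = [int(p[1]) for p in parts]
    width = len(parts[-1][1])  # keep zero-padding, e.g. '007' -> '008'
    return stems.pop(), tails.pop(), max(counters), width


def predict_next(history, count=3):
    """Predict the next `count` passwords the user is likely to choose."""
    pat = infer_pattern(history)
    if pat is None:
        return []
    stem, tail, last, width = pat
    return [f"{stem}{last + i:0{width}d}{tail}" for i in range(1, count + 1)]


def cheap_mutations(pw):
    """Variants a cracker derives from one known password: counter bumps,
    appended digits/symbols, case flips and leet substitutions."""
    out = {pw, pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()}
    parts = split_counter(pw)
    if parts:
        stem, num, tail = parts
        for delta in range(-3, 4):
            out.add(f"{stem}{int(num) + delta:0{len(num)}d}{tail}")
    for suffix in COMMON_SUFFIXES:
        out.add(pw + suffix)
    for ch, rep in LEET.items():
        out.add(pw.replace(ch, rep))
    return out


def is_predictable(candidate, history):
    """True when the candidate is the predicted successor to, or a cheap
    mutation of, any password already leaked for this account."""
    if candidate in predict_next(history):
        return True
    return any(candidate in cheap_mutations(old) for old in history)


if __name__ == "__main__":
    print("attacker's next guesses:", predict_next(LEAKED_HISTORY))
    for proposal in ["Tapir#2022", "tapir#2021!", "correct horse battery staple"]:
        verdict = "REJECT" if is_predictable(proposal, LEAKED_HISTORY) else "ok"
        print(f"{proposal!r}: {verdict}")
```

The useful lesson is in the `is_predictable` check: a password that would pass every complexity rule (length, mixed case, digits, symbols) is still worthless if it is a one-step derivation of something in a dump. A real deployment would compare against an account's actual breach history (the kind of service a breached-credential feed provides) rather than this constructed list, and the mutation set would be far larger.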
So it’s time to have a talk about zero trust. Where is your sensitive data stored? Can it be encrypted, or masked? Who has access? Can the list of people with that access be made shorter? In the era of data exfiltration, the principle of least privilege is your friend.
For how long do you store data? Can it be purged when no longer needed, or at least moved into cold storage that’s separate from the main network?
Cybercriminals will get into your network. This is reality. Center your defensive thinking on what you can do to make it harder for them to hurt you. Above all, we must all change how we think about the data on our networks. Data isn’t some limitless resource to be exploited. Data is more like the toxic leftovers from a dirty mining operation: There might be useful bits in there to be extracted, but data must both be handled with extreme care, and disposed of safely.