Enterprise passwords becoming even easier to steal and abuse

Growing threat from stolen credentials: Attackers actively target user credentials because they offer the most direct route, or foothold, into a targeted organization’s network. Once inside, attackers can move laterally across systems, searching for other user accounts to compromise, or attempt to escalate their privileges and gain administrative control. This hunt for credentials extends beyond user accounts to code repositories, where developers may have hard-coded access keys and other secrets into application source code.

Attacks using valid credentials were successful 98% of the time, according to Picus Security. Picus Security’s Blue Report also found that data exfiltration attempts were stopped only 3% of the time, down from 9% in 2024. That statistic is particularly bad news at a time when ransomware operators are ramping up double-extortion attacks, pairing threats to leak stolen data with demands that compromised companies pay to regain access to hacked systems.

“This suggests that even when attackers are detected, response mechanisms are either too slow, poorly integrated or simply ineffective at stopping the damage,” says Cyber Protection Group’s Bell.

Qualys’ Milenkovic argues that organizations should be deploying a range of defensive strategies to protect digital identities. “Multi-factor authentication (MFA) is now considered a baseline control, adding a crucial verification layer beyond a simple password,” Milenkovic tells CSO. “This is often supplemented by user behavior analytics, which can flag anomalous activity indicative of a compromised account.”

Darren Guccione, CEO and co-founder of zero-trust password management and encryption vendor Keeper Security, says that legacy complexity rules, such as forcing periodic password changes or minor character substitutions, offer “little resistance” against modern brute-force and dictionary attacks. “Defenses must evolve to include comprehensive credential lifecycle management, privileged access controls and real-time anomaly detection,” Guccione says. “The adoption of phishing-resistant authentication methods, such as passkeys, can also significantly reduce the risk of compromised credentials being exploited and prevent lateral movement in the event of a breach.”

Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, notes that too many organizations still rely on legacy systems, inconsistent password policies and incomplete MFA enforcement. “CISOs and security teams should focus on enforcing strong, unique passwords, using MFA everywhere, managing privileged accounts rigorously and testing identity controls regularly,” Curran says. “Combined with well-tuned DLP [data loss prevention] and continuous monitoring that can detect abnormal patterns quickly, these measures can help limit the impact of stolen or cracked credentials.”

Picus Security’s latest findings reveal a concerning gap between the perceived protection of security tools and their actual performance. An overall protection effectiveness score of 62% contrasts with a shockingly low 3% prevention rate for data exfiltration. “Failures in detection rule configuration, logging gaps and system integration continue to undermine visibility across security operations,” according to Picus Security.
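The article notes that attackers hunt for access keys and other secrets that developers have hard-coded into source. The scanner below, an added example written for this page and not code from CSO, Picus or any vendor quoted above, shows the three checks a basic secret scanner runs over a repository: a fixed-format key pattern (here the AWS access key ID format `AKIA` plus 16 upper-case alphanumerics), a suspicious variable name assigned a string literal, and a high-entropy string literal that has no telling name at all. The sample source it scans is constructed for the example; the AWS values in it are the placeholder keys from AWS's own documentation, not live credentials, and the entropy threshold of 3.5 bits per character over at least 20 characters is an assumed tuning, not a standard.

```python
import math
import re
from typing import List, NamedTuple

# Constructed sample "repository file". The AWS values are the documented
# AWS placeholder examples; nothing here is a real credential.
SAMPLE_SOURCE = """\
import boto3

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
api_token = os.environ.get("API_TOKEN")
app_sig = "9f3b2c7d8e1a4f6b0c5d7e9a1b3c5d7f"
greeting = "hello world"
"""

# Rule 1: AWS access key IDs have a fixed, recognisable shape.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Rule 2: a variable whose name suggests a secret, assigned a quoted literal.
# Reading a value from the environment (no quoted literal) does not match.
ASSIGN_RE = re.compile(
    r"(?i)\b(\w*(?:password|passwd|pwd|secret|token|api_?key|access_key)\w*)"
    r"\s*[=:]\s*[\"']([^\"']+)[\"']"
)

# Rule 3: any quoted literal long enough and random-looking enough to be a key.
STRING_LIT_RE = re.compile(r"[\"']([^\"']{20,})[\"']")
ENTROPY_THRESHOLD = 3.5   # bits per character; hex tops out at 4, base64 at 6 (assumed tuning)


class Finding(NamedTuple):
    line: int
    rule: str
    name: str      # variable name when known, else ""
    value: str     # the matched literal (redact before logging!)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the literal's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Show only a short prefix so the scanner's own report does not leak the secret."""
    return value[:4] + "…" if len(value) > 4 else "…"


def scan_source(text: str) -> List[Finding]:
    """Run the rules over each line; the first rule that fires wins for that line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = AWS_KEY_RE.search(line)
        if m:
            findings.append(Finding(lineno, "aws_access_key_id", "", m.group(0)))
            continue
        m = ASSIGN_RE.search(line)
        if m:
            findings.append(Finding(lineno, "hardcoded_secret", m.group(1), m.group(2)))
            continue
        for lit in STRING_LIT_RE.findall(line):
            if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_literal", "", lit))
                break
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} {f.name or ''} {redact(f.value)}")
```

The entropy rule is what catches the unnamed `app_sig` literal that the name-based rule misses; the name-based rule is what catches `changeme`, a low-entropy default that an entropy check alone would wave through. In practice this runs as a pre-commit hook or CI step so the key is rejected before it reaches the repository history that attackers scrape.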
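Guccione's point that minor character substitutions offer little resistance to dictionary attacks is easy to demonstrate. The following is an added example, written for this page and not taken from Keeper Security or any other source quoted above: a small dictionary attack that applies the usual "leet" substitutions, capitalisation and common suffixes to each wordlist entry, so that a policy-compliant password such as `P@ssw0rd1!` falls out of the single dictionary word `password` after a few hundred guesses. The wordlist and the target password are constructed for the example, and SHA-256 stands in for whatever hash the attacker has obtained; the candidate-generation logic is the part that matters.

```python
import hashlib
import itertools
from typing import Iterator, List, Optional, Tuple

# The substitutions and suffixes users typically reach for to satisfy a
# complexity rule. Attacker rule sets are much larger; this is the minimum.
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "1!", "123", "2024"]

# Constructed four-word "dictionary" for the example.
WORDLIST = ["letmein", "welcome", "password", "summer"]


def sha256_hex(s: str) -> str:
    """Stand-in for the hash an attacker has dumped; real systems should use a slow KDF."""
    return hashlib.sha256(s.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield every candidate that the substitution/case/suffix rules derive from one word."""
    word = word.lower()
    positions = [i for i, ch in enumerate(word) if ch in SUBS]
    seen = set()
    # Every subset of substitutable positions: "password", "p@ssword", "p@ssw0rd", ...
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = SUBS[chars[i]]
            base = "".join(chars)
            for variant in (base, base.capitalize(), base.upper()):
                for suffix in SUFFIXES:
                    cand = variant + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(target_hex: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses made)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if sha256_hex(cand) == target_hex:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    # A password that satisfies "upper, lower, digit, symbol, 10 chars" rules.
    found, guesses = crack(sha256_hex("P@ssw0rd1!"), WORDLIST)
    print(f"recovered {found!r} after {guesses} guesses")
    # A long, random-word passphrase is outside the rule set entirely.
    found, guesses = crack(sha256_hex("correct horse battery staple"), WORDLIST)
    print(f"recovered {found!r} after {guesses} guesses")
```

The mangled search space for a word with four substitutable letters is at most 16 substitution patterns times 3 case variants times 6 suffixes, under 300 guesses, which is why character-substitution rules add almost nothing against an attacker who already holds the hash. Length and unpredictability (or removing the password altogether with a passkey) are what raise the cost.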

Effective countermeasures require continuous validation: Rather than pointing towards inherent limitations of security countermeasures, Qualys’ Milenkovic argues that these findings show that the effectiveness of these tools is often severely undermined by a lack of continuous validation and management.

“The primary culprit is a ‘set-and-forget’ mentality,” Milenkovic says. “Security controls are potent when deployed, but their effectiveness degrades over time due to configuration drift, environmental changes, and evolving attacker techniques.”

Milenkovic adds: “For the modern CISO, the key takeaway is the critical need to shift towards a threat-informed defense. This involves moving beyond compliance-based box-ticking and embracing a proactive strategy of continuous security control validation.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4042464/enterprise-passwords-becoming-even-easier-to-steal-and-abuse.html
