There's no perfect password, and there never will be. Couple that with the lax security practices of online users, and hackers have a children's Easter egg hunt in front of them with far better rewards than a chocolate bunny.
And the cyberthreat environment is only getting worse. Unlike IT departments, organized crime doesn't get funding reductions or layoffs, and it is well equipped and smart, according to Russell Schrader, executive director at the National Cyber Security Alliance.
Increasingly sophisticated hackers continue to get through security systems using lists of credentials that are often obtained illegally. There are some basic measures individuals and businesses can put in place to protect themselves, though nothing can stave off an attack forever.
How are they doing it?
Crimeware groups carrying out illegal activity online, especially in foreign countries, have low entry and organization costs. Not to mention, a simple internet search can tell a malicious user everything they need to know about proxy servers, botnets and breaking in with stolen credentials.
But password management and security best practices can at least mitigate security issues surrounding access, which are only getting thornier on platforms and networks with increasingly blurred boundaries.
Today, there are three main ways hackers can bypass logins or passwords, according to Jobert Abma, co-founder of HackerOne:
- Extracting vulnerable credentials stored in plain text or masked with an easily defeated encryption scheme
- Obtaining a list of credentials that people use on other systems
- Exploiting other vulnerabilities to change an email or password tied to a site
To protect credentials on a business network, credential information should never be held unencrypted. Users often carry credentials between business and personal accounts, and once a password is exposed hackers can use it to infiltrate a host of other sites.
In general, there is no hacking involved with credentialed breaches, according to Andrew Jones, lead solutions engineer at Shape Security. More often than not, hackers are working with lists of thousands of credentials and use those to try logging into sites using proxy or botnet services.
With data breaches such as Equifax, LinkedIn and Under Armour, there are plenty of credentials available on the web for hackers to use. These lists are sometimes validated, which can be an easy method for hackers to monetize stolen credentials instead of using them themselves, said Jones. Even in systems with multi-factor authentication, hackers can sell credentials that are valid for just the first tier of security.
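Credential stuffing of the kind Jones describes leaves a recognisable shape in login logs: a single source working through many different usernames, each tried about once, with a low success rate. The following Python is added here as an illustration and is not code from the article or from any of the vendors quoted; the log format, the source addresses and the thresholds are assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the article): timestamp, source IP, username, outcome.
# 203.0.113.10 sprays many accounts once each (stuffing); 198.51.100.7 retries one account.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.10 alice FAIL
2024-05-01T10:00:02 203.0.113.10 bob FAIL
2024-05-01T10:00:03 203.0.113.10 carol FAIL
2024-05-01T10:00:04 203.0.113.10 dave FAIL
2024-05-01T10:00:05 203.0.113.10 erin OK
2024-05-01T10:00:06 203.0.113.10 frank FAIL
2024-05-01T10:00:07 198.51.100.7 alice FAIL
2024-05-01T10:00:20 198.51.100.7 alice FAIL
2024-05-01T10:00:45 198.51.100.7 alice OK
"""


def parse_log(text):
    """Turn each log line into (timestamp, source_ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.3):
    """Return {source_ip: (distinct_users, attempts, successes)} for sources that, within
    any sliding time window, tried at least `min_users` distinct usernames with a success
    rate at or below `max_success_rate`. A per-account brute force (one user, many tries)
    is a different signal and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window so that it spans at most `window` of time.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged[ip] = (len(users), len(chunk), successes)  # last qualifying window
    return flagged
```

Running `find_stuffing_sources(parse_log(SAMPLE_LOG))` flags only the spraying source; the successful login it contains is exactly the "validated credential" that gets resold, so a hit here is worth a forced reset on the affected account.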
A simple search in Troy Hunt's "Have I Been Pwned" can tell users if their emails are tied to known breaches and credential dumps. But by the time this data is posted online, it's usually too late. With especially sophisticated and nefarious actors, that information is probably never even being posted online, said Jones.
How to best protect
For now, security experts generally agree that password management tools are individuals' best option. Even with the risk of those tools getting hacked — which is more likely to happen than not — the additional security obtained in the tradeoff is worth the risk.
For businesses, offsetting risks with more comprehensive security protocols can be a double-edged sword. Some restrictions hurt more than they help, such as requirements to change passwords frequently, said Adam Bacchus, director of program operations at HackerOne.
In the starkest case of the tradeoff between security and usability, the safest computer in the world is one unplugged, locked in a box and tossed into the sea.
But businesses don't have the luxury of perfect security and have to walk the tightrope. A few security buffers for the enterprise include:
- Two-factor authentication: Users may put up resistance to it at first, but getting past the initial hump can dramatically improve security controls.
- CAPTCHA and reCAPTCHA: These tests can find out if it's a human user at the other end, but what works today probably won't work a year from now as AI gets better. These tests will have to constantly evolve, said Schrader.
- JavaScript challenges: These force the incoming browser to run a piece of code; if it can't run the script, it's indicative of a simple script on a botnet, said Jones. It's easy and low-cost to implement, and could dramatically improve security for many sites.
But no matter how sophisticated security checks may be, nothing is undefeatable. Businesses need a clear plan in case of data breaches and they also need a plan for stolen credentials.