Build a strong defense against credential stuffing

The Securities and Exchange Commission earlier this fall warned SEC registrants, including broker-dealers, investment advisers and investment companies of a rise in credential stuffing attacks. Today’s columnist, Jen Lau of Auth0, offers five tips for developing a strong defense against credential stuffing.

When it comes to cyberattacks, where there’s a will there’s a way. What started out as hackers guessing account usernames and passwords — a tedious and ineffective approach — has morphed into a widespread, low-cost, and highly-sophisticated attack process that can cause serious damage.

While certain security practices and products have evolved to proactively prevent and mitigate malicious attacks, many organizations still struggle to protect themselves against cyber threats, particularly automated attacks such as credential stuffing. Our research found that more than 80 percent of companies find credential stuffing difficult to detect, fix, or remediate, which costs companies an average of more than $6 million a year and can lead to strained IT resources, account takeovers, and lost brand reputation.

As cyberattacks become more sophisticated, our tactics for prevention and mitigation also need to improve. By building on what we know has been successful in the past, we can work to find new ways to keep up with today’s threats and stay nimble to new approaches.

With the complexity of today’s attacks, there’s no one tactic that can fix these challenges. A combination of the following five tips can serve as a strong defense for fighting the cyber threat battle:

  • Prioritize cybersecurity awareness training.

Organizations can prevent many cyberthreats by creating a security culture within the organization and offering security education and awareness training. Good starting points are training on how to build workable, healthy password management habits, how to recognize attacks such as phishing or credential stuffing, and best practices for mitigating these types of attacks. Security pros should make a regular cadence of security education and support a top priority.

  • Use password managers.

Healthy password management habits, such as stressing the importance of using complex, unique passwords for each account and using password managers, are easy next steps. Password managers help mitigate the risk of compromise by addressing the most common way an account gets hacked: weak credential selection (username and password) along with credential reuse. Password managers act as password generators, providing a new and unique password for every login created, and securely store these credentials so users don't have to worry about remembering them.

  • Deploy multi-factor authentication.

By introducing multi-factor authentication (MFA), security teams can make the company's threat prevention and mitigation techniques sustainable. MFA introduces an extra layer of security (and more friction for suspicious users when it's most necessary), making security practices smarter and making it much harder for a hacker to compromise accounts at scale.

Instead of triggering MFA every time a user logs in, trigger it only when it makes sense. If the company operates mostly in the United States and Canada, but the security team sees huge spikes in traffic from Vietnam or Thailand, ask for additional verification.

  • Invest in proactive threat detection.

For any business looking to prevent automated attacks, it's important to detect discrepancies. Organizations that have not already prioritized identity and threat detection technology should start, and those that have should make sure they optimize their products for the best results.

Companies need to detect and stop hackers before they get in, so it's important to have security products and threat intelligence capabilities that monitor various risk signals, such as detecting login anomalies and stopping malicious attempts to access applications. This is where an identity management platform that can correlate numerous data sources and risk signals to identify and mitigate bot-driven attacks before login becomes business-critical.
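The following is an added illustration (not code from the column or from Auth0) of the two ideas above: stepping up to MFA only when a login looks risky, and spotting the credential-stuffing signature of one source trying many different usernames with mostly failures. The login events, home countries and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample login events, not real traffic:
# (source_ip, country, username, success)
EVENTS = [
    ("203.0.113.7", "VN", "alice", False),
    ("203.0.113.7", "VN", "bob", False),
    ("203.0.113.7", "VN", "carol", False),
    ("203.0.113.7", "VN", "dave", False),
    ("203.0.113.7", "VN", "erin", True),    # one guessed pair happened to work
    ("198.51.100.2", "US", "alice", True),  # ordinary login from home region
    ("198.51.100.9", "CA", "frank", False), # a typo, then success
    ("198.51.100.9", "CA", "frank", True),
    ("198.51.100.50", "TH", "grace", True), # legitimate but travelling user
]

HOME_COUNTRIES = {"US", "CA"}  # assumption: where the business normally operates
MIN_DISTINCT_USERS = 4         # assumption: "many accounts from one source" threshold
MAX_FAILURE_RATE = 0.5         # assumption: failure ratio that looks automated

def source_stats(events):
    """Aggregate per-source signals: distinct usernames, attempts, failures, country."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "country": None})
    for ip, country, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["country"] = country
    return stats

def decide(ip, stats):
    """Return 'block', 'mfa' or 'allow' for the next attempt from ip."""
    s = stats.get(ip)
    if s is None:
        return "allow"  # no history, nothing suspicious yet
    stuffing = (len(s["users"]) >= MIN_DISTINCT_USERS
                and s["failures"] / s["attempts"] > MAX_FAILURE_RATE)
    unusual_geo = s["country"] not in HOME_COUNTRIES
    if stuffing and unusual_geo:
        return "block"
    if stuffing or unusual_geo:
        return "mfa"    # add friction only when a risk signal is present
    return "allow"

def risk_report(events):
    stats = source_stats(events)
    return {ip: decide(ip, stats) for ip in stats}
```

In a real deployment the same signals would be fed by the identity platform's logs and the thresholds tuned against observed traffic rather than hard-coded.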

  • Look for customizable security products.

Organizations are often apprehensive that cybersecurity will take away from the user experience. If security does not get deployed correctly, what makes it more difficult for hackers to access an account can sometimes also make it harder for legitimate users to access their accounts. Organizations should invest in products that allow for a more balanced, extensible approach to security and user experience. Adaptive authentication (such as CAPTCHA implementation for suspicious login behavior) lets organizations create friction only when needed, resulting in a positive user experience without compromising on security.

Cyberattacks will continue to evolve, and preventing and mitigating attacks will only become harder, requiring security tactics to transform. Through education and the use of a layered security approach, security teams can better prepare their organizations for when the threat landscape changes.

Jen Lau, director, business operations and strategy, security and compliance, Auth0
