Compromised credentials are at the root of most cyber incidents in Australia, yet you could be forgiven for thinking ransomware is still the greatest single threat.
In the first half of 2023, based on OAIC statistics, ransomware was the top source of cyber incidents in Australia - accounting for some 31% of all received reports. About 206,861 individuals were impacted by an attack, on average.
While these figures are high - and ransomware remains a fairly consistent threat, at around one-third of all reported incidents, it belies a security issue that, collectively, causes far more cyber incidents in Australia, with multiple times the number of victims.
That issue is compromised credentials.
However, the effect of compromised credentials as the leading cause of cyber incidents in Australia is masked by the disaggregated manner in which figures about them are reported.
Cyber incident data collection has long been problematic. As it stands today, there is still no single place for Australian victims to report incidents due to the involvement of a variety of agencies and authorities and the interaction of various laws and regulations. This leads to variances in the way that numbers are collated and presented publicly. The move to a single reporting portal is one that’s been contemplated as part of the next federal cyber security strategy, which is anticipated to appear sometime before the end of the year. Aggregating numbers would be greatly assistive in understanding the true extent of cybersecurity-related challenges in Australia and in cross-checking whether existing reporting paints a full and accurate picture.
This is illustrated by taking just one set of numbers: the twice-yearly notifiable data breach reporting by the Office of the Australian Information Commissioner (OAIC).
The way notifiable data breach statistics are presented may give business leaders and executives, in particular, the wrong impression about what is driving the most cyber incidents and, therefore, how cybersecurity budgets or funding should be allocated.
While ransomware seemingly is the most frequent source (Chart 11), in actual fact, three of the top sources of cyber incidents point to a single issue: compromised credentials. The OAIC divides it up into different ways of pulling off that compromise, for reporting purposes.
That granularity of knowing how credentials were compromised is important to security professionals in understanding which specific aspects of credential security to prioritise. But it downplays the criticality and net effect of credential security and privileged access management as a whole.
When the three types of incidents involving compromised credentials are grouped, it is apparent that 52% of all cyber incidents in Australia in the first half of 2023 were due to credential compromise of some sort.
And it could even be higher than that: ransomware attacks are often preceded by a successful phishing attack on one or more individual(s) whose compromised credentials are then leveraged by the threat actor to gain entry and seed the malware. It’s not clear from the reporting whether a ransomware attack that started as a phish would be recorded as a ransomware incident, as a phishing incident, or both. Feasibly, the proportion of cyber incidents in Australia that result from compromised credentials falls between 52% and 83%. Wherever it actually falls in that range, it is clearly a sizable issue that demands more focus and funding.
Another important point to consider is that incidents involving compromised credentials impact far more individuals, on average, than ransomware-related incidents. That is not to say that ransomware is unimportant, but it puts some perspective on what causes incidents that would be classified as being of a higher severity.
The notifiable data breach reporting in Australia shows that, for two of the three types of credential compromise being tracked, the impact can be substantial.
There were only seven “brute force attacks” reported in Australia in the six months to June, but they affected the most individuals on average at 1,667,293. A brute force attack is a method threat actors use to compromise accounts and identities by guessing passwords, credentials, encryption keys, or other relevant information. This attack involves making simple guesses until the correct combination is found.
This was followed by compromised or stolen credentials for which the method was unknown (50 notifications), which affected 658,794 individuals on average.
Clearly, the most impactful cyber incidents - measured by the number of victims - are those involving breached or compromised credentials, which is another reason the area deserves far more attention than it receives.
The need for a PAM strategy
All of this highlights the need to secure user credentials properly, especially for privileged accounts, where internal users are performing remote access or where third parties, such as contractors or suppliers, are involved. For this, organisations can use Privileged Access Management (or PAM), which consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment.
Privileges serve an important operational purpose by enabling users, applications, and other systems.
The implementation of the principle of least privilege can also help to slow or limit the damage created by attackers that somehow end up with weak or exposed credentials. Least privilege requires that privileges are only granted to complete the task at hand for as long as required and no more.
Further, to mitigate the risks and increase the security around such accounts, multi-factor authentication should be in place.
As we fast approach 2024, organisations should take note that compromised credentials can be overlooked as an avenue for successful cyber attacks. As a result, businesses should look more closely at how they are protecting credentials and reinforce their defences within this part of their overall cybersecurity strategy.