How and Why to Use ChatGPT for Vendor Risk Management

Vendor risk management (VRM) is critical for organizations relying on third-party vendors. As businesses increasingly depend on external partners, ensuring these vendors maintain high security standards is vital. ChatGPT can enhance and streamline various aspects of VRM. Here’s how and why you should integrate ChatGPT into your vendor risk management process:

1. Automating Vendor Communications

ChatGPT can serve as a virtual assistant, automating repetitive communication tasks such as gathering information or following up on security policies.

Sample Prompt: “Draft an email requesting updated security documentation from Vendor A, specifically about their encryption practices.”
 
Example: ChatGPT can draft emails requesting updated security documentation from vendors, saving your team hours of manual labor.

 

2. Standardizing Vendor Questionnaires

ChatGPT can quickly generate standardized, consistent questionnaires tailored to your specific requirements, focusing on areas like cybersecurity, data privacy, and regulatory compliance.

Sample Prompt: “Create a vendor risk assessment questionnaire focusing on cybersecurity, data privacy, and regulatory compliance.”
 
Example: ChatGPT can create questionnaires that ensure all vendors are evaluated on the same criteria, maintaining consistency across your vendor portfolio.

 

3. Analyzing Vendor Responses

ChatGPT can process vendor responses quickly, summarizing risks, identifying gaps, and flagging compliance issues.

Sample Prompt: “Analyze the following vendor response to our cybersecurity questionnaire and summarize any potential risks.”
 
Example: ChatGPT can parse vendor responses and highlight key risks, saving your team from manually sifting through pages of documents.

 

4. Assessing Contract Terms and SLA Risks

ChatGPT can help identify gaps and vulnerabilities in vendor contracts, such as inadequate security terms or unclear penalties for non-compliance.

Sample Prompt: “Analyze the following vendor contract for any risks related to data security or regulatory compliance.”
 
Example: ChatGPT can analyze contracts for risks related to data security or regulatory compliance, ensuring your agreements adequately protect your organization.

5. Vendor Risk Management Reporting

ChatGPT can generate comprehensive risk reports, summarizing the status of key vendors, compliance issues, and potential risks in an easy-to-understand format.

Sample Prompt: “Create a vendor risk management report for Q3, focusing on our top 5 vendors and any recent compliance or security issues.”
 
Example: ChatGPT can create detailed quarterly reports on your top vendors’ risk profiles, providing decision-makers with quick insights.

 

More Info or Assistance?

While ChatGPT can drastically improve your VRM workflow, it’s just one piece of the puzzle. For a tailored, comprehensive VRM strategy, consider seeking expert guidance to build a robust program designed to protect your organization from third-party risks.

Incorporating ChatGPT into your VRM process helps you save time, increase accuracy, and proactively manage vendor risks. However, the right strategy and expert guidance are key to maximizing these benefits.

 

* AI tools were used as a research assistant for this content.

Enhancing Security: Managing Browser and Email Client Plugins with GPO in Active Directory

Controlling and managing plugins across various browsers and email clients is crucial for maintaining a secure enterprise environment. This blog post will explore how to effectively manage these plugins using Group Policy Objects (GPOs) in an Active Directory (AD) setting, aligning with the Center for Internet Security (CIS) Critical Security Controls Version 8.

The Importance of Plugin Management

CIS Control 2: Inventory and Control of Software Assets emphasizes the need to actively manage all software on the network. This includes plugins for browsers like Internet Explorer, Edge, Chrome, Firefox, and email clients such as Outlook, which can be potential vectors for security breaches if left unmanaged.

Implementing Plugin Management with GPO

Here’s a comprehensive guide to manage plugins using Group Policy across different browsers:

  1. Create a New GPO: In the Group Policy Management Console, create a new GPO or edit an existing one.
  2. Configure Internet Explorer Settings:
    • Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer
    • Enable “Prevent running of extensions not listed in the Add-on List”
    • Add approved extensions to the “List of Approved Add-ons”
  3. Manage Microsoft Edge Settings:
    • Go to Computer Configuration > Policies > Administrative Templates > Microsoft Edge
    • Enable “Control which extensions cannot be installed”
    • Use “Allow specific extensions to be installed” to whitelist approved extensions
  4. Configure Google Chrome Settings:
    • Navigate to Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions
    • Enable “Configure extension installation whitelist”
    • Add the extension IDs of approved extensions to the whitelist
  5. Manage Mozilla Firefox (requires additional setup):
    • Firefox requires the Firefox ADMX templates to be added to your Group Policy Central Store
    • Once added, go to Computer Configuration > Policies > Administrative Templates > Mozilla > Firefox
    • Enable “Extensions to Install” and specify allowed extensions
  6. Configure Email Client Plugins (Outlook):
    • Go to User Configuration > Policies > Administrative Templates > Microsoft Outlook > Security
    • Enable “Disable all COM add-ins”
    • Use the “List of Managed Add-ins” to specify allowed add-ins
  7. Apply GPO to Relevant OUs: Link the GPO to the appropriate Organizational Units (OUs) containing user accounts and computer objects.
  8. Test and Monitor: Apply the GPO to a test group before rolling out organization-wide. Monitor for any issues and adjust as necessary.

Aligning with CIS Controls

This comprehensive approach aligns with several CIS Controls Version 8:

  • Control 2: Inventory and Control of Software Assets
  • Control 4: Secure Configuration of Enterprise Assets and Software
  • Control 7: Continuous Vulnerability Management
  • Control 12: Network Infrastructure Management

By implementing these policies across various browsers and email clients, you’re taking significant steps towards a more secure and standardized environment.

Additional Considerations

  1. Browser Diversity: Be aware that different browsers may require different GPO settings. Ensure your policies cover all browsers used in your organization.
  2. Third-party Management Tools: For more granular control, especially in environments with multiple browsers, consider using third-party extension management tools that integrate with GPO.
  3. Regular Updates: Browser vendors frequently update their GPO capabilities. Stay informed about new policy options and adjust your configurations accordingly.
  4. User Education: Implement a policy to educate users about the risks of unapproved plugins and the process for requesting new plugins if needed for work purposes.

Regular Review and Updates

Remember to regularly review and update your plugin management policies. New plugins may need to be added to the approved list, while others may need to be removed due to emerging security concerns or obsolescence.

Conclusion

Managing plugins across various browsers and email clients through GPO is an effective way to enhance your organization’s security posture. It provides centralized control, reduces attack surfaces, and helps maintain compliance with cybersecurity best practices across diverse software environments.

Need assistance implementing this multi-browser approach or other security controls? The experts at MicroSolved are here to help. Contact us today to strengthen your organization’s cybersecurity defenses and ensure compliance with industry standards like the CIS Critical Security Controls.

 

 

* AI tools were used as a research assistant for this content.

How to Checklist for Testing Cloud Backups of Systems

A common question that our clients ask is how to actually test cloud backups. We hope this short methodology will help you meet this control. 

How to Checklist for Testing Cloud Backups of Systems

1. Preparation

  • Identify critical systems and data that require backup.
  • Establish a regular backup schedule and automation process.
  • Ensure access to necessary credentials and permissions for testing.

2. Backup Verification

Automated Verification:

  • Configure automated checks to validate backup integrity immediately after creation.
  • Ensure notifications are set up for any verification failures.

Manual Verification:

  • Periodically perform manual checks to verify the integrity of backups.
  • Compare backup files to original data to ensure consistency.

3. Restore Testing

File-Level Restore:

  • Select a few individual files and restore them to a different location.
  • Verify that the restored files match the original files.

Database Restore:

  • Choose a database to restore and perform the restore operation.
  • Validate the database’s functionality and integrity post-restore.

Full System Restore:

  • Perform a full system restore on a test environment.
  • Verify that the system is fully operational and all data is intact.

4. Checksum Validation

  • Generate checksums for critical files before backup.
  • After backup, generate checksums for the backup files.
  • Compare pre-backup and post-backup checksums to ensure no data corruption.

5. Versioning and Retention

  • Verify that multiple backup versions are being stored.
  • Test restoring from different backup points to ensure versioning works.
  • Check that retention policies are properly managing backup storage.

6. Encryption and Security

  • Confirm that backups are encrypted during transit and at rest.
  • Verify that encryption keys are securely stored and regularly updated.
  • Test decryption processes to ensure data can be accessed when needed.

7. Monitoring and Alerts

  • Ensure monitoring systems are actively tracking backup processes.
  • Test alert notifications by simulating backup failures.
  • Review alert logs regularly to ensure prompt response to issues.

8. Documentation and Training

  • Maintain up-to-date documentation of all backup and restore procedures.
  • Conduct training sessions for relevant personnel on backup processes and protocols.
  • Ensure all team members have access to the latest documentation.

9. Disaster Recovery Testing

  • Integrate backup testing into comprehensive disaster recovery drills.
  • Simulate various disaster scenarios to evaluate the effectiveness of backup and restore processes.
  • Document the results and identify areas for improvement.

10. Review and Improvement

  • Schedule regular reviews of backup strategies and processes.
  • Stay informed about new technologies and best practices in cloud backup.
  • Implement improvements based on review findings and technological advancements.

By following this checklist, you can systematically test and ensure the reliability, security, and functionality of your cloud backups.

 

 

* AI tools were used as a research assistant for this content.

 

 

 

How To Implement a Basic ZTNA Architecture

 

Implementing a Basic Zero Trust Network Access Architecture

Implementing a Zero Trust Network Access (ZTNA) architecture is increasingly essential for organizations aiming to secure their networks against evolving cyber threats. Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify everything trying to connect to its systems before granting access.

1. Define the Protect Surface

Identify the critical data, applications, assets, and services (DAAS) that need protection. This step is crucial as it allows you to focus your resources and security measures on the most valuable and vulnerable parts of your network.

2. Map the Transaction Flows

Understand how traffic moves across your network. Mapping the traffic will help you identify legitimate access patterns and needs, which is essential for setting up appropriate security policies.

3. Architect a Zero Trust Network

Create a micro-segmented network architecture. Micro-segmentation involves dividing the network into small zones to maintain separate access for different parts of the network. Each segment or zone should have its own security settings, and access should be restricted based on the principle of least privilege.

4. Create a Zero Trust Policy

Develop a policy that specifies how resources in the network are accessed, who can access these resources, and under what conditions. This policy should enforce that only authenticated and authorized users and devices are allowed access to the specified network segments and resources.

5. Monitor and Maintain Network Security

Implement security monitoring tools to inspect and log network traffic constantly. This can help detect and respond to threats in real-time. Regular audits and updates of the zero trust policies and architecture should be performed to adapt to new threats and changes in the organization.

6. Leverage Multi-factor Authentication (MFA)

Enforce MFA to ensure that the chance of unauthorized access is minimized. MFA requires users to provide two or more verification factors to gain access to a resource, adding an extra layer of security.

7. Implement Least Privilege Access

Ensure that users only have access to the resources that they need to perform their job functions. This should be strictly enforced through rigorous access controls and ongoing management of user permissions.

8. Utilize Endpoint Security Solutions

Secure all endpoints that access the network by ensuring they meet the security standards before they are allowed to connect. This often includes anti-malware and anti-virus software, and endpoint detection and response (EDR) solutions.

9. Educate and Train Employees

Provide regular training to all employees about the cybersecurity policies, the importance of security in the workplace, and best practices for maintaining security hygiene. A well-informed workforce can be your first line of defense against cyber threats.

10. Engage Expert Assistance

For organizations looking to develop or enhance their Zero Trust architectures, it is often beneficial to engage with cybersecurity experts who can provide tailored advice and solutions. MicroSolved, Inc. (MSI) has been at the forefront of information security, risk management, and compliance solutions since 1992. MSI offers expert guidance in strategic planning, configuration, policy development, and procedure optimization to ensure your Zero Trust implementation is robust, effective, and tailored to your specific organizational needs. Contact MSI to see how we can help your security team succeed in today’s threat landscape.

 

* AI tools were used as a research assistant for this content.

 

Maximize Your Cybersecurity: Discover How a Virtual CISO Can Transform Your Business Security Strategy

What is a vCISO?

A vCISO, virtual CISO, or virtual Chief Information Security Officer is a highly qualified cybersecurity expert who provides IT security and compliance services on a contractual basis. Unlike a full-time CISO, a vCISO works remotely and collaborates with an organization’s executive team to protect against security threats and ensure compliance with industry regulations.

As a cybersecurity expert, a vCISO brings years of experience and a wide range of skills. They deeply understand security practices, threat landscapes, and industry standards. With this knowledge, they can assess an organization’s security posture, identify potential gaps and risks, and develop a comprehensive cybersecurity strategy.

A vCISO’s role is to provide unbiased advice and guidance to the organization’s leadership team. They work closely with the executive team to align security objectives with business goals. VCISOs can help establish and implement security policies, compliance standards, and best practices by leveraging their technical expertise and industry knowledge.

By hiring a vCISO on a contractual basis, organizations gain access to a team of experts without the commitment of a full-time hire. This flexible and cost-effective approach allows businesses to benefit from the expertise of a seasoned professional while optimizing their security program. Ultimately, a vCISO helps organizations enhance their security posture and proactively mitigate cyber threats.

What does a virtual Chief Information Security Officer do?

A virtual Chief Information Security Officer (vCISO) plays a critical role in assisting organizations in developing and managing their information security program. One of the primary responsibilities of a vCISO is to create and implement a comprehensive security strategy for the organization. This includes identifying and prioritizing security threats, developing security policies and procedures, and establishing security controls to mitigate risks.

In addition to creating the security strategy, a vCISO coordinates and manages security audits conducted within the organization. They work closely with internal and external auditors to ensure the organization’s security practices and controls meet regulatory requirements and industry standards. This involves conducting risk assessments, reviewing security controls, and implementing necessary changes to enhance the organization’s security posture.

Furthermore, a vCISO evaluates third-party vendors and assesses their security capabilities. They ensure that third parties comply with the organization’s security requirements and implement necessary security measures to protect its data and systems from potential risks.

A crucial part of a vCISO’s role is presenting the organization’s security posture to stakeholders, such as the executive team and board members. They regularly update the organization’s security posture, including identified vulnerabilities or emerging threats. This helps stakeholders make informed decisions regarding the organization’s security investments and priorities.

A vCISO plays a vital role in helping organizations build a robust and effective information security program by fulfilling these responsibilities. They bring their expertise to develop a comprehensive security strategy, coordinate audits, evaluate third parties, and present the organization’s security posture to stakeholders.

Learning More

In conclusion, navigating the complex cybersecurity landscape can be daunting for any organization. However, partnering with a seasoned virtual Chief Information Security Officer (vCISO) can significantly enhance your security posture and ensure compliance with the latest industry standards. This is where MicroSolved comes into play. With our extensive experience and deep expertise in cybersecurity, we offer tailored vCISO services designed to meet your unique needs and challenges. Let us help you fortify your defenses, mitigate risks, and secure your digital assets effectively. Don’t wait for a security breach to realize the importance of expert guidance. Contact MicroSolved today and take a proactive step towards a more secure and resilient future.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

ChatGPT: A Valuable Ally for Your Information Security Team

One of the best ways to learn to use ChatGPT and other systems is to simply ask them how they can help you. Here is an example:

Prompt: 

Please write a blog post with some examples of things that ChatGPT could do to help an information security team. For each thing, write one or more sample prompts that they could use to get started. Please output in plain text without any markup or specialized formatting.

Response:

Title: ChatGPT: A Valuable Ally for Your Information Security Team

In a digital age where threats to information security are ever-evolving, having a well-rounded defense strategy is crucial. Among the plethora of tools and resources available, ChatGPT, developed by OpenAI, emerges as a valuable ally for information security teams. Here are some ways ChatGPT could assist in bolstering your organization’s cybersecurity measures, along with sample prompts to kickstart these initiatives:

1. Threat Intelligence Analysis
– Sample Prompt: “Identify recent cyber threats relevant to our industry and summarize their characteristics and potential impact.”

2. Phishing Detection Training
– Sample Prompt: “Generate examples of phishing emails related to our company, and explain how to distinguish them from legitimate communications.”

3. Automated Reporting of Security Incidents
– Sample Prompt: “Develop a script for collecting and formatting data related to security incidents for easier analysis and reporting.”

4. Policy and Compliance Documentation
– Sample Prompt: “Help draft a comprehensive Acceptable Use Policy that aligns with industry standards and regulatory requirements.”

5. Security Awareness Training Material Development
– Sample Prompt: “Create engaging training materials to educate employees about cybersecurity best practices and organizational policies.”

6. Log Analysis and Anomaly Detection
– Sample Prompt: “Analyze these system logs to identify any unusual activities and potentially malicious behavior.”

7. Password Policy Enforcement
– Sample Prompt: “Develop a communication to educate employees about our new password policy and the importance of strong, unique passwords.”

8. Incident Response Plan Development
– Sample Prompt: “Assist in drafting an Incident Response Plan outlining the steps to be taken in the event of a security breach.”

9. Vulnerability Assessment
– Sample Prompt: “Provide a checklist for conducting a vulnerability assessment of our network and systems.”

10. Security Tool Evaluation
– Sample Prompt: “Research and compare different cybersecurity solutions to help us decide which tools would best meet our security needs.”

ChatGPT can be a remarkable asset for information security teams, aiding in a multitude of tasks ranging from threat intelligence analysis to policy documentation. By integrating ChatGPT into your cybersecurity strategy, you stand to not only enhance your defense against cyber threats but also free up valuable time for your security personnel to focus on more complex, critical aspects of your organization’s security posture.

Summary:

Learning to use these AI tools is easy if you ask them for help. Learning to use them properly will go a long way toward increasing your productivity. 

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

3 Daily Habits for Information Security Practitioners to Stay Updated

  1. Stay Informed with Industry News:
    • Why? The cybersecurity landscape is ever-evolving. New threats, vulnerabilities, and attack vectors emerge daily.
    • How?
      • Subscribe to cybersecurity news websites and blogs like KrebsOnSecurity, The Hacker News, or Dark Reading.
      • Join forums and online communities like Reddit’s r/netsec or Stack Exchange’s Information Security.
      • Set up Google Alerts for specific cybersecurity keywords to get real-time updates.
  2. Engage in Continuous Learning:
    • Why? Technologies and tools in the cybersecurity domain are constantly advancing. To remain effective, professionals must keep up with the latest techniques and methodologies.
    • How?
      • Dedicate time each day to learn something new, whether it’s a new programming language, a cybersecurity tool, or a security protocol.
      • Enroll in online courses or webinars. Platforms like Coursera, Udemy, and Cybrary offer many courses tailored for cybersecurity professionals.
      • Participate in Capture The Flag (CTF) challenges or cybersecurity simulations to hone your skills in a practical environment.
  3. Network with Peers:
    • Why? Networking helps share knowledge, learn about real-world challenges, and understand best practices from experienced professionals.
    • How?
      • Attend local or virtual cybersecurity meetups, conferences, and seminars.
      • Join professional organizations such as (ISC)², ISACA, or the Information Systems Security Association (ISSA).
      • Engage in discussions on LinkedIn groups or Twitter threads related to cybersecurity.

Remember, the field of information security is vast and dynamic. By integrating these habits into your daily routine, you’ll be better equipped to stay ahead of the curve and safeguard your organization’s digital assets.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

How Information Security and Risk Management Teams Can Support FinOps

As organizations continue to move their operations to cloud services, it is becoming increasingly important for information security and risk management teams to understand how they can support financial operations (FinOps). FinOps is a management practice that promotes shared responsibility for an organization’s cloud computing infrastructure and cloud cost management. In this post, we will explore some ways in which the information security and risk management team can support FinOps initiatives.

1. Establishing Governance: Information security and risk management teams can play a vital role in helping FinOps teams establish effective governance. This includes creating a framework for budget management, setting up policies and procedures for cloud resource usage, and ensuring that all cloud infrastructure is secure and meets compliance requirements.

2. Security Awareness Training: Information security and risk management teams can provide security awareness training to ensure that all cloud practitioners are aware of the importance of secure cloud computing practices. This includes data protection, authentication protocols, encryption standards, and other security measures.

3. Cloud Rate Optimization: Information security and risk management teams can help FinOps teams identify areas of cost optimization. This includes analyzing cloud usage data to identify opportunities for cost savings, recommending risk-based ways to optimize server utilization, and helping determine the most appropriate pricing model for specific services or applications.

4. Sharing Incident Response, Disaster Recovery, and Business Continuity Insights: Information security and risk management teams can help FinOps teams respond to cloud environment incidents quickly and effectively by providing technical support in the event of a breach or outage. This includes helping to diagnose the issue, developing mitigations or workarounds, and providing guidance on how to prevent similar incidents in the future. The data from the DR/BC plans are also highly relevant to the FinOps team mission and can be used as a roadmap for asset prioritization, process relationships, and data flows.

5. Compliance Management: Information security and risk management teams can help FinOps teams stay compliant with relevant regulations by managing audits and reporting requirements, ensuring that all relevant security controls are in place, auditing existing procedures, developing policies for data protection, and providing guidance on how to ensure compliance with applicable laws.

The bottom line is this: By leveraging the shared data and experience of the risk management and information security teams, FinOps teams can ensure their operations are secure, efficient, and completely aligned with the organization’s overall risk and security posture. This adds value to the work of all three teams in the triad. By working together, the teams can significantly enhance the maturity around technology business management functions. All-in-all, by working together, the teams can create significantly better business outcomes.

 

New Book Launch: We Need To Talk: 52 Weeks To Better Cyber-Security

I have released a new e-book titled “We Need To Talk: 52 Weeks To Better Cyber-Security.” I self-published through PublishDrive and MSI. It has been quite an interesting project, and I learned a lot in both writing/editing (with an AI), and in the publishing aspects.

The book provides a comprehensive approach to discussing cyber-security, addressing topics such as risk management, configuration management, vulnerability management, policy, threat intelligence, and incident response. The discussions that are sparked will lead to helping your team strengthen and mature your organization’s security posture.

The book is designed for information security professionals and their teams looking for a structured way to improve their organization’s cyber-security posture over one year. It is an ideal resource for those teams who wish to develop a well-rounded understanding of cyber-security and gain insight into the various elements that are needed for a successful program.

The book is 111 pages and sells for $9.99 in most of the ebook stores below:

Amazon

Apple

Barnes & Noble

Check it out, and please leave a review if you don’t mind taking the time. It will be much appreciated.

Print-on-demand options and other stores will be coming shortly. Hopefully, the book helps folks build better infosec programs. As always, thanks for reading, and stay safe out there! 

How To Handle Leaked Credentials

OK, so you used ClawBack™ or some other tool and found leaked credentials linked to one of your employees on the web. Now, what do you do?

First, don’t panic. Leaked credentials happen all of the time. On average, it was discovered that employee email credentials from 10% of all Fortune 500 companies have been leaked in some form of data breach. (blog.finjan.com)  Another report published recently suggests that the web currently hosts leaked credentials of employees for 97% of the top 1,000 global companies – many stemming from third-party data breaches. (blog.finjan.com)

Once you come to terms with your find, it’s time to get down to business researching the issue. The first step is to determine what kind of data you have identified. Usually, leaked credentials come with a user ID like an email, system login name, or the like. Presumably, this is how you found the credentials in the first place. Next, determine if you have a password and/or hash for that user that was contained in the leak. If you found only a list of emails or names, there is not much actionable intelligence there, beyond maybe letting those users know that they are at increased risk for phishing and reminding them to be vigilant.

If, however, you have a password or hash tied to one of your user names in the leak, a few more steps are involved. If you have a password, the first step is to determine if that password meets whatever password policies you have defined across the organization. This is a key leverage point for identifying potential leaks – many, if not most, leaked passwords come from third-party systems and websites that are compromised by attackers but are only used by the firm’s employees. It’s pervasive for industry sites, or shopping sites to be linked to your employee’s identity – it could be as simple as your employee signed up for the site with their work email, and that site got breached. If that is the case, then as long as your employee doesn’t use that password at work (or similar passwords: eg: Summer12 and Summer13, etc.) there is little risk to the firm. If the password would not meet your password policy for your domain, webmail, and other applications, then this is likely the case. If that happens, simply contact the employee, advise them of the leaked credential, and make sure that they understand to change their passwords anywhere they used that password in their online life.

But, what if the password could be one of your domain or webmail accounts? If the password would meet your policies, then immediately force a password change on all systems for that user. If possible, you should also terminate any open sessions and force the user to change their credentials. While a determined attacker may exploit this process to reset the password themselves if they have the ability, it prevents any non-resourced attackers from exploiting the credentials. The worst case is that an employee loses a current session and has to reset their passwords to continue working.

However, don’t stop there – contact the user and advise them of the leaked credential. Ask them if it was used on any work-related systems or applications, and if so, immediately begin an investigation on those systems looking for signs of illicit access. This should be performed using intensive log reviews and should go back to the date of the user’s previous password change whenever possible. Do not depend on the leak date, if shown, as the boundary for the incident. Attackers may have had knowledge and access prior to making the leak public. Often, attackers use compromised accounts for some time, getting what they want from the victim, and then release the stolen credentials to other attackers via a sale, or to the public, in the hopes that the additional attacker traffic will hide the original compromise.

Lastly, if you only have a hash of a potential password, I would still follow the process above. Most hashes can be broken given enough resources. Thus, it is erring on the side of caution to follow the above process, and accept the hash as a credential that could be in use in your environment.

Got other workarounds for leaked credentials? I’d love to hear them. Drop me a line on Twitter, and let me know (@lbhuston). I’ll share any insights in future posts.

If you’d like to learn more about ClawBack – check out our solution for hunting down leaked credentials, source code, and configuration data. Get in touch with us for a discussion, or check out the videos on our website for a walkthrough.