Three seemingly disparate events spread across three years. Can you guess how they are related?

• In 2020, Marriot Hotels is hacked, and attackers steal the data of 5.2 million guests.
• In 2021, after compromising IT management contractor Solar Wind, Russian attackers compromised at least nine federal agencies.
• In 2022, a T-Mobile store owner is convicted of making $25 million through illegally unlocking and unblocking hundreds of thousands of cell phones.

The first is a group of small-time hackers infiltrating a hotel chain to steal guest data. The second is a powerful nation state using Advanced Persistent Threats to infiltrate a government. The third is a single store owner making millions providing an illegal service. All seem very different. Yet, all have one thing in common. Each happened as a result of poor Identity and Access Management.

Marriot Hotels was hacked when the credentials of two Marriot employees were compromised. The Solar Winds attackers compromised federal agencies and hid their presence on the network because of poor identity management. Finally, the T-Mobile store owner was able to illegally access the T-Mobile systems to “unlock” cell phones by compromising and stealing the credentials of over 50 different T-Mobile employees. These breaches of user credentials are only a few of the hundreds of similar stories to fill the cyber security news feeds over the past few years.

The pandemic of poor credential management has led the National Institutes of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to finalize new identity and access management guidelines. NIST has even announced plans to refresh its entire suite of publications on identity and access management to address the changes. As more than 50% of companies use the NIST framework as a benchmark for security, and many compliance regulations base their foundations upon NIST requirements, the changes to NIST guidelines are likely to expand to various frameworks and industries. Understanding and following these guidelines will be necessary for many security departments and organizations.

Following the guidelines will also be important as credential attacks are not going away. Fresh stories involving stolen and compromised credentials seem to hit the cyber security news channels daily. Last week, Kaspersky announced the discovery of a repository with ten credential-stealing python applications. A week before, security professionals discovered that hackers had embedded numerous credential harvesting links inside the popular collaboration website, Lucidchart. The previous month, Arkose Labs reported that the sale of user credentials makes a thief as much as $24,000 depending upon the type of organization. Credentials compromise is big business, and cyber criminals everyone are seeking to cash in.

Poor Identity and Access Management controls are a significant risk for organizations. The new NIST guidelines will provide critical guidance for organizations to better secure the user credentials within their organization. If you are uncertain whether your organization aligns with the new NIST guidelines or whether the credentials inside your organization are secure, contact Liberty Cyber Solutions. We can help review your policies and processes to ensure your organization is secure.