
The Role of Compromised Password Monitoring

The digitization of business operations has brought countless advantages, but it also comes with a steep cost – an increased vulnerability to cyber threats. In this escalating landscape of risks, compromised credentials have emerged as the leading cause of data breaches as revealed in Verizon’s 2023 DBIR Report and IBM’s 2022 Cost of a Data Breach Report. This threat landscape underscores the vital need for businesses to establish a robust system to track and manage compromised credentials. Recommendations for addressing this area of risk are outlined in many of NIST’s publications, with Control IA-5 in SP 800-53 providing comprehensive guidance for password-based authentication.

Understanding the Role of NIST IA-5 in SP 800-53

NIST’s Special Publication 800-53, revision 5, titled “Security and Privacy Controls for Information Systems and Organizations,” presents an extensive framework for managing information security risks. One essential aspect is Control Enhancement IA-5(1), which governs password-based authentication:

For password-based authentication:

(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;

(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a).

Compromised credentials can serve as the gateway for cybercriminals to infiltrate an organization’s systems, paving the way for costly and damaging data breaches. Recognizing the gravity of this threat, NIST SP 800-53 advises the detection and management of compromised passwords. Preventing users from setting their passwords to previously exposed values denies attackers the option of simply finding login information on the Dark Web and using it to gain access to accounts. This dramatically reduces an organization’s risk of account takeover by stopping threats such as credential stuffing and password spraying attacks.
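The two halves of IA-5(1) quoted above map directly onto a small piece of code: a blocklist that is built and refreshed (part a) and a check that runs whenever a user sets or changes a password (part b). The example below is an added illustration written for this page, not code from the article or from NIST. It assumes the list is held as SHA-1 hashes bucketed by a 5-character hex prefix, the k-anonymity layout used by range-query breach services, so that a password-change handler never has to reveal the full hash of a candidate password to the lookup. The blocklist contents and the "newly exposed" entries are constructed sample data.

```python
"""Password blocklist check in the spirit of NIST SP 800-53 IA-5(1).

Added illustration, not code from the original article. The blocklist
entries are constructed sample data, and the prefix/suffix layout is an
assumption modelled on k-anonymity range-query breach lookups.
"""
import hashlib
from collections import defaultdict

# Constructed sample of "commonly-used, expected, or compromised" passwords
# that an organisation's IA-5(1)(a) list might hold. A production list would
# contain millions of entries and be refreshed on a defined schedule.
SAMPLE_COMPROMISED = ["password", "123456", "qwerty", "letmein", "Summer2023!"]

PREFIX_LEN = 5  # hex characters of the SHA-1 digest used as the lookup key


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the usual blocklist format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_blocklist(passwords):
    """IA-5(1)(a): store only hashes, bucketed as {prefix: {suffix, ...}}.

    Keeping hashes rather than plaintext means the list itself is not a
    second copy of every leaked password.
    """
    store = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        store[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
    return store


def update_blocklist(store, newly_exposed):
    """IA-5(1)(a) also requires updating the list when passwords are
    suspected compromised. Returns the number of entries actually added."""
    added = 0
    for pw in newly_exposed:
        digest = sha1_hex(pw)
        bucket = store[digest[:PREFIX_LEN]]
        if digest[PREFIX_LEN:] not in bucket:
            bucket.add(digest[PREFIX_LEN:])
            added += 1
    return added


def range_query(store, prefix):
    """Simulates a k-anonymity range lookup: the caller sends only the short
    prefix and receives every suffix in that bucket, then matches locally."""
    return set(store.get(prefix, ()))


def is_compromised(password, store):
    """IA-5(1)(b): test a candidate password against the list without ever
    handing the lookup the full hash (let alone the plaintext)."""
    digest = sha1_hex(password)
    candidates = range_query(store, digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in candidates


def validate_new_password(password, store, min_length=8):
    """Combined check a password-create/update handler would run.

    Returns (accepted, reason) so the caller can log the rejection cause
    without logging the password itself.
    """
    if len(password) < min_length:
        return False, "too short"
    if is_compromised(password, store):
        return False, "found on compromised-password list"
    return True, "accepted"


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_COMPROMISED)
    for candidate in ["password", "Summer2023!", "correct horse battery staple"]:
        print(candidate, validate_new_password(candidate, blocklist))
    # Later, a monitoring feed reports a newly exposed value (constructed):
    print("added", update_blocklist(blocklist, ["password", "newleak2024"]))
```

The rejection reason deliberately says only that the password was on the list, not which source it came from, since the user-facing message should not disclose anything about the organisation's monitoring feeds. The `update_blocklist` step is where a Dark Web monitoring feed would plug in: each new exposure becomes one more hashed entry, which is how the list stays current between scheduled refreshes.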

Monitoring the Dark Web can be a helpful measure in addressing the criteria set by NIST. The clandestine nature of the Dark Web makes it a prime marketplace for cybercriminals to trade stolen credentials, including passwords. To maintain an updated list of commonly-used, expected, or compromised passwords, organizations must actively monitor these hidden sectors of the internet for potential leaks or trades involving their data. The sheer volume of information and rapid rate of change on the Dark Web means that in-house monitoring requires dedicated personnel with specialized skills. This is where solutions that offer Dark Web monitoring become invaluable. These specialized tools not only automate the monitoring process but also utilize advanced algorithms and vast databases to detect and alert organizations to potential threats as quickly as possible.

Can MFA be a Compensating Control?

An important clarification from NIST underlines the universality of their control recommendations:

Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication.

This indicates that even if organizations have implemented multi-factor authentication, NIST’s guidelines on compromised password monitoring remain as crucial as ever. MFA adds a layer of security, but the foundational principle of ensuring password integrity stands firm. The inherent risks associated with compromised credentials persist, making it imperative to track and manage them diligently. NIST’s emphasis, thus, ensures that organizations remain vigilant against the vulnerabilities of password-based breaches, irrespective of other security layers in place.

Securing Your Digital Assets with NIST Guidelines

In the ever-changing realm of cyber threats, the importance of protecting resources shielded by passwords cannot be overstated. The guidelines outlined in NIST’s IA-5 within SP 800-53 serve as a robust blueprint to protect organizations from the peril of account takeover. By rigorously following these directives and keeping a keen eye on potentially compromised passwords, organizations can not only defend their invaluable information assets but also markedly diminish the chances of expensive data breaches. NIST’s guidelines act as an evolving guide for securing organizations amidst the fluctuating landscape of cyber threats.

While SP 800-53 provides a comprehensive set of guidelines for managing information security, other NIST publications can offer additional insight. For example, NIST SP 800-63B provides detailed guidelines for protecting digital identities, including credentials. By referencing multiple NIST publications and adopting the standards mandated for or relevant to their organization, security teams can ensure they employ a comprehensive and robust approach to information security.