Credential Stuffing and NIST SP 800-171

Businesses face a growing number of vulnerabilities and adversarial tactics aimed at compromising the information they hold dear. The data entrusted to organizations in support of government contracts is of great value to those with malicious intent. While compliance with NIST SP 800-171 may be compulsory for your government contract, it also supports business goals for operational security and risk management.

What is Credential Stuffing?

Credential stuffing is an attack paradigm that capitalizes on the fallibility of people. We all have an ever-increasing collection of online accounts and access credentials, and as that number grows, our ability to keep track of them dwindles. What attackers have found is that a majority of users reuse the same account name and password on multiple sites to make logging in easier. Another contributing factor is the many compromises of user and password information in recent years, which together form a massive database of username and password combinations. From these resources, attackers take credentials from one site, perhaps an old Yahoo account, and try them against a business account, such as a business email or file sharing service. And then, much too often, an unauthorized entity gains access to information they shouldn’t be allowed to see.
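The pattern described above has a recognisable footprint in authentication logs, which is what a defender can act on. The following is an added example, not code from the original post or from Assured Bridge: it aggregates constructed log lines by source address and flags sources that spread a high failure rate across many distinct usernames with only one or two attempts each, which is how stuffing differs from a brute force against a single account. The log format, the IP addresses (from the documentation ranges), the usernames and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection heuristic over authentication log lines.

Added example, not code from the original post or from Assured Bridge. The
log format, thresholds and every log line below are constructed for
illustration; a real deployment would read its IdP or web server logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed format: "<timestamp> ip=<address> user=<name> result=<ok|fail>"
LOG_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample. 203.0.113.7 tries one breached password against many
# accounts (stuffing), 192.0.2.9 hammers a single account (brute force), and
# 198.51.100.4 is a legitimate user who mistyped once.
SAMPLE_LOG = [
    "2024-01-09T10:00:01Z ip=203.0.113.7 user=alice result=fail",
    "2024-01-09T10:00:02Z ip=203.0.113.7 user=bob result=fail",
    "2024-01-09T10:00:03Z ip=203.0.113.7 user=carol result=fail",
    "2024-01-09T10:00:04Z ip=203.0.113.7 user=dave result=fail",
    "2024-01-09T10:00:05Z ip=203.0.113.7 user=erin result=fail",
    "2024-01-09T10:00:06Z ip=203.0.113.7 user=frank result=ok",
    "2024-01-09T10:00:07Z ip=198.51.100.4 user=alice result=fail",
    "2024-01-09T10:00:15Z ip=198.51.100.4 user=alice result=ok",
] + [f"2024-01-09T10:01:{i:02d}Z ip=192.0.2.9 user=bob result=fail" for i in range(10)]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successful_users: set = field(default_factory=set)


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return ts, ip, user, result == "ok"


def aggregate(lines):
    """Group attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, ip, user, success = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if success:
            s.successful_users.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(stats, min_users=5, min_fail_ratio=0.8, max_attempts_per_user=2.0):
    """Flag sources whose pattern matches stuffing rather than brute force:
    many distinct usernames, a high failure ratio, and only one or two tries
    per username (a brute force concentrates many tries on one account).
    The thresholds are constructed starting points, not tuned values."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts == 0:
            continue
        fail_ratio = s.failures / s.attempts
        per_user = s.attempts / len(s.users)
        if (len(s.users) >= min_users and fail_ratio >= min_fail_ratio
                and per_user <= max_attempts_per_user):
            # Any success from such a source is an account most likely reached
            # with a reused password: the first thing to investigate and reset.
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "successful_users": sorted(s.successful_users),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(aggregate(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against the sample, only 203.0.113.7 is flagged, with `frank` listed as the account it got into; the brute-force source is left to a separate per-account lockout rule, and the legitimate user's single mistake never approaches the thresholds. Real stuffing campaigns rotate through many source addresses, so the same aggregation is usually also run per username-per-minute across all sources, but the per-source shape is the simplest place to start.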

Preventing compromise by following NIST SP 800-171 recommendations

There are certainly a number of operational security policies that help mitigate the threat of credential stuffing attacks. User cybersecurity awareness training and organization-wide use of password management systems are two. Multi-factor authentication (MFA) solutions also go a long way. Multi-factor authentication adds an additional verification item to the username and password combination: ‘something you have’, such as a security token or one-time code. MFA features prominently in the National Institute of Standards and Technology Special Publication 800-171 control families for Identification and Authentication, and also Maintenance. While not directly required in the NIST guidelines, implementing MFA as often as possible, for as many services as possible, simply makes your business operations more secure. Most social media services now offer MFA, as do the major file sharing and financial services. The point being, even if an employee neglects those account and password best practices, MFA adds the extra control that may be the difference between compromise and protection.
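To make concrete why the second factor is what stops a stuffed credential, here is an added example of a login check that is not code from the original post or from Assured Bridge. It verifies a salted password hash and then a time-based one-time code (RFC 6238 TOTP over HMAC-SHA1), so a correct but reused password on its own never yields a session. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 test key, chosen so the expected code at a fixed time is a published value. The client only ever sees the allowed/denied result; the reason is for logs, so a stuffer cannot learn from the response that the password was right.

```python
"""Login that requires a second factor even when the password is correct.

Added example, not code from the original post or from Assured Bridge. The
user record, salt, password and TOTP secret are constructed; the TOTP secret
is the RFC 6238 test key so the expected code at a fixed time is known.
"""
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing at_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, submitted, at_time, step=30, drift=1):
    """Return the matched step counter, or None. Accepts +/- `drift` steps for clock skew."""
    if not submitted:
        return None
    for n in range(-drift, drift + 1):
        t = at_time + n * step
        if hmac.compare_digest(totp(secret_b32, t, step), submitted):
            return int(t // step)
    return None


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store. "Summer2019!" stands in for a password that also
# sits in an old breach dump; the point is that it is not enough on its own.
SALT = b"constructed-salt-not-for-reuse"
USERS = {
    "alice": {
        "pw_hash": hash_password("Summer2019!", SALT),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test key
    }
}
# (username, step) pairs already consumed, so a captured code cannot be replayed.
_used_steps = set()


def login(username, password, code, at_time):
    """Return (allowed, audit_reason). Only `allowed` goes back to the client;
    the reason is logged server-side and never distinguishes the failures."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, SALT)  # equalise timing for unknown users
        return False, "unknown_user"
    if not hmac.compare_digest(hash_password(password, SALT), user["pw_hash"]):
        return False, "bad_password"
    matched = verify_totp(user["totp_secret"], code, at_time)
    if matched is None:
        return False, "mfa_missing_or_invalid"
    if (username, matched) in _used_steps:
        return False, "mfa_replayed"
    _used_steps.add((username, matched))
    return True, "ok"


if __name__ == "__main__":
    # Fixed time 59 s after the epoch, where the RFC 6238 test key yields 287082.
    print(login("alice", "Summer2019!", None, 59))       # password alone: denied
    print(login("alice", "Summer2019!", "287082", 59))   # password + code: allowed
    print(login("alice", "Summer2019!", "287082", 59))   # same code again: denied
```

The replay guard keys on the step that actually matched rather than on the current step, so a code accepted through the skew window cannot be presented a second time across the step boundary. In production the secret would be stored encrypted, the drift window kept small, and the audit reasons fed into the same detection pipeline that watches for many-username failure bursts.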

Assured Bridge and MFA

Assured Bridge’s services utilize multi-factor authentication to ensure protection for customer and client access to provided services and your valuable information. Our own Devops, administration and maintenance teams use MFA as well, to ensure the underlying infrastructure and support services are secured and protected. If your business operations include government requirements for protection of controlled unclassified information (CUI), or protection of other compliance-regulated data, fill out our contact form, send an email or give us a call. We’re available to help ensure your compliance and security objectives are met.

Referenced Information:

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Assured Bridge

Certified Information System Security Professional Daniel Bjorklund is the information assurance and cybersecurity subject matter expert for Assured Bridge LLC, a company specializing in cybersecurity compliance solutions. With over 20 years’ experience in U.S. military intelligence and security operations, plus significant involvement in government, commercial and private sector cybersecurity initiatives, Dan has comprehensive knowledge of today’s rapidly evolving cyber-dependent world. A recently licensed pilot and amateur radio operator, Dan lives with his wife in South Carolina.
Dan can be found on LinkedIn (https://www.linkedin.com/in/dbjorklundcissp/) and Twitter (https://twitter.com/IASE_at_large).