OM-BP-0025: Reset all credentials and secrets following a breach

ID: OM-BP-0025

Status: Active

Best Practice

Reset all potentially compromised credentials and secrets, including service account passwords and integration keys (especially MFA integration keys), following a suspected or confirmed data breach or compromise of these credentials or secrets.

Rationale

As shown in , an attacker may steal MFA integration secrets during an attack, in this example on OWA, allowing him to silently bypass the MFA protection after the incident and re-compromise the organization.

Bad Practices

  • Failure to exhaustively reset potentially compromised credentials or secrets following a suspected or confirmed compromise

Implementation Details

  • Make an exhaustive inventory of potentially compromised credentials and secrets.

  • Reset all of them.

  • Set up adequate monitoring use cases, including MFA bypass monitoring.
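
One way to implement the MFA bypass monitoring use case from the last item, as an added example that is not part of the original page: correlate successful sign-ins on the protected application with approvals in the MFA provider's log, and flag sign-ins that have none. The log fields, the sample records and the find_logins_without_mfa function are constructed for illustration, and the rule that one approval covers one sign-in is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real system). Assumed fields:
# the protected application logs successful sign-ins, and the MFA provider
# logs each second-factor decision.
APP_LOGINS = [
    {"ts": "2024-05-02T08:01:10", "user": "alice", "src": "198.51.100.7"},
    {"ts": "2024-05-02T08:15:42", "user": "bob", "src": "203.0.113.20"},
    {"ts": "2024-05-02T09:30:05", "user": "alice", "src": "203.0.113.99"},
    {"ts": "2024-05-02T09:45:00", "user": "carol", "src": "198.51.100.8"},
]
MFA_EVENTS = [
    {"ts": "2024-05-02T08:01:02", "user": "alice", "result": "approved"},
    {"ts": "2024-05-02T08:15:30", "user": "bob", "result": "denied"},
    {"ts": "2024-05-02T09:44:50", "user": "carol", "result": "approved"},
]


def find_logins_without_mfa(app_logins, mfa_events, window_seconds=120):
    """Return sign-ins with no approved MFA event for the same user within
    window_seconds before (or a few seconds after) the sign-in."""
    window = timedelta(seconds=window_seconds)
    skew = timedelta(seconds=5)  # tolerate small clock drift between sources
    approvals = {}
    for ev in mfa_events:
        if ev["result"] == "approved":
            ts = datetime.fromisoformat(ev["ts"])
            approvals.setdefault(ev["user"], []).append(ts)
    suspicious = []
    for login in app_logins:
        t = datetime.fromisoformat(login["ts"])
        times = approvals.get(login["user"], [])
        # Assumption: one approval justifies one sign-in, so consume it on match.
        match = next((a for a in times if t - window <= a <= t + skew), None)
        if match is None:
            suspicious.append(login)
        else:
            times.remove(match)
    return suspicious


if __name__ == "__main__":
    for hit in find_logins_without_mfa(APP_LOGINS, MFA_EVENTS):
        print("sign-in without MFA approval:", hit)
```

On the sample data this flags bob's sign-in (his MFA request was denied) and alice's second sign-in (no approval near it). The correlation window should be tuned to the session and MFA timeout settings of the real environment.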



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.