OM-BP-0025: Reset all credentials and secrets following a breach

ID

OM-BP-0025

Status

Active

Best Practice

Reset all potentially compromised credentials and secrets, including service account passwords, integration keys and, in particular, MFA integration secrets, following a suspected or confirmed data breach or any other compromise of these credentials or secrets.

Rationale

As shown in Cash et al., 2020, an attacker who has compromised a server can steal the MFA integration secret stored on it (in that case, on an OWA server). If the secret is not reset, the attacker can use it to silently bypass the MFA protection after the incident is closed and re-compromise the organization.

Bad Practices

  • Failure to exhaustively reset potentially compromised credentials or secrets following a suspected or confirmed compromise

Implementation Details

  • Make an exhaustive inventory of potentially compromised credentials and secrets.

  • Reset all of them.

  • Set up adequate monitoring use cases, including MFA bypass monitoring.
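The three implementation steps above, worked as an added example that is not Open Measure's code and not taken from the cited report. The inventory, host names and log lines are constructed for illustration; the log format and the 120-second correlation window are assumptions. The first part treats the inventory step as a reachability problem: every secret stored on a compromised host is potentially stolen, and each stolen secret extends the compromise to the hosts it unlocks, so the list of secrets to reset is the transitive closure, not just the secrets on the host where the intrusion was found. The second part is a minimal MFA bypass monitoring use case: a successful web login for which the MFA provider never recorded an approval, which is exactly what a forged second-factor check built from a stolen integration secret looks like.

```python
"""Added example (not Open Measure's code): (1) expand the set of potentially
compromised secrets transitively from the hosts known to be compromised and
order the resets, and (2) flag successful web logins that have no matching
MFA-provider approval. All hosts, secrets and log lines are constructed."""
from collections import deque
from datetime import datetime, timedelta

# Constructed inventory: where each secret is stored and which hosts it unlocks.
INVENTORY = {
    "owa-mfa-integration-secret": {"type": "mfa", "stored_on": {"owa01"}, "grants": set()},
    "svc-backup-password": {"type": "service_account", "stored_on": {"owa01"}, "grants": {"backup01"}},
    "svc-sql-password": {"type": "service_account", "stored_on": {"backup01"}, "grants": {"sql01"}},
    "crm-api-key": {"type": "integration_key", "stored_on": {"sql01"}, "grants": {"crm-saas"}},
    "hr-api-key": {"type": "integration_key", "stored_on": {"hr01"}, "grants": {"hr-saas"}},
}


def secrets_to_reset(inventory, compromised_hosts):
    """Transitive closure over the inventory: a secret stored on a compromised
    host is potentially stolen, and a stolen secret makes every host it grants
    access to compromised as well. Returns (secrets, hosts) in scope."""
    hosts = set(compromised_hosts)
    secrets = set()
    queue = deque(hosts)
    while queue:
        host = queue.popleft()
        for name, s in inventory.items():
            if host in s["stored_on"] and name not in secrets:
                secrets.add(name)
                for h in s["grants"] - hosts:
                    hosts.add(h)
                    queue.append(h)
    return secrets, hosts


def reset_order(inventory, secrets):
    """MFA integration secrets first: until they are rotated, password resets
    do not stop an attacker who can forge the second factor."""
    priority = {"mfa": 0, "service_account": 1, "integration_key": 2}
    return sorted(secrets, key=lambda n: (priority[inventory[n]["type"]], n))


# Constructed logs (assumed format): web-app logins and MFA-provider events.
WEB_LOGINS = [
    "2021-03-01T08:01:10Z user=alice result=success src=203.0.113.5",
    "2021-03-01T08:30:42Z user=bob result=success src=198.51.100.7",
    "2021-03-01T09:15:03Z user=carol result=failure src=198.51.100.9",
]
MFA_EVENTS = [
    "2021-03-01T08:01:05Z user=alice mfa=approved",
    "2021-03-01T07:50:00Z user=bob mfa=approved",  # far too old for the 08:30 login
]


def _parse(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def logins_without_mfa(web_logins, mfa_events, max_gap=timedelta(seconds=120)):
    """Return successful logins with no MFA approval for the same user within
    max_gap before or after the login. With a stolen integration secret the
    attacker answers the MFA check locally, so the provider never logs it."""
    approvals = [_parse(l) for l in mfa_events]
    suspicious = []
    for login in (_parse(l) for l in web_logins):
        if login["result"] != "success":
            continue
        matched = any(
            a["user"] == login["user"] and a["mfa"] == "approved"
            and abs(a["ts"] - login["ts"]) <= max_gap
            for a in approvals
        )
        if not matched:
            suspicious.append((login["user"], login["ts"].isoformat(), login["src"]))
    return suspicious


if __name__ == "__main__":
    secrets, hosts = secrets_to_reset(INVENTORY, {"owa01"})
    for name in reset_order(INVENTORY, secrets):
        print("reset:", name)
    print("hosts now in scope:", sorted(hosts))
    for alert in logins_without_mfa(WEB_LOGINS, MFA_EVENTS):
        print("login without MFA approval:", alert)
```

Starting from the single compromised host owa01, the closure pulls in the backup and SQL service accounts and the CRM API key, while the HR key, which never becomes reachable, stays out of scope; the login for bob is flagged because the only approval for that user is forty minutes old. In a real deployment the inventory comes from the secret store or CMDB and the two log streams from the web application and the MFA provider, and the correlation window should match the provider's actual latency.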

Quotes

Bibliography

Related Best Practices

See Also


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.