OM-BP-0025: Reset all credentials and secrets following a breach
ID
OM-BP-0025
Status
Active
Best Practice
Reset all potentially compromised credentials and secrets, including service account passwords, integration keys and, in particular, MFA integration secrets, following a suspected or confirmed data breach or compromise of these credentials or secrets.
Rationale
As shown in Cash et al., 2020, an attacker may steal MFA integration secrets during an attack (in that case against OWA), allowing them to silently bypass the MFA protection after the incident and re-compromise the organization.
Bad Practices
Failure to exhaustively reset potentially compromised credentials or secrets following a suspected or confirmed compromise
Implementation Details
Make an exhaustive inventory of potentially compromised credentials and secrets.
Reset all of them.
Set up adequate monitoring use cases, including MFA bypass monitoring.
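The three steps above can be backed by a small script: an inventory of potentially compromised secrets, a check that every entry was rotated after the incident start (a rotation dated before the incident does not count, since the attacker may have captured the new value), and a detection rule over authentication logs that flags successful logons to an MFA-protected application where MFA was not actually passed. This is an added example, not Open Measure's code or the code of any product; the inventory entries, the incident timestamp and the `key=value` log format are all constructed for illustration.

```python
"""Post-incident credential reset tracker and MFA-bypass check.

Added example, not part of the Open Measure wiki. The inventory records,
the incident timestamp and the authentication log format are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass
class Secret:
    name: str
    kind: str                         # service_account, integration_key, mfa_secret, ...
    last_rotated: Optional[datetime]  # None means never rotated


# Constructed: the earliest moment the attacker is known to have had access.
INCIDENT_START = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed inventory of potentially compromised credentials and secrets.
INVENTORY: List[Secret] = [
    Secret("svc-backup", "service_account", datetime(2024, 3, 4, tzinfo=timezone.utc)),
    Secret("owa-mfa-integration-secret", "mfa_secret", datetime(2024, 2, 10, tzinfo=timezone.utc)),
    Secret("crm-api-key", "integration_key", None),
    Secret("alice", "user_password", datetime(2024, 3, 3, tzinfo=timezone.utc)),
]


def unrotated_secrets(inventory: List[Secret], incident_start: datetime) -> List[str]:
    """Names of inventory entries not rotated strictly after the incident start.

    Entries never rotated, or rotated before the attacker had access, are the
    ones that still need a reset (exhaustiveness check for steps 1 and 2).
    """
    return [s.name for s in inventory
            if s.last_rotated is None or s.last_rotated <= incident_start]


def parse_auth_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse constructed 'timestamp key=value key=value ...' lines into dicts."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, *pairs = line.split()
        event = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            event[key] = value
        events.append(event)
    return events


def mfa_bypass_events(events: List[Dict[str, str]], mfa_required_apps: Iterable[str]) -> List[Dict[str, str]]:
    """Successful logons to an MFA-required app where the MFA step was not passed.

    After an incident in which MFA integration secrets may have leaked, a
    success without a passed MFA step is the monitoring use case of step 3.
    """
    required = set(mfa_required_apps)
    return [e for e in events
            if e.get("app") in required
            and e.get("result") == "success"
            and e.get("mfa") != "passed"]


# Constructed sample log: one clean logon, two suspicious ones on OWA, one
# failed attempt, and one success on an app that does not require MFA.
SAMPLE_LOG = """\
2024-03-05T10:01:02Z user=alice app=owa result=success mfa=passed
2024-03-05T10:05:44Z user=svc-backup app=owa result=success mfa=skipped
2024-03-05T10:07:10Z user=bob app=owa result=failure mfa=failed
2024-03-05T10:09:55Z user=carol app=owa result=success mfa=none
2024-03-05T10:12:30Z user=dave app=wiki result=success mfa=none
"""


if __name__ == "__main__":
    for name in unrotated_secrets(INVENTORY, INCIDENT_START):
        print("STILL NEEDS RESET:", name)
    for e in mfa_bypass_events(parse_auth_log(SAMPLE_LOG.splitlines()), {"owa"}):
        print("POSSIBLE MFA BYPASS:", e["ts"], e["user"], e["app"], "mfa=" + e["mfa"])
```

Run as-is, the script reports the MFA integration secret (rotated before the incident) and the never-rotated API key as still needing a reset, and flags the two OWA logons that succeeded without a passed MFA step. In a real deployment the inventory would be exported from the secrets manager or directory and the log parser replaced by the authentication system's own event format.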
Quotes
Bibliography
Related Best Practices
See Also
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.