During a penetration test, login credentials are a highly sought-after item. While it is common to harvest that information via email scams (phishing attacks), it is not always the most practical or effective tactic to gain unauthorized access. That access, however, still requires a valid set of credentials. This poses a challenge. How does an attacker find valid accounts without social engineering? There are two main options: breached credentials and password spraying.
In security, it’s often said that you will have little success within an organization if you do not have buy-in from management. However, there’s a larger group that is often-overlooked though critical to a successful security program. And they impact all aspects of your security posture. That group, of course, is the end users.
Not because budding entrepreneurs haven’t heard the horror stories, but it seldom ranks highly among things that directly generate cash or hurry a company to market. Like so many other priorities, cybersecurity often falls to the wayside in the early business stages.