How Poor Identity Hygiene Enables Trivial Attacks
The rise of Software as a Service (SaaS) apps has revolutionized the way businesses operate, offering unparalleled convenience and scalability. With this convenience, however, comes increased susceptibility to identity-based attacks. Issues such as risky credentials, Single Sign-On (SSO) bypass, and the underutilization of multi-factor authentication (MFA) are at the root of most breaches reported today. In fact, the 2024 Verizon Data Breach Investigations Report (DBIR) attributes an astonishing 83% of hacking-related breaches to stolen credentials.
Why is identity hygiene so important? Ask any security professional and they will, in turn, ask you, “why hack in when you can log in?” When gaining access through compromised credentials is the easiest path to success, it becomes easy to see why it remains the method of choice for threat actors.
So, the question then becomes, what factors lead to bad identity hygiene and how can businesses take pragmatic steps toward closing off this attack vector? Let’s explore.
Risky Credentials
Weak Credentials
Weak credentials include easy-to-guess passwords like the world’s most common “123456” or common dictionary words like “password.” They can also be those pesky default credentials that never got updated. Threat actors favor weak credentials because they’re low-hanging fruit, often yielding success using brute force or credential stuffing. These techniques make weak credentials a go-to in the hacker’s toolkit, accounting for a huge chunk of breaches every year. To make matters worse, once threat actors gain access with a weak account, they can move laterally across systems using legitimate credentials, making them difficult to detect and stop.
Credential Reuse
Another common credential hygiene issue is reuse, especially in unmanaged accounts. When employees recycle the same password across multiple SaaS apps, a single compromised account in a low-sensitivity app can open the door to high-sensitivity apps throughout the environment. The practice becomes even more dangerous when employees reuse passwords across their personal and corporate identities.
Account Sharing
Likewise, account sharing, the practice of multiple users accessing a single set of login credentials, poses significant security risks and dramatically increases the odds of the account credentials becoming compromised. This behavior can lead to unauthorized access, data breaches, and compliance violations. For instance, when employees share accounts, it becomes challenging to track individual actions, complicating audits and accountability. Moreover, shared credentials often bypass standard authentication measures like multi-factor authentication (MFA), increasing vulnerability to attacks.
Compromised Credentials
Compromised credentials are a significant security concern, as they provide unauthorized individuals with direct access to sensitive systems and data. When attackers obtain valid login details—often through phishing, prior data breaches, or infostealer malware—they can infiltrate networks without triggering immediate suspicion. This unauthorized access can lead to data theft, financial loss, and reputational damage.
Other Identity Hygiene Issues
Lack of MFA
MFA is far from a panacea, but it does add an extra layer of security. Despite this, many organizations still don’t take full advantage of MFA. Most organizations have MFA on the centralized accounts used for SSO. Once you venture outside of this zone, however, MFA utilization drops dramatically. According to Savvy’s own internal research, a whopping 92% of unmanaged accounts in an enterprise environment lack MFA. Part of this is due to the lack of visibility into which apps are properly configured to take advantage of the additional security that MFA offers.
We also commonly see that older systems may not support MFA, making broad coverage difficult. And while MFA adoption can face resistance from employees who find it inconvenient, the absence of this critical layer of protection in public-facing accounts leaves SaaS apps and other systems highly vulnerable to unauthorized access.
SSO Bypass
Even when SSO has been set up for an app, backdoor access might remain via local accounts. Sometimes this access remains because of a misconfiguration of the app. At other times, depending on how the developer implemented the app, it might be impossible to disable local accounts. Finally, admins commonly keep local “break glass” accounts to gain access to an app during an emergency in which the centralized authentication system is unavailable.
Detecting bypass of SSO must be a top priority for identity and security teams. Securing only centralized accounts while ignoring the credential hygiene of local accounts creates an easy-to-exploit target for threat actors. It also simultaneously creates a false sense of security for the organization.
Visibility into this activity remains the biggest barrier to resolving it. The centralized authentication system, by its very nature, cannot be the single source of truth: it paints an incomplete picture, and the logins it never sees can only be detected by gaining observability into the actual login behavior of users.
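One way to gain that observability is to correlate logins observed at the app with the SSO assertions the identity provider actually issued; an app login with no matching assertion shortly before it is a local-account login. The following is an added illustration, not Savvy’s code; the event records, the 120-second correlation window and the break-glass allowlist are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (not real logs). IDP_EVENTS are SSO assertions
# issued by the central identity provider; APP_LOGINS are logins observed at
# the SaaS app itself (browser telemetry or the app's own audit log).
IDP_EVENTS = [
    {"user": "alice@example.com", "app": "crm", "ts": "2024-05-01T09:00:05Z"},
    {"user": "bob@example.com", "app": "wiki", "ts": "2024-05-01T09:30:00Z"},
]
APP_LOGINS = [
    {"user": "alice@example.com", "app": "crm", "ts": "2024-05-01T09:00:12Z"},
    {"user": "bob@example.com", "app": "crm", "ts": "2024-05-01T10:15:00Z"},    # no assertion
    {"user": "breakglass-admin", "app": "crm", "ts": "2024-05-01T11:00:00Z"},  # local admin
]
# Known break-glass local accounts (assumed). They are still reported, but
# tagged so an analyst can separate expected local logins from real bypass.
BREAK_GLASS = {("breakglass-admin", "crm")}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_sso_bypass(idp_events, app_logins, window_seconds=120):
    """Return app logins that have no SSO assertion for the same user and app
    within window_seconds before the login, i.e. local-account logins."""
    assertions = {}
    for e in idp_events:
        assertions.setdefault((e["user"], e["app"]), []).append(_parse(e["ts"]))
    findings = []
    for login in app_logins:
        key = (login["user"], login["app"])
        when = _parse(login["ts"])
        # A login is "covered" if an assertion for this user+app preceded it
        # by at most window_seconds (SSO redirects complete within seconds).
        covered = any(0 <= (when - t).total_seconds() <= window_seconds
                      for t in assertions.get(key, []))
        if covered:
            continue
        findings.append({
            "user": login["user"], "app": login["app"], "ts": login["ts"],
            "kind": "break-glass" if key in BREAK_GLASS else "sso-bypass",
        })
    return findings


if __name__ == "__main__":
    for f in find_sso_bypass(IDP_EVENTS, APP_LOGINS):
        print(f)
```

Note that bob's assertion was for a different app, so his crm login is still flagged; per-app matching is what catches local accounts on apps that are nominally behind SSO.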
Delayed or incomplete offboarding
Delayed or incomplete offboarding is a critical lapse in identity hygiene that leaves organizations vulnerable. When an employee leaves, yet retains access to systems, applications, or sensitive data, it creates an unsecured entry point for potential threat actors. Former employees may inadvertently or intentionally misuse access, either for personal gain or under pressure from competitors. Even if no malicious intent exists, unmonitored accounts are prime targets for hackers, who can leverage them to infiltrate networks undetected.
Over time, these orphaned accounts accumulate, making it challenging for security teams to track and manage access effectively. Each unused account becomes a potential backdoor, bypassing current security protocols and complicating threat detection. Given that many breaches involve compromised or unmanaged accounts, swift, thorough offboarding should be standard practice. By proactively revoking all access when an employee departs, organizations can close an open door to potential security threats and uphold better identity hygiene.
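The reconciliation that finds these orphaned accounts is a join between the HR record of departures and an inventory of accounts in every app, with logins after the departure date as the strongest signal. This is an added example, not Savvy’s code; the departure feed, account inventory and severity rule are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not real records): HR departures (user -> last
# working day) and an account inventory gathered from each app's admin API.
DEPARTURES = {
    "carol@example.com": date(2024, 4, 15),
    "dave@example.com": date(2024, 4, 30),
}
APP_ACCOUNTS = [
    {"app": "crm", "user": "carol@example.com", "status": "active", "last_login": date(2024, 4, 20)},
    {"app": "wiki", "user": "carol@example.com", "status": "disabled", "last_login": date(2024, 4, 10)},
    {"app": "billing", "user": "dave@example.com", "status": "active", "last_login": None},
    {"app": "crm", "user": "erin@example.com", "status": "active", "last_login": date(2024, 5, 1)},
]


def find_orphaned_accounts(departures, accounts, today):
    """Return still-active accounts belonging to departed users, ordered so
    that accounts used after the departure date come first, then by age."""
    findings = []
    for acct in accounts:
        left = departures.get(acct["user"])
        if left is None or acct["status"] != "active":
            continue  # current employee, or access already revoked
        used_after = acct["last_login"] is not None and acct["last_login"] > left
        findings.append({
            "app": acct["app"],
            "user": acct["user"],
            "days_open": (today - left).days,
            "used_after_departure": used_after,
            # Assumed triage rule: post-departure use is a live incident,
            # an unused leftover account is a cleanup item.
            "severity": "high" if used_after else "medium",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", -f["days_open"]))


if __name__ == "__main__":
    for f in find_orphaned_accounts(DEPARTURES, APP_ACCOUNTS, date(2024, 5, 10)):
        print(f)
```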
Cleaning up Identity Hygiene at Scale
Tackling identity hygiene at scale requires a strategic approach, leveraging the right capabilities to identify, prioritize, and mitigate risks across the entire organization. Critical capabilities to look for include automated discovery, continuous inventory, automated workflows, just-in-time security guardrails, and auditing and reporting. Let’s explore each in more detail.
Automated Discovery
The cornerstone of strong identity hygiene is complete visibility. A solution like Savvy provides continuous discovery by identifying every app, every identity, and every login event across your app ecosystem. This ensures that access controls are used as intended, preventing blind spots that could leave your organization vulnerable to breaches.
Continuous Inventory
Building on discovery, a comprehensive inventory of all accounts, including those outside your centralized authentication system, is essential. This includes unmanaged accounts, shadow IT apps, and orphaned accounts that often fall through the cracks.
Automated Workflows
Manual processes are no match for the speed and scale required to maintain good identity hygiene across an enterprise. Savvy’s automated workflows are the key to swiftly identifying risks like credential reuse, compromised accounts, and incomplete offboarding, and then remediating them before they can be exploited.
Just-in-time Security Guardrails
Savvy’s just-in-time guardrails ensure that users are guided in making secure decisions without disrupting workflows. This proactive approach helps prevent risky behaviors, such as weak passwords or bypassing MFA, from taking root.
Auditing & Reporting
Continuous monitoring, auditing, and reporting are critical to sustaining identity hygiene. Regular audits provide insights into compliance with security policies, while reporting helps identify trends, gaps, and areas for improvement.
Fortify Your Identity Security with Savvy
Savvy brings all these capabilities together in a seamless, scalable solution. From comprehensive discovery and inventory to automated risk detection and proactive guardrails, our platform ensures your organization stays ahead of identity-based threats. Savvy not only helps you clean up your workforce’s identity hygiene but also helps you maintain it effortlessly, safeguarding your business from identity-based attacks.