Written by Rob Quickenden, Cisilion’s Chief Strategy Officer
Covid-19 has accelerated the already annually increasing cyberattacks upon businesses. What is most concerning, perhaps, is that many of the attacks have been successful without the use of specific and advanced technology.
The majority of attacks target users through phishing, attempting to gain important credentials and information – for instance, emails pretending to be from someone else, often from HR or someone within the company. The intent is to collect the user’s password in order to steal data or impersonate the user to damage the company internally.
The fundamental reason behind the success of these attacks is that, despite all of the press coverage and the push for cyber awareness from companies like Cisco and Microsoft, many organisations still don’t have the basic security measures in place to protect users from identity theft or compromise. At even the largest, most security-conscious company, all it takes is one compromised credential or one legacy application to cause a data breach.
Therefore, it’s critical to ensure that password security and a strong authentication process is put in place across your organisation. Whilst there are a multitude of solutions out there to protect networks, applications and data, there is one simple thing that organisations can do – regardless of the size and sector of the company – that can have a significant impact on protection against cyberattacks and data breaches.
It is a fact that MFA is the single most important thing that your business can do to immediately reduce the risk of identity breach by 99.9%.
WHAT YOU CAN DO TO PROTECT YOUR COMPANY?
There are multiple simple steps that can and should be undertaken to provide some basic account and security hygiene.
Administrators can help to prevent attacks by banning the use of poorly chosen passwords – Azure Active Directory (AD) can assist with this. Additionally, attacks can be prevented by blocking legacy authentication and by providing basic training to staff on how to spot common phishing attacks.
Whilst all of this will help to some degree, the most effective step to take as a business is to utilise Multi-Factor Authentication (MFA). The extra layer of user account protection creates a highly effective barrier and layer of security. Such barriers will make it incredibly difficult for attackers to log on or use the stolen/compromised credentials, even if a user freely ‘hands them over’ as a result of a successful phishing attack.
“SIMPLY PUT, MFA CAN BLOCK OVER 99.9% OF COMPROMISING ATTACKS”
MFA is the most critical part of a Zero Trust approach to security.
With MFA, knowing or deciphering a password is not enough to gain access, since the user will then be challenged to enter a code, respond to a text sent directly to them, or approve the log on via an app that they have in their possession.
To learn more, read Your Pa$$word doesn’t matter.
MFA IS EASY TO ENABLE AND USE
In our experience, supported by leading research, there are two primary obstacles to adopting MFA implementations:
- A misconception that MFA requires external hardware devices, which it does not, or that it cannot protect all of our systems, which it can.
- Concern surrounding potential user disruption, or concern over what may break, which in practice it does not.
Typically, the second point is the most common among our customers. Many say that the “owner won’t like it”, or alternatively ask “what if it stops person X from logging on, and they can’t talk to IT?”
- FACT: No bank allows their customers to access their online banking without some form of MFA and we all, as we have to, simply accept this as part of the process. So why should accessing your company’s data be any different?
Depending on your organisation’s choice of MFA technology, and the level of licensing it has put in place, MFA can be used in conjunction with Risk-Based Conditional Access – a feature that is included within Azure AD.
Essentially, Risk-Based Conditional Access (RBCA) is an adaptive authentication process which looks at a variety of risk factors to determine what a user may access, and how. In the MFA example, RBCA can be configured to not require MFA when the user is on a corporate device in the office, but to enforce it whenever users are remote or on a non-encrypted device.
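To make the adaptive decision described above concrete, here is an added example (not code from Cisilion or Microsoft, and not Azure AD’s policy engine) that evaluates a sign-in against the signals RBCA looks at. The `SignInContext` fields, the set of legacy protocols and the four rules are assumptions chosen for the illustration; a real tenant expresses the same idea as a Conditional Access policy with named locations, device compliance and sign-in risk conditions.

```python
from dataclasses import dataclass

# Client protocols that cannot carry an MFA challenge (the page's SMTP example is one).
# Illustrative list for this example, not Azure AD's own definition of "legacy".
LEGACY_CLIENT_PROTOCOLS = {"SMTP", "IMAP4", "POP3", "Other clients"}

# Sign-in risk levels ordered from harmless to almost certainly compromised.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignInContext:
    """The signals an adaptive policy looks at for one sign-in (assumed field set)."""
    user: str
    client_protocol: str     # "Browser", "Mobile Apps and Desktop clients", "IMAP4", ...
    trusted_location: bool   # request came from a named corporate office IP range
    compliant_device: bool   # managed device that meets the device compliance policy
    sign_in_risk: str        # one of RISK_ORDER's keys


def evaluate(ctx: SignInContext) -> str:
    """Return 'block', 'mfa' or 'allow' for this sign-in.

    Rules are checked most-restrictive first, so a legacy client or a high-risk
    sign-in can never be waved through by the office/corporate-device exception.
    """
    if ctx.sign_in_risk not in RISK_ORDER:
        raise ValueError(f"unknown sign-in risk level {ctx.sign_in_risk!r}")

    # 1. Legacy protocols have no way to prompt for a second factor, so a policy that
    #    only "requires MFA" would never apply to them; block them outright.
    if ctx.client_protocol in LEGACY_CLIENT_PROTOCOLS:
        return "block"

    # 2. High risk means the credential is probably already in an attacker's hands;
    #    block rather than rely on the user declining a push they did not start.
    if RISK_ORDER[ctx.sign_in_risk] >= RISK_ORDER["high"]:
        return "block"

    # 3. The page's example: corporate device, in the office, nothing suspicious -> no prompt.
    if ctx.trusted_location and ctx.compliant_device and ctx.sign_in_risk == "none":
        return "allow"

    # 4. Everything else (remote, unmanaged device, or low/medium risk) must pass MFA.
    return "mfa"


def evaluate_batch(contexts):
    """Convenience wrapper: map each user to the decision taken for their sign-in."""
    return {c.user: evaluate(c) for c in contexts}


if __name__ == "__main__":
    # Constructed sample sign-ins for a quick run.
    samples = [
        SignInContext("alice", "Browser", True, True, "none"),
        SignInContext("bob", "Browser", False, False, "none"),
        SignInContext("carol", "IMAP4", True, True, "none"),
        SignInContext("dave", "Browser", True, True, "high"),
    ]
    for user, decision in evaluate_batch(samples).items():
        print(f"{user:6} -> {decision}")
```

The ordering of the rules is the point: the exception that removes the MFA prompt for office users on corporate devices is evaluated last, so it can never override the legacy-protocol block or the high-risk block.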
WHERE ELSE ARE YOU MOST VULNERABLE?
According to a recent report from the SANS Software Security Institute, the most common vulnerabilities include:
CORPORATE EMAIL COMPROMISE
In this instance, an attacker – often called a ‘bad actor’ – gains access to a corporate email account. This is typically done through a phishing or ‘spoofing’ attack, whereby the attacker uses emails that look like they are from the in-house IT team or another trusted source. In turn, this can prompt users to freely hand their credentials to the attacker, giving them the ability to exploit the system and compromise the data and the business. Accounts that are protected with only a user ID and password are therefore easy targets.
How to avoid this: MFA | User Training | Mail Security – including safe links and safe attachment protection
LEGACY AUTHENTICATION
Older email clients and many “stock” smartphone email clients can create a vulnerable pressure point, since such applications use older, basic protocols like SMTP, which were not designed to work with modern security technologies like MFA. So, even if you require MFA in most cases, if legacy protocols are left enabled, attackers will look for outdated browsers or email applications that still use those less-secure protocols, because a log-on over a legacy protocol never triggers the MFA challenge.
How to avoid this: Review which apps still require legacy authentication and block it everywhere else.
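The review step above is easiest to do from the sign-in log. The following is an added example (not Cisilion’s or Microsoft’s code) that reads constructed sign-in records and lists which applications and users are still authenticating over legacy protocols, which is the inventory an administrator needs before turning legacy authentication off. The field names are modelled on the Azure AD sign-in log export (`userPrincipalName`, `appDisplayName`, `clientAppUsed`, `authenticationRequirement`) and the set of legacy client names is an assumption for this example; the records themselves are made up.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records, one JSON object per line (values are invented).
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication"}
{"userPrincipalName": "dave@example.com", "appDisplayName": "SharePoint Online", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication"}
{"userPrincipalName": "erin@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Other clients", "authenticationRequirement": "singleFactorAuthentication"}
"""

# Client types that authenticate with basic/legacy protocols and cannot prompt for MFA.
# Assumed list for this example; check your own tenant's "Client app" values.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_inventory(records):
    """Map (application, client protocol) -> sorted users still signing in that way."""
    inventory = defaultdict(set)
    for r in records:
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            inventory[(r["appDisplayName"], r["clientAppUsed"])].add(r["userPrincipalName"])
    return {key: sorted(users) for key, users in inventory.items()}


def single_factor_share(records):
    """Fraction of sign-ins that completed with a password alone (no second factor)."""
    if not records:
        return 0.0
    single = sum(1 for r in records if r["authenticationRequirement"] == "singleFactorAuthentication")
    return single / len(records)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for (app, client), users in sorted(legacy_auth_inventory(recs).items()):
        print(f"{app} via {client}: {', '.join(users)}")
    print(f"single-factor sign-ins: {single_factor_share(recs):.0%}")
```

Every legacy entry in the inventory is a user whose mailbox would still be reachable with nothing more than a phished password, whatever the MFA policy says; the list tells you which clients to migrate or which accounts to exempt temporarily before the block goes in.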
PASSWORD SPRAY AND CREDENTIAL STUFFING
Commonly, this is where attacks such as a “password spray” or a “credential stuffing” attack come into play. Common passwords, and credentials compromised in public breaches, are tried against corporate accounts to gain access.
It is estimated that more than 70% of passwords are duplicates, also used on other public sites such as shopping or consumer sites. This strategy has been successful for many attackers for a number of years and it is easy to do. Most users re-use passwords: many will stick to one complex password that contains a mixture of numbers, letters and symbols, believing that it makes their passwords and accounts more secure. However, this can have the opposite effect, since such a password is more likely to be re-used across several accounts and sites.
How to avoid this: Leverage services like Azure AD Protection, enforce MFA, enable self-service password reset, and use identity protection tools to ban common and stolen passwords.
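Password spray is built to stay under the per-account lockout threshold, which is why counting failures per account misses it. The following added example (not Cisilion’s or Microsoft’s code) runs a detection over a constructed set of failed sign-in events and contrasts a per-source-IP view, which catches the spray, with the per-account view, which only catches a user mistyping their own password. The event format, thresholds and IP addresses are assumptions made up for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in events: "<UTC timestamp> <source IP> <account>". Invented data:
# 203.0.113.7 tries six different accounts once each (spray); 198.51.100.4 is one user
# failing four times (typo/lockout); 192.0.2.9 touches only three accounts.
FAILED_SIGNINS_RAW = """
2021-03-01T08:00:01Z 203.0.113.7 alice@example.com
2021-03-01T08:00:04Z 203.0.113.7 bob@example.com
2021-03-01T08:00:09Z 203.0.113.7 carol@example.com
2021-03-01T08:00:15Z 203.0.113.7 dave@example.com
2021-03-01T08:00:22Z 203.0.113.7 erin@example.com
2021-03-01T08:00:30Z 203.0.113.7 frank@example.com
2021-03-01T08:05:00Z 198.51.100.4 alice@example.com
2021-03-01T08:05:20Z 198.51.100.4 alice@example.com
2021-03-01T08:05:45Z 198.51.100.4 alice@example.com
2021-03-01T08:06:10Z 198.51.100.4 alice@example.com
2021-03-01T09:00:00Z 192.0.2.9 bob@example.com
2021-03-01T09:00:30Z 192.0.2.9 carol@example.com
2021-03-01T09:01:00Z 192.0.2.9 dave@example.com
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, ip, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {ip: sorted accounts} for sources that, inside any `window`, failed against at
    least `min_accounts` distinct accounts while never trying one account more than
    `max_per_account` times - the low-and-slow pattern per-account lockout never sees."""
    by_ip = defaultdict(list)
    for ts, ip, account in events:
        by_ip[ip].append((ts, account))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window` of attempts[end].
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in attempts[start:end + 1]:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # Report every account this source touched, not just the window that tripped.
                flagged[ip] = sorted({account for _, account in attempts})
                break
    return flagged


def accounts_over_lockout(events, threshold=3):
    """Accounts a per-account lockout counter would catch; the sprayed accounts stay under it."""
    per_account = defaultdict(int)
    for _, _, account in events:
        per_account[account] += 1
    return sorted(account for account, n in per_account.items() if n > threshold)


if __name__ == "__main__":
    evs = parse_events(FAILED_SIGNINS_RAW)
    for ip, accounts in detect_password_spray(evs).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts")
    print("per-account lockout would only catch:", accounts_over_lockout(evs))
```

On the sample data the per-account view catches only alice, who locked herself out, while the spraying source that touched six accounts once each is invisible to it; that gap is exactly what MFA closes, since a sprayed password that happens to be right still cannot complete the log-on.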
YOUR NEXT STEPS
Register for a MFA Workshop
Here at Cisilion, we are able to configure MFA for your critical applications within a few days. If you’re interested, please book a workshop with us via the form below: