Data Privacy Day: Don’t put all your eggs in one basket
Privacy Day is of extra importance this year because of a dramatic increase in attacks designed to get around measures that make account log-ins more secure, and therefore protect our privacy.
For example, in mid-September, Uber reported a network breach that led to shutting down some of its internal communications and locking its codebase to prevent any new code changes. The attacker reportedly targeted a contractor by repeatedly sending multi-factor authentication login messages until the contractor accepted and gave the attacker access, according to Uber. Several days later, video game maker Rockstar Games announced it also had suffered a network intrusion from an unauthorised third party. The company says the attacker was able to gain confidential information, including early development footage for its upcoming and much anticipated game, Grand Theft Auto VI.
Social engineering attacks, when attempted by someone competent, are extremely hard to defend against as they target our human vulnerabilities rather than trying to bypass technology security.
In a 2019 paper from the SANS Software Security Institute, the most common vulnerabilities then, which are still relevant now, include:
- Business email compromise -- Is a form of phishing attack where a criminal attempts to trick a senior executive (or budget holder) into transferring funds, or revealing sensitive information. Accounts that are only protected with only a password are easy targets.
- Legacy protocols -- Can be the cause of a major vulnerability within your environment because some applications that use basic protocols, such as SMTP, were never designed to manage Multi-Factor Authentication (MFA). Hackers will search for opportunities to use outdated browsers or email applications to force the use of these less secure protocols.
- Password reuse -- This is where password spray and credential stuffing attacks come into play. Common passwords and credentials compromised by attackers in public breaches are used against corporate accounts to try to gain access. In a Password Spraying attack, the attacker circumvents common countermeasures (e.g., account lock out) by "spraying" the same password across many accounts before trying another password. Credential stuffing is where the attacker collects stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application.
To keep your and your company’s data secure, it’s vitally important to use strong passwords. BlueVoyant continues to observe large volumes of compromised credentials being sold on dark web forums, which are in turn used to breach victim organizations. Organizations should ensure they have monitoring in place to detect when their credentials are compromised and potentially being sold by cyber criminals.
In addition to password hygiene, MFA should be enabled by default across all organizations. Multi-factor authentication (MFA) adds another level of protection to merely using a password. MFA requires users to provide at least two verification factors in order to access a device or account. BlueVoyant has seen threat actors move on from potential victim organizations once they determine MFA is in place, and move on to an organization that doesn’t have it.
However, given the uptick in organizations using MFA in their cyber defense, there has been a recent increase in MFA-bypass attacks. These attacks rely on social engineering techniques to lure and trick users into accepting fake MFA requests. Some specific methods of attacks include sending a large amount of MFA requests (MFA fatigue) and hoping the target finally accepts one to make the noise stop, or sending one or two prompts per day, which attracts less attention, but still has a good chance the target will accept the request. Attackers will also use more aggressive social engineering, such as Vishing (voice phishing) that requires calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process. Sometimes attackers even use bots to call, instead of a live person.
Despite the recent attacks, MFA remains an important part of cyber defence strategy for companies and individuals. To help make MFA as secure as possible, look for opportunities to use a code from an application instead of one sent via texting.
You could take a further leap and go passwordless. Protocols such as WebAuthn and CTAP2, which were ratified in 2018, have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO2 standard, ensure that user credentials are protected. The use of biometrics has become more mainstream after being popularized on mobile devices and laptops, making it a familiar and often preferred technology for many users.
Passwordless authentication technologies are not only more convenient for people but they are extremely difficult and costly for hackers to compromise, which is essentially what you are trying to accomplish with the attacker. A good privacy solution makes the return of investment for attacks so high that attackers will move on to much easier targets. So, to help protect your data, just remember; the defenses ensuring your data privacy should have many layers of protection. Don’t give the attacker just one hurdle to overcome, aim to make it as difficult as possible. Stay safe out there and happy Privacy Day!
Tom Huckle is Director of Information Security and Compliance, EMEA at BlueVoyant.