
Think like a cyber criminal to get ahead of MFA attacks

Cyber attacks are not subsiding. The recent Office of the Australian Information Commissioner (OAIC) report showed a 6 per cent increase in breaches over the last six months, which raises the question of whether governments, individuals and companies are focusing their protective efforts in the right areas. Lloyd Evans, Identity lead at LastPass JAPAC, writes.

Lloyd Evans
Fri, 01 Apr 2022

These types of reports explain in detail the extensive ways hackers can get into an organisation and the damage that is done. Yet, many still do not take action.

To begin improving a business’ cyber security posture, we need to take a closer look at cyber criminal methods. By understanding the steps an attacker takes before a breach, companies can better protect themselves against the common attack patterns used against multi-factor authentication (MFA).

The value of MFA for corporate cyber protection

Many businesses believe that MFA alone sufficiently secures the login process. The additional factor is indeed designed to stop a cyber criminal who has obtained a password from completing a login with it. What is often undervalued, however, is proper password practice.

While there are many ways to use MFA, the most common is SMS token authentication, in which a one-time code is sent to the mobile phone number on file whenever a login is attempted; the user enters that code to complete the login. Email token authentication works the same way, with the code delivered by email. Biometric authentication, on the other hand, uses a fingerprint or other biometric information to verify the login attempt.

Many applications and websites can be connected to these authentication methods to strengthen user protection. However, the growing use of cloud applications, and of legacy systems that do not federate to SSO or an identity provider, means that not every application can be brought under MFA or SSO, so gaps remain. What must not be overlooked is that MFA protects individuals and companies only to a certain extent. Many breaches start with compromised or stolen credentials that stem from weak or reused passwords. It is therefore imperative for companies to fortify MFA with a secure, integrated password manager, ideally one that offers adaptive authentication combining biometric and contextual information.

Why is MFA a favourite for cyber criminals?

Cyber criminals are constantly looking for new ways into systems and clearly do not shy away from MFA-protected accounts. According to the latest IDC Global Survey by LastPass, 75 per cent of organisations that have implemented SSO and MFA believe they also need password management. MFA alone is not enough to keep cyber criminals out, and heavy reliance on it can be a sign of poor password hygiene elsewhere.

When it comes to cyber security, businesses must balance convenience against safety, and MFA is no exception. SMS authentication is the most common form of MFA, but it is also the weakest. A cyber criminal can take over the target’s phone number through a tactic known as a SIM swap scam: by persuading the mobile carrier to move the number to a SIM the attacker controls, they receive the victim’s incoming messages, including one-time codes, and complete the login unnoticed. With a valid session in hand, they can then reach whatever that account can reach.

Counting on the same false sense of security, cyber criminals also infiltrate corporate networks using pass-the-cookie attacks. These exploit the convenience of session cookies: once a user has logged in and completed MFA, the browser stores a cookie that keeps them signed in so they need not repeatedly confirm their identity. That cookie is, in effect, proof that authentication has already happened. If a cyber criminal steals it, they can present it to the service and be treated as the logged-in user without ever needing the password or the second factor, which is why this convenience can come at such a high price.

Thwart attackers with a zero-trust approach

These threats may seem daunting at first, but cyber criminals are not invincible. If companies learn to think like cyber criminals, they can identify potential risks early on and implement appropriate security measures.

First and foremost, businesses must take a zero-trust approach to cyber security. Cyber criminals detect and abuse gaps in security systems and user behaviour. Even the best security tools can’t protect organisations without constant review for suspicious behaviour and activity. If something seems suspicious, it probably is.

Organisations should also approach MFA with caution. A weak or immature MFA implementation will not provide the necessary protection. They need to look beyond convenience and identify tools like a password manager that combine MFA with adaptive authentication techniques to reliably verify user identity.

Businesses must also assume that an attack will eventually succeed and layer their defences accordingly. If cyber criminals log into one account, they may be able to reach far more than that account. Companies should therefore not rely on the initial MFA check alone but adopt an ongoing authentication model in which users are asked to prove their identity at regular intervals, shrinking the window during which a hijacked session or stolen cookie remains useful to an attacker.
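The two controls above can be made concrete. The following Python is an added example written for this article, not code from LastPass or the author: a toy session store in which a cookie issued after MFA is bound to the client that completed it, and in which any holder of the cookie is pushed to re-authenticate once a fixed interval has passed. It shows a stolen cookie being replayed from another host (pass-the-cookie) both without and with client binding, and a replay from the victim’s own network running out of its access window. The user agents, addresses, interval and clock are constructed values, and binding to the user agent plus /24 is an illustrative assumption rather than a recommendation for every environment.

```python
import hashlib
import secrets
from dataclasses import dataclass

REAUTH_INTERVAL = 15 * 60  # seconds before the holder must prove identity again


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


@dataclass
class Session:
    user: str
    client_fp: str          # client attributes fixed when MFA was completed
    mfa_verified_at: float  # last time a second factor was actually checked


class SessionStore:
    def __init__(self, clock, bind_client=True):
        self.clock = clock
        self.bind_client = bind_client
        self._sessions = {}  # sha256(cookie) -> Session; raw cookies are never stored

    @staticmethod
    def _index(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    @staticmethod
    def fingerprint(user_agent, client_ip):
        # Assumption: user agent plus the client's /24 is stable for an office
        # user; mobile or roaming users would need a looser binding.
        prefix = ".".join(client_ip.split(".")[:3])
        return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()

    def login(self, user, user_agent, client_ip):
        """Called only after password AND second factor have succeeded."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._index(cookie)] = Session(
            user, self.fingerprint(user_agent, client_ip), self.clock())
        return cookie

    def authorize(self, cookie, user_agent, client_ip):
        """Returns ('ok', user), ('reauth', user) or ('denied', reason)."""
        key = self._index(cookie)
        s = self._sessions.get(key)
        if s is None:
            return ("denied", "unknown session")
        if self.bind_client and s.client_fp != self.fingerprint(user_agent, client_ip):
            # Cookie presented from a client other than the one that did MFA:
            # treat it as pass-the-cookie and revoke, do not merely refuse.
            del self._sessions[key]
            return ("denied", "client mismatch, session revoked")
        if self.clock() - s.mfa_verified_at > REAUTH_INTERVAL:
            return ("reauth", s.user)  # cookie valid, but identity must be re-proved
        return ("ok", s.user)

    def reauth(self, cookie, second_factor_ok):
        """Step-up: only a fresh second factor resets the re-authentication clock."""
        s = self._sessions.get(self._index(cookie))
        if s is None or not second_factor_ok:
            return False
        s.mfa_verified_at = self.clock()
        return True


def pass_the_cookie_demo(bind_client):
    """Victim completes MFA; attacker replays the stolen cookie from another host."""
    clock = FakeClock()
    store = SessionStore(clock, bind_client=bind_client)
    victim = ("Mozilla/5.0 (Windows NT 10.0) Firefox/98.0", "203.0.113.10")
    attacker = ("python-requests/2.27", "198.51.100.7")  # constructed values
    cookie = store.login("alice", *victim)
    clock.advance(60)
    # ('ok', 'ok') without binding; ('ok', 'denied') with binding
    return store.authorize(cookie, *victim)[0], store.authorize(cookie, *attacker)[0]


def reauth_window_demo():
    """Even a replay from the victim's own network hits the re-auth interval."""
    clock = FakeClock()
    store = SessionStore(clock)
    victim = ("Mozilla/5.0 (Windows NT 10.0) Firefox/98.0", "203.0.113.10")
    cookie = store.login("alice", *victim)
    before = store.authorize(cookie, *victim)[0]   # 'ok'
    clock.advance(REAUTH_INTERVAL + 1)
    after = store.authorize(cookie, *victim)[0]    # 'reauth'
    # The attacker holds the cookie but not the second factor; the user has both.
    attacker_continues = store.reauth(cookie, second_factor_ok=False)  # False
    user_continues = store.reauth(cookie, second_factor_ok=True)       # True
    resumed = store.authorize(cookie, *victim)[0]  # 'ok'
    return before, after, attacker_continues, user_continues, resumed
```

Revoking the whole session on a client mismatch, rather than just refusing the one request, is deliberate: a cookie showing up from a second client is the signal the article says to act on, and refusing quietly would let the attacker keep trying. The re-authentication interval is the lever that bounds how long any replay, however well placed, stays useful.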

The most important step a business can take is to provide regular security training. Employees need to embrace the zero-trust approach, and that comes with education. As more and more professionals work in a hybrid environment, regular training strengthens security awareness so that suspicious behaviour is identified and potential attacks are averted.

Cyber criminals are getting bolder and more ruthless, sparing no effort to threaten companies. While these crimes are worrying for any internet user, they also provide valuable insight into how to improve the protection of our personal and business information. The most secure organisations will be the ones that know where their key vulnerabilities are and have multi-level cyber defence in place to combat potential threats.

Lloyd Evans is the Identity lead at LastPass JAPAC. He has over 15 years’ experience in developing teams and go-to-market cyber security strategies, having served in a multitude of roles in the technology, identity and password management solutions sector.
