A Modern Phishing Attack – Part 3
Authentication Best Practices to Prevent Sophisticated Phishing Attacks
This is part three of a three-part series on the anatomy of a phishing attack. Our partners at Cisco have outlined how to prevent a phishing attack below.
As the case study in Part 2 shows, compromised credentials and access to the right account let hackers infiltrate an organization’s internal systems, even from devices that the IT team neither knows about nor has inventoried. To prevent such sophisticated attacks, organizations should implement strong authentication and authorization controls that verify both users’ identities and the trustworthiness of their devices.
Here are some best practices that can help organizations prevent sophisticated attacks by adopting an identity-centric approach to security:
1. Implement Multi-Factor Authentication (MFA)
Passwords are low-hanging fruit for hackers; they are hard for users to remember and for IT to secure. Requiring MFA is a critical security control that reduces the risk of unauthorized access when passwords are stolen or compromised. Several user authentication methods are available for MFA, but not all of them are equal. Using SMS or text messages as the MFA method is vulnerable to compromise: the one-time code can be intercepted or phished using readily available online resources such as SS7 intercept services or Modlishka.
Mobile “push” notification is a more secure MFA method because hackers cannot intercept it. Wherever possible, use FIDO-based security keys (Fast IDentity Online, an open industry standard for strong authentication) that leverage WebAuthn; they provide the highest level of assurance because the authentication cannot be intercepted or phished.
Bonus: Protect Your MFA Implementation
Typically, MFA solutions use secret keys (integration credentials) to integrate with applications and enforce the additional authentication factor. If these secret keys are not safeguarded, hackers can steal them and compromise the MFA implementation. The secret keys should be treated like passwords: handled and stored securely to maintain the security and integrity of the MFA access control, and rotated whenever a compromise is suspected.
2. Reduce Reliance on Passwords With Single Sign-On (SSO)
An average enterprise uses over 1,000 cloud apps today, and employees typically need to access more than 10 apps to perform their daily tasks. That’s too many passwords for humans to keep track of, and the result is password fatigue. In the future, providing a passwordless authentication option wherever possible will mitigate many password-related problems, but for now, implementing single sign-on (SSO) along with MFA is a great way to start the passwordless journey without compromising on security.
SSO provides access to multiple applications with a single login (one username-and-password combination). Reducing the number of passwords a user has to remember, and the number of times they have to enter them, eliminates bad password habits such as password reuse. For administrators, SSO serves as a unified point of visibility for authentication and access logs, and as an effective policy enforcement point in the authentication workflow where each application’s security policy can be applied according to its risk profile.
3. Maintain a Detailed Device Inventory
Many organizations embrace bring your own device (BYOD) to varying degrees, and the recent boom in remote work has accelerated this trend. BYOD enables employees to use multiple devices, including personal devices, for work. Multiple devices mean multiple operating systems and OS versions. The right tool should help IT teams maintain an up-to-date inventory of all devices and their associated users.
4. Verify Device Trust as Part of the Authentication Workflow
The authentication workflow must consider the security status of the device used and grant access only if it meets the organization’s requirements. Major operating systems regularly issue critical security patches that need to be installed. Verifying that updates are installed before granting access adds another layer of security.
For critical internal systems, access must be granted only to company-managed devices. This clearly raises the bar for hackers trying to reach internal systems. Organizations can significantly reduce the risk of a targeted phishing attack by allowing access to internal systems only from managed devices and blocking access from risky or unknown devices, even when valid user credentials are presented, which blunts the impact of compromised credentials.
5. Enforce Adaptive Access Policies
Context is everything when it comes to securing access. Implement granular policies for each application when possible to provide the right level of access by taking into account the user’s role, location, network, and trustworthiness of the device before granting application access.
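The device-trust and adaptive-policy rules in items 4 and 5 can be expressed as a single access decision. The example below is added here and is not Cisco's or any vendor's API; the app policies, minimum OS versions, corporate network range and MFA method names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy data: corporate network range and minimum patched OS versions.
CORP_NETWORKS = [ip_network("10.0.0.0/8")]
MIN_OS_VERSION = {"macos": (13, 0), "windows": (10, 0, 19045)}

@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in the corporate device inventory
    os: str
    os_version: tuple

@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    source_ip: str
    device: Device
    mfa_method: str        # "fido2", "push", "sms" or "none"

# Assumed per-application policy: the risk profile drives the required controls.
APP_POLICY = {
    "hr-payroll": {"risk": "critical", "roles": {"hr", "finance"}},
    "wiki":       {"risk": "low",      "roles": None},
}

def device_trusted(dev: Device) -> bool:
    """A device is trusted only if it is managed and patched to the minimum OS version."""
    minimum = MIN_OS_VERSION.get(dev.os)
    return dev.managed and minimum is not None and dev.os_version >= minimum

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' or 'deny' for one access request."""
    policy = APP_POLICY.get(req.app, {"risk": "medium", "roles": None})
    if policy["roles"] is not None and req.role not in policy["roles"]:
        return "deny"                      # role is not entitled to this application
    on_corp_net = any(ip_address(req.source_ip) in n for n in CORP_NETWORKS)
    if policy["risk"] == "critical":
        # Critical internal systems: trusted device plus phishing-resistant MFA, nothing less
        if not device_trusted(req.device) or req.mfa_method != "fido2":
            return "deny"
        return "allow"
    if req.mfa_method == "none":
        return "deny"                      # MFA is required everywhere
    if (not on_corp_net or not req.device.managed) and req.mfa_method == "sms":
        return "step_up"                   # risky context: SMS codes are not enough
    return "allow"
```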
6. Continuously Monitor for Unusual Login Activity
Leverage user behavior analytics to flag and triage suspicious login activity, such as access from a new location or a new device, which could indicate a breach. These alerts can be used to block access automatically or to generate a service-desk ticket for remediation or escalation.
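The new-device and new-location signals described above, applied to a small authentication log, as an added example that is not part of the original post. The JSON-lines log format, field names and the block-or-ticket rule are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample authentication log (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts": "2021-03-01T09:02:11Z", "user": "alice", "device_id": "d-1001", "country": "US", "result": "success"}
{"ts": "2021-03-02T09:05:40Z", "user": "alice", "device_id": "d-1001", "country": "US", "result": "success"}
{"ts": "2021-03-03T02:14:03Z", "user": "alice", "device_id": "d-9999", "country": "RO", "result": "success"}
{"ts": "2021-03-03T02:20:55Z", "user": "bob", "device_id": "d-2002", "country": "US", "result": "success"}
{"ts": "2021-03-04T10:00:00Z", "user": "bob", "device_id": "d-2002", "country": "DE", "result": "success"}
"""

def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_anomalies(events):
    """Flag successful logins from a device or country the user has not used before.

    The per-user baseline is built incrementally as events are processed, so a
    user's first login seeds the baseline and is never flagged on its own.
    """
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue                        # failed attempts do not change the baseline
        user = ev["user"]
        reasons = []
        if seen_devices[user] and ev["device_id"] not in seen_devices[user]:
            reasons.append("new_device")
        if seen_countries[user] and ev["country"] not in seen_countries[user]:
            reasons.append("new_location")
        if reasons:
            # Both signals at once: block and escalate; a single signal: open a ticket
            action = "block_and_escalate" if len(reasons) == 2 else "service_desk_ticket"
            alerts.append({"ts": ev["ts"], "user": user, "reasons": reasons, "action": action})
        seen_devices[user].add(ev["device_id"])
        seen_countries[user].add(ev["country"])
    return alerts

def triage(text):
    """Convenience wrapper: parse a log and return its anomaly alerts."""
    return find_anomalies(parse_log(text))
```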
Social engineering and spear phishing succeed because they exploit the human element of an organization’s security. There is no silver bullet for security, and cyberattacks are becoming increasingly common. Hence it is important to adopt an “assume compromise” or zero-trust philosophy in which credentials are assumed to be compromised, and every access request is authenticated with the appropriate level of security. IT security teams should carefully evaluate and invest in security technologies, and create processes that empower their users, to minimize the human element and strengthen the organization’s overall security.
If you find that your company has been compromised, we can help. If you need additional assistance monitoring your systems, we can help. If you want to increase training for your employees to be able to spot phishing attacks before they happen, we can help there too. Contact us to discuss an appropriate plan to implement for your business today!