Conventional authentication policies that rely on a username and password alone are no longer adequate. As the data we hold changes and moves, the way we protect access to it has to change too. Attacks on identity are the easiest way into your systems.
As we move data from a fully on-premises environment to cloud applications and hosted services, the perimeter of your security footprint moves with it.
Broken authentication sits at #2 in the OWASP Top 10 list of web application security risks (2017 edition). Confirming that the person signing in really is your staff member is critical to protecting against authentication-related attacks.
Cyber criminals know about the security challenges you face. They are actively finding ways to trick your staff into handing over credentials, and they rely on people’s tendency to re-use passwords everywhere. Often, staff will use the same password across their work and personal accounts.
Here are 5 ways an attacker could gain access to your systems if you rely on username and password authentication alone. It is very likely that someone is trying at least one of these against your business right now.
#1 Broad-based phishing campaigns
Why are phishing emails still the number one way of obtaining someone’s credentials? Simply, the numbers are in the attacker’s favour. After all this time they are still effective.
In a phishing campaign, the attacker knows they only need to compromise a few accounts, or a single admin account, to get a foothold in an organisation. With a list of email addresses and a crafted email, a commonly quoted success rate is around 1 in 20 of the accounts the campaign reaches.
Credential theft through phishing is often the first step in a cyber attack. Commonly cited industry figures attribute the large majority of data breaches, often quoted as over 90%, to an initial phishing email.
Phishing messages are getting much harder to spot and are more sophisticated than ever before.
For a cyber criminal, a full-blown phishing campaign can be set up for less than $50. All that is needed is a list of addresses and a mechanism to send the email from.
How does a broad-based phishing attack work?
- An attacker acquires a list of email addresses and designs an email with a generic call to action relevant to that list, typically linking to a fake login page (such as a cloned Office 365 sign-in page) that records whatever is typed into it.
- The phishing message is broadly distributed, and the attacker waits to see which credentials are collected.
- The attacker uses the stolen credentials to access the data they are after, adopts that identity for a more targeted attack on high-value employees, or launches a fresh campaign from the compromised mailbox, which now arrives from a trusted internal sender.
#2 Spear phishing campaigns
Spear phishing is a targeted form of phishing that involves more research, both in building the target list and in crafting the phishing message. As opposed to broad-based campaigns, spear phishing typically focuses on a small number of employees, which also helps it evade automated filters tuned to bulk mail.
The level of social engineering in a spear phishing campaign is also more sophisticated, with messages that are personal and a malicious call-to-action that plays on emotions such as curiosity, fear, or the promise of a reward.
How does a spear phishing attack work?
- An attacker picks targets carefully, doing extensive research across available resources such as social media or the company’s web presence.
- The attacker crafts a phishing message designed to appear legitimate, such as pretending to be a colleague and referencing a topical situation, for instance a recent company party the attacker learned of online.
- The victim is compelled to enter credentials by an appeal to his or her emotions, such as curiosity to see photos from the party that sit behind a fake login page.
- The attacker uses the credentials of the high-value target to access sensitive data or execute the next stage of their attack.
#3 Credential Stuffing Identity Attacks
Credential stuffing is a form of brute force attack that takes advantage of our reluctance to choose a unique password for each of our accounts, work and personal alike.
Across work and personal accounts, the average person has over 100 accounts that should each have a unique and complex password. Many of us have had an account compromised as part of a data breach. You can check yours at https://haveibeenpwned.com/
Attackers using credential stuffing techniques take the username and password pairs exposed in one breach and replay them against other websites to test whether the login details have been re-used.
These attacks are run at scale by bots, which makes it far more likely that your organisation will be affected. Akamai, which sees a large share of global web traffic through its CDN, has reported that more than 40% of the log-in attempts it observes are malicious, driven by bot-based credential stuffing.
How does a credential stuffing attack work?
- An attacker acquires credentials leaked in a website breach or password dump, typically bought or traded on dark web markets.
- Automated tools replay each username and password pair against a variety of other sites, including Office 365 and other cloud services.
- When a login succeeds, the attacker harvests sensitive data or executes the next stage of their breach.
#4 Password Spraying
Password spraying is another form of brute force attack in which an attacker takes advantage of our tendency to pick common passwords such as “password1234”. Because each account only ever sees one or two guesses, the account lockout thresholds that stop a conventional brute force attack are never triggered.
How does a password spraying attack work?
- An attacker uses a small list of commonly-used passwords that satisfy the complexity policy of the targeted systems.
- Instead of trying many passwords against one user, the attacker tries the same common password against many different accounts, then moves on to the next password. Each account sees only a handful of failures, so lockouts and simple per-account alerting are not triggered.
- Once a login succeeds, the attacker harvests sensitive data or executes the next stage of their breach.
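The two brute force variants above (#3 credential stuffing and #4 password spraying) leave different fingerprints in sign-in logs, and telling them apart is exactly what a detection rule has to do. The following is an added example written for this article, not code from the article’s author or from any vendor: it runs three heuristics over a constructed sample log whose format, IP addresses, usernames and thresholds are all assumptions to be tuned to your own sign-in volumes. Spraying shows up as one source touching many accounts with one or two guesses each; credential stuffing as a burst of single attempts against many accounts from many sources; and a conventional brute force, the attack spraying is designed to avoid looking like, as one source hammering one account.

```python
"""Heuristic detection of password spraying and credential stuffing.

Added example for this article (not the author's or a vendor's code).
The log format, IP addresses, usernames and thresholds below are
constructed assumptions; tune them to your own environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "<ISO timestamp> <user> <source IP> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice   203.0.113.10 FAIL
2024-03-01T09:00:02 bob     203.0.113.10 FAIL
2024-03-01T09:00:03 carol   203.0.113.10 FAIL
2024-03-01T09:00:04 dave    203.0.113.10 FAIL
2024-03-01T09:00:05 erin    203.0.113.10 FAIL
2024-03-01T09:00:06 frank   203.0.113.10 SUCCESS
2024-03-01T09:05:00 alice   198.51.100.7 FAIL
2024-03-01T09:05:01 alice   198.51.100.7 FAIL
2024-03-01T09:05:02 alice   198.51.100.7 FAIL
2024-03-01T09:05:03 alice   198.51.100.7 FAIL
2024-03-01T09:05:04 alice   198.51.100.7 FAIL
2024-03-01T09:05:05 alice   198.51.100.7 SUCCESS
2024-03-01T09:10:00 grace   192.0.2.1    FAIL
2024-03-01T09:10:01 heidi   192.0.2.2    SUCCESS
2024-03-01T09:10:02 ivan    192.0.2.3    FAIL
2024-03-01T09:10:03 judy    192.0.2.4    FAIL
2024-03-01T09:10:04 mallory 192.0.2.5    SUCCESS
2024-03-01T09:10:05 oscar   192.0.2.6    FAIL
2024-03-01T10:30:00 alice   10.0.0.5     SUCCESS
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, user, ip, success)."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return sorted(events)


def _windows(events, window):
    """Yield, for each event, the slice of following events within `window`."""
    j = 0
    for i in range(len(events)):
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        yield events[i:j]


def detect_spraying(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Password spraying: one source IP tries many distinct users, but so few
    attempts per user that per-account lockout thresholds never trigger."""
    flagged = set()
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    for ip, evs in by_ip.items():
        for chunk in _windows(evs, window):
            per_user = Counter(ev[1] for ev in chunk)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.add(ip)
    return flagged


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Conventional brute force: one source hammers a single account."""
    flagged = set()
    by_pair = defaultdict(list)
    for ev in events:
        if not ev[3]:  # failures only
            by_pair[(ev[2], ev[1])].append(ev)
    for (ip, user), evs in by_pair.items():
        for chunk in _windows(evs, window):
            if len(chunk) >= min_failures:
                flagged.add((ip, user))
    return flagged


def detect_stuffing(events, window=timedelta(minutes=1), min_users=5):
    """Credential stuffing: a burst of single attempts against many distinct
    users, each from a different (bot) source. Exactly one attempt per user is
    the tell: the attacker already holds the pair and is only testing reuse.
    In production you would compare the burst against a traffic baseline."""
    for chunk in _windows(events, window):
        users = Counter(ev[1] for ev in chunk)
        ips = {ev[2] for ev in chunk}
        if len(users) >= min_users and max(users.values()) == 1 and len(ips) == len(users):
            return set(users)
    return set()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("brute-forced accounts:", detect_brute_force(evs))
    print("stuffing targets:", detect_stuffing(evs))
```

On the sample data the three detectors separate cleanly: the 203.0.113.10 burst is flagged as spraying and nothing else, the six failures against alice from 198.51.100.7 as brute force, and the six single attempts from six different 192.0.2.x addresses as stuffing. Note that the spraying detector counts successes as well as failures, because the attacker’s one hit on frank is part of the same pattern.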
#5 Man-in-the-Middle Identity Attacks
A man-in-the-middle attack on a business is a highly targeted attack that can result in a full takeover of credentials and data if executed correctly. Man-in-the-middle attacks aren’t as common as phishing, but you still need to be vigilant against the data theft and account compromise they enable.
How does a man-in-the-middle attack work?
- An attacker intercepts a network connection, often by using tools to mimic a legitimate wireless access point (such as McDonald’s Wi-Fi or your local coffee shop’s network) so that the victim’s traffic flows through the attacker’s device.
- If the traffic is encrypted, the attacker may attempt to read it by tricking the user into installing a malicious root certificate, which lets the attacker terminate the TLS connection and present a forged certificate the user’s browser will then trust, or by another downgrade technique.
- If the interception is in place before the initial authentication, the credentials can be stolen directly, because the attacker sees everything the user types into the login page.
- Alternatively, the attacker steals the session token (a cookie or bearer token) after the user has logged in, and can then act as that user without ever needing the password, including executing the next stage of their breach.
Using Multi-Factor Authentication to prevent Identity Attacks
Identity is now the security perimeter. Businesses that have taken an identity-driven approach to security are finding that these attacks can be prevented without impacting staff.
Education for all staff is still vitally important, so that attacks can be recognised and best-practice security policies are followed. Deploying MFA across your applications will reduce the risk of successful identity attacks.
MFA blunts phishing attacks by requiring a second factor before access to sensitive corporate data is granted. Lightweight mobile apps push an approval request to the user’s phone. Even if an attacker has a valid username and password, they don’t hold the phone that receives the push notification, so a harvested password cannot simply be replayed later. One caveat to plan for: a phishing page that relays the victim’s input to the real login page in real time can also prompt the victim to approve the push or type in a one-time code, so phishing-resistant factors such as FIDO2/WebAuthn security keys, which are bound to the genuine site’s origin, give stronger protection against the most sophisticated campaigns.
MFA will also block unauthorised access to your systems via password spraying and credential stuffing. Once MFA has been deployed, weak or stolen credentials on their own aren’t enough to gain access.
Minimising MFA prompts should also be a key consideration, both for staff convenience and because users who are prompted constantly learn to approve without thinking. Second factor requests should only be sent under risky scenarios, such as when staff sign in from a new device or try to authenticate from outside the corporate network.
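The step-up rule described above can be written as a small policy: a correct password from a device that has already passed MFA, on the corporate network, is allowed straight through; anything else is prompted. The following is an added example for this article, not conditional-access code from any identity provider. The corporate network ranges (RFC 5737 documentation space), the device identifiers and the in-memory trusted-device store are constructed assumptions; a real deployment would read these from the identity provider.

```python
"""Risk-based step-up: prompt for a second factor only on risky sign-ins.

Added example for this article, not a vendor's conditional-access code.
Network ranges, device identifiers and the trusted-device store are
constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed corporate egress ranges (documentation/private space used here).
CORPORATE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


@dataclass(frozen=True)
class SignIn:
    user: str
    device_id: str    # identifier the client presents, e.g. a device cookie
    source_ip: str
    password_ok: bool  # result of the first-factor check


class StepUpPolicy:
    """Decides whether a sign-in that passed the password check must also pass MFA."""

    def __init__(self, corporate_networks=CORPORATE_NETWORKS):
        self.networks = corporate_networks
        # (user, device_id) pairs that have completed MFA at least once.
        self.trusted_devices = set()

    def _on_corporate_network(self, ip_text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return False  # unparseable address: fail closed, treat as external
        return any(ip in net for net in self.networks)

    def evaluate(self, signin):
        """Return ("deny" | "allow" | "mfa", reasons).
        A wrong password is rejected before any second factor is involved,
        so a spraying attacker learns nothing about MFA state from a miss."""
        if not signin.password_ok:
            return ("deny", ["password rejected"])
        reasons = []
        if (signin.user, signin.device_id) not in self.trusted_devices:
            reasons.append("new device")
        if not self._on_corporate_network(signin.source_ip):
            reasons.append("outside corporate network")
        return ("mfa", reasons) if reasons else ("allow", [])

    def mfa_succeeded(self, signin):
        """After the user approves the push, remember the device so the next
        sign-in from it on the corporate network is prompt-free."""
        self.trusted_devices.add((signin.user, signin.device_id))


def demo():
    """Walk one user through enrolment, then show a sprayed password bouncing."""
    policy = StepUpPolicy()
    first = SignIn("alice", "laptop-01", "203.0.113.25", True)
    d1 = policy.evaluate(first)      # new device on the corporate network -> prompt
    policy.mfa_succeeded(first)
    d2 = policy.evaluate(first)      # same device, same network -> no prompt
    # Attacker holding alice's correct password, from the internet, unknown machine:
    attacker = SignIn("alice", "bot-9f3a", "198.51.100.7", True)
    d3 = policy.evaluate(attacker)   # correct password is not enough
    return d1, d2, d3


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point the walkthrough makes is that the attacker in the final step has exactly what the attacks in this article deliver, a valid username and password, and still cannot get in without the user’s phone, while the legitimate user is only prompted once per device.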
Regardless of how well you train your staff, sophisticated phishing and social engineering attacks are on the rise. To mitigate this risk, businesses are, rightfully, putting identity and access management at the centre of their security strategy.