+61 2 9270 0666

5 Ways You Can Stop Identity Attacks with Multi-Factor Authentication

5 ways to protect against identity attacks with Multi-Factor Authentication

Conventional authentication policies that depend on usernames and passwords alone are no longer secure. As our data evolves, the way we protect access to that data needs to change. Identity attacks are the easiest way into your systems.

As we move data from a complete on-premise environment to cloud applications and hosted services, the perimeter of your security footprint has moved.

Poor authentication practices are #2 in the list of security risks published by OWASP. Confirmation of your staff’s identity is critical to protect against authentication-related attacks.

Cyber criminals know about the security challenges you face. They are actively finding ways to trap your staff into handing over credentials. They are also relying on people’s tendency to re-use passwords everywhere. Often, they’ll use the same password across their work and personal accounts.

Here are 5 ways an attacker could gain access to your systems if you only have username and password authentication. There’s no doubt that someone is trying these attacks on your business right now.

#1 Broad-based phishing campaigns

Why are phishing emails still the number one way of gaining access to someone’s credentials? Simply, the numbers are in their favour. After all this time they are still effective.

Through a phishing campaign, an attacker knows that they only need to gain access to a few accounts or one admin account to infiltrate an organisation. With a list of email addresses and a crafted email, a phishing attack can compromise 1 in 20 accounts.

Credential theft from phishing is often the first step in a cyber attack. Over 90% of all data breaches start with a phishing attack.

Phishing attacks are getting a lot harder to spot and are becoming more sophisticated than ever before.

For a cyber criminal, a full-blown phishing attack can be setup for less than $50. All you need is a list of addresses and a mechanism to send out the email from.

How does a broad-based phishing attack work?

  1. An attacker acquires a list of email addresses and designs an email with a generic call to action that’s relevant for that list (such as a fake Office 365 login page).
  2. The phishing message is broadly distributed, and the attacker waits to see which credentials are collected.
  3. The attacker uses stolen credentials to access the data they are after or adopts that identity for a more targeted attack on a high-value employees, or launches a fresh attack using the compromised credentials.

#2 Spear phishing campaigns

Spear phishing is a targeted form of phishing that often involves more research designing the target list and the phishing message. As opposed to broad-based campaigns, spear phishing typically focuses on a small number of employees to evade automated filters.

The level of social engineering in a spear phishing is also more sophisticated, with messages being more personal and the malicious call-to-action playing on emotions such as curiosity, fear, or rewards.

How does a spear phishing attack work?

  1. An Attacker picks targets carefully, doing extensive research across available resources such as social media or web presence.
  2. Attacker crafts a phishing message designed to appear legitimate, such as pretending to be a colleague and referencing a topical situation, such as a recent company party that the attacker learned of online.
  3. The victim is compelled to enter credentials by appealing to his or her emotions, such as a curiosity to see photos from the party behind a fake login page.
  4. The attacker uses the credentials from the high-value target to access sensitive data or execute the next stage of their attack.

#3 Credential Stuffing Identity Attacks

Credential stuffing is a form of brute force attack that takes advantage of peoples apathy to select unique passwords across our various accounts. Both work and personal.

Through our work accounts and personal accounts, the average person has over 100 accounts that should have a unique and complex password. Many of us have had account compromised as part of a data breach. You can check yours at https://haveibeenpwned.com/

Attackers using credential stuffing techniques will use compromised credentials on several other websites to test if the login details have been re-used.

These types of attacks can be done at scale by bots. This leads to a higher likelihood of these attacks affecting your organisation. Hosting company Akamai has found that more than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks.

How does a credential stuffing attack work?

  1. An attacker acquires credentials from the dark web via a website breach or password dump.
  2. Automated tools are used to test credentials across a variety of different sites including Office 365.
  3. When a successful login occurs, the attacker harvests sensitive data or executes the next stage of their breach.

#4 Password Spraying

Password spraying is another form of brute force attack whereby an attacker takes advantage of our tendency to rely on common passwords such as “password1234”.

How does a password spraying attack work?

  1. An attacker uses a small list of commonly-used passwords that match the complexity policy of the targeted systems.
  2. Instead of trying multiple passwords for one user, the attacker uses the same common password across many different accounts which helps avoid detection.
  3. Once the attacker encounters a successful login, the attacker harvests sensitive data or executes the next stage of their breach.

#5 Man-in-the-Middle Identity Attacks

A Man-in-the-middle attack on an business is a highly targeted attack that can result in a full take of credentials and data if executed correctly. Man-in-the-middle attacks aren’t as common as phishing attacks. You still need to be vigilant against data theft and account compromise.

How does a man-in-the-middle attack work?

  1. An attacker intercepts a network connection, often by leveraging tools to mimic a legitimate wireless access point (such as McDonalds Wi-Fi or your local coffee shop).
  2. If data is encrypted, attacker may attempt to decrypt data by tricking the user into installing a malicious certificate or other technique.
  3. If attack is successful before the initial authentication, the credentials may be stolen as the attacker is monitoring all the user inputs.
  4. Alternatively, the attacker steals the session token and is able to authenticate into the account and execute the next stage of their breach.

Using Multi-Factor Authentication to prevent Identity Attacks

Identity is the now the security perimeter. Businesses that have taken an identity-driven approach to security are finding that these attacks can be prevented without impacting staff.

Education for all staff is still vitally important to make sure attacks can be identified and to implement best-practices security policies. The deployment of MFA across your applications will reduce the risk of successful identity attacks.

MFA prevents phishing attacks by requiring a second factor to access sensitive corporate data. Lightweight mobile apps are used to push a validation request. Even if an attacker has a valid username and password, they won’t have access to the push notification to confirm access to the account.

MFA will also prevent unauthorised access to your systems via password spraying and credential stuffing. Once MFA has been deployed, weak or stolen credentials aren’t enough to gain access.

Minimising MFA prompts should also be a key consideration. Second factor requests should only be sent under risky scenarios, such as when staff have signed in on a new device or tried to authenticate outside the corporate network.

Regardless of how well you train your staff, sophisticated phishing and social engineering attacks are on the rise. To mitigate this risk, business are, rightfully, putting identity and access management at the centre of their security strategy.

     

    ITConsult designs, implements and supports IT environments for Australia‘s medium-large organisations through a portfolio of business IT solutions. Navigating technology today can be a minefield and everyone seems to have an agenda.

    If you'd like to have a good old fashioned talk about what might work for you, please get in touch for an obligation-free, over the phone chat.

    Related Posts

    • Using shortcuts in Teams can save you heaps of time. Download our handy guide for Microsoft Teams keyboard shortcuts to improve your productivity

    • Essential Eight Cyber Strategy

      There’s a ton of different ways to implement a cyber security strategy these days. Various vendors and suppliers have their own products and methods. With all the choices out there, the Essential Eight cyber strategy is a good place to start. With the Essential Eight, you’ll get a at least a starting point as a basis for your cyber security strategy. Fortunately, it’s easy to implement, it’s not going to break the bank and it will co-exist with other cyber security strategies. The Australian Signals Directorate’s cyber security teams have developed the Essential Eight program. The Essential Eight is a baseline strategy that your business can deploy as a starting point to mitigate against cyber incidents. What is the Essential Eight Cyber Strategy? The essential eight is a set of initiatives that you can implement within your business. Once you’ve deployed the Essential Eight, it’s going to make it harder for the ‘Bad Actors’ to get access to your environment from the outside. The Essential Eight strategies are: Application white listingApplication patchingMicrosoft Office macro configurationApplication hardeningRestricting administration privilegesOperating system patchingMulti-factor authenticationDaily backups To implement many of the ASD’s initiatives, you may not need to put in a lot of effort.

    • Office 365 Security Best Practices

      Even though Microsoft’s Office 365 is an easy-to-use platform, securing your data in the cloud is not that simple. Implementing a few Office 365 security best practices can at you’ll have your data in a safer place than it was yesterday. Office 365 is constantly evolving with new features being added every month. Keeping on top of your security posture is critical. Out of the box, Office 365’s settings for data security are fairly weak. We’ve seen organisations that have been in a far worse position than they thought when it came to cloud security. By modernising their security, many business are incorporating a zero trust methodology. This helps to secure sensitive data and improve their ability to defend against modern cyber threats. Office 365 can form part of that zero trust framework if security is planned right. To help get your business in a better position, we’ve put together a list of our top Office 365 security best practices. We aim to configure these principles for all our clients. By implementing this list, we’re sure that your data will be safer and you’ll be back in control. Office 365 Security Best Practices Start With Your Password Policy Password policies

    • Office 365 Email Security

      Out of the box, Microsoft’s Office 365 email security provides some good levels of protection around basic spam and malware filtering. If you want something more substantial that will suit your business, it’s most likely that you need to look at 3rd party products to fill the gap. The Office 365 suite isn’t a one-site fits all platform. Microsoft have built the platform with all it’s tools as a great starting point. In many cases, adding 3rd party products can enhance the functionality and security than the uplift that Microsoft would charge for similar services. You will need to plan your strategy to help thwart the security attacks on your Office 365 email. Industry pundits are already suggesting that phishing scams will be more of a problem than hacking or ransomware. When you’re moving your business to the cloud, managing all the security requirements adds another layer of complexity and consideration. It’s important to make sure you know what you need and what you are getting. What’s in the box with Office 365 Exchange Online Protection? Exchange Online Protection (EOP) includes a lot of features that you would expect in many on-premise email filtering platforms. With Office 365, the included

    • Microsoft Azure Cloud

      Building a hybrid cloud environment just got a whole lot easier. Are you ready for tried and proven way of given your applications fast access to on premise data and replicating to the cloud for DR? Enter NetApp Cloud Volumes. It’s true that you can outsource infrastructure, applications and services through various as-a-service programs. You can’t outsource the responsibility you have for your business data. Your business data must be secured, protected and managed. Now, you can implement a single, cohesive data fabric that is geared for performance. With this single data fabric that stretches from on-premise to the cloud, you can maintain control of your data and still attached a myriad of as-a-service resources. We’ve found that progressive business need to: Migrate workloads seamlesslyImplement unified data management across your on-premise and Azure cloud environmentsDeliver cost-effective data protectionStand up DR and Backup up to Azure cloudImplement consumption-based cost savings through the cloud NetApp Cloud Volumes ONTAP for Azure provides a data storage solution that is flexible enough to fit nearly any requirement. You can implement NetApp Cloud Volumes disaster recovery, DevOps and test environments through to cloud-based applications and file services. NetApp Cloud Volumes can help you minimize your storage

    Level 1, 237 Mona Vale Road
    St Ives NSW 2075 Australia

    Phone: +61 2 9270 0666

    PO Box 731
    St Ives NSW 2075 Australia

    © 2024 The IT Consultancy Group Pty Ltd. All Rights Reserved.

    Privacy Policy | Disclaimer | Acceptable Use Policy | Fair Use Policy