BlueVoyant Comments On Why All MFA Is Not Equal

*All comments to be attributed to Tom Huckle, BlueVoyant Director of Information Security & Compliance EMEA*

“Implementing a robust multi-factor authentication (MFA) strategy is a fundamental way to secure your business against credential and social engineering attacks and is a great focus behaviour for this year’s Cyber Security Awareness Month campaign.

“Cybercriminals are increasingly using sophisticated phishing and social engineering attacks to target employees, gain their credentials and obtain a foothold into an organisation’s network, which makes user verification technology, such as MFA, an essential defence against these tactics.

“Phishing and social engineering attacks can be extremely hard to defend against as they target human vulnerabilities, rather than trying to bypass technology vulnerabilities. MFA requires users to provide two or more identification verification factors to gain access to an account or resource and is a recognised and highly recommended way to prevent account takeovers.

“However, the recent attacks against Uber and Rockstar Games have proven that, even with MFA in place, this additional layer of security can be bypassed. Like many cyber security solutions, MFA can be undermined by human error. By continuously triggering push notifications, particularly during the night when employees are sleeping and less prone to be thinking of the consequences of their actions, attackers can easily manipulate employees into allowing access to their networks. This is called ‘MFA Prompt Bombing’, and reportedly it was the tactic behind attacks such as SolarWinds, various Lapsus$ hacks, and the recent Uber breach. Enterprises should look to learn from these tactics and reassess how they are managing this complex area of cybersecurity.

“Using authentication methods such as number matching, a method in which users must enter codes from authentication applications, offers a more secure way of verifying an identity when compared to codes sent via text or email, which are more easily intercepted. Another option is switching to a physical authentication key for employees. There are various methods of employing MFA within a business and various ways to configure it. Not all MFA is equal.

“The best defence for companies is a holistic cyber security program that is appropriately resourced and one that continuously reviews the threats against the business, adapts to them and promotes a culture of awareness and healthy scepticism amongst its staff. Security is fluid and never static. What may work one day as a defence may fail the next. Never assume you are safe simply because you have not had a breach or incident. Always remain vigilant.”
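The prompt-bombing pattern described in the comments above shows up in authentication logs as a burst of push prompts to one account, frequently at night and sometimes ending in an approval. As an added example (not part of BlueVoyant's commentary), this Python snippet runs a simple detector over constructed sample MFA push events; the event format, the ten-minute window, the threshold of three prompts and the 00:00-05:59 "night" hours are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (assumed format, not from the original page):
# timestamp, user, result of the prompt.
SAMPLE_EVENTS = """
2022-09-15T02:01:10Z alice push_sent
2022-09-15T02:01:40Z alice push_timeout
2022-09-15T02:02:05Z alice push_sent
2022-09-15T02:02:35Z alice push_denied
2022-09-15T02:03:00Z alice push_sent
2022-09-15T02:03:30Z alice push_timeout
2022-09-15T02:04:01Z alice push_sent
2022-09-15T02:04:20Z alice push_approved
2022-09-15T09:15:00Z bob push_sent
2022-09-15T09:15:12Z bob push_approved
2022-09-15T13:40:00Z bob push_sent
2022-09-15T13:40:30Z bob push_timeout
"""

def parse_events(text):
    """Parse 'timestamp user result' lines into (datetime, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_prompt_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more push prompts within `window`.
    Returns {user: {...}} with the burst start, the prompt count, whether an approval
    arrived after the threshold was reached (the case to review first) and whether
    the burst started in the assumed 00:00-05:59 'night' hours."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, items in by_user.items():
        sent = [ts for ts, r in items if r == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            pressure_point = burst[threshold - 1]  # time the threshold was reached
            approved = any(r == "push_approved" and pressure_point <= ts <= start + window
                           for ts, r in items)
            findings[user] = {"start": start, "prompts": len(burst),
                              "approved_under_pressure": approved, "off_hours": start.hour < 6}
            break
    return findings
```

A real deployment would read the same fields from the identity provider's sign-in logs and would also want to cover the defensive controls the comments recommend, such as number matching, which removes the one-tap approval this detector is looking for.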

About Tom Huckle

Tom Huckle is an experienced cyber security director qualified in CISO engagements, security programme building, cyber defence, cyber threat intelligence and incident response. After an eight-year career in the Royal Marines, Tom joined Barclays’ Cyber Operations in the bank’s Cyber Attack Monitoring team before moving to Crucial, one of the UK’s premier cyber security training academies, where he was responsible for training over 150 individuals in a range of cyber disciplines. As Director of Information Security and Compliance for EMEA, Tom has moved into an internal role and is responsible for managing the security requirements of BlueVoyant’s EMEA and UK business.

