Despite advances in IT systems and security software, cyberattacks are still on the rise and threaten to bring down bigger and bigger networks. Why? Because the cyberattack can be the result of something as simple as clicking on a link embedded in an innocuous-looking e-mail.
This is what’s known as a phishing attack, which can unlock private information and hold networks hostage with ransomware. Additionally, with the rise of remote work, where people do their jobs from home, there are greater opportunities to deceive unsuspecting employees. It’s simply harder to track down which device might have been hacked when the individuals and systems are not visible.
As a result, you have a perfect storm whenever security cannot be verified as closely as it can in an office environment, perhaps because the remote worker is using devices not managed by IT personnel, from new locations, on insecure wireless networks.
Since the beginning of the COVID pandemic in 2020, there have been increasing numbers of remote workers, resulting in more work being performed in a digital environment. Hackers may capitalize on this scenario with increased phishing attempts. The growing interconnectedness of computers that “talk” to each other, and the proliferation of software packages that may have less than adequate security mechanisms in place, leave open pathways for increasingly savvy hackers.
In this environment, one alternative is to require being logged in to a virtual private network (VPN). This is where encryption is used over the public network, typically the internet. VPNs may help some, but without the natural safeguards of physical office buildings protected by badges, attackers can now target virtually anyone. There is more data online and companies across all industries are now more reliant on digital work. This has made attacks more lucrative and resulted in an increased frequency of cyberattacks.
When some go phishing
Common phishing scenarios involve e-mails or text messages that appear to come from reputable addresses and companies, inducing recipients to click on links that expose their passwords, their credit card information, and maybe a company’s proprietary databases.
Fortunately, businesses have become more adept at having employees log on using enhanced security practices such as multi-factor authentication. With secure policies and improved systems to monitor for signs of a cyberattack, companies are working to protect themselves from security breaches. At the same time, however, hackers continue to up their game as well.
Phishing can be as simple as a fake website that looks like one online shoppers might use, where they type in a username and password that are captured by the “bad actors.” The link to that site typically comes in an e-mail, and the website’s domain name is often slightly different from the legitimate one. Another trend is e-mails or texts purportedly from the company CEO, sent to key employees who have access to the critical information the hacker wishes to steal. Recipients of those messages are more likely to think it’s in their own best interest to click a link in those bogus memos.
Hackers can then sign in once they capture the username or password information revealed by the unsuspecting person sitting at their laptop or checking their mobile device.
Phishing isn’t the only problem
Remember the SolarWinds incident of 2020, where IT management software used in some capacity by most of the Fortune 500 companies had malicious code embedded in an update for the Orion platform? That may have led to stolen passwords.
Some 18,000 public and private sector victims had downloaded the infected software update. A U.S. Senate committee document issued in early 2021 (via rpc.senate.gov) stated that, “some experts estimate it may cost as much as $100 billion over many months to root out malicious code and ensure systems are not compromised.”
The SolarWinds hackers did not start affecting computer systems for several months, until they had amassed passwords and other login information for thousands of organizations and could attack all at once. Techtarget.com reports that the hackers (believed to be a foreign state actor) created a backdoor, enabling them to impersonate users and accounts of victim organizations without detection by antivirus software.
Also in 2020, when children were distance learning from home, some hackers were able to invade school district files through a student’s remote computer. Ransomware attacks, where money was demanded to “unfreeze” a school district or local government operating system, became an issue. In short, the more online activity a user responds to or initiates, be it e-mails, social media messages, website searches or transactions, or checking a bank statement online, the more opportunity there is to become the target of a cyberattack.
Requiring something only the legitimate user knows, such as a password or PIN, should be the first step in accessing a computer system. For a higher degree of assurance, either a message is sent to the user by text to a mobile phone or by automated phone call, or confirmation is requested through an authenticator app to enable the log-in. A second-level option could be a biometric scan (fingerprint, face, retina). Multi-factor authentication adds this verification step to the process of logging on.
Government agencies were among the early adopters of this multi-factor approach. One major reason, according to nextrequest.com: disparity in system age and sophistication, as some new technologies are adopted while other legacy systems, with less robust firewalls, remain in use. NextRequest stresses that all software vendors should be offering multi-factor capabilities for government agencies. The US government website cisa.gov/mfa warns that bad actors are increasingly capable of guessing or harvesting passwords, noting that “password cracking techniques are becoming more sophisticated and high-powered computing [used for code cracking] is increasingly affordable.”
Despite its advantages, there are some issues with multi-factor authentication, like forgetting a password or not receiving a security code. Cell phones can be taken over via a SIM cloning attack, which leaves users who receive multi-factor authentication codes via text message vulnerable. Mobile phone numbers can legitimately be “ported” from one provider to another during an upgrade, for example, but scammers can initiate a porting request, conning the victim’s mobile phone company into believing the request comes from the authorized account holder.
If successful, “the phone number will be ported to a different mobile device controlled by the scammer,” warns the FCC. E-mail accounts that can be accessed from more than one device allow hackers additional opportunities to penetrate one of those computer systems.
Before mobile phones became the norm, some companies issued unique “smart cards” to each user for security. The smart cards still in use do not work with all applications, removing that layer of security from the user log-on routine. Another problem is that many people working away from the corporate offices are not using smart cards or don’t have access to smart card readers.
What works best when it comes to cybersecurity?
What is secure must also be practical for business. Here are some important considerations:
- Use a hardware authentication device. A physical security key, built to ensure the key hasn’t been physically tampered with and providing cryptographic proof of legitimate user interaction, is probably the most secure form of phishing-resistant system on the market. Google built its own hardware security key with a hardware security chip. Using such a key from Google or YubiKey is akin to using a unique key for someone’s home. Even hackers who clone a SIM and steal a password cannot log on without possession of the physical hardware key. Those keys can now be paired with a mobile phone just like a Bluetooth device, without having to be plugged in.
- Use authenticator apps on a phone. This is a process where users can securely authenticate to multiple applications and websites using just one set of credentials. A company can then request a multi-factor authentication step at this point as another tier of protection. Authenticator apps can supply a one-time login code, but the websites or identity providers to be accessed need to be registered in the app beforehand. Google, Microsoft, Authy, Duo Mobile and LastPass are among the companies that now have authenticator apps in place. An “Is this you?” message sent to the phone about a login attempt is yet another security defense mechanism. Okta Verify is a multi-factor authentication app that, once installed, makes it easier to determine when the actual user is accessing an account. After signing in to Okta, users can simply approve a push notification in the app or enter a one-time code.
- Require an OTP method: A one-time password (OTP) lets users authenticate with a password sent to a registered e-mail address. OTPs must be used within a short time frame, or they become invalid. Since not all websites support e-mail OTP, text messages or phone calls are often used too.
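How an authenticator app’s one-time code is produced and why a code is only good for a short window, as an added example in Go (not code from this page or from any vendor named above): an RFC 6238 TOTP generator plus a verifier that accepts a code only in the current 30-second step or one step either side, and only once. The 30-second step and one-step skew are the RFC’s conventions; the replay guard via lastUsed is an assumption added for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp: the RFC 4226 code for one counter value (HMAC-SHA1 plus dynamic truncation), as used inside authenticator apps.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// totp (RFC 6238): the counter is Unix time in 30-second steps, so the code rolls over every half minute.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/30), digits)
}

// verifyTOTP accepts the current step or one step either side (clock skew), so a code is
// valid for at most ~90 s; it is single-use: a step at or before *lastUsed is rejected to stop replay.
func verifyTOTP(secret []byte, code string, unix int64, digits int, lastUsed *int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		step := (unix + 30*skew) / 30
		want := hotp(secret, uint64(step), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			if step <= *lastUsed {
				return false
			}
			*lastUsed = step
			return true
		}
	}
	return false
}

func main() {
	secret, last := []byte("12345678901234567890"), int64(-1) // RFC 6238 test-vector secret
	code := totp(secret, 59, 8)
	fmt.Println(code, verifyTOTP(secret, code, 59, 8, &last), verifyTOTP(secret, code, 59, 8, &last))
}
```

The constant-time comparison and the lastUsed check matter as much as the time window: a leaked code that is replayed a few seconds later, or guessed by timing, must still be refused.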
Multi-factor authentication: ready for mainstreaming
A consortium of companies launched in 2013 as the FIDO Alliance (Fast Identity Online Alliance) is focused on developing authentication standards that reduce the over-reliance on passwords. FIDO promotes methodologies including fingerprint, facial and voice recognition for sign-on purposes. The alliance also promotes security token devices and FIDO protocols use standard public key cryptography techniques to provide stronger authentication. Those who dislike maintaining a long list of passwords and are concerned about phishing may find FIDO’s mission appealing. It means one safety net and one physical hardware key to gain computer system access, with FIDO members working with open standards to ensure compatibility. Google, Microsoft, Amazon Express, Bank of America, Meta and Mastercard are among the 100+ members of the FIDO Alliance.
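Why a public-key credential of the FIDO kind resists the look-alike domain described earlier, as an added example in Go (not FIDO Alliance or any vendor’s code): a simulated authenticator holds one key pair per origin and signs the site’s fresh challenge together with the origin the browser observed, so a relayed challenge signed for another domain never verifies. The names authenticator, newChallenge, assertionData, sign and verifyAssertion and the hash-based framing of the signed data are simplifications assumed here; real WebAuthn signs structured authenticator and client data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// authenticator models a hardware key: one key pair per origin, generated on the device; the private half never leaves it.
type authenticator map[string]ed25519.PrivateKey

// register creates a credential scoped to origin and gives the site only the public key.
func (a authenticator) register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a[origin] = priv
	return pub
}

// newChallenge is the site's fresh random nonce, valid for exactly one login attempt.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// assertionData is what gets signed: the origin the browser observed (which a page cannot choose) plus the challenge.
func assertionData(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// sign uses the credential for the observed origin; a domain the key was never registered with gets nothing, even with a relayed genuine challenge.
func (a authenticator) sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no credential registered for " + origin)
	}
	return ed25519.Sign(priv, assertionData(origin, challenge)), nil
}

// verifyAssertion runs on the real site with its own origin, its own outstanding challenge and the stored public key.
func verifyAssertion(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, assertionData(origin, challenge), sig)
}
```

Nothing the user types is reusable by a third party: the site stores only a public key, and each assertion is tied to one origin and one challenge.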
Lessons from the early multi-factor adopters
Early adopters helped pave the way for wider acceptance of multi-factor authentication. Some lessons learned include:
- It is convenient for users, and often simpler and more secure for websites or Software-as-a-Service (SaaS) applications, to rely on single sign-on, where users log in one time and access multiple websites.
- Hardware security keys are sometimes seen as being too expensive by some larger companies, due to the cost of hardware involved. While some models can reach $100, there are several options under $50 provided by YubiKey, Google and other vendors.
- Cloud services (AWS, Microsoft Azure, Google Cloud, IBM Cloud, Oracle, Rackspace, SAP etc.) now provide multi-factor authentication functions that allow companies to adopt MFA more quickly.
- The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government-wide program that provides a standardized approach (including multi-factor authentication) to security assessment, authorization, and continuous monitoring for cloud products and services. Providers that become FedRAMP certified have found that the designation makes them more compatible with the government’s “cloud-first” strategy and makes it easier to do business with the public sector.
How to avoid a phishing attack
Multi-factor authentication and hardware security keys are the best defenses against a phishing cyberattack. Reminding employees not to click on suspicious or unfamiliar e-mail links is helpful and adding a module to raise phishing awareness during annual security training is a good idea. For businesses with a heightened cybersecurity posture or compliance requirements, system administrators and IT administrators should review authentication policies and employee onboarding procedures.
Good operational rigor, such as making sure security patches are put in place promptly and monitoring computer systems for any sign of anomalies, is a must. Having a “Red Team” that can emulate possible cyberattack scenarios, looking for weaknesses, while facing off against a “Blue Team” trying to fend off those attacks, is a worthwhile in-house exercise for maintaining and enhancing security hygiene.
What does the future hold?
Moving forward, users will be able to access multiple websites after one secure log-on. For access attempts that involve sensitive applications or tasks, adding an additional user verification step is more likely to become the norm. The more security-conscious larger organizations are, the more likely they will employ hardware security keys. Passwordless login from codes sent by an authenticator app or via links sent by e-mail is also becoming increasingly popular.
A recent Google blog (May 2022) claims a “password-less” future will mean a FIDO credential called a passkey would be stored on a mobile phone, that when accessed, will be able to unlock the user’s online account. Just make sure the phone is near the computer device being accessed. That passkey is stored in the cloud and can be retrieved if a phone is lost and must be replaced. On May 5, World Password Day, Microsoft also advocated for a future without passwords, noting that “there are 921 password attacks every second—nearly doubling in frequency over the past 12 months,” while highlighting its own authenticator app and Windows Hello for Business, which replaces passwords with strong two-factor authentication.
One concept might allow for limited access to an online source (to check a bank account balance, for example) before requiring multi-factor authentication for actions like transfers between accounts. Another concept called “Context-Aware Access” allows control over which apps a user can access based on their context, such as whether their device complies with an IT policy. Where a user logs in from physically, what time of day it is and what type of application is being accessed are taken into consideration. If those scenarios are outside the norm, access can be prevented until another multi-factor security step is taken.
That person may even have to receive approval from a higher-up or a second team member in some cases, especially where the data online is extremely sensitive. One variation called “Adaptive Multi-Factor Authentication” allows for using contextual information and business rules to determine which authentication factors to apply in a particular situation. For example, cyberark.com reports that businesses can use Adaptive Authentication to balance security requirements with the user experience. Adaptive Authentication solutions can require step-up/step-down authentication methods based on contextual factors like the number of failed logins, the source IP address, physical location and who the user is.
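A minimal adaptive policy built on the signals this section lists (failed logins, source IP, physical location, time of day, device compliance and the sensitivity of the requested action), as an added example in Go; it is not CyberArk’s or any product’s logic, and the weights, thresholds and field names are assumptions chosen for illustration.

```go
package main

import "net"

type Decision string

const (
	Allow           Decision = "allow"            // the first factor is enough
	StepUp          Decision = "step-up"          // an additional factor is required first
	RequireApproval Decision = "require-approval" // hold until a manager or second team member signs off
)

// LoginContext carries the signals the article names: source IP, location, time of day,
// failed logins, device compliance and whether the requested action is sensitive.
type LoginContext struct {
	SourceIP        string
	Country         string
	HourLocal       int  // 0-23 in the user's usual time zone
	FailedLogins    int  // recent consecutive failures on this account
	DeviceCompliant bool // endpoint meets the IT policy (managed, patched)
	SensitiveAction bool // e.g. a transfer between accounts rather than a balance check
}

// riskScore adds points for each deviation from the user's baseline (usual country and
// office/VPN address range). The weights are assumptions for this example.
func riskScore(ctx LoginContext, usualCountry string, corp *net.IPNet) int {
	score := ctx.FailedLogins // each recent failure counts one point
	add := func(deviates bool, weight int) {
		if deviates {
			score += weight
		}
	}
	add(!corp.Contains(net.ParseIP(ctx.SourceIP)), 2) // off the corporate network (unparsable IP counts as off)
	add(ctx.Country != usualCountry, 3)               // unusual physical location
	add(ctx.HourLocal < 6 || ctx.HourLocal > 22, 1)   // outside normal working hours
	add(!ctx.DeviceCompliant, 2)                      // unmanaged or non-compliant device
	return score
}

// Evaluate maps the score onto the article's three outcomes: a sensitive action always
// steps up, and repeated failures or a large deviation require a second person.
func Evaluate(ctx LoginContext, usualCountry string, corp *net.IPNet) Decision {
	score := riskScore(ctx, usualCountry, corp)
	switch {
	case ctx.FailedLogins >= 5 || score >= 6:
		return RequireApproval
	case ctx.SensitiveAction || score >= 2:
		return StepUp
	}
	return Allow
}
```

A balance check from the office on a managed laptop passes on the first factor, the same session asking for a transfer steps up, and a non-compliant device in an unusual country is held for approval.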
Cybersecurity is an ever-changing challenge
Finding better ways to protect online networks from cyberattacks has seen advances, as multi-factor authentication becomes more prevalent and alternatives like single sign-on and password-less systems are explored. Yet some users remain prone to phishing attacks that can let an intruder in the back door.
It never hurts to remind employees not to open e-mails where the origin is unknown. Strong or multi-factor authentication appears to be a good option at this point to prevent bad actors from getting past the typical security systems in place. A physical hardware security key may be the best protection at this point to deter phishing attacks. For the remote worker at home or for IT admins, cybersecurity is an evolving process that needs to be evaluated on a regular basis and upgraded, as hackers toil furiously to exploit the latest vulnerabilities.