Hacking
Representational Image Image by Pexels from Pixabay

Nearly every day, it seems that there's more news of an organization suffering an avoidable data breach.

Rockstar Games was a recent victim of a breach with hackers releasing screenshots of its highly anticipated GTA 6 game. Uber and Fast Company are among additional recent high-profile victims, with the former learning about the incident when the hacker posted a message on a company Slack channel.

These incidents have left many industry leaders questioning their cybersecurity postures. Clearly, security standards must change faster to keep pace with threat vectors. While agile workflows such as DevSecOps are promising, companies must retreat to the basics and reorient their postures and cultures.

Here are three changes enterprises must make right now.

Introduce Credential Agility

DevSecOps has pushed organizations to consider the benefits and repercussions of agility in their security postures. Concepts such as Zero Trust (ZT) are gaining ground in the security community. However, practical applications of ZT in DevSecOps lag.

The modern DevOps landscape is a mesh of microservices and cloud containers interacting to produce output. Machine-to-machine access is far more prevalent than human-to-machine interactions, and "always-on" credentials are a huge problem.

"True Zero Trust (ZT) means requiring every entity to verify access at every interaction," Refael Angel, chief technology officer and co-founder of secrets management platform Akeyless, said. "Allowing machines to have constant access after verifying credentials just once upon login opens you up to serious security consequences."

Angel is a huge proponent of just-in-time or JIT credentials. Security admins can automate JIT credential creation workflows to ensure no entity accesses sensitive data for longer than necessary. "Just-in-time (JIT) credentials not only increase agility, but they also seamlessly fit into the ZT framework," he said. "They provide access as needed, for as long as needed. As a result, you reduce the burden on your security admins and basically circumvent any need for a kill chain, severely minimizing the risks associated with an undetected breach."

Beyond JIT, with the right monitoring tools, security admins can pay more attention to unnatural network usage, whether such activity emanates from a machine or human credential. This increased attention and analysis secures company networks from possible breaches and allows for swift kill-chain execution.

Reconsider MFA

Multi-factor authentication, or MFA, has been a security darling for a while. While implementing MFA is good practice, do not expect it to solve every security issue. MFA is not invulnerable, and the recent Fast Company breach proved this true.

The media company had MFA and stringent password controls in place, but hackers penetrated its network nonetheless, prompting executives to take both Fast Company's and Inc's websites down for over a week until they were confident that all leaks were plugged. The culprit was a reused password that helped hackers bypass MFA control.

Rachel Tobac, chief executive officer of SocialProof Security, opined that MFA code siphoning could have been a potential attack vector. "Fast Company's Apple News push alert just pushed a terrible message to devices, likely because the account that manages those alerts was compromised," she tweeted. "Potentially a compromised password/MFA?"

The problem with MFA is that hackers can steal user credentials and bypass these controls in adversary-in-the-middle (AiTM) attacks. Typically, the attacker sends a phishing email with a link leading to a spoof website. In the background, this spoof passes on a login request to the real website, and the user enters their credentials, giving the hacker full access.

David Braue, a veteran journalist in the security industry, has long pointed out that MFA is flawed. "Hackers have spent years closely studying MFA systems, poking and prodding them to understand how they work and where they may be vulnerable — and figuring out how they can be bypassed or compromised," he explained. "Security executives mustn't rest on their laurels by treating the technology as a cure-all."

Braue's words proved prescient when examining the Uber security incident. Hackers barraged a user with multiple authentication requests. They then messaged the user via WhatsApp, asking them to approve the requests to put an end to the barrage. This method is commonly called "MFA fatigue" and highlights how robust security systems can ultimately fall prey to human factors.

Invest in the Human Firewall

Security experts have long pointed out that human beings are the most vulnerable weak link in cybersecurity. While enterprise leaders are busy installing complex workflows for DDoS mitigation and automating their kill chains, the human beings most affected by security incidents are too often neglected.

Companies have long held security training sessions and other workshops to educate employees about security risks. However, phishing attempts grow ever more sophisticated. Hackers are adept at camouflaging malicious pages with realistic branding, confusing even the most cyber-aware employees.

"It's telling that these two companies — Uber and Rockstar — have spent tens of millions of dollars on building elaborate firewalls to keep prying eyes out of their data, only to have the human firewall breached by a simple WhatsApp or Slack message," Edward Dymoe from autonomous cybersecurity training platform Hoxhunt noted.

"There has been no official word on whether user data (including payment and location data) has leaked," he added. "Our own theory is that the hacker is most likely doing this to make (potentially) a lot of money and a name for themselves, not to ruin the lives of hundreds of millions of people."

While moving toward dynamic certificate-based authentication and away from over-reliance on MFA is a good move, executives must rethink their security training approach. Where a one-size-fits-all approach used to work, phishing techniques have become too sophisticated for this approach to work.

Personalized training, breach simulations and other modern techniques such as risk-based training are the need of the hour.

A Wakeup Call

Data breaches are never good news, and the recent high-profile attacks revealed serious security gaps in the respective organizations. The three processes described above will help enterprises craft a robust security posture and maintain integrity at all times. Not every business has the resources of Uber, Rockstar and Fast Company, with the ability to sustain and recover from breaches like these. The price of ignoring these measures could be fatal.

(Asim Rahal is an IT & Infosec expert and cybersecurity writer.)

Hacking
Representational Image Image by Pexels from Pixabay