Cyber 321: 15th July 2022 - Cybersecurity Without Insanity

Plain English Cyber in 3 articles, 2 numbers and 1 action.

This week: Multi-factor authentication, multi-factor authentication, 1 billion stolen records, and multi-factor authentication.

This week’s action: Yep, you guessed it: Multi-Factor authentication.

If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

THREE ARTICLES

1: Multi-Factor Authentication is not yet widely adopted

A recent survey by Cyber Readiness Institute reveals that almost half of all small and medium-sized businesses do not understand the benefits of Multi-Factor Authentication, and do not enforce its use across key systems. This means that “Small and medium-sized business owners across the globe are still relying only on usernames and passwords to secure critical employee, customer, and partner data.”

We all know the importance of our passwords. For years, we’ve been told they must be ‘strong’, which unfortunately usually meant we were forced to use complex passwords that were impossible to remember.

The joy of Multi-Factor Authentication (MFA)* is that your password is no longer particularly important anymore, because it is only one of the two or more things that an attacker needs before they can log in to your IT system.

* “Multi-Factor Authentication” means that a password is not the only thing needed to log in to a system. You need something else – e.g. a security code generated by an app on your phone or sent as an SMS text message.

2: MFA is not 100% effective. But you should turn it on 100% of the time.

In a Cybercrime Magazine article sponsored by KnowBe4, a cybersecurity training provider, the weaknesses of MFA are discussed in detail, including numerous ways that attackers can find ways around this particular security measure.

So, why would I point out that MFA is not 100% effective, when I harp on about the benefit of using MFA whenever possible?

Firstly, because it is important to recognise that no single security measure can protect you from all types of cyber-attack.

But more importantly, because the article itself describes why MFA is so valuable, even if it can be bypassed by a determined attacker in a very targeted attack. The author mentions a Google survey that found the use of SMS codes blocked 100% of automated attacks, 96% of bulk phishing attacks, and 76% of targeted attacks.

The last line of the article says it best: “Turn [MFA] on 100 percent of the time because it always makes sense to do so.”

3: Even IT giants can be victims of an attack

The Record reports that SHI, an IT organisation with 5,000 staff and $12 billion in revenue, and described by one Twitter user as Amazon for customers ordering computer equipment, was the recent victim of a malware attack. As part of its response to the attack, the company took its website offline, causing significant disruption to its customers and resulting in reputational damage.

It’s another reminder that even large firms with presumably significant cybersecurity budgets can still be victims, and why it is therefore important for every organisation to have an Incident Response Plan, so you know how you will respond when you are attacked.

TWO NUMBERS

1: 1 billion

The number of people whose personal data was stolen from Shanghai Police by a cyber attacker, according to a report in The Register. Apparently, the data was stolen when “a government developer wrote a blog post [..] that, presumably accidentally, included the credentials necessary to access the information”.

If the system was protected by Multi-Factor Authentication, the human’s error may not have led to what looks like the world’s biggest personal data breach, because the password would not have been enough for the attacker to gain access. A bit of cybersecurity awareness training may also have reduced the likelihood of the human making this error in the first place.

2: 13%

The percentage of SMEs that force staff to use MFA, according to the Cyber Readiness Institute survey that I mentioned earlier. This means that for 87% of SMEs, a password may be the only thing that sits between their important data and a cyber attacker. A password that is set by a human and who could be fooled into revealing it to an attacker.

This statistic should reinforce why baselining yourself against your peers is not a good strategy. Because in this case, the vast majority of your peers may be wide open to attack.

ONE ACTION

1: Yes, once again, it’s all about MFA

This is not the first time I’ve mentioned MFA. In fact, a search on my site indicates I’ve mentioned ‘MFA’ in at least 13 issues of Cyber 3-2-1 over the last 12 months. This indicates that the search functionality on my site is broken, as I’m sure I’ve mentioned it more frequently than that!

I keep talking about it because MFA is one of the most significant security improvements you can make. It’s usually simple to set up, it doesn’t cost much (if anything at all). Significant benefit and low (possible no) cost. Could there be a stronger business case?

You need to check that all accounts are protected with Multi-Factor Authentication, especially important accounts like your email and any accounts that are accessible from the internet.

At work, don’t just look at your accounts and those of your business colleagues. Review the accounts used by IT support teams. After all, their accounts are the keys to the kingdom.

Where MFA is not available on a particular system, you need to consider the risk that this poses and find ways to mitigate this risk – For example

By ensuring the system is not accessible online,
By ensuring the system cannot be accessed from non-corporate devices, or
By finding a better system that isn’t hanging you out to dry by failing to provide MFA functionality.