Companies often think they have the necessary security tools to protect their users working in the cloud. Malware protection, anti-phishing solutions, and geolocation tracking are great tools, but they may not be enough.
A security nightmare: hackers bypassing multiple layers of expensive security tools
I’d like to share a common example of what can happen when multi-factor authentication is not in place. A company was targeted by a foreign attacker. The hackers focused on the accounting team and chose an accounts payable clerk with an active presence on social media; for this story, we’ll call her Susan. Susan received an email with an invoice attached and an urgent note stating that the vendor needed the payment sent to a new bank routing number. Working quickly, Susan thought she recognized the name and email address and overlooked the misspelled domain. When she opened the attachment, a malicious payload installed a key-logger on her computer. From there, the attackers captured her email login credentials and, because her password was all that was needed to sign in, began sending and responding to emails within the company while posing as Susan. The hackers logged into the email system from all over the United States, France, and Nigeria. They successfully persuaded the internal accounting managers to authorize a wire transfer to a new, fraudulent bank account. In the end, the company wired over $100K to the fraudsters. Spoiler alert: the company was able to recover the money, but not without significant disruption to the business.
Susan’s company had several security features in place that should have prevented this. The company used Microsoft’s suspicious-login monitoring and had added Advanced Threat Protection (ATP) for its O365 email and Office applications. The company also had a third-party security monitoring vendor watching for alerts from these systems. Like many companies, they believed they had an effective solution that would protect users from any location.
A breakdown of how the existing security solutions failed
How could all these layers of Microsoft security tools fail to protect Susan’s company from a scam? Let’s analyze what went wrong.
The first alert should have come from the phishing protection in the O365 email filtering, triggered by the misspelled domain. Instead, the message was delivered, and the solution provider could not explain why it had not been blocked. Susan’s company could tighten the mail filtering in several steps so that more messages are blocked, but that would also hold up legitimate mail and disrupt the flow of business.
Second, the malware protection in the ATP solution and on the desktop should have caught the malicious payload in the attachment. However, new malware enters the wild daily, and relying on this one control alone to stop it is not realistic.
Third, the suspicious-login monitoring should have noticed the logins from Nigeria and, at a minimum, flagged and blocked them. Susan is located in San Francisco, California, and was not traveling outside the country at the time (especially with a global pandemic under way). Suspicious-login blocking should have caught the logons from unknown sources. Note that a simple country rule would not have caught the logins from elsewhere in the United States; spotting those takes a check on the travel speed implied between consecutive sign-ins, or on whether the device has been seen before.
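The following is an added example, not code from the original post or from any Microsoft or Google product: it shows the two checks a suspicious-login monitor should have applied to Susan’s sign-in log, a country allow-list and an "impossible travel" speed rule between consecutive sign-ins. The log lines, the account name and the city coordinates are constructed for illustration; a real pipeline takes coordinates from a GeoIP lookup. The speed rule is what catches the attackers’ sign-ins from elsewhere in the United States, which a country rule alone passes.

```python
# Added example (not from the original post): suspicious sign-in checks over a
# constructed sign-in log. Coordinates and events below are made up for the demo.
from __future__ import annotations
import shlex
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed (latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "San Francisco": (37.77, -122.42),
    "New York": (40.71, -74.01),
    "Paris": (48.86, 2.35),
    "Lagos": (6.52, 3.38),
}

# Constructed sign-in events: timestamp, account, city, country, result.
SAMPLE_LOG = """\
2020-11-02T08:05:00Z susan@example.com "San Francisco" US success
2020-11-02T08:40:00Z susan@example.com "New York" US success
2020-11-02T09:10:00Z susan@example.com Paris FR success
2020-11-02T09:55:00Z susan@example.com Lagos NG success
2020-11-03T08:01:00Z susan@example.com "San Francisco" US success
"""

MAX_KMH = 900.0  # faster than any airliner: two genuine sign-ins cannot exceed it


@dataclass
class SignIn:
    when: datetime
    user: str
    city: str
    country: str


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed log format; shlex handles the quoted city names."""
    events = []
    for line in text.splitlines():
        ts, user, city, country, _result = shlex.split(line)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, user, city, country))
    return events


def distance_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def flag_signins(events: list[SignIn], expected_countries: set[str]) -> list[tuple[str, str, str]]:
    """Rule 1: sign-in from a country the user is not expected in.
    Rule 2: consecutive sign-ins by the same account that would require
    travelling faster than MAX_KMH (impossible travel)."""
    alerts = []
    last: dict[str, SignIn] = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.country not in expected_countries:
            alerts.append((ev.when.isoformat(), ev.city, "unexpected_country"))
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = distance_km(GEO[prev.city], GEO[ev.city])
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append((ev.when.isoformat(), ev.city, "impossible_travel"))
        last[ev.user] = ev
    return alerts


def analyze_sample() -> list[tuple[str, str, str]]:
    """Run both rules over the constructed log with the US as Susan's home country."""
    return flag_signins(parse_log(SAMPLE_LOG), {"US"})


if __name__ == "__main__":
    for when, city, reason in analyze_sample():
        print(when, city, reason)
```

On the constructed log the New York sign-in, thirty-five minutes after one from San Francisco, is flagged only by the speed rule, while Paris and Lagos trip both rules; Susan’s own sign-in the next morning is far enough in time from the Lagos one that it passes. Two caveats apply in practice: VPNs and cloud proxies shift where a login appears to come from, and a rule like this only raises an alert, whereas a second factor stops the sign-in outright.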
An alternative and simpler approach to security
None of the security solutions the company was using should be removed, but one addition to the toolkit would have stopped this attack. Multi-factor authentication, such as the Two-Step Verification that Google offers, is the best defense against an attack like this: with a second factor enforced, the password captured by the key-logger would not have been enough to sign in from the attackers’ own machines. MFA does not remove the key-logger itself, so the endpoint would still need to be cleaned, but it takes the stolen password off the table.
Multi-factor authentication, Two-factor authentication, and Two-Step Verification – what’s the difference?
Before we dive into how to use multi-factor authentication (MFA), let’s discuss what it is and the different names it goes by.
MFA is when a system uses multiple checkpoints, or factors, to verify a user’s identity before allowing that user to access information, resources, or applications. It is one of the most effective controls an organization can enforce against account hijacking and credential theft, and it should be required on every cloud-accessible system. Some providers call it Two-Factor Authentication (2FA); 2FA is simply MFA with exactly two factors, and the underlying technology is the same. Not all companies offer the same solutions, quality, or pricing for their authentication offerings.
Google’s version of MFA/2FA is called Two-Step Verification and includes an authenticator app on the user’s phone. Today’s implementations also add geo-blocking and risk-based checks that identify suspicious authentication attempts, such as those that are bot-driven or come from devices that have not been authorized.
Google’s Two-Step Verification covers the essential security features and is available with Google’s most basic offering, Google Workspace; even users with free Google accounts can turn on Two-Step Verification. Compared with the authentication offered by companies like Microsoft, Google’s offering is more affordable and includes everything needed to keep you and your coworkers safe.
Two-Step Verification setup is easy
Some companies are hesitant to enforce verification or authentication because they believe it will add time to workers’ schedules or increase support tickets because users will be locked out of their accounts. This is simply not true.
Setting up Two-Step Verification does not typically increase support tickets or end-user troubleshooting; the small amount of time it adds is far less than the time spent cleaning up after an account takeover. The two steps at sign-in require something the user knows (their password) and something they have (another device that shows a verification code). This process takes a matter of seconds. I’m surprised how many companies do not implement this throughout their organization. Some departments or groups turn it on (or are asked to), but the majority of users never do. Where the budget allows, hardware security keys are the strongest second factor, since a one-time code can still be phished in real time by a fake site that relays it, and Two-Step Verification supports those keys as well. With all that’s going on, the one simple thing you can do is turn on Two-Step Verification.
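To make the "something you have" step concrete, here is an added example, not code from the original post or from Google: a time-based one-time password (RFC 6238 TOTP, the scheme authenticator apps implement) alongside a password check, replaying the story above. The account record, the password and the login helper are constructed for the demo; the TOTP secret is the RFC 6238 reference secret so the published test vectors apply. It shows why the key-logged password alone gets the attacker nowhere, and it handles the edge case where the key-logger also captures a code: the code is tied to a 30-second step and is rejected once that step has been used.

```python
# Added example, not from the original post or from Google: RFC 6238 TOTP as a
# second factor, with replay protection. Account data and password are constructed.
from __future__ import annotations
import base64
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # standard code length
# RFC 6238 reference secret ("12345678901234567890") in base32, so the RFC test
# vectors apply. A real enrollment generates a random secret per user.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int) -> str:
    """The code the user's device displays at Unix time `at`."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // STEP_SECONDS)


def match_totp(secret_b32: str, code: str, at: int, window: int = 1) -> int | None:
    """Return the time-step counter that `code` matches, allowing +/- `window`
    steps of clock drift, or None. Comparison is constant-time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(password: str, secret_b32: str = RFC_SECRET_B32) -> dict:
    """Constructed account record: salted password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": secret_b32, "last_counter": -1}


def authenticate(account: dict, password: str, code: str | None, at: int) -> bool:
    """Both factors must pass. A password alone fails, and a code whose time step
    has already been used is rejected, so a captured code cannot be replayed."""
    if not hmac.compare_digest(account["pw_hash"], hash_password(password, account["salt"])):
        return False
    if code is None:
        return False
    counter = match_totp(account["totp_secret"], code, at)
    if counter is None or counter <= account["last_counter"]:
        return False
    account["last_counter"] = counter
    return True


def demo() -> dict:
    """Replay the story: Susan signs in with both factors; the attacker has the
    key-logged password, then also the key-logged code, then a stale code."""
    pw = "correct horse battery staple"          # constructed demo password
    acct = enroll(pw)
    t = 1111111109                               # an RFC 6238 test time
    code = totp(acct["totp_secret"], t)          # what Susan's phone shows: "081804"
    return {
        "susan": authenticate(acct, pw, code, t),
        "attacker_password_only": authenticate(acct, pw, None, t + 5),
        "attacker_replays_code": authenticate(acct, pw, code, t + 5),
        "attacker_stale_code": authenticate(acct, pw, code, t + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The drift window of one step on each side is the usual compromise between tolerating a phone clock that is a few seconds off and keeping the acceptance window short; the stored `last_counter` is what RFC 6238 asks servers to keep so that a code is accepted once only.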
With the new year coming, now is a great time to get a gut-check on the security health of your organization. Wursta offers complimentary security reviews to see what steps you’re already taking and where you could tighten security.
If you have any questions or would like to schedule a complimentary security review for your company, let’s connect.