Qtr 4  |  2023

In this Issue:

  • The Buzz: National Cybersecurity Awareness Month
  • Product Highlight: Multi-Factor Authentication (MFA)
  • Business Stats: 2023 Cybersecurity Awareness
  • Behind the Scenes: Halloween Costume Contest
  • Tech Tips and Tricks: Avoid an MFA Fatigue Attack

THE BUZZ – Cybersecurity Awareness Month

In 2004, the President of the United States and Congress officially declared October National Cybersecurity Awareness Month. During this dedicated month, public and private sectors join forces to spread awareness about the significance of cybersecurity and encourage people to take necessary precautions to safeguard their online presence.

Secure Our World: 2023 and Beyond

In recognition of the 20th year, the Cybersecurity and Infrastructure Security Agency (CISA) announced a new cybersecurity awareness program, Secure Our World. Secure Our World encourages everyone to be proactive about security.

Four Easy Ways to Stay Safe Online

The program promotes behavioral change across the Nation, focusing on how individuals, families, and small to medium-sized businesses can Secure Our World by following the four critical actions below.

Use Strong Passwords

Strong passwords are long, random, and unique, and include all four character types (uppercase, lowercase, numbers, and symbols). Password managers or vaults are powerful tools that help create and store strong passwords for your accounts.

Turn On MFA

MFA can block 99.9% of attacks on your accounts, offering far more robust security than relying on passwords alone. Check your devices, apps, and account settings to enable multi-factor authentication.

Recognize & Report Phishing

One hour and 12 minutes is the average time for an attacker to access your private data if you fall victim to a phishing email. Be cautious of unsolicited messages asking for personal information. Avoid sharing sensitive information or credentials with unknown sources. Report phishing attempts and delete the message. Avoid the bait!

  • Check the sender’s email address for verifiable contact information and phishing tip-offs such as an unrelated sender address. If in doubt for any reason, do not reply.
  • Don’t click on links or open email attachments unless you have verified the sender.
  • Look for poor grammar or misspellings.

Update Software

Keeping your software up to date is the best way to ensure you have the latest security patches and updates on your devices. Regularly check for updates if automatic updates are not available.

Celebrate Cybersecurity Awareness Year Round

Cybersecurity Awareness Month holds special significance globally as it brings together industry, academia, and government with a united mission to keep our users safe. However, it is vital that cybersecurity awareness and training happen all year round.

https://youtu.be/idR9J7Pspf4?si=uT6DssDxftajZl10

Solution Highlight – Multi-Factor Authentication (MFA)

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a highly effective cybersecurity tool that safeguards online accounts and applications by requiring an additional security identifier alongside the username and password. MFA is essential in today’s digital ecosystem, as passwords alone are insufficient to protect against cyberattacks, and it blocks nearly all account compromises. Microsoft’s Alex Weinert, Group Program Manager for Identity Security and Protection, has stated that “your account is more than 99.9% less likely to be compromised if you use MFA.”

How does multi-factor authentication work?

MFA combines factors of different kinds, such as something you have (a mobile phone), something you know (a username and password), and something you are (a fingerprint). These factors are unique to the individual and difficult for bad actors to replicate. The MFA process comprises the following steps:

  • Register the mobile device to verify ownership.
  • Log in by entering a username and password.
  • Receive a verification request as the system connects to the registered device.
  • React by entering the verification code received or tapping the verification button within a specified time limit.

Important things to know

Although MFA is the most effective protection against hackers, many companies have yet to embrace it fully. A global survey by the Cyber Readiness Institute of 1,400 small and medium-sized businesses revealed:

  • 55% of companies have not implemented MFA
  • 28% of those implementing MFA do not require their employees to use it.
  • Nearly 60% of survey respondents reported that they had not even discussed MFA with their employees.

The main reason for the resistance is convenience, as MFA requires an additional step in the login process. However, the inconvenience of multiple login steps pales in comparison to the risk of using only passwords and leaving your business vulnerable to cyberattacks.

Microsoft Authenticator

For businesses seeking an MFA tool, Microsoft Authenticator is an excellent choice that offers outstanding network protection. It provides passwordless sign-in and password autofill, enabling users to sign in to online accounts securely and conveniently using MFA. Additionally, it is free for small businesses, making it an attractive option for those seeking a cost-effective cybersecurity solution.

Business Stats: 2023 Cybersecurity Awareness

The world of cybersecurity is constantly developing, and so are cyberattacks. Cybercrime is on the rise and becoming more sophisticated, which makes it essential to analyze the different threats in your environment. The following list does not aim to create fear; instead, it serves to raise awareness of the growing frequency of cybercrime in today’s world.

Let’s take a look at some recent security statistics:

  • On average, 26,000 DDoS attacks are executed per day, which is equivalent to 18 per minute.
  • By 2025, the annual worldwide cost of cyberattacks is estimated to be $10.5 trillion.
  • 56% of Americans are unaware of the steps to take in response to a data breach.
  • 80% of data breaches result from reused or weak passwords.

Check out the weakest passwords in the world!
Behind the Scenes – Halloween Costume Contest

We ended National Cybersecurity Awareness Month with a team event in which each participant was asked to dress as a “hack attack”, and it goes without saying that these geeks are very creative!

  • LaDonna – Cyber Angler – Best Overall/1st Place
  • Dave – Anonymous/Anonymous – Best Overall/2nd Place
  • Heather – Malvertising – Best Overall/3rd Place
  • Andrea – Ransomware – Best Theme Execution
  • Denase – Leap Frog Attack
  • Bill – White Hat Hacker
  • Terry – Black Hat Hacker

An extra special thank you goes out to our judges for participating in our event. We had a lot of fun, all in the name of cybersecurity!

Tech Tip – MFA Fatigue

What is an MFA Fatigue Attack?

A multi-factor authentication (MFA) fatigue attack, also known as MFA bombing or MFA spamming, is a social engineering attack in which the attacker repeatedly triggers MFA requests to the victim’s email, phone, or other registered devices. The aim is to wear the victim down until they approve one of the notifications, which authenticates the attacker’s attempt to access the victim’s account or device.

How MFA Fatigue Works 

MFA fatigue attacks are a form of social engineering. To execute an MFA fatigue attack, the attacker must first access the victim’s login credentials, typically through a phishing email, a credential stuffing attack, or purchasing them on the dark web. Once the attacker has obtained the victim’s login credentials, they can attempt to log in to the victim’s account or device. If the account has MFA enabled, the attacker will be prompted to provide the second-factor authentication code.

To trigger the MFA push notifications, the attacker repeatedly attempts to sign in with the stolen credentials; each attempt makes the MFA system send a request to the victim’s registered devices, typically at a frequency designed to overwhelm the victim’s ability to properly verify the requests.

The victim may receive multiple MFA requests in quick succession, with the attacker using various social engineering tactics to make the victim feel under pressure to approve the requests quickly. For example, the attacker may claim that there is suspicious activity on the account or that failure to approve the requests will lock the account.

If the victim falls for the attacker’s tactics and approves the MFA requests without properly verifying that they are legitimate, the attacker gains access to the victim’s account or device. This can allow the attacker to steal sensitive information, carry out fraudulent transactions, or install malware on the victim’s device.
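The approval step this attack depends on can be made to require knowledge that only the real requester has. As an added example that is not from the newsletter or from any vendor’s product, the sketch below refuses a push unless the user types back a two-digit number displayed on the login screen, one concrete form of the “additional context” control listed in the next section; the class, field names and 60-second time limit are assumptions.

```python
"""Added example (not from the newsletter): a push approval that requires the
user to type back a number shown on the login screen, so a push the user did not
start cannot be approved by reflex. Names and the time limit are assumptions."""
import secrets
import time

PUSH_TTL_SECONDS = 60  # assumed time limit for reacting to a request


class PushChallenge:
    """One pending MFA push. It carries the context the authenticator shows the
    user and a 2-digit number that only the login screen displays."""

    def __init__(self, user, app, source_ip, now=None):
        self.user, self.app, self.source_ip = user, app, source_ip
        self.number = secrets.randbelow(100)
        self.created = time.time() if now is None else now
        self.resolved = False

    def describe(self):
        # What the user sees on the phone before any approve/deny button.
        return f"{self.app} sign-in for {self.user} from {self.source_ip}"

    def approve(self, typed_number, now=None):
        """Return True only if the request is unexpired, unused, and the typed
        number matches. A wrong answer or an expired request resolves as denied,
        so a bombarded user tapping through blindly cannot let the attacker in."""
        now = time.time() if now is None else now
        if self.resolved:
            return False
        self.resolved = True  # one decision per push, whatever the outcome
        if now - self.created > PUSH_TTL_SECONDS:
            return False
        return secrets.compare_digest(f"{typed_number:02d}", f"{self.number:02d}")


def reflex_approve(challenge):
    """Model the fatigued user: taps Approve without reading the login screen,
    so the number is unknown and a guess is entered. A guaranteed-wrong guess is
    used to keep the outcome deterministic (a real guess is right 1 time in 100)."""
    wrong_guess = (challenge.number + 1) % 100
    return challenge.approve(wrong_guess, now=challenge.created + 5)


if __name__ == "__main__":
    c = PushChallenge("alice", "Mail", "203.0.113.7")  # constructed sample request
    print(c.describe(), "->", "approved" if reflex_approve(c) else "denied")
```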

  

6 Ways to Protect Against MFA Fatigue Attacks

Enable Additional Context – Enabling additional context is one way to protect against MFA fatigue attacks. Providing users with more information about the authentication request can help them to determine whether it is legitimate. Here are some ways to enable additional context for MFA.

Adopt Risk-Based Authentication – Adopt risk-based authentication for MFA, such as risk scoring, adaptive authentication, and dynamic policy management.

Implement FIDO2 Authentication – FIDO2 is an open authentication standard designed to provide strong authentication without passwords. FIDO2 authentication can be implemented using hardware security keys connected over USB or NFC. These keys store the user’s private key and use public-key cryptography to verify the user’s identity.

Disable Push Notification as a Verification Method – MFA push notifications are designed to be easy to use, as users must click “Yes” or “Allow” to approve login attempts. However, this simplicity also makes it easier for attackers to overwhelm users with fraudulent MFA requests.

Improve Security Awareness Around MFA – Educating users on the risks of MFA fatigue attacks and providing guidance on verifying MFA requests can help reduce the likelihood of successful attacks. Here are some ways to improve security awareness around MFA.

Protecting Against MFA Fatigue Attacks with an Advanced SIEM Platform – Protecting against MFA fatigue attacks requires a proactive approach, which can be achieved by combining advanced SIEM (Security Information and Event Management) solutions with user and entity behavior analytics (UEBA) and other security best practices. Advanced SIEM platforms provide real-time monitoring, threat detection, and incident response capabilities to help organizations detect and mitigate MFA fatigue attacks.
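As an added example, not from the newsletter or any SIEM vendor, this is the core of the detection logic such a platform would run for this attack: a burst of denied or unanswered pushes for one user inside a short window, escalated when an approval follows the burst. It runs over a few constructed log lines; the log format, the `push_*` result names, and the threshold and window are assumptions.

```python
"""Added example (not from the newsletter): flag the MFA-fatigue pattern in
authentication logs. Log format, result names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, push result, source IP of the login attempt.
SAMPLE_LOG = """\
2023-10-12T08:01:05Z alice push_denied 203.0.113.7
2023-10-12T08:01:40Z alice push_denied 203.0.113.7
2023-10-12T08:02:15Z alice push_timeout 203.0.113.7
2023-10-12T08:02:50Z alice push_denied 203.0.113.7
2023-10-12T08:03:30Z alice push_denied 203.0.113.7
2023-10-12T08:04:10Z alice push_approved 203.0.113.7
2023-10-12T08:05:00Z bob push_approved 198.51.100.20
2023-10-12T09:10:00Z bob push_denied 198.51.100.20
"""

UNANSWERED = ("push_denied", "push_timeout")


def parse_line(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_mfa_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return (alert, user, ip, count) tuples. A burst is `threshold` denied or
    unanswered pushes for one user inside `window`; an approval that follows a
    burst is the 'victim gave in' outcome and is escalated separately."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of denied/timed-out pushes
    bursting = set()            # users currently inside a burst
    for line in log_text.strip().splitlines():
        ts, user, result, ip = parse_line(line)
        if result in UNANSWERED:
            # Keep only pushes inside the sliding window, then add this one.
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold and user not in bursting:
                bursting.add(user)
                alerts.append(("mfa_push_burst", user, ip, len(recent[user])))
        elif result == "push_approved":
            if user in bursting:
                alerts.append(("approval_after_burst", user, ip, len(recent[user])))
            bursting.discard(user)
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(*alert)
```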
