Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Robert Lemos, Contributing Writer, Dark Reading, September 09, 2022

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

“I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use,” he says. “Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures.”

Identity-Related Breaches on the Rise

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance’s “2022 Trends in Securing Digital Identities” report.

Turning off basic forms of authentication is a simple way to block attackers, who are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

“The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks,” he says. “Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services.”

Shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA’s “2022 Trends in Securing Digital Identities” report.

Edging Toward Zero-Trust Architectures

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA’s Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user’s credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA’s Technical Working Group wrote.

“As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or [that] haven’t yet embraced zero trust, leaving them exposed,” researchers there wrote.

Obstacles to Secure Identities Remain

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes’ Arntz.

Companies “sometimes fail when it comes to managing who has access to the service and which permissions they require,” he says. “It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck.”

Researchers at the IDSA’s Technical Working Group explained that legacy infrastructure is also a hurdle.

“While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption,” they noted. “It’s good news that the end is in sight for basic auth.”

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google’s move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA’s report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Lily Hay Newman

From cryptocurrency thefts to intrusions into telecom giants, state-backed attackers have had a field day in the year’s first half.

Whether the first six months of 2022 have felt interminable or fleeting—or both—massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of this complicated year. With the Covid-19 pandemic, economic instability, geopolitical unrest, and bitter human rights disputes grinding on around the world, cybersecurity vulnerabilities and digital attacks have proved to be thoroughly enmeshed in all aspects of life.

With another six months left in the year, though, there’s more still to come. Here are the biggest digital security debacles that have played out so far.

Russia/Ukraine Hacking

For years, Russia has aggressively and recklessly mounted digital attacks against Ukraine, causing blackouts, attempting to skew elections, stealing data, and releasing destructive malware to rampage across the country—and the world.  After invading Ukraine in February, though, the digital dynamic between the two countries has changed as Russia struggles to support a massive and costly kinetic war and Ukraine mounts resistance on every front it can think of. This has meant that while Russia has continued to pummel Ukrainian institutions and infrastructure with cyberattacks, Ukraine has also been hacking back with surprising success. Ukraine formed a volunteer “IT Army” at the beginning of the war, which has focused on mounting DDoS attacks and disruptive hacks against Russian institutions and services to cause as much chaos as possible. Hacktivists from around the world have also turned their attention—and digital firepower—toward the conflict. And as Ukraine launches other types of hacks against Russia, including attacks utilizing custom malware, Russia has suffered data breaches and service disruptions at an unprecedented scale.

Lapsus$ Group’s Extortion Spree

The digital extortion gang Lapsus$ went on an extreme hacking bender in the first months of 2022. The group emerged in December and began stealing source code and other valuable data from increasingly prominent and sensitive companies—including Nvidia, Samsung, and Ubisoft—before leaking it in apparent extortion attempts. The spree reached its zenith in March when the group announced that it had breached and leaked portions of Microsoft Bing and Cortana source code and compromised a contractor with access to the internal systems of the ubiquitous authentication service Okta. The attackers, who appeared to be based in the United Kingdom and South America, largely relied on phishing attacks to gain access to targets’ systems. At the end of March, British police arrested seven people believed to have associations with the group and charged two at the beginning of April. Lapsus$ seemed to briefly continue to operate following the arrests but then became dormant.

Conti Cripples Costa Rica

In one of the most disruptive ransomware attacks to date, Russia-linked cybercrime gang Conti brought Costa Rica to a screeching halt in April—and the disruptions would last for months. The group’s attack on the country’s Ministry of Finance paralyzed Costa Rica’s import/export businesses, causing losses of tens of millions of dollars a day. So serious was the attack that Costa Rica’s president declared a “national emergency”—the first country to do so because of a ransomware attack—and one security expert described Conti’s campaign as “unprecedented.” A second attack in late May, this one on the Costa Rican Social Security Fund, was attributed to the Conti-linked HIVE ransomware and caused widespread disruptions to the country’s health care system. While Conti’s attack on Costa Rica is historic, some believe that it was meant as a diversion while the gang attempts to rebrand to evade sanctions against Russia over its war with Ukraine.

Decentralized Finance Platform Hacks

As the cryptocurrency ecosystem has evolved, tools and utilities for storing, converting, and otherwise managing it have developed at breakneck speed. Such rapid expansion has come with its share of oversights and missteps, though. And cybercriminals have been eager to capitalize on these mistakes, frequently stealing vast troves of cryptocurrency worth tens or hundreds of millions of dollars. At the end of March, for example, North Korea’s Lazarus Group memorably stole what at the time was $540 million worth of Ethereum and USDC stablecoin from the popular Ronin blockchain “bridge.” Meanwhile, in February, attackers exploited a flaw in the Wormhole bridge to grab what was then about $321 million worth of Wormhole’s Ethereum variant. And in April, attackers targeted the stablecoin protocol Beanstalk, granting themselves a “flash loan” to steal about $182 million worth of cryptocurrency at the time.

Data Theft From Health Care Providers

Health care providers and hospitals have long been a favorite target of ransomware actors, who look to create maximum urgency to entice victims to pay up in the hopes of restoring their digital systems. But health care data breaches have also continued in 2022 as criminals pool data they can monetize through identity theft and other types of financial fraud. In June, the Massachusetts-based service provider Shields Health Care Group disclosed that it suffered a data breach throughout much of March impacting roughly 2 million people in the United States. The stolen data included names, Social Security numbers, birth dates, addresses, and billing information, as well as medical information like diagnoses and medical record indicators. In Texas, patients of Baptist Health System and Resolute Health Hospital announced a similar breach in June that exposed similar data, including Social Security numbers and sensitive patient medical information. Both Kaiser Permanente and Yuma Regional Medical Center in Arizona also disclosed data breaches in June.

Chinese Hackers Breach Telecoms and More

At the beginning of June, the US Cybersecurity and Infrastructure Security Agency warned that Chinese government-backed hackers had breached a number of sensitive victims worldwide, including “major telecommunications companies.” They did so, according to CISA, by targeting known router vulnerabilities and bugs in other network equipment, including those made by Cisco and Fortinet among other vendors. The warning did not identify any specific victims, but it hinted at alarm over the findings and a need for organizations to step up their digital defenses, especially when handling massive quantities of sensitive user data. “The advisory details the targeting and compromise of major telecommunications companies and network service providers,” CISA wrote. “Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked.”

Separately, hackers likely conducting Chinese espionage breached News Corp in an intrusion that was discovered by the company on January 20. Attackers accessed journalists’ emails and other documents as part of the breach. News Corp owns a number of high-profile news outlets, including The Wall Street Journal and its parent, Dow Jones, the New York Post, and several publications in Australia.

Honorable Mention: California Concealed-Carry Permits

Just days after a consequential US Supreme Court decision at the end of June pertaining to concealed-carry permit laws, an unrelated data breach potentially exposed the information of everyone who applied for a concealed-carry permit in California between 2011 and 2021. The incident impacted data including names, ages, addresses, and license types. The breach occurred after a misconfiguration in the California Department of Justice 2022 Firearms Dashboard Portal exposed data that should not have been publicly accessible. “This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” state attorney general Rob Bonta said in a statement. “The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered.”

Wired, July 4, 2022

By Jennifer Gregory

According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That’s a 33% increase from 2021.

One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a split-second mistake to cause major business and reputation loss. Cybersecurity workers must continually stay on top of new phishing trends. That way, they can use the right technology to help prevent the right types of attacks. Most importantly, they need to focus on training employees on how to spot and prevent attacks.

Here are five phishing trends that your organization is likely to see in 2022:

Voice Phishing

You likely think of spam calls as just annoying. But that’s why vishing, or voice phishing, is on the rise. Cybersecurity training stresses not to click on links. However, many users do not realize that spam phone calls may actually be the start of a cybersecurity attack. In a vishing call, the person on the other end of a VoIP phone typically impersonates a legitimate organization, such as the IRS or a bank. From there, they ask the person who answered to visit a website. The attacker then uses the information entered into the website to launch a cyber attack. Common vishing scams include imposters (meaning the caller pretends to be someone else), debt relief scams and charity scams.

Vishing became such an issue in 2021 that the FBI even issued an alert. Proofpoint’s State of the Phish report found that 69% of the organizations were the recipient of a vishing attack. That’s an increase of 54% from 2020. Most concerning is that the X-Force index found that vishing attacks were three times more effective than a classic phishing scheme. Because the attack starts with the phone, using cybersecurity applications to stop the attack is challenging.

Train your employees about the rise of vishing and how to spot a vishing attack. Many vishing attacks are successful because employees don’t recognize this tactic as a potential cybersecurity attack. Stress to employees that they should never visit a website given to them over the phone. Keep employees updated on current vishing scams to help them more accurately spot threats.

Spear Phishing

If you receive an email from a bank that you’ve never used before, then it’s very likely that you will recognize it’s a phishing email and hit delete. But if you get an email from your own bank, you are much more likely to fall for the scam. The difference is the first type of attack was a general phishing attack. The second is referred to as spear phishing, which is an attack targeted at specific people.

A 2021 FireEye report found that spear phishing recipients were 10 times more likely to click on the link than general phishing email recipients. Not surprisingly, spear phishing is on the rise. Proofpoint found that 79% of organizations were targets of spear phishing attacks. That’s an increase of 66% from 2020, which is a very concerning increase.

The IBM Threat Index found that the brands most imitated by threat actors were large and trusted companies. Attackers might pretend to be from Microsoft, Apple or Google. In addition, these types of attacks work as spear phishing since most consumers do business in some shape or form with these companies. Train employees to carefully look at logos and check email addresses. Often phishing attacks use an email that looks official at first glance. After close investigation, you’ll be able to see it is phony, such as Apple99991@gmail.com. You can also reduce the likelihood of a spear phishing attack gaining control of an employee’s access by installing multi-factor authentication on all employee accounts.
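The address check described above can also run as a mail-filter rule. The following is an added example, not part of the original article: the brand-to-domain table, the digit-substitution map, the function name and all sample headers other than the article's own `Apple99991@gmail.com` are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: brand keyword -> domains that brand actually sends from.
BRAND_DOMAINS = {
    "apple": ("apple.com",),
    "microsoft": ("microsoft.com",),
    "google": ("google.com",),
}

# Undo common digit-for-letter swaps (0->o, 1->l, 3->e, 5->s) before matching.
LOOKALIKES = str.maketrans("0135", "oles")


def impersonated_brands(from_header: str) -> list:
    """Return brands named in a From header whose address is not on that
    brand's own domain (or a subdomain of it)."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    # Look for the brand in the display name, the local part and the domain.
    haystack = f"{display} {address}".lower().translate(LOOKALIKES)
    hits = []
    for brand, domains in BRAND_DOMAINS.items():
        # "apple.com.verify.test" is NOT owned: the brand domain must be the suffix.
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in haystack and not owned:
            hits.append(brand)
    return hits


if __name__ == "__main__":
    samples = [  # constructed headers, plus the address quoted in the article
        '"Apple Support" <Apple99991@gmail.com>',
        "Apple <no_reply@email.apple.com>",
        '"Account Team" <security@micros0ft-support.test>',
        "billing@apple.com.verify.test",
    ]
    for header in samples:
        print(f"{header!r:55} -> {impersonated_brands(header)}")
```

A hit is a reason to quarantine or banner the message, not proof of phishing; legitimate third-party senders that mention a brand will also match.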

Smishing

Smishing is when threat actors target someone over SMS texting. One of the reasons that this type of attack is even more effective is many people do not have cybersecurity software on their phones. The same attack might get blocked on their laptop. Many people are not as aware of smishing. Therefore, they may be more vulnerable to falling prey over text than email. Proofpoint found that 74% of organizations faced smishing attacks in 2021, which is an increase of 13% from 2020.

Many people began using food delivery and meal kits during the pandemic. So, cyber criminals began creating smishing schemes mentioning these services. Other common schemes include upcoming package deliveries and giveaways.

Start by updating your cybersecurity training to include smishing. Surprisingly, Proofpoint found that only 26% of organizations included smishing in cybersecurity training. You should also let employees know what type of legitimate SMS messages they may receive from your organization. That way, they know what to expect from their commonly used work systems. As new smishing schemes emerge, keep employees updated on new types of text messages to watch out for.

Social Media Phishing Attacks

Attackers are increasingly turning to social media for their phishing attacks. Proofpoint found that 74% of organizations were targeted by social media phishing attacks. That’s an increase of 13% from 2020. Many people are suspicious of blatant phishing attacks on social media, such as a stranger messaging you through a private message on social media with a link to click. But other schemes are harder to spot. Attackers often take over accounts and then target their friends with phishing attacks. Other schemes include social media quizzes that get users to enter information that can then be used for social engineering accounts. Threat actors also create clone accounts of real companies to get people to click on malicious links thinking they are trustworthy.

How to Protect Your Organization

With employees using personal devices for work with increased remote and hybrid work, social media phishing attacks are likely to continue to pose a big risk. You should include a section in your cybersecurity training on social media phishing and keep employees updated on new types of schemes. Require that any personal devices that employees use for work have the latest patches and company-approved cybersecurity technology installed.

Phishing is expected to remain a top threat as attackers get more creative in their social engineering and targeting techniques. By staying on top of the latest phishing schemes, you keep your employees up to date, too. If employees know that the latest trend is to impersonate a specific company or type of email, then they are going to be more aware and suspicious when that message lands in their social media account, email, text or even at the other end of a phone call.

Security Intelligence,

Multi-factor authentication (MFA) solutions are not new to data security. Already decades in use, MFA adoption became more commonplace post-pandemic thanks to remote work conditions. While companies like Google and Microsoft have claimed that MFA blocks all but .01% of account abuse attacks, the sad truth is that MFA is far from perfect, and attacks are on the rise.

How does MFA fall short?

Verizon research pegs 82% of all cyberattacks on human error (stolen credentials, phishing, misuse). Attackers need some level of human involvement to circumvent MFA controls. Phishing and social engineering tactics help distract users while different techniques are employed to hack MFA defenses.

What can organizations do to improve MFA?

MFA only makes sense if it is resilient against bypassing and hacking; otherwise, why would anyone enable MFA to only get mildly better protection? Here are three best practices that can help.

1. Deploy phishing-resistant MFA if possible.

The U.S. government has been mandating all federal agencies to use “phishing-resistant” MFA. This means organizations must steer clear of any MFA technology that can easily be phished (such as one-time passcodes, SMS text messages, dynamic codes and push notifications). The strongest forms of MFA are based on the FIDO2 framework that allows users to unlock access to resources using fingerprint readers, cameras and other device-level/hardware security checks on their devices. Since credentials don’t leave a user’s device and are not stored anywhere, it eliminates the risk of phishing and credential theft.

2. Make existing phishable MFA solutions less phishable.

There are a number of things organizations can do to make their current MFA less phishable. This includes adding more information and context to user logins since most MFA solutions oversimplify (via simple allow/reject buttons) instead of displaying more context so that users can be more assured of what they are logging into. This can include things like device name, global ID and device location. MFA solutions must also be tied to specific URLs, devices and hosts, so if a MitM attack is involved, the solution will not allow access to the resource.

Additionally, ensure MFA is built using NIST-approved (or FIPS-validated) cryptography. These are time-tested, publicly reviewed protocols; there is no need for people to invent their own cryptography. Further, stop allowing an easy reset of credentials when MFA is not working—the recovery and bypass process must instead be rigorous. Finally, ensure that anything like a session cookie, security token or a seed value expires in less than 24 hours.
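The origin binding and short expiry described in this step, sketched as an added example that is not from the article or from any MFA product. HMAC with a shared key stands in for the per-device key pair a FIDO2 authenticator would use; `EXPECTED_ORIGIN`, the two TTL values and every function and class name are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

EXPECTED_ORIGIN = "https://login.example.com"  # assumed relying-party origin
CHALLENGE_TTL_SECONDS = 120                    # assumed freshness window
SESSION_TTL_SECONDS = 12 * 60 * 60             # assumed; under the 24-hour ceiling


def mac(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


def sign_assertion(device_key: bytes, challenge: str, origin: str) -> dict:
    """Authenticator side: sign the challenge together with the origin the
    browser is actually connected to, so the proof is useless elsewhere."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return {"client_data": client_data, "signature": mac(device_key, client_data)}


class LoginVerifier:
    """Server side: one-time challenges, origin binding, short-lived sessions."""

    def __init__(self, device_key: bytes, clock: Callable[[], float] = time.time):
        self._device_key = device_key
        self._clock = clock
        self._pending = {}                       # challenge -> time issued
        self._session_key = secrets.token_bytes(32)

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending[challenge] = self._clock()
        return challenge

    def verify(self, assertion: dict) -> str:
        """Return "ok" or the reason the assertion was rejected."""
        client_data = assertion.get("client_data", "")
        if not same(mac(self._device_key, client_data), assertion.get("signature", "")):
            return "bad-signature"
        data = json.loads(client_data)
        issued = self._pending.pop(data.get("challenge"), None)  # single use
        if issued is None or self._clock() - issued > CHALLENGE_TTL_SECONDS:
            return "stale-or-unknown-challenge"
        if data.get("origin") != EXPECTED_ORIGIN:  # signed for some other site
            return "origin-mismatch"
        return "ok"

    def issue_session(self, user: str) -> str:
        expires = int(self._clock()) + SESSION_TTL_SECONDS
        body = f"{user}|{expires}"
        return f"{body}|{mac(self._session_key, body)}"

    def check_session(self, token: str) -> Optional[str]:
        """Return the user name, or None if the token is tampered or expired."""
        body, _, tag = token.rpartition("|")
        if not same(mac(self._session_key, body), tag):
            return None
        user, _, expires = body.rpartition("|")
        return user if self._clock() < int(expires) else None


if __name__ == "__main__":
    key = b"constructed-device-key"              # constructed sample key
    server = LoginVerifier(key)
    direct = sign_assertion(key, server.new_challenge(), EXPECTED_ORIGIN)
    print("direct login:", server.verify(direct))
    print("replayed    :", server.verify(direct))
    # The user was on a look-alike host, so the authenticator signed that origin.
    relayed = sign_assertion(key, server.new_challenge(), "https://login.example.com.proxy.test")
    print("relayed     :", server.verify(relayed))
```

A one-time code or push approval carries no origin, which is why a proxy in the middle can forward it; here the relayed assertion fails even though the user's device key is genuine.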

3. Improve security awareness around MFA.

The core foundation of any security strategy is mitigating the root causes of threats. For example, ransomware is not the problem; more worrisome is how ransomware got in. Similarly, in the case of MFA attacks, phishing is the key root cause that needs to be addressed. No matter how strong your MFA solution is, all stakeholders must understand the strengths and weaknesses of MFA and how hackers exploit users to bypass MFA defenses. Employees must be trained to spot and report unusual activity; they must especially be careful with push notifications and login attempts they’re not directly involved with. Additionally, they should use unique, 20-character passwords to avoid credential theft.

Always opt for a defense-in-depth approach. Eliminate the risks associated with standard MFA by deploying one based on FIDO2. Ensure employees are awareness-trained to identify a cyber threat masquerading as an MFA request.

Stu Sjouwerman

Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.

Forbes, August 11, 2022

Netlok® has announced its patented Photolok™ technology, which replaces passwords with photos, has been selected as the 2018 winner of the Cyber Defense 2018 Global Awards in the category of Most Innovative Multi, Single and Two Factor Authentication.

The industry competition honors the top companies, technologies and products in the world for online security, with particular emphasis on solutions for preventing hacking and other cyber threats. Photolok is Netlok’s groundbreaking product, which protects the online entry point (login) from Internet and Intranet cyber disruptions, or attacks, using proprietary-coded photos that make logging in substantially more secure and easier to use than passwords.

“We are thrilled to receive this award for our Photolok authentication system because there is nothing like it on the market today that prevents unauthorized access to your computer and mobile devices,” said Tony Perez, CEO at Netlok. “The escalation of cybercrime demands that new solutions be found and Netlok is committed to protecting online privacy by shutting down the entry points for hackers.”

Photolok employs a unique approach to secure authentication: Photolok’s image-based technology enables the user to have a positive emotional connection to his/her security login through the use of personal photos or photos that represent the user’s passions or interests – making them easier to remember than passwords. More importantly, photos are more secure than passwords, thanks to Netlok’s application of unique, proprietary coding to each user photo.

Photolok also offers situational security for instances where the user is working online in high-risk environments, such as airports or coffee shops, where the potential for hacking is greater. The user can designate a personal photo, or Netlok-provided photo, as a “single use” security login or “duress” security login in situations where the user’s immediate safety and security is at risk.

This is Cyber Defense Magazine’s sixth year of honoring cyber defense and information security innovators, spanning start-up and early stage companies to later stage and public entities. Nominations were judged by an independent panel of experts – CISSP, FMDHS and CEH certified security professionals – who voted based on their independent review of the company’s product for innovation and uniqueness, rather than number of customers or revenues. Netlok’s patented Photolok™ technology was a stand-out among those nominated in this category, because of its innovative use of photos in the authentication system, combined with a simple set-up process and its ease-of-use.

“Cyber Defense Magazine spent six months searching the globe to find the most innovative and cutting-edge cyber security companies for its Cyber Defense 2018 Global Awards,” said Gary S. Miliefsky, Publisher, Cyber Defense Magazine. “Netlok won this award for Most Innovative Multi, Single and Two Factor Authentication because it is an innovator on a mission to help stop breaches and get one step ahead of the next threat.”

Photolok™ Patented Technology System Named Winner for Authentication and Identity

Netlok® announced today that its patented Photolok™ technology, which replaces passwords with photos, has been selected as the 2018 winner in the category of Cybersecurity Authentication and Identity from Business Intelligence Group in its inaugural Fortress Cyber Security Awards. The industry competition honors the top companies, technologies and products in the online security space, with particular emphasis on solutions for preventing hacking and other cyber threats. Photolok is part of Netlok’s groundbreaking Netlokr® product, which integrates private messaging, confidential file sharing and protected data storage in one secure environment. 

“We are thrilled to be the first recipient of this award for our Photolok authentication system because there is nothing like it on the market today that truly protects the most common activities you do as a business or an individual online,” said Tony Perez, CEO at Netlok. “The escalation of cybercrime demands that new solutions be found and Netlok is committed to protecting online privacy by shutting down the entry points for hackers.”

Netlokr, featuring the Photolok authentication technology, pairs its patented photo-based login system with a cloud-based cybervault that operates in Netlok’s own proprietary eco-system, avoiding the vulnerable public pathways of the Internet. The system is designed to protect personal, business or client information and correspondence that are deemed highly confidential, sensitive or private. The Netlokr market includes individuals, groups and organizations, small and medium-sized businesses, large enterprises, government entities, celebrities and other high-profile individuals.

“According to recent reports, only 38 percent of global organizations say they are prepared to handle a sophisticated cyber attack and, worse, an estimated 54 percent of companies say they have experienced one or more attacks in the last 12 months,” said Russ Fordyce, Managing Director of Business Intelligence Group. “Netlok and the other 35 elite companies selected as winners of the Fortress Cyber Security Awards are creating breakthrough solutions that will stem the cybercrime tide and bring real protection to online activity.”

Nominations were judged by an independent panel of experts within the information security industry using a proprietary scoring model to determine uniqueness and innovation. Netlok’s patented Photolok™ technology was a stand-out among those nominated in this category, because of its innovative use of photos in the authentication system, combined with a simple set-up process and its ease-of-use.

ABOUT NETLOK

Netlok is a cyber security company founded on the belief that everyone has something they value and wish to keep secure and private, and it extends to the way in which they operate online. From personal information, to confidential documents, to private communications with others, Internet users want to protect certain aspects of their online activities from unauthorized access. Netlokr®, the company’s inaugural product, addresses the need for online privacy and security using a break-through photo authentication technology called Photolok™ for private messaging, as well as file and data sharing and storage. Netlok’s products are built for the full range of Internet users: individuals, businesses, large enterprises, organizations and associations, and government entities. Netlokr customers enjoy a highly secure, simple and affordable product that creates peace of mind for what matters most to them online. Netlok is based in Playa del Rey, in the heart of Southern California’s Silicon Beach. To learn more about the company and its security solutions, visit www.netlok.com.

ABOUT BUSINESS INTELLIGENCE GROUP

The Business Intelligence Group was founded with the mission of recognizing true talent and superior performance in the business world. The Fortress Cyber Security Awards, unlike other industry recognition programs, are judged by business executives with deep experience and knowledge in the online security space. The organization’s proprietary and unique scoring system selectively measures performance across multiple business domains and rewards those companies whose achievements stand above those of their peers.