In our four-part series investigating the vulnerabilities of multi-factor authentication (MFA), we’ve learned a lot about the methods hackers use to crack these systems. Social engineering, technical hacks, and a mixture of both can all play a role in weakening the authentication factors we depend on to protect our business’s critical data.
The truth is that cybersecurity measures can’t be a set-it-and-forget-it activity. These days, the risks of cyberattacks are higher than ever before, and companies need to be proactive and hands-on with their countermeasures. Setting up an MFA solution is one step you can take, but it shouldn’t end there.
Each authentication factor requires complete protection for a multi-factor solution to live up to its name. And passwords, a nearly universal factor in every MFA solution, need to be fortified against risks that come from password reuse and data breaches.
Guarding Against Social Engineering Tactics
Hackers use social engineering tactics against well-meaning tech support employees who want to make their customers happy. This desire to be helpful makes them vulnerable to fast-talking scammers who will use it to get around MFA protections. Phishing emails are another social strategy bad actors use to bypass MFA. Emails, social media messages, and texts sent to victims convince them to click a link they should not click on, resulting in a visit to a decoy website or a malware download right onto the company server or device.
The best way to avoid these social engineering scams is to educate your workforce about the methods hackers use to engineer their way past security systems socially. Teach employees how their actions can result in a breach and what they can do if they spot something suspicious. Information on the latest phishing scams should be readily available, and you should train tech support in the social engineering techniques cybercriminals may use against them.
Fending Off Technical Threats
We have gone over many of the technical ways attackers can use to hack MFA. Brute force attacks, guessing unique session tokens, and malicious software and hardware are all too common approaches to crack MFA. Closely monitoring your systems will help. So will utilizing account lockout features, practicing good password hygiene, and making sure hardware isn’t compromised in the supply chain (like working with cell phone providers with policies and procedures to prevent malicious SIM swapping).
Hackers are taking advantage of the increase in remote working with accelerating session hijacking attempts, as we’ve seen from recent “Zoombombing” issues. Session takeovers include man-in-the-middle attacks where communication between two systems is intercepted, guessing the session tokens to take over covertly, and cross-site script attacks that utilize malicious code to steal a session ID. When possible, encrypt data transmitted on a web page, and use cybersecurity tools that detect and block threatening websites before an IP connection is established.
Layers of Security and Preventative Measures are Key
MFA is still a highly recommended piece of your overall cybersecurity puzzle. By acknowledging its limitations, we can take the extra steps necessary to protect these systems. The goal is to build a security strategy with many layers. Here are a few more tips to keep in mind to tighten your lines of defense.
1. Enable MFA for all users, data, and devices across your entire organization, not just for particular applications or a specific network.
2. Lessen friction for users wherever possible. A system is only going to work if your employees can engage with it and use it properly.
3. Continuously review your anti-virus and anti-malware logs and be confident that they are installing updates as required.
4. Have system administrators keep a lookout for signs of intrusion in your systems at deeper levels, for example, in the log of UPN updates.
5. Rework network configurations so that communication paths between servers only exist when they are required. By isolating the servers that store your sensitive data, it will be easier to impede an attacker if they breach your network.
6. Have the absolute highest standards for password hygiene. This means mitigating the chances of password reuse or using a common password that should be blacklisted. You can also utilize password hashing and add additional security measures around users with more privileged access.
7. Implement a zero-trust approach to digital security.
Every system has vulnerabilities, but by making it extraordinarily difficult to circumnavigate multi-factor authentication defenses, you’ll have a better chance at safeguarding your systems from criminal threats. Learn more about preventing account takeovers and securing employee accounts by hardening the password layer with complete, advanced password protection by checking out Enzoic’s automated solutions.