Over the first 6 months of 2019, I am seeing more and more accounts being taken over by malicious actors on office 365 and google mail where the attacker will create some rules in the backend to redirect emails of interest into deleted items, RSS feeds or any other folder they think may be overlooked by the user. They would then either use the account and information gleaned from the account or redirected emails to try to get clients/customers of the business that the account belongs to make payments into a new account for outstanding invoices or something along those lines.
The malicious actor would then use the accounts to spread their access to further accounts to continue the cycle over and over. I see this type of scenario all the time and the sad part about this is that there is a simple solution that may protect many of these victims from having their accounts breached in the first place. MULTIFACTOR AUTHENTICATION. It's pretty simple and in most platforms is turned on very easily with no additional costs. In office 365 to turn it in for the organisation, it is as easy as selecting a tick box. Then all users in that organisation can log in to the online portal and run through a very simple wizard to get the two-factor setup. You can use a text or the authenticator app (the app is the best option, but the text option is still better than not using it).
Look, yes I get it I am sure that the change over will not be perfectly smooth and you could have some interruption by doing so with some users who have trouble with the process but honestly this small amount of pain will be much better than explaining to the CFO or CEO why you hadn’t done it after an attack could have been stopped and prevented a $50K payment or worse to a malicious actor. Come on you know I am right!
I am sure that google mail will have a similar easy process that can be carried out to allow for the same two-factor authentication to be switched on and used. So why do I keep seeing some many businesses that don’t have this turned on? It just seems really stupid to me, I just honestly don’t get it why organisations don’t turn it on. Is it our fault (IT, Security industry) for not getting the message out there for why it is important? Or is it because businesses just don’t know what they should be doing in the first place or even that it Is an option that they can even have in the first place.
I think it is a little bit of all of them, we as the protectors should do more to help businesses protect themselves, we need to look past the money and actually help them get the basics right in the first place. The funny thing is if you do put the business first and help them in knowing what they need to do and not just push to sell some more blinky lights then they may just become your best customer you have ever had because of that trust you have created. You won't just be about the next quick buck you can make from them as many businesses think of the MSP or MSSP industry. This goes for the whole industry though, do the right thing by people and they will remember.
So, if it isn't all our fault (it really isn't but we can do better), what is the problem that stops users and organisations alike adopting MFA (Multifactor Authentication). I personally think that it could be a couple of reasons and different for each user or business. Laziness is certainly one of the reasons, people like to do things the easiest way possible, the path of least resistance. If all they need to have is a password then that is all they will have. Yes, they might know that they should do MFA with either a text or app but if they don't have to do it they will just do what is the easiest option. We all do it sometimes, admit it we all do. This fact alone is why Shadow IT was born, they needed something and couldn't get it done easily so they plugged their own wifi device in.
What we need to do is not make it optional at all on the very top level, Microsoft and Google and every other platform provider don't let users access systems without MFA of some form. Simple and very effective result don't you think? I know that is easier said than done but this mandatory change will make systems much more secure and not rely entirely on passwords alone for authentication.
Now why we wait for the commotion to settle down and people to stop freaking out about what I just said you all know what I have said is right. Take away the choice and the problem becomes a bit simpler to resolve. Look I know that MFA isn’t perfect and there are techniques that can get around this as well, but it is really difficult and is rarely successful. So just because it’s not perfect doesn’t mean we shouldn’t use it as part of our defence. Improvements are just that improvements.
If any of my readers work for Microsoft or Google and has access to anyone who could put this suggestion to the right people, it would be greatly appreciated. I am sure in time we will all come to see that it was for the best even if it causes us a little bit of pain because of it.
Now I don’t think that will actually happen anytime soon but if it does it will be terrific. However, until then we need to do what we can to help people understand that the option is there and that honestly, it won't be that inconvenient to them to use the MFA component. They won’t have to pay any more money, but it will make them much more secure against the many threats that face them and their online presence. If we can do that I will be much happier, and I have a feeling that many of you will be as well.
Let's do this together and reap the rewards with a better-protected world. As always tell me what you think. Disagree, I don't mind. We always need to look at other opinions and options. If we can't do that we will never stand a chance in the virtual war, we are fighting.
Until next time…