Why try to break in through a side window when you have working keys to the front door?
Credentials remain one of the most sought-after assets for attackers, and stolen credentials continue to deliver results. Verizon’s 2021 Data Breach Investigations Report attributed 61% of breaches to the use of compromised credentials, and CrowdStrike’s 2022 Global Threat Report, measuring a different population of intrusions, reported that 80% of attacks rely on compromised identities.
The ways attackers harvest credentials form a long list. The most common are phishing, social engineering, offline password cracking, online brute force, credential stuffing, password spraying, plain guesswork (“password1!”), man-in-the-middle (MITM) interception, and malware payloads such as keyloggers and screen scrapers.
None of this is new; compromised credentials have been behind third-party breaches for years. It should still serve as a warning, because the trend is upward. Account compromise also has compounding upside for the attacker: after taking over a cloud or SaaS account, attackers can (and often do) use it for data exfiltration, business email compromise, and lateral movement, including convincing social engineering sent from a trusted internal mailbox. These extended campaigns lead to further account compromises and to greater data and financial loss for the organization.
How credentials are managed, whether in Azure AD, Okta, or another identity provider, directly shapes overall security posture. Passwords, especially those with privileged access to organizational systems and networks, are prime targets because a single compromised secret unlocks so much at once.
Multi-Factor Authentication (MFA) is a must-have for securing user accounts. But we need to stop treating MFA as a yes-or-no checkbox and start thinking of it as an A-to-F efficacy grade. Grade the weakest factor an account is still allowed to use, not the strongest one it could use, because an attacker will steer the victim toward the weakest option available:
A – Enforced biometric authentication plus device posture and network condition checks
B – Enforced biometric authentication
C – One-time passcode delivered by SMS, phone call, or email
D – A static, non-changing PIN code (effectively a second password)
F – No MFA enforcement
Biometric MFA sounds complicated and expensive, right? It isn’t. Virtually every laptop and smartphone built in the last five years has a fingerprint reader or facial recognition. Apple and Google have already invested almost $500M each in the facial recognition built into the iOS and Android devices your users already carry. There is no need to reinvent the wheel. Note that the strength comes less from the biometric itself than from what it unlocks: Windows Hello, Touch ID and Face ID act as FIDO2/WebAuthn platform authenticators, so the sign-in is backed by a device-bound cryptographic key that cannot be phished or replayed the way a one-time code can.
Now that you have authenticated the user, do the same for the device they are signing in from. We recommend a device posture check that permits sign-in only when the device passes every check: the operating system is up to date, endpoint security (EDR) software is running, and endpoint management software (MDM or UEM) is running with the device enrolled. This secondary check should be completely invisible to the end user so that it causes no delay when everything is in order; the user should only notice it when something on the device needs fixing.
Network condition checks are a little more involved to configure. We recommend a Zero Trust Network Access (ZTNA) tool for access to private applications and a Cloud Access Security Broker (CASB) with a forward proxy for access to public SaaS tools. With both in place, the rule is simple: allow access only when the sign-in arrives over the expected path, for example from the ZTNA or CASB proxy’s egress addresses, and deny it otherwise.
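The grading scale above and the device and network checks that follow it lend themselves to a small policy-as-code evaluator. The Python below is an added example written for this article; it is not tooling from the original post or from any vendor named here. The field names, OS version floors, factor names, and network ranges (RFC 5737 documentation addresses standing in for a proxy’s egress) are constructed assumptions. It grades a policy by the weakest factor the policy still accepts, since that is the factor a phishing kit will push the victim toward, and then applies the policy’s device posture and network checks to individual sign-in events.

```python
"""Added example (not from the original post): grade an MFA policy on the
A-F scale and evaluate a sign-in event against it.

Field names, version floors and network ranges are constructed assumptions.
"""
from dataclasses import dataclass, field
import ipaddress

# Grade contributed by each factor type. A policy is graded by the weakest
# factor it still accepts, because that is the one an attacker steers to.
FACTOR_GRADE = {"static_pin": "D", "otp": "C", "biometric": "B"}

# Minimum OS versions treated as "up to date" (assumed values, not guidance).
MIN_OS_VERSION = {"macos": (13, 5), "windows": (10, 0, 19045), "ios": (16, 6)}

# Egress ranges of the ZTNA / CASB forward proxy. RFC 5737 documentation
# ranges are used here as constructed stand-ins for real proxy addresses.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


@dataclass
class Policy:
    """What the identity provider enforces (assumed shape, for illustration)."""
    require_mfa: bool = True
    accepted_factors: set = field(default_factory=lambda: {"biometric"})
    check_device: bool = True
    check_network: bool = True


def grade(policy: Policy) -> str:
    """Return the post's A-F efficacy grade for a policy."""
    if not policy.require_mfa or not policy.accepted_factors:
        return "F"
    # Letters sort A < B < ... < F, so max() picks the weakest accepted factor.
    weakest = max(FACTOR_GRADE.get(f, "F") for f in policy.accepted_factors)
    if weakest == "B" and policy.check_device and policy.check_network:
        return "A"  # biometric only, plus device and network conditions
    return weakest


def _version(text: str) -> tuple:
    # "13.4.1" -> (13, 4, 1); non-numeric parts count as 0 so comparison never raises.
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def device_posture_failures(device: dict) -> list:
    """Return the posture checks the device fails (empty list means compliant)."""
    failures = []
    floor = MIN_OS_VERSION.get(device.get("os"))
    if floor is None or _version(device.get("os_version", "0")) < floor:
        failures.append("os_outdated_or_unknown")
    if not device.get("edr_running"):
        failures.append("edr_not_running")
    if not device.get("mdm_enrolled"):
        failures.append("mdm_not_enrolled")
    return failures


def on_trusted_network(source_ip: str) -> bool:
    """True when the sign-in arrives from the ZTNA/CASB proxy egress ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(policy: Policy, event: dict) -> dict:
    """Apply a policy to one sign-in event; returns {'allow': bool, 'reasons': [...]}."""
    reasons = []
    factor = event.get("factor", "none")
    if policy.require_mfa and factor not in policy.accepted_factors:
        reasons.append(f"factor_not_accepted:{factor}")
    if policy.check_device:
        reasons += device_posture_failures(event.get("device", {}))
    if policy.check_network and not on_trusted_network(event.get("source_ip", "0.0.0.0")):
        reasons.append("untrusted_network")
    return {"allow": not reasons, "reasons": reasons}


# Two policies: the recommended grade-A configuration, and a common grade-C one
# that still accepts SMS/email codes and checks neither device nor network.
GRADE_A_POLICY = Policy()
GRADE_C_POLICY = Policy(accepted_factors={"biometric", "otp"}, check_device=False, check_network=False)

# Constructed sign-in events. The second is the same user on an unmanaged
# network, on a laptop whose EDR agent has been stopped, using an SMS code.
COMPLIANT_SIGNIN = {
    "factor": "biometric",
    "source_ip": "203.0.113.42",
    "device": {"os": "macos", "os_version": "14.1", "edr_running": True, "mdm_enrolled": True},
}
RISKY_SIGNIN = {
    "factor": "otp",
    "source_ip": "192.0.2.77",
    "device": {"os": "macos", "os_version": "13.4.1", "edr_running": False, "mdm_enrolled": True},
}

if __name__ == "__main__":
    for name, policy in (("grade-A policy", GRADE_A_POLICY), ("grade-C policy", GRADE_C_POLICY)):
        print(name, "->", grade(policy))
        for label, ev in (("compliant", COMPLIANT_SIGNIN), ("risky", RISKY_SIGNIN)):
            print("   ", label, evaluate(policy, ev))
```

Running it shows the practical difference between the two grades: the grade-A policy denies the risky sign-in with four separate reasons (unaccepted factor, outdated OS, EDR stopped, untrusted network), while the grade-C policy, which merely has "MFA enabled", lets the same event through.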