CloudXone Blog

Mauro Gris and Alexi Helligar
Microsoft Certified Systems Engineer (MCSE), practising for over 20 years. My focus is on strategic alignment between business goals and technology. The current president of Toronto-based technology service partner CloudXone has over 20 years of experience in the industry under his belt.

What Is the Deal With Passwords Vs. Passwordless Vs. Multi-Factor Authentication (MFA)?

Posted by Mauro Gris and Alexi Helligar on March 10, 2020 at 7:17 PM

Authentication

Passwords vs. “Passwordless” vs. Multi-Factor Authentication (MFA)

Passwords are an attractive target for attackers and are susceptible to a wide range of attacks: phishing, malware, social engineering, and credential stuffing. Research indicates that increasing password complexity can sometimes reduce security, because of the weakest link in the chain, the human factor. Many people cannot remember long or complex passwords, so they write them down or reuse the same one everywhere.

“Passwordless” authentication vs. MFA

As companies gradually awaken to the security dangers of relying on easily stolen and shared passwords, alternative authentication systems have taken the spotlight. Several methods do not involve a password at all: hardware tokens (an object or device the user possesses that proves their identity), and biometric sensing of a physical feature of the user, such as a fingerprint or facial features.

And while these methods each take a different approach to passwordless authentication, they have one thing in common: the server never holds a reusable secret that the user types and that an attacker could phish, steal from a database, or replay, the way a password is held. A biometric template stays on the user's device, and a hardware token holds a private key whose public counterpart is all the server stores. It is this crucial element that gives passwordless solutions their security advantage.

Passwords are one of three possible authentication factors. Authentication is generally accomplished by validating one or more of three types of factors:

  1. something you know (for example, a password);

  2. something you have (for example, a hardware token or smartphone); and

  3. something you are (for example, a fingerprint).

MFA employs two or more different types of authentication factor; a password need not be one of them. MFA has rapidly gained adoption as a method for increasing the assurance of authentication for consumer and enterprise web and mobile applications.

Regulatory bodies acknowledge the weaknesses and security threats associated with the storage and use of passwords. That is why they keep tightening the minimum requirements for passwords: length, how they are stored (hashed rather than encrypted or in the clear), and how they are checked. The older emphasis on composition rules and forced change cycles is now being walked back, since NIST's SP 800-63B advises against both, and in many cases regulators go further and require two-factor authentication.

For example, the National Institute of Standards and Technology (NIST), the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires MFA in many scenarios: its Digital Identity Guidelines (SP 800-63B) mandate it for every assurance level above the lowest, and financial regulators commonly require it of the institutions they supervise. Many web services (such as Google and Facebook) have adopted MFA in order to protect users.

MFA is certainly better than relying on a password alone, but eliminating passwords altogether would be better still. A password-plus-second-factor policy retains the inherent flaws of passwords: users must still memorize and safeguard secrets, so the risk of password reuse remains, and so do the costs of maintaining passwords. Researchers at Proofpoint have also documented attackers using stolen passwords to bypass the second factor altogether, for instance by authenticating over legacy mail protocols such as IMAP that never prompt for it. In many cases the second factor is just a "band-aid" that organizations apply to shore up their first line of defence, passwords, which keeps all of its weaknesses. That is a big, and potentially expensive, mistake.

Emerging passwordless standards and the increased availability of devices that support passwordless authentication methods are driving adoption. Biometrics have become increasingly popular as a "passwordless" method for stronger identification, but other options include hardware tokens, the phone as a token, FIDO (Fast IDentity Online) authenticators, and analytics based on passive behaviour.
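To make concrete the earlier point about what the server does and does not store, here is an added example (not code from the original post, and a simplification of FIDO2/WebAuthn rather than the standard itself) of public-key challenge-response in Go. The device keeps a P-256 private key that never leaves it; the relying party stores only the public key, issues a fresh random challenge per login, consumes the challenge on first use, and verifies a signature over that challenge bound to its own origin. The origin string, the user name "alice" and the `authenticator` and `relyingParty` types are this example's inventions; WebAuthn carries the same two values (challenge and origin) in clientDataJSON and additionally signs authenticator data, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// authenticator models the user's device (security key, phone, laptop TPM):
// the private key is generated here and never leaves it.
type authenticator struct {
	priv *ecdsa.PrivateKey
}

func newAuthenticator() (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

// assertionDigest is what gets signed: the server's one-time challenge bound to
// the origin the device believes it is talking to (a stand-in for WebAuthn's
// clientDataJSON, which carries the same two values).
func assertionDigest(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// sign answers a challenge. A lookalike site can collect this signature, but it
// carries the lookalike's origin and is therefore worthless against the real one.
func (a *authenticator) sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(challenge, origin))
}

// relyingParty models the server. It stores public keys only: a dump of this
// table gives an attacker nothing to log in with, unlike a table of password hashes.
type relyingParty struct {
	origin     string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func newRelyingParty(origin string) *relyingParty {
	return &relyingParty{origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// challenge issues 32 fresh random bytes for the user to sign.
func (rp *relyingParty) challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// verify checks the signature against the stored public key, the issued challenge
// and the server's own origin. The challenge is consumed before checking, so a
// replayed signature finds nothing to verify against.
func (rp *relyingParty) verify(user string, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.challenges, user)
	if !ecdsa.VerifyASN1(pub, assertionDigest(c, rp.origin), sig) {
		return errors.New("signature does not match challenge and origin")
	}
	return nil
}

func main() {
	auth, _ := newAuthenticator()
	rp := newRelyingParty("https://login.example.com") // hypothetical site
	rp.pubKeys["alice"] = &auth.priv.PublicKey       // registration: only the public key is kept

	c, _ := rp.challenge("alice")
	sig, _ := auth.sign(c, "https://login.example.com")
	fmt.Println("genuine login:", rp.verify("alice", sig))
	fmt.Println("replayed sig: ", rp.verify("alice", sig))

	c, _ = rp.challenge("alice")
	sig, _ = auth.sign(c, "https://login-example.com") // what a phishing page would obtain
	fmt.Println("phished sig:  ", rp.verify("alice", sig))
}
```

The three runs in `main` are the whole argument for passwordless in miniature: the genuine assertion verifies, the same bytes fail the second time because the challenge is gone, and an assertion harvested by a lookalike origin fails because the origin is part of what was signed.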


Benefits of passwordless authentication

    • User Experience: Passwordless authentication means no more user-memorized secrets, which streamlines the login process. Users no longer have to devise and remember a password for each of their accounts, nor type one in every time they log on.

    • Better Security: User-controlled passwords are a major vulnerability. Users reuse passwords and share them with others. Passwords, the biggest attack vector, are also exposed to credential stuffing, corporate account takeover (CATO), password spraying, brute-force attacks, and more.

    • Reduction in Total Cost of Ownership (TCO): Passwords are expensive. They need constant attention from IT staff, who handle resets, lockouts, and the systems that enforce rotation and complexity policies. According to industry research, password resets account for as much as half of all help desk calls, which places a tremendous burden on company IT. According to Forrester, the cost of a single password reset averages $70.

    • IT Gains Control and Visibility: Reuse and sharing are common problems in password-based authentication. With passwordless authentication, IT reclaims its purpose of having complete visibility over identity and access management. Without passwords, there is nothing to phish, share, or reuse. The user is no longer the wild card in an organization's access scheme.

Password management software

Because a world without passwords is still hard to imagine, how do we protect the ones we have?

A password manager is an application that stores and manages the passwords a user holds for their various online accounts. It helps users and administrators handle a large number of passwords and account details: it stores the login information for each account and enters it into login forms automatically. Because the password is never typed, keystroke logging captures nothing, and users no longer have to remember dozens of passwords.

The login information is encrypted and stored either locally on the user's device or in cloud storage. Password manager apps installed on mobile devices let users carry their passwords with them and use them on shared systems. The password database itself can be unlocked with MFA, including methods that do not involve a password at all.
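An added example (not part of the original post) of how such a vault is protected in practice: the entries are serialized, encrypted with AES-256-GCM under a key derived from the master password with PBKDF2-HMAC-SHA256, and the stored file carries only the salt, nonce and ciphertext. It also shows the exact-origin lookup that lets a manager autofill a genuine login page while offering nothing to a lookalike host. The origin, user name, master passphrase and iteration count are constructed for the example, and the hand-written PBKDF2 is there only because older Go standard libraries lack one; real code would use a library KDF, preferably scrypt or Argon2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// pbkdf2Key derives a 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018), written out because
// crypto/pbkdf2 only reached the Go standard library in 1.24; one SHA-256 output is one block.
func pbkdf2Key(master, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, master)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

type credential struct {
	Origin, Username, Password string
}

// vault is the stored form (disk or cloud sync): public salt, nonce, AES-256-GCM ciphertext.
type vault struct {
	Salt, Nonce, Ciphertext []byte
}

// Kept low so the example runs fast; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256.
const kdfIterations = 50000

func aead(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2Key([]byte(master), salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(master string, creds []credential) (*vault, error) {
	buf := make([]byte, 16+12) // 16-byte salt, 12-byte nonce (cipher.NewGCM's standard size)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	gcm, err := aead(master, salt)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(creds)
	if err != nil {
		return nil, err
	}
	return &vault{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// unseal fails on a wrong master password and on tampering alike: GCM's tag cannot tell them apart.
func unseal(master string, v *vault) ([]credential, error) {
	gcm, err := aead(master, v.Salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong master password or corrupted vault")
	}
	var creds []credential
	err = json.Unmarshal(plain, &creds)
	return creds, err
}

// lookup offers a credential only for an exact origin match, so a lookalike host gets nothing.
func lookup(creds []credential, origin string) (credential, bool) {
	for _, c := range creds {
		if c.Origin == origin {
			return c, true
		}
	}
	return credential{}, false
}

func main() {
	creds := []credential{{"https://accounts.example.com", "alice", "correct horse battery staple"}} // constructed
	v, _ := seal("a long master passphrase", creds)
	got, err := unseal("a long master passphrase", v)
	fmt.Println(len(got), "credential(s) recovered; err =", err)
}
```

Note what is absent from the `vault` struct: neither the master password nor the derived key is ever written, so a stolen vault file is only as weak as the KDF cost and the passphrase behind it, and the `lookup` function, not the user's eyes, decides which site is the real one.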


What You Need To Know About Email Security Best Practices For Your Business

Posted by Mauro Gris and Alexi Helligar on March 7, 2020 at 11:13 AM

Email Security

Business Email Compromise (BEC)

Enterprise email security is essential. A compromised email system can seriously damage business interests and reputation. Email is the most commonly used channel for targeted attacks on client endpoints. Safeguarding a company’s finances and privacy is not possible without securing enterprise email.

The modern large-scale migration of email to the cloud demands a strategic shift in how this communication channel is secured. Security and risk management leaders must adopt an approach of continuous adaptive risk and trust assessment to protect inboxes from increasingly sophisticated threats. Through 2023, business email compromise attacks will remain persistent and evasive, leading to large losses from financial fraud for enterprises, and to breaches of client privacy for healthcare and government organizations (Gartner, Fighting Phishing: 2020 Foresight).

BEC is an exploit in which an attacker gains access to, or convincingly imitates, a business email account and the identity of its owner in order to defraud the company and its customers or partners. It is a targeted form of what is known as "phishing" in Internet terminology. BEC takes a variety of forms and is typically carried out by transnational criminal organizations that employ hackers, social engineers, linguists, and lawyers. Often the attacker registers an account with an email address almost identical to one on the corporate network, relying on the trust the victim places in a familiar-looking sender. In most cases scammers focus their efforts on employees with access to company finances and trick them into transferring money to bank accounts they believe are trusted, when in reality the money ends up in accounts owned by the criminals.

BEC emails are currently a top concern for most enterprises. They often contain no links or attachments, the two most common red flags of malicious messages. They also exploit the power structures within companies, invoking the names of executives, customers, and even board members to pressure employees into transferring money or sharing sensitive information.

BEC: The numbers

Incidents of BEC attacks are rising, along with the global losses from these crimes. Here are recent BEC statistics issued by the U.S. FBI on September 10, 2019:

  • 95% of breaches begin with targeted phishing

  • Targeted attacks have a 90% success rate when sent to 10+ users

  • Over 166,349 victims in at least 131 countries, for an estimated $26B in losses (victims and losses counted from 2016 to 2019)

  • Which countries are most affected by BEC? (chart not reproduced here)

  • Which company positions are most faked in BEC? (chart not reproduced here)

  • Which company positions are most targeted in BEC? (chart not reproduced here)

Specific Types of BEC

The U.S. FBI identifies five major types of BEC scam:

  • Data Theft: HR and bookkeeping employees will be targeted in order to obtain sensitive or personal information about the employees or executives. This data can be very helpful for future attacks.

  • Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

  • C-level Fraud: Attackers act the part of the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.

  • Attorney Impersonation: An attacker will impersonate a lawyer or other representative from the law firm responsible for sensitive matters.

  • False Invoice: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.

These attacks often arrive by email or phone near the end of the business day, and the victims are typically junior employees who lack the knowledge or authority to question the validity of the request.


How BEC exploits work in detail

In a BEC exploit, the attacker uses a set of tactics to trick their victims. A common plan involves the attacker gaining access to a business network using what is known as a “spear-phishing” attack in conjunction with malicious software (malware):

  • Spoofing email accounts and websites: Slight variations on legitimate addresses (john.kelly@abccompany.com vs. john.kelley@abccompany.com) fool victims into thinking fake accounts are authentic.

  • Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC criminals.

  • Malware: Used to infiltrate networks and gain access to internal data and systems, in particular to read legitimate email about the company's finances. That knowledge is then used to avoid raising a financial officer's suspicions when a falsified wire transfer is submitted. Malware also gives the criminals access to the victim's sensitive data.

If the attacker stays undetected, they can spend time studying all facets of the organization, from billing systems, to vendors, to the correspondence habits of employees and executives.

As mentioned, the attacker typically assumes the identity of someone on the corporate network to trick the target or targets into sending money to the attacker's account. The most common victims of BEC are companies that routinely use wire transfers to pay international clients.

At an appropriate time, usually when the employee being impersonated is out of the office, the attacker sends a bogus email to an employee in the finance department or to the purchasing officer. It requests an immediate wire transfer, usually to a trusted vendor. The targeted employee believes the money is going to the expected account, but the account numbers have been altered slightly, and the transfer actually lands in an account controlled by the criminal group.

If the fraud is not spotted quickly, the funds are often close to impossible to recover, because the criminals use any number of laundering techniques to move them on into other accounts.


Defenses Against BEC

    • Email Rules: flag messages whose Reply-To address differs from the From address shown to the reader.

    • Intrusion Detection System Rules: flag email from sender domains that resemble but do not match the company's own. For example, with a legitimate domain of xyz_business.com, mail from xyz-business.com would be flagged.

    • Color Coding: display correspondence so that e-mails from employee/internal accounts appear in one color and e-mails from non-employee/external accounts in another.

    • Payment Verification: require a second, out-of-band confirmation before any payment instruction is acted on, in the same spirit as two-factor authentication.

    • Confirmation Requests: confirm fund transfers through a separate channel such as a phone call, as part of a two-factor scheme, and use numbers from the company directory, never numbers supplied in the email itself.

    • Careful Scrutiny: examine all e-mail requests for transfers of funds to determine whether the request is out of the ordinary.

    • CloudXone security auditing and security support services.
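The first three rules in that list, together with the lookalike-address trick from the john.kelly/john.kelley example earlier in the post, are mechanical enough to check in code. The program below is an added example written for this page (not CloudXone's tooling): it parses raw RFC 5322 messages with Go's net/mail package, flags a Reply-To that differs from From, a sender domain within one edit of the corporate domain, and a sender address within one edit of a known colleague's, and tags anything from another domain as external. The corporate domain, the two-entry staff directory and the three sample messages are constructed for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed tenant data: the corporate domain from the post's john.kelly@abccompany.com example.
const corpDomain = "abccompany.com"

var directory = []string{"john.kelly@abccompany.com", "ap@abccompany.com"} // constructed staff list

// levenshtein is the edit distance (insertions, deletions, substitutions) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j] + 1 // delete ra[i-1]
			if cur[j-1]+1 < best {
				best = cur[j-1] + 1 // insert rb[j-1]
			}
			sub := prev[j-1] // substitute, free when the runes already match
			if ra[i-1] != rb[j-1] {
				sub++
			}
			if sub < best {
				best = sub
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// inspect applies the header rules from the list above to one raw message and returns
// every finding; an empty result means nothing fired.
func inspect(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	fromAddr := strings.ToLower(from.Address)
	fromDomain := fromAddr[strings.LastIndex(fromAddr, "@")+1:]
	var findings []string
	// Email Rules: a Reply-To steering replies away from the visible From address.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		replyTo, err := mail.ParseAddress(rt)
		if err != nil {
			return nil, err
		}
		if !strings.EqualFold(replyTo.Address, fromAddr) {
			findings = append(findings, "Reply-To "+replyTo.Address+" differs from From "+fromAddr)
		}
	}
	// IDS Rules: a sender domain one edit away from ours (xyz-business.com for xyz_business.com).
	if fromDomain != corpDomain && levenshtein(fromDomain, corpDomain) <= 1 {
		findings = append(findings, "lookalike domain: "+fromDomain)
	}
	// Spoofed accounts: an address one edit away from a real colleague's (kelley vs kelly).
	for _, known := range directory {
		if fromAddr != known && levenshtein(fromAddr, known) <= 1 {
			findings = append(findings, "lookalike address "+fromAddr+" (resembles "+known+")")
		}
	}
	// Color Coding: anything not from our own domain carries the external tag.
	if fromDomain != corpDomain {
		findings = append(findings, "EXTERNAL sender: "+fromAddr)
	}
	return findings, nil
}

// Constructed sample messages; a blank line separates the headers from the body.
const genuineMail = "From: \"John Kelly\" <john.kelly@abccompany.com>\r\nTo: ap@abccompany.com\r\nSubject: Q1 invoice\r\n\r\nAttached.\r\n"
const spoofedMail = "From: \"John Kelly\" <john.kelley@abccompany.com>\r\nReply-To: <john.kelly@abc-company.com>\r\nTo: ap@abccompany.com\r\nSubject: URGENT wire before 5pm\r\n\r\nPay the attached invoice today.\r\n"
const lookalikeMail = "From: \"John Kelly\" <john.kelly@abc-company.com>\r\nTo: ap@abccompany.com\r\nSubject: New bank details\r\n\r\nPlease update our account before the next payment.\r\n"

func main() {
	for _, raw := range []string{genuineMail, spoofedMail, lookalikeMail} {
		findings, err := inspect(raw)
		fmt.Println(len(findings), "finding(s):", findings, err)
	}
}
```

The edit-distance threshold of one is deliberately tight: it catches the single-character swaps BEC relies on (a dropped letter, a hyphen for an underscore, .co for .com) without drowning the finance team in alerts for every unrelated external sender, which is what the plain "EXTERNAL" tag is for. In a mail gateway the same logic would run over SMTP-time headers, and the directory would come from the identity provider rather than a constant.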


CloudXone is at the intersection of your office and the Internet.

The Future is Friendly, So Are We!

CloudXone is an established, Toronto-based business technology consulting and service provider. Our client-first philosophy ensures the technology we put in place for you will be tailored for your use and will fit perfectly into your day-to-day operations.
