Phishing remains hackers' favorite


Phishing remains hackers' favorite: it is time to finally put a stop to one of the oldest hacking tricks. Phishing is one of the oldest tricks in the cybercriminal arsenal. With this tactic, employees can unwittingly become accomplices in a major cyber attack with just one click.

With the pandemic putting additional strain on employees, attackers are exploiting the crisis with a flood of coronavirus-related phishing campaigns. The consequences for businesses can be devastating, especially when cybercriminals obtain legitimate credentials through phishing attacks. Forrester estimates that 80 percent of security breaches are related to compromised privileged credentials.

When phishing succeeds

If an attacker gains access to a privileged account, they have more or less control of the entire network. They can then operate unnoticed and, for example, exfiltrate sensitive data sets. It is therefore not surprising that an overwhelming number of attackers now use phishing to gain access to API keys, AWS Identity & Access Management credentials or IP addresses, for example. To protect themselves against these attacks, companies should take a two-part approach that combines employee training with technology.

Phishing-resistant corporate culture

Almost 38 percent of users who do not complete cyber awareness training fail phishing tests. Security awareness training for end users is therefore crucial to stopping phishing attacks. Employees, especially those with privileged access such as IT and network administrators and members of management, must be aware that they can become the target of attackers at any time. Basic training should include the following guidance for employees:

  • Carefully check the sender address for mixed-up letters or other slight deviations intended to deceive the recipient.
  • Avoid clicking on links if possible. Instead, check the authenticity of the corresponding website via the browser.
  • Check for spelling and grammatical errors as well as unusual wording.

After the theoretical training, companies should reinforce their employees' knowledge in practice with simulated phishing attacks in order to test and strengthen safe user behavior.

Build a layered defense strategy

Even the best-trained employee can fall victim to a phishing campaign. Therefore, companies should adopt a defense-in-depth strategy that focuses on protecting identities and their access permissions in order to harden their security perimeter. This strategy should include the following measures:

Multi-factor authentication (MFA)

Özkan Topal, Sales Director at Centrify

MFA is still one of the most reliable options for extending an organization's existing access controls. Supplementing or replacing username and password with MFA represents a massive hurdle for attackers and reduces the compromise rate to almost zero. Based on research conducted by Microsoft, using MFA reduces the likelihood of an account being compromised by more than 99.9 percent.

In addition, a growing number of government regulations and industry standards such as PCI DSS (Payment Card Industry Data Security Standard) now require the use of MFA. Companies that include MFA in their security strategy now can avoid being fined later for lack of compliance.

Safe telework

In the past, remote workers, outsourced IT departments, and partners have relied on virtual private networks (VPNs) to keep them safe. However, if a hacker breaks into a VPN, they then have access to the entire network. Attackers can smuggle malware into the remote system and simply pretend to be a legitimate user whose credentials they obtained via a phishing campaign.

Proxy-based technologies are a safer alternative to VPNs. These technologies enable privileged internal IT administrators to access the necessary infrastructure. They also limit the access of outsourced teams or remote workers to only the servers and hardware their role requires, thus preventing lateral attacks.

Implementation of Least Privilege

For IT administrators, least privilege access, with privileged access authorizations granted only as required and for a limited time, is a best practice. Giving administrators only the privileges they need to perform a specific task, for a controlled amount of time, closes a hacker's attack window at a specific point in time and drastically reduces the likelihood of security incidents.

With the pandemic and increased remote work in mind, it's more important than ever for companies to take the right steps to combat phishing. With security training against phishing campaigns and the protection of the perimeter with MFA, proxy-based technologies and least privilege, companies can significantly reduce the risk of falling victim to a data breach.

About Centrify

Centrify offers modern Privileged Access Management (PAM) solutions based on Zero Trust principles to enable digital transformation on a large scale. Centrify provides modern Least Privilege Access for human and machine identities based on the verification of who is requesting access, the context of the access request and the risk of the access environment. Centrify centralizes and orchestrates fragmented identities, improves audit and compliance transparency and reduces risks, complexity and costs for modern, hybrid companies. More than half of the Fortune 100 trust Centrify, including the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Whether human or machine, in the cloud or on site - with Centrify, privileged access is secure.

 


 
