Couldn’t attend Transform 2022? View all summit sessions in our on-demand library now! Watch here.
Few techniques are as popular among cybercriminals as social engineering. Research shows that IT staff receive an average of 40 targeted phishing attacks per year, and many organizations struggle to intercept them before it’s too late.
Just yesterday, Uber joined the long list of companies defeated by social engineering after an attacker managed to gain access to the organization’s internal IT systems, email dashboard, Slack server, endpoints, Windows domain and in the Amazon Web Services console.
The New York Times [subscription required] reported that an 18-year-old hacker sent an SMS message to an Uber employee posing as support staff to trick him into giving him his password. The hacker then used this to take control of the person’s Slack account, before later gaining access to other critical systems.
The data breach sheds light on the effectiveness of social engineering techniques and suggests that businesses should re-evaluate their reliance on multi-factor authentication (MFA) to secure their employees’ online accounts.
MetaBeat will bring together thought leaders to provide guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, California.
Social engineering: the low-barrier way
In many ways, the Uber data breach further illustrates the problem of password-based authentication for controlling access to online accounts. Passwords are easy to steal with brute force hacks and social engineering scams and provide a convenient entry point for attackers to exploit.
At the same time, no matter how good a company’s defenses are, if it relies on passwords to secure online accounts, it only takes one employee to share their login credentials for a breach to take place.
“Uber is the latest in a series of victims of social engineering attacks. Employees are only human and eventually mistakes will be made with dire consequences,” said Arti Raman, CEO and founder of Titaniam. “As this incident demonstrated, despite security protocols in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share it with the world.”
While measures such as enabling multi-factor authentication can help reduce the likelihood of account takeover attempts, they will not completely prevent them.
Review account security
In general, user awareness is an organization’s best defense against social engineering threats. Using security awareness training to teach employees how to detect manipulation attempts in the form of phishing or SMS messages can reduce the likelihood of them being tricked into handing over sensitive information.
“General cyber security awareness training, penetration testing and anti-phishing training are strong deterrents to such attacks,” said Neil Jones, director of cyber evangelism at Egnyte.
Organizations simply cannot afford to make the mistake of thinking that multi-factor authentication is enough to prevent unauthorized access to online accounts. Instead, company leaders must assess the level of risk based on the authentication options supported by the account provider and implement additional controls accordingly.
“Not all MFA agents are created equal. Factors like nudging, one-time passwords (OTPs) and voice calls are more vulnerable and easier to bypass through social engineering,” said Josh Yavor, CISO at Tessian.
Rather than relying on them, Yavor recommends implementing security key technology based on modern MFA protocols, such as FIDO2, that have phishing resistance built into their designs. These can then be augmented with secure access controls to enforce device-based requirements before granting users access to online resources.
VentureBeat’s mission is set to be a digital town square for technical decision makers to learn about and transact business-transformative technology. Discover our Updates.