For organisations that publish services (email/web portals/VPNs or suchlike) to the internet the first line of defence against Threat Actors is commonly their perimeter firewall.

Combined with inbound decryption of traffic, security features can be enabled on that firewall that prevent attacks. However, as organisations adopt SaaS services, administrators have found that new protections are required to prevent cyber-attacks.

Service providers who handle sensitive data, like Microsoft 365 and Salesforce, give administrators the option to restrict access to known source addresses only. This simple and effective method ensured that employees inside the office could access their data securely. However, with COVID-19 upon us and not all organisations being able to support their employees with a ‘full tunnel’ VPN, this traditional approach is no longer viable, as their users are now logging in from potentially any source IP.

It’s now time to afford the same level of protections to your users’ accounts as you would your internal services published to the internet.

The threat – Your Data is FOR SALE!

We all know that password reuse is rife, phishing attacks are still commonplace and I bet you that there are people within your business that still use something like Password1! (I bet I can also guess their level of seniority within the business!!).

In password reuse attacks (otherwise known as Credential Stuffing) a database of perhaps weakly secured passwords is obtained by the Threat Actors, who in turn have all the time they need to recover the passwords it contains. Once successful, this data is typically sold as a commodity allowing others to compromise these accounts, while your more sophisticated attacker will look to compromise other services (perhaps including domain logins) which share the same credentials.

It’s likely that you’ve seen a phishing attack in the past (you might even have bought a service to allow simulated attacks), so you’ll know the deal – an email asking you to ‘confirm’ your details or other such nonsense takes advantage of an untrained eye.

Low and slow password spraying attacks exploit the repetitive use of some passwords, for example qwerty1234 or password1. By trying only a select few (common) passwords against a large number of user accounts, and only a few at a time, a Threat Actor will eventually get a valid hit. While the account they access may have only low privileges, it still opens up the possibility for further attacks using privilege escalation or by pivoting inside a network.

Q:  What Should You be Doing About It? A:  Multi Factor Authentication!

To mitigate the threat posed by these attacks, MFA in the form of a push notification response, one-time passcode, email, text or even hardware key ensures that only the owner of the account (who has access to the mobile phone/key) can actually use the account.

Many will remember the physical key-fob tokens of old and having to support RADIUS servers with obscure configurations, but just as with everything else in IT, the times have moved on. Authentication through standards like SAML (Security Assertion Markup Language) allows a consistent user experience when signing in across a range of services with a common web portal. At time of login the web portal can also present the MFA challenge; commonly this is push notification based, where the user has installed an app on their mobile phone and, by simply unlocking their device and pressing accept, completes the MFA process. Fallback methods also exist to provide additional flexibility when needed, and support for legacy services (commonly VPNs) via a lightweight, cloud managed RADIUS proxy ensures that every service you might want to integrate can be included.

Multi Factor Authentication is our near universal cure to the problem with Microsoft citing that it can prevent 99.9% of account-based attacks. Password reuse may continue to exist but there’s no way for a user to share their one-time (and the key is in the name) passcode between services, while phishing and password spraying attacks are stopped cold as Threat Actors hit the MFA prompt.

Taking it to the next level

As mentioned in our previous blog post, the Cyber Essentials programme from the NCSC places strong emphasis on how credentials are managed, in particular how passwords are changed if they are believed to be compromised. MFA can play its part here in blocking attempts to compromise credentials, while the modern authentication back ends of MFA providers identify abnormal behaviour from a user’s account. Perhaps a login has been detected from a previously unseen location – it passed the initial username/password check but did not complete the MFA challenge. With this extra visibility in hand, the user’s password can be changed and perhaps even the initial compromise detected and prevented in the future (see Microsoft on preventing 99.9% of identity-based attacks).
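As an added illustration (not code from the original post or from any MFA provider), here is a small detector run over constructed sign-in events: it picks out the low-and-slow spraying pattern described earlier (one source, many accounts, only a couple of attempts each) and the "password accepted but MFA never completed" signal this paragraph describes. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (assumed simplified format, not from any product):
# timestamp source_ip user result   where result is FAIL, PASS_NO_MFA or PASS_MFA
LOG = """\
2024-03-01T08:00:00 203.0.113.7 alice FAIL
2024-03-01T08:05:00 203.0.113.7 bob FAIL
2024-03-01T08:10:00 203.0.113.7 carol FAIL
2024-03-01T08:15:00 203.0.113.7 dave FAIL
2024-03-01T08:20:00 203.0.113.7 erin FAIL
2024-03-01T08:25:00 203.0.113.7 frank PASS_NO_MFA
2024-03-01T08:30:00 198.51.100.4 alice FAIL
2024-03-01T08:31:00 198.51.100.4 alice FAIL
2024-03-01T08:32:00 198.51.100.4 alice PASS_MFA
"""

def parse(log):
    """Return a list of (datetime, ip, user, result) from the constructed format."""
    rows = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        rows.append((datetime.fromisoformat(ts), ip, user, result))
    return rows

def spray_sources(rows, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Low-and-slow spraying: one source touches many distinct accounts inside the
    window with only a few attempts each. Repeated attempts against a single
    account (198.51.100.4 above) are a different pattern and are not matched."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in rows:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                users[user] += 1
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                hits[ip] = sorted(users)
                break
    return hits

def password_ok_mfa_incomplete(rows):
    """Accounts where the password was accepted but the MFA step was never
    completed: the credential is likely known to someone other than the user."""
    return sorted({(ip, user) for _, ip, user, r in rows if r == "PASS_NO_MFA"})
```

Both results are the kind of signal the paragraph refers to: the sprayed accounts get a forced password change, and frank's credential is treated as compromised even though MFA held.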

As a business we are committed to providing help, guidance and support to our customers, particularly those on the front line and in critical industries.  We want to do our part to help, so if you have questions, want to chat some things through, you know where we are.
