IT security can be a painful process: there are a huge number of variables involved, and every business has its own topology to navigate. It is a necessary undertaking, however. Ransomware and phishing attacks are now commonplace, and many organisations have experienced at least some business disruption this year because of them.
COVID-19 has forced many business owners to implement remote access infrastructure, and with many people forecast to keep working from home for the foreseeable future, most networks now have a larger attack surface to defend.
Small and medium-sized businesses still have plenty of options to make things much more difficult for attackers. A firewall controls what can reach the business network from outside, antivirus software scans files and network activity for known malware behaviour, and modern backup solutions enable data restoration and disaster recovery should the worst happen.
A spam filtering service will reduce the amount of potentially malicious email your people have to deal with, but there is always a trade-off between security and usability. Even with the most aggressive filters, some malicious email will get through. That is where user awareness training comes in: regular training greatly reduces the chance that a user clicks a link or enters a password where they should not, although it never reduces that chance to zero, which is why the technical controls described below still matter.
With so many businesses now on Office 365, email security is a major concern. Email is the most common delivery vector for phishing and malware, and remains one of the biggest sources of compromise for businesses. A credential phishing attack against Office 365 usually follows a fairly standard process, which looks like this:
1. A user receives a plausible-looking email containing a link.
2. The link opens a fake login page, typically a copy of the Microsoft sign-in page, which prompts the user to enter their credentials.
3. The attackers collect the credentials and use them to sign in to the user's Office 365 account.
4. The attackers create inbox rules (or, if the account has admin rights, mail flow rules) that delete or hide bounce messages and replies, so the user does not notice what happens next.
5. The phishing email is sent from the compromised mailbox to everyone in the user's contacts, and the cycle continues with the next victim.
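Step 4 leaves a trace that an administrator can hunt for: rules that delete or file away "undeliverable" and "hacked" messages, or that forward mail outside the organisation. The following is an added example for this article, not code from the original page. It runs the checks over constructed sample rule records whose field names mirror the properties returned by Exchange Online's Get-InboxRule cmdlet (recipient fields are simplified to plain addresses); INTERNAL_DOMAINS is an assumption for the example tenant.

```python
"""Hunt for the inbox rules attackers create after a phishing compromise:
rules that delete or file away bounce messages and replies, or that forward
mail to an outside address.

Added example for this article, not code from the original page. The rule
records are constructed sample data; their field names mirror the properties
Exchange Online's Get-InboxRule cmdlet returns, with recipient fields
simplified to plain addresses. INTERNAL_DOMAINS is an assumption.
"""
import json

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the tenant's own domains

# Subject/body words a phisher matches on to suppress evidence of a mass mailing.
SUSPICIOUS_WORDS = {"undeliverable", "delivery status", "delivery failure",
                    "mail delivery", "returned mail", "phishing", "hacked",
                    "suspicious", "password"}
# Folders users rarely open; a common hiding place for incoming mail.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}

# Constructed sample export: one benign rule and three that fit the pattern.
SAMPLE_RULES_JSON = """[
  {"MailboxOwnerId": "alice@contoso.com", "Name": "Receipts", "Enabled": true,
   "SubjectContainsWords": ["Invoice"], "MoveToFolder": "Finance",
   "DeleteMessage": false, "ForwardTo": [], "RedirectTo": [], "MarkAsRead": false},
  {"MailboxOwnerId": "bob@contoso.com", "Name": ".", "Enabled": true,
   "SubjectOrBodyContainsWords": ["undeliverable", "hacked", "phishing"],
   "MoveToFolder": "RSS Subscriptions", "DeleteMessage": false,
   "ForwardTo": [], "RedirectTo": [], "MarkAsRead": true},
  {"MailboxOwnerId": "carol@contoso.com", "Name": "Forward", "Enabled": true,
   "SubjectContainsWords": [], "MoveToFolder": null, "DeleteMessage": false,
   "ForwardTo": ["payments@mail-contoso-invoices.xyz"], "RedirectTo": [],
   "MarkAsRead": false},
  {"MailboxOwnerId": "dave@contoso.com", "Name": "cleanup", "Enabled": false,
   "SubjectContainsWords": ["Delivery Status Notification"], "MoveToFolder": null,
   "DeleteMessage": true, "ForwardTo": [], "RedirectTo": [], "MarkAsRead": false}
]"""
SAMPLE_RULES = json.loads(SAMPLE_RULES_JSON)


def _words(rule, key):
    return [w.lower() for w in (rule.get(key) or [])]


def _external(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in (addresses or [])
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def rule_findings(rule):
    """Reasons a single rule looks like post-compromise tampering ([] if none)."""
    findings = []
    words = (_words(rule, "SubjectContainsWords")
             + _words(rule, "SubjectOrBodyContainsWords")
             + _words(rule, "BodyContainsWords"))
    hits = sorted({w for w in words if any(s in w for s in SUSPICIOUS_WORDS)})
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    if hits and hides:
        findings.append(f"hides mail matching {hits}")
    external = (_external(rule.get("ForwardTo"))
                + _external(rule.get("RedirectTo"))
                + _external(rule.get("ForwardAsAttachmentTo")))
    if external:
        findings.append(f"forwards to external {external}")
    if len(rule.get("Name") or "") <= 2:  # ".", "a", "" are classic attacker names
        findings.append("near-empty rule name")
    return findings


def audit_rules(rules_json):
    """Map 'mailbox / rule name' to its findings, for every rule that has any.
    Disabled rules are still reported: attackers park rules and re-enable them."""
    report = {}
    for rule in json.loads(rules_json):
        findings = rule_findings(rule)
        if findings:
            if not rule.get("Enabled", True):
                findings.append("rule currently disabled")
            report[f"{rule['MailboxOwnerId']} / {rule.get('Name')!r}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES_JSON).items():
        print(key)
        for finding in findings:
            print("   -", finding)
```

In a real tenant the input comes from Exchange Online PowerShell: loop over Get-Mailbox -ResultSize Unlimited, call Get-InboxRule -Mailbox for each, and export with ConvertTo-Json; the same word and folder checks apply to Get-TransportRule output for tenant-wide mail flow rules. Rule creation is also recorded in the unified audit log (New-InboxRule and Set-InboxRule operations), which is the faster route once you know which account was compromised.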
The simplest way to stop an Office 365 account from being compromised by a phished or otherwise stolen password is to enable Multi-Factor Authentication (MFA). MFA has been common in banking and finance for some time, and most people will be familiar with it. It is applied at the account level, so it is active whether you access your data via a browser, a mobile device or a mail client, and it protects the account with a second authentication step tied to a verified mobile device. (One caveat: older mail clients that use basic authentication for IMAP, POP or SMTP never see the second step, so legacy authentication should be disabled in the tenant at the same time.) The second step can take several forms: an incoming call, an SMS, or an authenticator app that either generates a time-based code to be typed in as part of sign-in or shows an "Is this you?" prompt on the phone.
There are pros and cons to all of these methods. SMS and call-based authentication are the weakest, since codes can be intercepted or the phone number taken over, but they need nothing installed; app-based authentication requires employees to install an app, which can result in pushback from users. Approval via an app prompt, while the most convenient, can be approved by mistake if users are not paying attention, and attackers exploit exactly that by sending repeated prompts until a tired user taps "Approve". Where the app supports it (Microsoft Authenticator does), enable number matching, which makes the user type a number shown on the sign-in screen instead of just tapping. The result, whichever method you choose, is that a stolen password on its own no longer gets an attacker into the account. An attacker who proxies the real sign-in page in real time can still capture a code or a prompt approval, so for the highest-value accounts consider a phishing-resistant method such as a FIDO2 security key.
MFA can also be applied to Windows logins. Many businesses run Remote Desktop Services, where applications hosted inside the business network are reached from remote machines over the internet. Remote Desktop authenticates against Windows Active Directory over an encrypted connection, but if the credentials are phished, attackers gain access to everything on the network that the user's credentials entitle them to, and a ransomware attack with guaranteed business downtime is a common outcome at the bare minimum.
MFA provides a robust, easily implemented way to mitigate the risk of compromise on inbound connections, and should be applied wherever possible.
If you would like to learn more about implementing MFA for your business, contact us and let’s have a conversation about the possibilities.