Watch for social engineering and spear phishing, bypassing MFA, targeting MSPs, and compromising cloud environments to emerge as areas of vulnerability.
In 2022 we saw threat actors accelerating the use of techniques that gained traction in, among them MFA bypass and exploitation of MFA fatigue. Reorienting the way you train employees around this type of evolved risk, explaining “we know this is burdensome but here’s why it’s important,” may be helpful.
We advise organisations to adjust to make MFA solutions more secure. For example, for some MFA solutions, the default validity duration for a session token can be reduced from 30 days to 12 hours, limiting the lifespan of a successful attack. The session can be tied to one device (ideally an enrolled device). Additionally, hardware tokens implementing FIDO2 seem to be the most resilient to MFA session theft.
With 45% of incidents now cloud-based according to some estimates, we will also see more compromise of cloud environments in 2023. Organisations can’t simply assume their cloud services provider is handling their cloud environment securely. Minimum security requirements should be established, used when vetting MSPs, and included in contracts.
Furthermore, to avoid billing surprises, it’s advisable to set alerts for budget thresholds, and for when unexpected resources are launched or over-utilized. This allows organisations to quickly detect when their cloud environment is compromised or abused.
Technology IS keeping up with the threat landscape, but following up with all new security features and new security patches can be challenging, especially when IT security resources are tight. To assist, CIS Benchmarks are good best practices for technologies that you can impose on your MSP.
Ryan Stanley
Cyber Services Manager, Chicago, IL
We’ve recently witnessed different ways to bypass MFA. Here’s one example of how this attack is being executed:
La información contenida en este sitio web pretende ser información general sobre gestión de riesgos. Beazley no presta servicios o asesoramiento jurídico ninguno con dicha información. No debe interpretarse como asesoramiento jurídico y no pretende sustituir la consulta con un abogado o experto jurídico. Aunque se ha tenido un cuidado razonable en la preparación de la información expuesta en esta comunicación, Beazley no acepta responsabilidad alguna por los errores que pueda contener ni por las pérdidas presuntamente atribuibles a esta información. Los productos y servicios no relacionados con seguros son proporcionados por filiales de Beazley que no son compañías de seguros y por terceros independientes. Pueden aplicarse términos y condiciones independientes.
Technology IS keeping up with the threat landscape, but following up with all new security features and new security patches can be challenging, especially when IT security resources are tight. To assist, CIS Benchmarks are good best practices for technologies that you can impose on your MSP.
