Avoid Becoming the Next Breach Victim
Phishing Attacks: How You Can Avoid Breaches From Happening
Over the course of the last few years there have been many breaches at top companies. Breaches can never be fully avoided, because vulnerabilities and attacks in cybersecurity keep evolving.
There has, however, been one common theme in these: phishing or social engineering. Through some form of social engineering, the credentials of an employee (typically one with a lot of access) are obtained and become the attacker's entry point.
The thing is, this breed of attack can be prevented with security controls.
Through two-factor authentication (2FA), and specifically the right form of 2FA, accounts can be protected from this class of attack.
Breaches That Could Have Been Avoided
Just to name a few that have suffered at the hands of this class of attack:
GoDaddy
Marriott
Twilio
Twitter
Although several factors contributed in each case, the absence of a strong form of 2FA let the damage spread through the compromised accounts in each of these breaches. At the very least, a mitigation would have been in place; at best, the entire breach could have been avoided.
These are some of many real-world examples of why security keys using Universal 2nd Factor (U2F) are currently the only way to fully secure your account. This is due to the way U2F works: it is built on public and private keys and ensures that only the legitimate website can be logged into. Essentially, it is phish-proof.
See below for an overview of the login process with FIDO U2F
Here you can only authenticate to the real “site.com”; any look-alike phishing page fails at login. The attack surface this removes is significant.
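The origin binding described above, modelled in Go as an added example (not code from the original post): the key signs only for the origin the browser reports, and the site checks that the signed origin is its own. The origins, the fixed challenge and the single-hash digest are constructed simplifications of the real U2F message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// clientData is what the browser hands to the key and returns to the
// site: the server's challenge plus the origin the page was loaded from.
type clientData struct{ Challenge, Origin string }
// digest stands in for U2F's hashed app ID and client data (simplified):
// it commits the signature to the origin as well as the challenge.
func digest(cd clientData) []byte {
	d := sha256.Sum256([]byte(cd.Origin + "\n" + cd.Challenge))
	return d[:]
}

// authenticator models a security key with one key pair per origin.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func (a *authenticator) register(origin string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[origin] = k
	return &k.PublicKey
}
// sign refuses when the browser-reported origin has no registered key
// (the U2F app-ID check); a look-alike domain never gets a signature.
func (a *authenticator) sign(cd clientData) ([]byte, bool) {
	k, ok := a.keys[cd.Origin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest(cd))
	return sig, err == nil
}

// verify is the real site's check: valid signature AND the signed origin
// is its own, so a challenge relayed via a phishing page fails even if signed.
func verify(pub *ecdsa.PublicKey, site, chal string, cd clientData, sig []byte) bool {
	return cd.Origin == site && cd.Challenge == chal && ecdsa.VerifyASN1(pub, digest(cd), sig)
}
// login runs one authentication with the user's browser on pageOrigin.
func login(key *authenticator, pub *ecdsa.PublicKey, site, pageOrigin string) bool {
	chal := "constructed-challenge-1" // a real site issues a fresh random value
	cd := clientData{Challenge: chal, Origin: pageOrigin}
	sig, ok := key.sign(cd)
	return ok && verify(pub, site, chal, cd, sig)
}
```

Registering for "https://site.com" and then calling login with the browser on a look-alike origin returns false, while the genuine origin returns true.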
Forms of 2FA
The technical details will be discussed in a future post. For now, just know that this is the most secure form of second-factor authentication.
The choices of second factor, in order of strength:
SMS codes (worst)
Authenticator app (better)
Biometrics (better)
Security keys (best)
Some examples of U2F in practice are YubiKeys, Touch ID (macOS) and Windows Hello.
On the mobile side, iOS and Google have also come out with options for using security keys. With adoption, this will phase out the use of passwords.
For more details on each of these, see the official documentation below:
https://support.apple.com/guide/mac-help/use-security-keys-mchld6920426/mac
Thank you for reading, and stay tuned for next week's post!