How To Mitigate The Risk Of Identity-based Cyberattacks As Digital Lives Merge

This article was written by guest contributor Chris Henderson, who runs threat operations and internal security at Huntress.

MSPs need to rethink risk assessment and how to protect against identity-based cyberattacks. That’s because the digital separation of our private and professional lives continues to blur.

Take LinkedIn, for example. For many, LinkedIn is a fully private digital footprint, used to make professional advancements through networking. However, for sellers, LinkedIn is a tool used to ensure their paycheck is full. This convergence of the employee’s personal and professional digital life is making threat modeling more difficult for MSPs.

Here’s a breakdown of the risk, and how to mitigate it.

Risks Of A Private Breach

Earlier this summer, cloud storage firm Snowflake was in the headlines due to a number of high-profile breaches whose root cause was the lack of multifactor authentication (MFA) on administrative accounts. The lack of secure default configurations led to breaches of Ticketmaster, AT&T, Advanced Auto Parts, Santander Bank, and Neiman Marcus Group.

One of the names on the list of impacted Snowflake users (AT&T) should give MSPs pause, however. How many of you have set up SMS-based MFA using your personal cell phone? Outside of tightly regulated environments, the use of personal cell phones for work purposes is becoming more and more common. This significantly heightens the business risk of breaches that would otherwise seem to be minor incidents.

To keep private breaches from impacting your MSP business or your clients, you need to think through the risks that a breach of someone’s personal or private identity will cause. The majority of the risk results from an increased likelihood that your employees or your customers’ employees may have their personal identity compromised. If an attacker can impersonate either your own employee or your customer’s, how will they use that to their advantage?

An attacker able to impersonate your employee or client may use that to target your helpdesk and gain access to their account. We saw this type of attack target MGM. The attacker called into the helpdesk, impersonated an employee, and gained access to an administrative account.

Two Ways To Minimize Identity-based Risk

There are two primary ways to address this risk. The first option is to establish procedures that require video confirmation from your clients’ end users. Get the requester on video and verify their identity. This allows your helpdesk staff to verify that the employee is actually the one requesting a password reset, for example. In situations where your helpdesk is unfamiliar with the employees, establish a procedure that involves the requester’s manager as a default participant.

Alternatively, you can utilize MFA and require the user to accept a push notification prior to performing the requested reset (assuming you are not utilizing SMS-based MFA). This verifies the user is still in possession of their previously trusted device and is the one making the request, not a threat actor.

The other major risk applies to MFA, specifically SMS-based MFA. While you may be following the world’s best procedures for verifying that a helpdesk requester is who they claim to be, there is no guarantee that other organizations are holding themselves to a similar standard. An attacker armed with enough personal information about an employee or client will potentially be able to authenticate with the phone companies. They will use this access to swap the victim’s SIM information to a new phone in their possession. This will route all text messages and phone calls, including MFA challenges, to the attacker’s phone instead of your employee’s or client’s.

Controlling The Threat of Identity-based Cyberattacks

Controlling this threat requires auditing your SaaS and authentication tools and ensuring none of them are utilizing SMS for MFA. Additionally, you can coach your employees and MSP clients to call their phone provider and lock their PIN. The ability to do this will vary from carrier to carrier, but if it is an available option, it absolutely should be enabled in today’s threat climate.
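One way to run that audit across several tools, shown as an added example rather than anything from the author or Huntress: the script below reads a combined export of each user's registered MFA methods and flags accounts with no MFA or with a phone-number-bound method, listing administrative accounts first. The CSV layout, column names and method labels (sms, voice, push, totp, hardware_key) are assumptions made for this sketch, not any vendor's real export format.

```python
import csv
import io

# Constructed sample export; column names and method labels are assumptions,
# not any vendor's real export format.
SAMPLE_EXPORT = """app,user,is_admin,mfa_methods
crm,alice@example.com,true,push;sms
crm,bob@example.com,false,totp
psa,carol@example.com,true,
psa,dave@example.com,false,voice
rmm,erin@example.com,false,push;hardware_key
"""

# Methods delivered to the phone number, so a SIM swap redirects them.
PHONE_BOUND = {"sms", "voice"}


def audit_mfa(export_text):
    """Return findings for weak MFA, sorted so admin accounts come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = {m.strip().lower() for m in row["mfa_methods"].split(";") if m.strip()}
        is_admin = row["is_admin"].strip().lower() == "true"
        if not methods:
            issue = "no_mfa"          # nothing registered at all
        elif methods <= PHONE_BOUND:
            issue = "phone_only"      # a SIM swap fully defeats MFA
        elif methods & PHONE_BOUND:
            issue = "phone_fallback"  # stronger factor exists, SMS/voice still accepted
        else:
            continue                  # only non-phone methods registered
        findings.append({"app": row["app"], "user": row["user"],
                         "admin": is_admin, "issue": issue})
    # False sorts before True, so "not admin" puts admin accounts on top.
    findings.sort(key=lambda f: (not f["admin"], f["app"], f["user"]))
    return findings


if __name__ == "__main__":
    for f in audit_mfa(SAMPLE_EXPORT):
        tag = "ADMIN" if f["admin"] else "user"
        print(f'{f["app"]:4} {f["user"]:20} {tag:5} {f["issue"]}')
```

The phone_fallback case is the one most often missed: a push or hardware factor is registered, but SMS remains enrolled as an alternative the attacker can choose after a SIM swap.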

As we hear of new breaches moving forward, remember to assess the indirect impacts caused by the convergence of our personal and professional digital lives. Every breach adds to the online collection of lost information about our staff and clients, so we should consider how the new additions may increase the likelihood of identity attacks.

Every MSP must factor in how these breaches increase the likelihood of identity-based cyberattacks and prepare accordingly.

If you missed it, check out Chris Henderson’s previous column, 4 Cybersecurity Headaches Your Healthcare Clients Face—And The MSP Remedies


Author:

Chris Henderson

Chris Henderson runs threat operations and internal security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security. Huntress.com
