On September 19, ride-sharing company Uber suffered another high-profile security breach. A hacker now believed to be affiliated with the hacking group Lapsus$ may have purchased credentials from the dark web. They use these credentials to perform multi-factor authentication (MFA) fatigue attacks. The attackers repeatedly attempted to log in using the credentials, prompting Uber contractors to respond to two-factor authentication requests. Ultimately, the contractor did reply to what they believed to be Uber’s IT staff, and the hackers were able to gain advanced access to multiple tools within Uber’s network.
The same hacker is also allegedly responsible for the breach by Rockstar Games. The details of how the attackers gained access to Rockstar Games’ systems are unclear, but the attacks appear to be the work of social engineering.
A high-profile security breach like this could be a relief to the rest of the leadership team. At least not their company. But the breaches at Uber and Rockstar Games, as inevitable and common as they seem these days, also offer valuable lessons for IT leaders hoping to avoid the same fate. Here are four to consider:
1. Multi-factor authentication needs a different look
More than half of companies are using MFA, according to CyberThe Cyber Threat Defense Report 2022. While it can be a powerful safety tool, it’s not a foolproof tool, as Uber’s breach made clear. Evaluating and advancing MFA capabilities and access management may be a step toward staying ahead of attackers and their evolving approaches.
“There are more secure approaches to multi-factor authentication. Bob Kolasky, senior vice president and former assistant director of cybersecurity and infrastructure at supply chain risk management firm Exiger Security Agency (CISA), told InformationWeek.
2. Social engineering will continue
Some attacks are successful, Because hackers are able to exploit network and operating system security holes, but in this case, attackers are able to exploit social engineering. Given how successful these types of attacks are, it’s unlikely they will stop anytime soon.
People can be trained to spot social engineering attempts, but human error isn’t going away. “It’s not the victim’s fault; it can happen to anyone, including senior security experts,” says business management consultancy Strive Consulting Kurt Alaybeyoglu, Senior Director, Cybersecurity Services, said. “That’s why security professionals have been advocating a defense-in-depth approach to security for 20 years. “
Rahul Mahna, managing director of consultancy EisnerAmper, sees addressing human error as the next frontier in cybersecurity. “We believe ‘protecting humans’ will be at the forefront of cybersecurity efforts moving forward.” ,” he said. “An enhanced form of human security is to ensure they use hardware-based keys, such as USB sticks. “
3. Know your organization’s risks
” Uber Luckily, they escaped serious operational, financial and possible regulatory consequences – it remains to be seen,” said Alebeyoglu . This is not necessarily Means Uber avoids a costly cleanup process, not to mention damage to its brand.
IT leaders at other companies can take this opportunity to assess their organization’s risk. Where? What would a breach cost the company? “Create a roadmap to implement the missing mitigation components and the metrics you will use to determine how well they work,” advises Alaybeyoglu.
While the network Security is primarily an area of IT leadership, but it cannot exist in isolation. “Remember that cybersecurity is a business risk,” warns Kolaski.
4. Cybersecurity Needs C-suite Support
IT leaders can raise the alarm on cybersecurity risks, but companies remain vulnerable Attacks like Uber’s until cybersecurity becomes a C-suite priority.
“Without executive buy-in and a shift from security as a cost center to a business-enabler, there will be no Possibly training people, establishing processes and using the technology can enhance business capabilities and minimize damage when attackers knock on the door,” Alaybeyoglu said.
Next What to read:
How not to waste money on cybersecurity
Twilio Breach: 5 questions about protecting your own business
Two Minute Kit: CloudSphere Cybersecurity and Departure