On Sep. 19, ride share company Uber experienced another high-profile security breach. A hacker, now thought to be affiliated with the hacking group Lapsus$, likely purchased credentials from the dark web and used them to execute a multi-factor authentication (MFA) fatigue attack. The attacker repeatedly attempted to log in with the credentials, each attempt pushing a two-factor authentication request to an Uber contractor. Eventually, the contractor did respond to someone they thought was an Uber IT person, and the hacker was able to gain elevated access to several tools within Uber’s network.
The same hacker is also allegedly responsible for a breach at Rockstar Games. The details of how the attacker gained access to Rockstar Games’ systems are less clear, but these attacks both seem to be the work of social engineering.
High-profile security breaches like this might cause other leadership teams to breathe a sigh of relief. At least it wasn’t their company. But the Uber and Rockstar Games breaches, as inevitable and common as they may seem these days, also come with valuable lessons for IT leaders who want to avoid the same fate. Here are four to consider:
1. Multi-factor authentication needs another look
More than half of companies are using MFA, according to the 2022 Cyberthreat Defense Report from CyberEdge Group. While it can be a powerful security tool, it is not an infallible one, as so clearly illustrated by the Uber breach. Evaluating and advancing MFA capabilities and access management could be a step toward staying ahead of attackers and their evolving methods.
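The push-fatigue pattern described above (a burst of denied or ignored prompts for one account, then an approval) is visible in MFA provider logs. The following detection logic is an added example, not code from the article or from any vendor; the log format and the sample lines are constructed for illustration, and the ten-minute window and three-prompt threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log: timestamp, user, event, result.
# "alice" shows the fatigue pattern; "bob" and "carol" are normal logins.
SAMPLE_LOG = """\
2022-09-19T01:12:03Z alice push_sent DENIED
2022-09-19T01:12:41Z alice push_sent DENIED
2022-09-19T01:13:20Z alice push_sent TIMEOUT
2022-09-19T01:14:02Z alice push_sent DENIED
2022-09-19T01:15:30Z alice push_sent DENIED
2022-09-19T01:16:11Z alice push_sent APPROVED
2022-09-19T01:20:00Z bob push_sent APPROVED
2022-09-19T02:05:00Z carol push_sent DENIED
2022-09-19T02:40:00Z carol push_sent APPROVED
"""


def parse(log_text):
    """Turn the constructed log lines into (timestamp, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, _event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return alerts as (user, kind, iso_timestamp, prompt_count).

    kind == "in_progress": a user has hit `threshold` non-approved pushes
        inside `window` (the campaign is under way; time to contact the user).
    kind == "succeeded": an APPROVED push followed >= threshold non-approved
        pushes inside `window` (the likely-compromised session to revoke).
    """
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent unapproved pushes
    for ts, user, result in sorted(parse(log_text)):
        # Expire prompts that fall outside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result == "APPROVED":
            if len(recent[user]) >= threshold:
                alerts.append((user, "succeeded", ts.isoformat(), len(recent[user])))
            recent[user].clear()  # an approval ends the burst either way
        else:
            recent[user].append(ts)
            if len(recent[user]) == threshold:  # fire once per burst
                alerts.append((user, "in_progress", ts.isoformat(), threshold))
    return alerts
```

Carol's denied prompt is 35 minutes before her approval, so it falls outside the window and raises nothing; only alice's burst produces alerts.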
“There are more secure approaches to multi-factor authentication. They may come with additional cost … in terms of the company [losing] some of its operational flexibility or putting additional burdens on employees,” Bob Kolasky, senior vice president for supply chain risk management company Exiger and former assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), tells InformationWeek.
2. Social engineering is here to stay
Some attacks succeed because hackers exploit network and operating system security vulnerabilities, but in this case the attacker leveraged social engineering. Given how successful these attacks have been, it is unlikely they will stop anytime soon.
People can be trained to spot social engineering attempts, but human error is not going away. “It’s not the fault of the employee who fell victim; it could happen to anyone, including veteran security professionals,” Kurt Alaybeyoglu, senior director of cybersecurity services at business management consulting company Strive Consulting, contends. “This is why security professionals have advocated for defense-in-depth approaches to security for two decades now.”
Rahul Mahna, managing director at consulting company EisnerAmper, sees addressing human error as the next frontier of cybersecurity. “We believe ‘securing the human’ is going to be a leading edge of cybersecurity efforts moving forward,” he says. “One enhanced form of securing the human is to ensure they are using a hardware-based key, such as a USB stick.”
3. Know your organization’s risks
“Uber was lucky that they escaped serious operational, financial, and possibly regulatory consequences — remains to be seen,” says Alaybeyoglu. That does not necessarily mean Uber has avoided a costly cleanup process, not to mention damage to its brand.
IT leaders at other companies can take the opportunity to evaluate their organizations’ risks. Where are the vulnerabilities? What could a breach cost the company? “Create a roadmap to implement missing mitigation components and the metrics you’ll use to determine how well they’re working,” Alaybeyoglu recommends.
While cybersecurity is largely the domain of IT leadership, it cannot live there in a silo. “Remember that cybersecurity is a business risk,” Kolasky cautions.
4. Cybersecurity needs executive-level buy-in
IT leaders can sound the alarm on cybersecurity risks, but companies will remain vulnerable to attacks like the one Uber suffered until cybersecurity is prioritized in the C-suite.
“Without executive buy-in and a shift in perspective from security as a cost-center to a business enabler, it will be impossible to train the people, build the processes, and use the technology to empower business and minimize the damage when attackers do come knocking,” says Alaybeyoglu.