From the beginning of November through December, companies and consumers prepare for year-end deals and large-scale purchases. Whether your company is considering allocating IT budget before January 1, or you’re planning what gifts to purchase for your 2nd grader, following these common steps will increase your holiday season digital security.
Multi-factor authentication (MFA) spamming, repeated malicious requests for a user input private credentials, is a common breach tactic during high online traffic for several reasons.
When targeting a consumer, the reason is likely to access personal information like your address, credit card, or banking information. When threat actors compromise an organization, the results are even more far-reaching.
Spammers likely reach an individual user after already social engineering their way into an administrative account with the escalated privileges needed to send verified MFA requests. After that second step in the kill chain, they pick an inconvenient time to target the user, when you need access to your work account and don’t have the time to deal with 10 minutes of back-and-forth permission requests.
Here are 8 steps companies and consumers can take to thwart threat actors this holiday season:
1: Change your passwords
Keep your passwords fresh and stored in a way only you can access. Instead of using confidential information the threat actor could harvest online like your anniversary or your hometown, choose a 3 – 5-word phrase for each account. Refreshing your password makes it more difficult for a hacker to anticipate or bypass your security before acting in a way that the site or organization security can track through suspicious activity alerts.
2: Encourage your employees to update their master passwords
Especially if your organization was vulnerable to phishing tests or real phishing emails in the past, remind your employees to update their passwords with a reward for those who do. Password hygiene keeps their information safe and your company secure.
3: Take the MFA or passwordless option
If you’re shopping online, and a retailer offers you the chance to enable multi-factor authentication like adding your phone number for code confirmation, take it. It might seem overly cautious, but extra steps to verify your account add another layer of protection to your confidential information.
4: Enable MFA or passwordless verification methods across your organization
At this point, we hope MFA is treated as a cybersecurity table stake—so essential your organization can’t operate without it. If it’s not for your organization, most security platforms have the ability to enable MFA for your workforce in a simple, user-friendly way. Passwordless options through email, phone, facial recognition, or other methods are a great step up. We recommend Windows Hello and Microsoft Authenticator to clients for low-friction user security.
5: Pay attention to account alert emails
You likely notice when you purchase a new device or log into a social media site on your desktop rather than your phone that you receive an email confirming the access was you. It’s easy to ignore, but alerts like that are especially valuable in a high-transaction time of year like the holidays. If you didn’t log into an account associated with your name, take action by shutting down or freezing associated bank accounts, resetting your password, and reporting it to the platform provider.
6: Use a SIEM connector to monitor permissions
For an organization, alert triaging is an essential part of confirming the security of registered user profiles and devices. If your organization already works with a SOC, locate, flag, and train analysts to notice MFA spamming requests on a user’s profile, especially for administrator accounts. User account locations should always match the employee’s actual location. A request from Uzbekistan for an employee based in Ohio should raise eyebrows. If your organization doesn’t have the bandwidth to support an in-house analyst team, consider managed services options.
7: Create a ceiling on the number of verification requests you receive
If you have the capability in your personal bank account, customize the number of verifications requests you receive before a digital lock mechanism takes place. It can be frustrating if you simply forgot your password and you’re trying to remember your log in but taking extra precautions with highly valuable information raises the level of effort threat actors need to expend. Extra effort on their part makes you or your business a less attractive target.
8: Create an automated process for locking flagged user accounts
On the administrative side, work with your security professionals to limit the number of requests a user can receive, and only give heightened permissions to specific administrators with account log-in requirements like FIDO2 keys. An extra step for important roles in an organization can reduce the chance of social engineering working on executive or other pivotal leaders.
Before shopping or signing off your work account for time off, take a moment to reset your digital security expectations. Ensuring your company or personal identity is not compromised during the holidays saves both a headache and valuable information loss.
Interested in taking further steps on an organizational level? Ascent Solutions’ consultants work with each firm to design a people-driven technology stack. Reach out to firstname.lastname@example.org for more information.