Cybersecurity’s Status Quo Isn't Working
Originally posted September 17, 2023 on LinkedIn
Last Monday (Sept 11), MGM Resorts experienced the start of a significant, still-escalating ransomware attack. It is not known for certain how long the attackers were present inside MGM before they began systematically shutting down systems, disrupting multiple areas of the business.
Before you decide you are off the hook: if you have rented a room or made a purchase at the MGM Grand, Mandalay Bay, New York-New York, Bellagio, Excalibur, Aria, or Luxor, your personal information could be among the data accessed. Given that Las Vegas visitors are on track to exceed 40 million in 2023, approaching pre-pandemic numbers, and that hordes of security professionals attended the Black Hat and DEFCON conferences there just last month, there is a pretty good chance your information is in the compromised data, and in good company.
How it happened follows a widely used template. First, social engineering campaigns convinced service desk personnel to reset all multi-factor authentication (MFA) factors for highly privileged users, including Okta super admin accounts. Next, those accounts were used to access, assess, and exfiltrate increasingly valuable data and to lock down increasingly valuable and critical systems.
In other words, there were two significant contributing vulnerabilities: people, and the belief that MFA can verify who a person is in the real world. The bad actors are taking advantage of a known limitation of MFA. As Nametag CEO Aaron Painter stated in a recent Dark Reading article: "This vulnerability is not unique to MGM nor Okta; it's a systemic problem with multi-factor authentication…MFA verifies devices, not people.”
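The attack template above (help desk resets every MFA factor on a privileged account, the attacker enrolls a new factor and signs in) leaves a recognizable trail in an identity provider's audit log. The script below is an added example, not code from the original post or from MGM or Okta: it correlates a factor-reset event on a privileged account with a subsequent factor enrollment and a session from an IP address that account had never used before. The event records are constructed, and their field names and event-type strings are simplified assumptions modeled on Okta's System Log, not a verified schema.

```python
"""Flag help-desk MFA resets on privileged accounts that are followed by a
new factor enrollment and a sign-in from an IP the account has never used.

Added example. Event shape is an assumption loosely modeled on Okta System
Log records (eventType, actor, target, client IP, published time); the
sample events below are constructed, not real MGM or Okta data.
"""
from datetime import datetime, timedelta, timezone

# How long after a reset a new-IP sign-in still counts as related.
WINDOW = timedelta(hours=2)

# Constructed sample log. Assumed event-type names: reset_all = help desk
# wiped every factor, activate = a factor was enrolled, session.start = sign-in.
SAMPLE_EVENTS = [
    # alice: privileged, reset by help desk, re-enrolled and signed in from a new IP.
    {"published": "2023-09-08T14:02:11Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "203.0.113.10"},
    {"published": "2023-09-11T09:15:02Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "alice@example.com", "ip": "198.51.100.5"},
    {"published": "2023-09-11T09:21:40Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "192.0.2.77"},
    {"published": "2023-09-11T09:22:05Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "192.0.2.77"},
    # bob: same pattern, but not a privileged account, so out of scope here.
    {"published": "2023-09-08T15:00:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "203.0.113.20"},
    {"published": "2023-09-11T10:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "bob@example.com", "ip": "198.51.100.5"},
    {"published": "2023-09-11T10:05:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "192.0.2.99"},
    {"published": "2023-09-11T10:06:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "target": "bob@example.com", "ip": "192.0.2.99"},
    # carol: privileged, legitimate reset, re-enrolled from her usual IP.
    {"published": "2023-09-09T08:30:00Z", "eventType": "user.session.start",
     "actor": "carol@example.com", "target": "carol@example.com", "ip": "203.0.113.44"},
    {"published": "2023-09-11T11:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "carol@example.com", "ip": "198.51.100.5"},
    {"published": "2023-09-11T11:04:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "carol@example.com", "target": "carol@example.com", "ip": "203.0.113.44"},
    {"published": "2023-09-11T11:05:00Z", "eventType": "user.session.start",
     "actor": "carol@example.com", "target": "carol@example.com", "ip": "203.0.113.44"},
]

# Assumed list of accounts holding admin roles (would come from the IdP's role data).
PRIVILEGED = {"alice@example.com", "carol@example.com"}


def _ts(s):
    """Parse the ISO-8601 'Z' timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_resets(events, privileged, window=WINDOW):
    """Return one alert per privileged-account factor reset that is followed,
    within `window`, by a new factor enrollment and a sign-in from an IP the
    account had never used for a session before the reset."""
    events = sorted(events, key=lambda e: _ts(e["published"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] != "user.mfa.factor.reset_all":
            continue
        user = ev["target"]
        if user not in privileged:
            continue
        reset_at = _ts(ev["published"])
        # Baseline: IPs this account signed in from before its factors were wiped.
        known_ips = {e["ip"] for e in events[:i]
                     if e["eventType"] == "user.session.start" and e["actor"] == user}
        enrolled = False
        for later in events[i + 1:]:
            if _ts(later["published"]) - reset_at > window:
                break
            if later["actor"] != user:
                continue
            if later["eventType"] == "user.mfa.factor.activate":
                enrolled = True
            elif (later["eventType"] == "user.session.start" and enrolled
                  and later["ip"] not in known_ips):
                alerts.append({"user": user, "reset_by": ev["actor"],
                               "reset_at": ev["published"], "new_ip": later["ip"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS, PRIVILEGED):
        print("ALERT: {user} factors reset by {reset_by} at {reset_at}; "
              "new factor then session from {new_ip}".format(**alert))
```

Run against the constructed log, only alice's reset is flagged: bob is not privileged, and carol re-enrolled from an IP already in her baseline. The point of the rule is the combination, not any single event; a help desk resetting factors is routine, so alert on the reset-then-enroll-then-new-origin sequence for admin accounts, and treat the reset itself as something that requires out-of-band verification of the person, which is the gap the post describes.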
No doubt many people will wring their hands about how terrible these attacks are. If you are among the hand wringers, what are you doing about it? Here are three facts:
No approach alone is impenetrable.
MFA’s long history contributes to its known weaknesses.
The status quo of account usage security isn’t working.
Clearly “good enough” and “checkbox” security has failed. If you are satisfied with current approaches and believe what’s playing out with MGM is the cost of doing business, you are part of the problem.
A good cybersecurity posture should include verifying the humans interacting with systems throughout the organization, not only at the point of access or authentication. It is equally important that person-specific verification be added with little or no friction; otherwise it will not be fully deployed, or it will be bypassed by the highest-privileged users. Verification of the real-world human must also extend to admin and other shared or group accounts. Otherwise, bad actors remain cloaked in the apparent anonymity of a group.
So, where do you stand on the current approach to cybersecurity?