On a daily basis, organizations around the world contend with increasingly sophisticated cyber attacks like phishing that exploit human error, leverage compromised accounts and employ convincing, yet deceptive, tactics to infiltrate corporate networks. Balancing security with a seamless user experience for front-line employees should be a top goal for every executive, since those are the workers with access to the tools that need to be protected. Yet, as we’ll identify in this post, executives themselves are also targets for account takeovers stemming from phishing attacks.
In one such notable case from late 2022 during the final days of the former crypto exchange FTX, a major hack was carried out that resulted in the loss of $400 million. Initially believed to be an inside job, an investigation into the theft uncovered that a SIM swap gang impersonated an executive and manipulated mobile carriers to gain control over the executive’s phone number – subsequently bypassing two-factor authentication (2FA) mechanisms – and made their way into the FTX database.
Around the same time, Europol dismantled a CEO fraud gang that orchestrated – through a combination of social engineering, email compromise, and financial manipulation – a $40 million heist in just a few days. More recently, unknown attackers have targeted hundreds of Microsoft Azure accounts, including those of senior executives, with the goal of stealing sensitive data and financial assets, relying on an arsenal of credential phishing and account takeover techniques delivered through personalized phishing lures and shared documents.
The breadth of these targeted roles suggests a deliberate strategy to overwhelm and compromise accounts known to have access to various resources across affected organizations. These incidents, and those sure to come in the future, underscore the need for advanced defenses against phishing attacks – especially as threat actors become more efficient and organizations grapple with account takeovers stemming from phishing-harvested credentials. As decision-makers strive to protect their executives and front-line employees, they need a defense that ensures that if and when users fall prey to phishing attempts, their identities, and the data they access and manage, remain secure.
A Zero Trust future: Protecting identities of all users with phishing-resistant multi-factor authentication (MFA)
Attacks against identity are pervasive, and as technologies like Artificial Intelligence (AI) and machine learning make them even more difficult to identify, these modern cyber attacks require modern security approaches to mitigate risk. As a part of the plan to architect a cloud technology with the highest security standards, organizations must embrace the inherent benefits of strong, phishing-resistant MFA, Zero Trust, and passwordless. Given the inherent weaknesses associated with passwords, both from a security and a usability perspective, authentication that does not require the user to provide a password at login is the pathway to Zero Trust and a strong phishing defense.
While PIV/Smart Card met traditional perimeter-based authentication requirements, today’s ecosystem of digital transformation, the move to the cloud, the modernization of IT and the growth of the remote workforce require an alternative, high-assurance authentication solution in line with Zero Trust principles. The modern FIDO2 authentication standard enables phishing-resistant two-factor, multi-factor and passwordless authentication to online services in both mobile and desktop environments.
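To show concretely why FIDO2/WebAuthn is phishing-resistant, here is an added example (not code from Yubico or this post) of the relying-party checks that bind an assertion to the enrolled origin and RP ID; the RP identity, challenge and message fields are constructed, and signature verification is left out.

```python
import base64
import hashlib
import json
# Constructed relying party (RP) identity the user enrolled their security key with.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Check the origin and RP ID binding of a WebAuthn assertion. Returns (ok, reason).
    Signature verification over authenticatorData || sha256(clientDataJSON) is omitted."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # The browser fills in the origin of the page that called WebAuthn; the user
    # never types it, so a lookalike domain cannot present the enrolled origin.
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    # authenticatorData = sha256(rpId) (32 bytes) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: key signed for a different RP"
    if not authenticator_data[32] & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"

def make_client_data(origin, challenge):
    """Constructed clientDataJSON, as a browser would build it for the given origin."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()

def make_auth_data(rp_id, flags=0x05, sign_count=1):
    """Constructed authenticatorData: rpIdHash || flags || 4-byte sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

if __name__ == "__main__":
    chal = b"constructed-random-challenge-32B"
    print(verify_assertion_binding(make_client_data(RP_ORIGIN, chal), make_auth_data(RP_ID), chal))
    # A lookalike domain relaying the real challenge still fails: the browser reports its own
    # origin and the key hashes the lookalike RP ID, so the enrolled RP rejects the assertion.
    print(verify_assertion_binding(make_client_data("https://login-example.com", chal),
                                   make_auth_data("login-example.com"), chal))
```

This is the property a password or OTP lacks: the secret a user types can be relayed to any site, whereas the signed assertion is only valid for the origin the key was enrolled with.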
YubiKeys offer an exceptional user experience and work out-of-the-box with leading IAM and PAM solutions, while integrating with third-party systems like DUO, Google Cloud, HYPR, Microsoft Entra ID, Okta Workforce Identity, Ping ID, RSA SecurID Suite, and CyberArk. Additionally, Yubico and Microsoft are FIDO Alliance members committed to providing phishing-resistant authentication solutions based on FIDO2 and certificate-based authentication standards. Together with Microsoft, Yubico has defined five use cases for advancing cybersecurity using phishing-resistant, multi-factor authentication (MFA) methods.
Develop a strategy for secure onboarding and account recovery for all of your users so that you get the full value of phishing-resistant MFA. While the path to passwordless can feel daunting, it doesn’t have to be. There are many roads to passwordless, and different passkey implementations offer tradeoffs for organizations and users. Therefore, a ‘one size fits all’ approach for passkeys is sub-optimal for an organization that houses critical customer and financial data with a range of security, compliance, and scale requirements.
Device-bound passkeys on security keys provide higher security assurance, simpler user onboarding, and credential recovery – ensuring compliance with stringent industry requirements and offering Zero Trust, phishing-resistant, modern MFA protection for all levels of workers. Frontline workers, behind the scenes support and engineers – all the way up to the executives who manage them – all can be protected with the Zero Trust, phishing-resistant, modern MFA found in the YubiKey.
Contact us to learn more about how Yubico can help you go passwordless with the YubiKey.