Tuesday, September 27, 2022

Lessons to learn from the latest Uber violation

On September 19th, ride-sharing company Uber experienced another high-profile security breach. A hacker, now thought to be affiliated with the hacker group Lapsus$, probably bought credentials from the dark web. They used those credentials to execute a multi-factor authentication (MFA) fatigue attack. The attacker repeatedly tried to log in with the credentials, prompting an Uber contractor to respond to a two-factor authentication request. Eventually, the contractor responded to someone they believed to be an Uber IT person, and the hacker was able to gain elevated access to various tools within the Uber network.

The same hacker is also allegedly responsible for a breach at Rockstar Games. Details of how the attacker gained access to Rockstar Games systems are less clear, but both attacks appear to be the work of social engineering.

High-profile security breaches like this can make other leadership teams breathe a sigh of relief: at least it wasn’t their company. But the Uber and Rockstar Games breaches, as inevitable and commonplace as they seem these days, also hold valuable lessons for IT leaders who want to avoid the same fate. Here are four to consider:

1. Multi-factor authentication needs another aspect

More than half of companies use MFA, according to the 2022 Cyber Threat Defense Report of the CyberEdge Group. While it can be a powerful security tool, it is not foolproof, as the Uber breach clearly illustrates. Evaluating and improving MFA and access management capabilities could be one step in staying ahead of attackers and their evolving methods.

“There are more secure approaches to multi-factor authentication. They may come with additional costs… in company terms [losing] part of their operational flexibility or impose additional burdens on employees,” Bob Kolasky, senior vice president at supply chain risk management firm Exiger and former deputy director of the Cybersecurity and Infrastructure Security Agency (CISA), told InformationWeek.
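The MFA fatigue pattern described in this article, repeated push prompts followed by an eventual approval, leaves a recognizable trace in authentication logs. The following detection sketch is an added example, not part of the original article or any vendor's tooling; the log format, event names, user names, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log: "<ISO timestamp> <user> <event>".
# Event names (push_sent, push_denied, push_approved) are assumptions.
SAMPLE_LOG = """\
2022-09-19T09:00:00 alice push_sent
2022-09-19T09:00:10 alice push_approved
2022-09-19T14:00:00 bob push_sent
2022-09-19T14:00:20 bob push_denied
2022-09-19T22:01:05 contractor7 push_sent
2022-09-19T22:01:30 contractor7 push_denied
2022-09-19T22:01:50 contractor7 push_sent
2022-09-19T22:02:30 contractor7 push_sent
2022-09-19T22:02:45 contractor7 push_denied
2022-09-19T22:03:10 contractor7 push_sent
2022-09-19T22:04:00 contractor7 push_sent
2022-09-19T22:05:20 contractor7 push_sent
2022-09-19T22:05:45 contractor7 push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: prompts inside WINDOW that count as a burst

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag prompt bursts, and approvals that arrive right after a burst."""
    recent = defaultdict(deque)  # user -> timestamps of prompts not yet approved
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        # Forget prompts that have aged out of the look-back window.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) == threshold:
                alerts.append((user, ts, "prompt_burst"))
        elif event == "push_approved":
            # An approval after a burst is the high-severity case: review the session.
            if len(prompts) >= threshold:
                alerts.append((user, ts, "approved_after_burst"))
            prompts.clear()
    return alerts
```

The `prompt_burst` alert fires while the user is still being prompted, which gives responders a chance to lock the account before an approval happens.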

2. Social engineering is here to stay

Some attacks are successful because hackers can exploit network and operating system security vulnerabilities, but in this case, the attacker was able to take advantage of social engineering. Given the level of success these types of attacks have, it is unlikely that they will stop any time soon.

People can be trained to spot social engineering attempts, but human error isn’t going to go away. “It is not the fault of the employee who was the victim; it could happen to anyone, including veteran security professionals,” says Kurt Alaybeyoglu, senior director of cybersecurity services at business management consulting firm Strive Consulting. “This is why defense-in-depth approaches to security have been advocated by security professionals for two decades.”

Rahul Mahna, managing director of consulting firm EisnerAmper, sees tackling human error as the next frontier in cybersecurity. “We believe that ‘protecting the human’ is going to be at the forefront of future cybersecurity efforts,” he says. “An improved way to protect the human is to make sure he’s using a hardware-based key, like a USB stick.”

3. Know the risks of your organization

“Uber was lucky enough to escape serious operational, financial and possibly regulatory fallout – that remains to be seen,” says Alaybeyoglu. That doesn’t necessarily mean Uber has avoided a costly cleanup process, not to mention the damage to its brand.

IT leaders from other companies can take the opportunity to assess the risks in their organizations. Where are the vulnerabilities? How much could a breach cost the company? “Create a roadmap for implementing the missing mitigation components and the metrics you will use to determine how well they are working,” Alaybeyoglu recommends.

While cybersecurity is very much the domain of IT leadership, it can’t live there in a silo. “Remember that cybersecurity is a business risk,” Kolasky warns.

4. Cybersecurity needs buy-in at the executive level

IT leaders can sound the alarm about cybersecurity risks, but companies will remain vulnerable to attacks like the one Uber suffered until cybersecurity is prioritized in the C-suite.

“Without executive buy-in and a shift in the view of security from a cost center to a business enabler, it will be impossible to empower people, develop processes and use technology to empower businesses and minimize harm when the attackers knock on the door,” says Alaybeyoglu.
