On September 19th, ride-sharing company Uber experienced another high-profile security breach. A hacker, now believed to be affiliated with the hacker group Lapsus$, probably bought credentials on the dark web. They used those credentials to execute a multi-factor authentication (MFA) fatigue attack: the attacker repeatedly tried to log in with the credentials, and each attempt sent the Uber contractor who owned the account another two-factor authentication request. Eventually, the contractor approved a request from someone they believed to be an Uber IT person, and the hacker was able to gain elevated access to various tools within the Uber network.
The same hacker is also allegedly responsible for a breach at Rockstar Games. Details of how the attacker gained access to Rockstar Games systems are less clear, but both attacks appear to be the work of social engineering.
High-profile security breaches like this can make other leadership teams breathe a sigh of relief: at least it wasn’t their company. But the Uber and Rockstar Games breaches, as inevitable and commonplace as they seem these days, also hold valuable lessons for IT leaders who want to avoid the same fate. Here are four to consider:
1. Multi-factor authentication needs another look
More than half of companies use MFA, according to the 2022 Cyber Threat Defense Report of the CyberEdge Group. While it can be a powerful security tool, it is not foolproof, as the Uber breach clearly illustrates. Evaluating and improving MFA and access management capabilities could be one step in staying ahead of attackers and their evolving methods.
“There are more secure approaches to multi-factor authentication. They may come with additional costs… in terms of the company [losing] part of its operational flexibility, or impose additional burdens on employees,” Bob Kolasky, senior vice president at supply chain risk management firm Exiger and former deputy director of the Cybersecurity and Infrastructure Security Agency (CISA), told InformationWeek.
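The attack described in the opening paragraph has a recognizable shape in authentication logs: a burst of push prompts that the user denies or lets expire, and then, sometimes much later, an approval. The following detection is an added example written for this article; it is not Uber's code or any vendor's, and the log format, field names, sample entries, thresholds and time windows are all constructed assumptions (real Okta, Duo or Azure AD sign-in logs carry different fields and must be mapped first). It flags a user who rejects or ignores four or more push prompts within ten minutes, and raises the severity if an approval follows within thirty minutes of the last rejected prompt, which is the pattern an attacker who finally talks the victim into accepting produces.

```python
"""Detect an MFA push-fatigue pattern in authentication logs.

Added example, not from the article or from Uber. The log line format,
sample entries, thresholds and windows below are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed/hypothetical log format: "<ISO ts> user=<u> event=mfa_push result=<r> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>denied|expired|approved) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data). contractor1 shows the fatigue pattern:
# five rejected/expired prompts in three minutes, then an approval 22 minutes later.
SAMPLE_LOG = """\
2022-09-15T01:00:05Z user=contractor1 event=mfa_push result=denied src=203.0.113.10
2022-09-15T01:00:41Z user=contractor1 event=mfa_push result=denied src=203.0.113.10
2022-09-15T01:01:20Z user=contractor1 event=mfa_push result=expired src=203.0.113.10
2022-09-15T01:02:03Z user=contractor1 event=mfa_push result=denied src=203.0.113.10
2022-09-15T01:03:15Z user=contractor1 event=mfa_push result=denied src=203.0.113.10
2022-09-15T01:25:44Z user=contractor1 event=mfa_push result=approved src=203.0.113.10
2022-09-15T01:10:00Z user=alice event=mfa_push result=approved src=198.51.100.7
2022-09-15T09:00:00Z user=bob event=mfa_push result=denied src=198.51.100.9
2022-09-15T09:30:00Z user=bob event=mfa_push result=approved src=198.51.100.9
"""


@dataclass
class Finding:
    user: str
    severity: str            # "medium": burst of rejected prompts; "high": an approval followed
    rejected: int            # rejected/expired prompts inside the densest window
    first: datetime
    last: datetime
    approved_at: Optional[datetime]
    src: str                 # source IP of the last rejected prompt


def parse(log_text: str) -> Dict[str, List[Tuple[datetime, str, str]]]:
    """Group push events per user, sorted by time. Lines in another format are skipped."""
    events: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[m["user"]].append((ts, m["result"], m["src"]))
    for ev in events.values():
        ev.sort()
    return events


def detect(log_text: str, threshold: int = 4,
           window: timedelta = timedelta(minutes=10),
           approval_gap: timedelta = timedelta(minutes=30)) -> List[Finding]:
    """Return one Finding per user whose densest window of rejected prompts reaches the threshold."""
    findings: List[Finding] = []
    for user, ev in parse(log_text).items():
        rejected = [(ts, src) for ts, r, src in ev if r != "approved"]
        approvals = [ts for ts, r, _ in ev if r == "approved"]
        # Sliding window over rejected prompts: keep the densest window that reaches the threshold.
        best = None
        i = 0
        for j in range(len(rejected)):
            while rejected[j][0] - rejected[i][0] > window:
                i += 1
            count = j - i + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, rejected[i][0], rejected[j][0], rejected[j][1])
        if best is None:
            continue
        count, first, last, src = best
        # An approval shortly after the burst is the signature of a successful fatigue attack.
        approved_at = next((a for a in approvals if last <= a <= last + approval_gap), None)
        findings.append(Finding(user, "high" if approved_at else "medium",
                                count, first, last, approved_at, src))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.severity.upper()}: {f.user} rejected {f.rejected} prompts "
              f"between {f.first:%H:%M:%S} and {f.last:%H:%M:%S} from {f.src}; "
              f"approved at {f.approved_at:%H:%M:%S}" if f.approved_at else
              f"{f.severity.upper()}: {f.user} rejected {f.rejected} prompts from {f.src}")
```

The thresholds are deliberately conservative so that one or two mis-tapped prompts (bob above) do not page anyone; a "medium" finding is worth a ticket, a "high" finding is worth an immediate session revocation and a call to the user, since by then the attacker already has a valid session. Number matching or a hardware-backed factor removes the class of attack rather than detecting it, which is the point Kolasky makes about more secure approaches costing some flexibility.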
2. Social engineering is here to stay
Some attacks are successful because hackers can exploit network and operating system security vulnerabilities, but in this case, the attacker was able to take advantage of social engineering. Given the level of success these types of attacks have, it is unlikely that they will stop any time soon.
People can be trained to spot social engineering attempts, but human error isn’t going to go away. “It is not the fault of the employee who was the victim; it could happen to anyone, including veteran security professionals,” says Kurt Alaybeyoglu, senior director of cybersecurity services at business management consulting firm Strive Consulting. “This is why defense-in-depth approaches to security have been advocated by security professionals for two decades.”
Rahul Mahna, managing director of consulting firm EisnerAmper, sees tackling human error as the next frontier in cybersecurity. “We believe that ‘protecting the human’ is going to be at the forefront of future cybersecurity efforts,” he says. “An improved way to protect the human is to make sure they’re using a hardware-based key, like a USB stick.”
3. Know the risks of your organization
“Uber was lucky enough to escape serious operational, financial and possibly regulatory fallout – that remains to be seen,” says Alaybeyoglu. That doesn’t necessarily mean Uber has avoided a costly cleanup process, not to mention the damage to its brand.
IT leaders at other companies can take the opportunity to assess the risks in their own organizations. Where are the vulnerabilities? How much could a breach cost the company? “Create a roadmap for implementing the missing mitigation components and the metrics you will use to determine how well they are working,” Alaybeyoglu recommends.
While cybersecurity is very much the domain of IT leadership, it can’t live there in a silo. “Remember that cybersecurity is a business risk,” Kolasky warns.
4. Cybersecurity needs buy-in at the executive level
IT leaders can sound the alarm about cybersecurity risks, but companies will remain vulnerable to attacks like the one Uber suffered until cybersecurity is prioritized in the C-suite.
“Without executive buy-in and a shift in the view of security from a cost center to a business enabler, it will be impossible to empower people, develop processes and use technology to empower businesses and minimize harm when the attackers knock on the door,” says Alaybeyoglu.