The last few months have definitely not been business as usual. Threat actors are taking full advantage of these uncertain times by launching a wave of new cyber-attacks, leveraging tactics such as phishing, ransomware, and credential stuffing. Phishing campaigns alone skyrocketed by more than 600% since February 2020, according to Barracuda Networks.
If the past is in any way an indicator for things to come, we’re in for a treat: According to the 2020 Verizon Data Breach Investigations Report, nearly one third of all breaches in the past year involved phishing. In fact, the majority of cyber-attacks are front-ended by phishing campaigns. In the end, the easiest way for threat actors to gain access to sensitive data is by compromising an end user’s identity and credentials.
Things get even worse if a stolen identity belongs to a privileged user, who has broader access, and therefore could provide the intruder with “the keys to the kingdom”. According to a 2019 study by Centrify, 74 percent of respondents whose organizations have been breached acknowledged the incident exploited privileged account access. This number closely aligns with Forrester’s 2018 estimate that 80 percent of security breaches involve compromised privileged credentials.
By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that an overwhelming number of today’s phishing campaigns go after access credentials and secrets like API keys, AWS Identity & Access Management (IAM) credentials, X.509 certificates, SSH credentials, IP addresses, and more.
At the same time, phishing scams and schemes are becoming more creative every day as businesses and individuals find themselves the target of new tactics and techniques. So, what can organizations do to prevent their users from falling victim to these attacks?
User education and beefing up an organization’s email security systems are two essential steps that can minimize the exposure to phishing campaigns:
- Security awareness training for end users should be leveraged to educate about the risk of phishing and the characteristics of these attacks (e.g., checking the sender’s email address; avoid clicking on links and rather going to the sender’s website to validate the authenticity of the page indicated in the email; checking for spelling and grammatical mistakes, as well as strange phrases; etc.). KnowBe4, one of the industry’s leading cyber awareness training organizations, states in their 2020 Phishing By Industry Benchmarking Report that nearly 38% of users who don’t undergo cyber awareness training fail phishing tests. The security awareness training should be augmented by phishing simulations and other mock attacks to test and reinforce good user behavior.
- Another preventive measure that organizations are taking to mitigate the risk of phishing campaigns is the implementation of email protection software, or so-called secure email gateways. These tools are often deployed to “sandbox” inbound emails and validate, as well as sanitize links users might click on. However, according to the 2019 Phishing Threat & Malware Review nine out of 10 verified phishing emails find their ways past these perimeter defenses and were discovered in environments that use secure email gateways.
Even with these investments, successful phishing attacks are on the rise as evidenced by the breaches occurring and the data above. Instead of overinvesting in security awareness programs and email protection tools that yield limited results, organizations need to adopt an in-depth defense strategy that focuses on identity as the new security perimeter. By implementing Centrify Identity-Centric Privileged Access Management (PAM) based on Zero Trust principles, organizations can achieve just that, as it allows them to:
- Step Up their Multi-Factor Authentication Game
Multi-factor authentication (MFA) remains the most reliable option for augmenting an organization’s existing access controls. Replacing and/or supplementing username and password authentication with MFA significantly raises the bar and costs for carrying out cyber-attacks, which is why its rate of compromise is close to zero. If you haven’t implemented MFA yet, it’s time to do so. Otherwise, you might want to consider hardening your security posture by increasing identity assurance levels as defined by the National Institute of Standards and Technology (NIST) Special Publication 800-63A.
- Establish Secure Remote Access
To enable remote workers, outsourced IT, and partners to safely access corporate resources, organizations have historically relied on Virtual Private Networks (VPNs). The problem with VPNs, however, is that once inside, the user has access to the entire network. Attackers can exploit these connections and inject malware onto the remote system easily via the compromised user credentials they gained through phishing campaigns. Instead of VPNs, organizations should leverage proxy-based technologies that give their privileged internal IT admins access to as much of infrastructure as necessary, while limiting access by an outsourced team or remote workers to only the servers and network hardware their role requires. In combination with Centrify Zones, this security practice significantly reduces the risk of lateral attacks.
- Enforce Least Privilege
For superusers and IT admins, least privilege access based on just enough, just-in-time privileged access management (JIT PAM) is a best practice. The concept of least privilege, whereby IT admins are only provided the needed level of privilege to perform a certain task for the amount of time necessary to perform it, is an antidote for many security incidents.
To learn more about modern phishing campaigns and effective prevention by leveraging Centrify Identity-Centric PAM, join us for our Centrify CyberCast Live: Minimizing Phishing Exposure.
This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.