Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

To MFA or not to MFA, that is the question

As the security industry cliche goes, there’s no such thing as a silver bullet. Many professionals agree multi-factor authentication (MFA) can improve security, but a recent discovery showed that it’s no panacea either. Researchers from Microsoft identified a phishing campaign that bypasses MFA. The ongoing campaign has targeted more than 10,000 Office 365 organisations since September 2021, using ‘adversary in the middle’ (AiTM) sites to steal passwords and hijack login sessions. Microsoft’s extensive blog has more details.

Ars Technica’s writeup includes this important caveat: “Nothing in Microsoft’s account should be taken to say that deploying MFA isn’t one of the most effective measures to prevent account takeovers. That said, not all MFA is equal.” Dark Reading’s report noted the mitigation steps that Microsoft suggests for reinforcing MFA, such as conditional access.

In a related development, Europol recently said that MFA had caused ransomware actors to give up attacking a victim. “In certain investigations, we saw them trying to access companies – but as soon as they would hit two-factor authentication in this process, they would immediately drop this victim and go to the next,” Marijn Schuurbiers, head of operations at Europol’s European Cybercrime Centre (EC3), told ZDNet. Brian Honan, writing in the SANS Newsletter, said: “While this anecdote highlights the importance of MFA in protecting against attacks, it also reflects the high number of targets available to criminals that they can readily drop one potential victim and move on to the next one with weaker security controls.”

Microsoft enables security by default in popular products

Microsoft has enabled a range of new security features across many of its products. Windows 11 now has a default account lockout policy built in to help stop brute-force attacks via Remote Desktop Protocol. The new feature will lock accounts for 10 minutes after unsuccessful login attempts. This same setting is also available in Windows 10 but it isn’t switched on by default. According to The Hacker News, Microsoft will also enable this feature in older versions of Windows and Windows Server. The Register said the move is aimed at shutting down attack vectors popular with many cybercriminals for infiltrating systems, pilfering data and installing malware.

First flagged in April, Windows Autopatch is now available to automatically update Windows 10/11 and Microsoft 365 software. For Windows E3 and E5 licence holders, the service will replace the usual monthly ‘patch Tuesday’ cycle and is claimed to make the patching process easier. Bleeping Computer’s report notes that the service has built-in halt and rollback features in case any updates cause disruption to existing systems. Lastly, Microsoft has also started blocking Office macros by default again. Many customers complained after the software company first did this in February, so Microsoft responded with clearer documentation.

Get schooled in cybersecurity while you work

For anyone interested in studying security further while they work, University College Dublin has launched its MSc in Cybersecurity. UCD is already known for its work in digital forensics and cybercrime investigation. It developed the MSc programme through extensive consultation with law enforcement and industry. The two-year part-time course will mainly be delivered through distance learning, with occasional one-day workshops on campus. It’s now accepting applications to start in September 2022. The programme’s admission page includes a link to the information webinar detailing the course, the team delivering it, entry criteria and research options. UCD joins Technological University Dublin, which also runs a Masters in Applied Cyber Security. Our BH Academy sponsors staff members to deepen their knowledge in the field through studying while working. There’s more information about this programme at https://bhconsulting.ie/bh-academy/.

Links we liked

A detailed primer on end-to-end encryption for those writing public policy.

A useful guide to help distinguish between special, sensitive and confidential data.

The National Cyber Crime Centre’s alert on compromised WordPress sites.

An update to FIRST’s traffic light protocol for security information sharing.

This report from NIST shows ways to measure security awareness programmes.

A short guide from SANS showing how phishing attacks are evolving.

Europol has launched a new podcast, focusing on cybercrime and financial crime.

Recommendations on what to include in a malware analysis report.

Lance Spitzner of SANS has an excellent analysis of Verizon’s 2022 DBIR.

A summer silly season story: trolling text message scammers.

About the Author: Amy Biddulph
