#3 CASE STUDY - MULTIFACTOR AUTHENTICATION

MULTIFACTOR AUTHENTICATION IS NOT SET UP

“I don’t need 2FA, I change my password now and then.”

COMPANY

  • Sector: Energy

  • Size: 10-49 employees

  • Location: Brussels


FACTS & FIGURES

2 out of 3 companies were affected

  • Protection efforts: Medium

  • Business Impact: High

CONTEXT

During our security assessment of an energy company with 15 employees, we conducted a phishing campaign. The objective was twofold: to evaluate the awareness level of the employees and to collect information that could be used to gain access to their IT infrastructure. A phishing email was sent and, like dominoes in a line, the company's defenses fell one by one. We successfully retrieved credentials and, without any further verification, gained access to an administrator's account.

INCIDENT OVERVIEW

Firstly, we ran a phishing campaign: a simulation in which crafted phishing emails are sent to employees to assess their susceptibility to phishing attacks. Phishing is one of the most common and widely used cyberattack methods because it exploits human weakness effectively and is simple to aim at individuals, businesses and organizations in every sector.

A staggering 55% clicked on the email, and 30% of them even entered their credentials. After ‘stealing’ the credentials, we tried to connect to each account.

We did not have to authenticate in any other way: MFA was not enabled. MFA is a multi-step login process in which users, besides entering a password, must authenticate with an additional method, for example by entering a code received by email.

After a couple of tries we were able to connect to an admin account, which meant we could compromise all users.

BUSINESS IMPACT

The most common business impact of not enabling two-factor authentication (2FA) is a higher risk of unauthorized access, which can lead to devastating consequences:

  • Financial loss: Companies may suffer financial losses due to fraudulent transactions or legal fees resulting from unauthorized access.

  • Reputation damage: Breaches can tarnish a company's reputation, leading to loss of trust among customers and partners.

  • Operational disruption: Dealing with security breaches can disrupt normal business operations and divert resources.

  • Legal consequences: Companies may face legal repercussions, fines, or lawsuits for failing to protect sensitive data.

  • Customer trust: Breaches erode customer trust and loyalty, leading to customer churn and decreased revenue.

  • Regulatory compliance: Violations of data protection regulations can result in hefty fines and damage to regulatory standing.

SECURITY MEASURES

We recommend implementing MFA on all internet-facing applications, which significantly diminishes the risk of data breaches. Multi-factor authentication (MFA) is a security measure that requires users to verify their identity using multiple factors, such as a password, a fingerprint, or a unique code sent to their mobile device. MFA is essential because it provides an additional layer of protection against unauthorized access, significantly reducing the risk of compromised accounts and data breaches. Other measures that help protect against phishing include the following:

  • Educate employees about recognizing phishing attempts and the importance of not clicking on suspicious links or providing personal information.

  • Use email filtering tools to detect and block phishing emails before they reach users' inboxes.

  • Regularly update security software and conduct phishing simulation exercises to keep employees vigilant and prepared.


Ready to strengthen your cybersecurity?

Contact us today to discuss how Cresco's services can help your organization protect and secure itself.