MULTIFACTOR AUTHENTICATION (MFA) IS NOT SET UP
“I don’t need 2FA, I change my password now and then.”
COMPANY
Sector: Energy
Size: 10-49 employees
Location: Brussels
FACTS & FIGURES
2 out of 3 companies were affected
Protection efforts: Medium
Business impact: High
CONTEXT
During the security assessment of an energy company with 15 employees, we conducted a phishing campaign. The objective was twofold: evaluate the security awareness of the employees and gather information to gain access to the IT infrastructure. A phishing email was sent. The various defense lines of the company fell like dominoes. We successfully obtained credentials and gained access to an administrator account without further verification.
INCIDENT OVERVIEW
Firstly, we started with a phishing campaign. We simulated phishing emails and sent them to employees to assess their susceptibility to phishing attacks. Phishing is one of the most common cyberattack methods and is highly effective because it exploits human weaknesses to target individuals, businesses, and organizations in all sectors.
An astonishing 55% clicked on the email, and 30% of them even entered their credentials. After 'stealing' the credentials, we attempted to connect to accounts, which was easy.
We didn't need to sign in any other way than with the credentials because Multi-Factor Authentication was not enabled. MFA is a multistep login process that asks users to sign in with their passwords and with an additional method such as a code received via email.
After several attempts, we were able to sign in with an administrator account, meaning we could compromise all users.
BUSINESS IMPACT
The most common business impact of not enabling multifactor authentication is a higher risk of unauthorized access, which can lead to devastating consequences:
Financial loss: Companies may suffer financial losses due to fraudulent transactions or legal fees resulting from unauthorized access.
Reputation damage: Breaches can tarnish a company's reputation, leading to loss of trust among customers and partners.
Operational disruption: Dealing with security breaches can disrupt normal business operations and divert resources.
Legal consequences: Companies may face legal repercussions, fines, or lawsuits for failing to protect sensitive data.
Customer trust: Breaches erode customer trust and loyalty, leading to customer churn and decreased revenue.
Regulatory compliance: Violations of data protection regulations can result in hefty fines and damage to regulatory standing.
SECURITY MEASURES
We recommend implementing MFA on all internet-facing applications, which significantly diminishes the risk of data breaches. Multifactor authentication is a security measure that requires users to verify their identity using multiple factors, such as a password, a fingerprint, or a unique code sent to their mobile device. MFA is essential because it provides an additional layer of protection against unauthorized access, significantly reducing the risk of compromised accounts and data breaches. Other measures that also protect against phishing include the following:
Educate employees about recognizing phishing attempts and the importance of not clicking on suspicious links or providing personal information.
Use email filtering tools to detect and block phishing emails before they reach users' inboxes.
Regularly update security software and conduct phishing simulation exercises to keep employees vigilant and prepared.
RESOURCES
Google Workspace MFA: Link Google MFA Setup
Microsoft MFA: Link Microsoft MFA Setup