Phishing Happens and MFA May Not Save You

by John Ahlberg | Sep 25, 2019 | Security

I wrote a blog article a while ago about how sh*t happens. Sh*tty things will happen no matter how hard you try to avoid them, so the important thing is how you deal with them when they become reality. Well, some cybersecurity sh*t happened recently and it was a great learning experience for us. Luckily, it was in a controlled situation, so we were never concerned about an official security incident happening. We had one of our security partners do a penetration test, which basically means they did everything they could to try and hack into our systems. And I mean everything, since they were very creative in their efforts. Admittedly, most companies do not need to worry about being singled out like this by a hacker, but IT support and security firms like Waident are being targeted because we hold the virtual keys to our clients’ kingdoms.

So what happened and what did we learn? By design, no one on the team here knew that we were doing a penetration test, and it was done at random dates and times over a one-week period. Much of the process was invisible to the end user, but the one item that did cause some angst was a phishing email. The security partner purchased a new domain name similar to waident.com and replicated the web login page for our technology management system. During their process, they identified the person on our team who would most likely send out an email to everyone asking them to test the system and click on a link. Mind you, we are all security conscious and I thought for sure no one would fall for a phishing email, but as it turned out, I was wrong. I was also one of the guilty parties that fell for it! I figured if it could happen to me, someone who is already paranoid about this possibility, it could happen to anyone.

What we realized from this phishing exercise is that MFA is not the panacea for login security. The security partner watched their phishing platform and saw the username, the password, and then the six-digit MFA code all entered in real time, so they could immediately enter those same values into the actual production platform. Voilà, they were in our systems. Our partner did say that they got VERY lucky with several of their items and would not expect this to work in a real-life hack. Yeah, that is great and all, but it still sucks that we failed. It did, though, identify a real security hole that we could then address.

Well, sh*t happens, so this is what we did about it.

  • We turned on a banner so that the text below appears on every email we receive from an external party. That way, if someone’s email address is spoofed, we will see that the message actually came from outside the organization. This is super easy to activate in Office 365.
    • Caution: EXTERNAL EMAIL. Be security smart and DO NOT click on links or open attachments unless you are certain they are harmless.
  • We have new processes in place to avoid this type of situation in the future:
    • We will not send out emails for testing like this again. Instead, the communication will go through our internal Teams channel.
    • We will be doing additional phishing tests.
    • We will continue to communicate and educate our team about security and never stop.
  • We use Cisco Duo for our MFA (Multi-Factor Authentication) platform. This system can handle several different MFA options: texting, entering six-digit codes, phone calls, and the most secure, a push pop-up on your phone. Texting is the least secure, so we do not use it for any of our internal platforms that contain client data. We use the six-digit codes for most applications, but several allow for the most secure option, push authentication on your smartphone. We are doing everything we can to enable this push option for every eligible system. I understand this all sounds confusing, so just set up a time to chat about this and I can explain it much better.
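For readers who want to set up the external-sender banner from the first bullet, here is an added example using Exchange Online PowerShell (it is not Waident’s own configuration). It assumes the ExchangeOnlineManagement module is installed and that you hold an Exchange admin role; the rule name, the banner markup and the "[EXTERNAL]" subject tag are my choices.

```powershell
# Added example: create a mail flow (transport) rule in Exchange Online that
# prepends a caution banner to every message arriving from outside the tenant.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
Connect-ExchangeOnline

# Banner body. Inline CSS keeps it visible in most mail clients (wording is ours).
$banner = @"
<div style="background:#FFEB9C;border:1px solid #9C6500;padding:6px;font-family:sans-serif">
<b>Caution: EXTERNAL EMAIL.</b> Be security smart and DO NOT click on links or open
attachments unless you are certain they are harmless.
</div>
"@

$rule = @{
    Name                              = "External Email Warning"   # hypothetical rule name
    FromScope                         = "NotInOrganization"        # sender is outside the tenant
    SentToScope                       = "InOrganization"           # recipient is one of our mailboxes
    ApplyHtmlDisclaimerLocation       = "Prepend"                  # banner goes at the top of the body
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = "Wrap"                     # if the body can't be modified, wrap the original
    PrependSubject                    = "[EXTERNAL] "              # also tag the subject for mobile/preview views
    Priority                          = 0                          # evaluate before other rules
    Comments                          = "Flags external senders so spoofed internal names stand out."
}
New-TransportRule @rule

# Verify the rule was created and is enabled before relying on it.
Get-TransportRule -Identity "External Email Warning" |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

Send yourself a message from a personal mailbox afterwards and confirm both the subject tag and the body banner appear; a rule that exists but is disabled protects no one.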

The moral of the story is to not let down your guard, add more layers to your security sandwich, and learn from when sh*t happens and do better next time!

John Ahlberg, CEO, Waident Technology Solutions

CIO in the corporate world and now for Waident clients. John injects order and technology into business process to keep employees productive, enterprises running, and data safe.
