4 lessons learned from Uber's latest breach

Post by monira444 »

Yet another security breach headline may seem like business as usual, but Uber's latest cybersecurity incident is a call for IT leaders to consider their own organizations' vulnerabilities.



On September 19, ride-sharing company Uber suffered another high-profile security breach. A hacker, now believed to be affiliated with the hacking group Lapsus$, likely purchased credentials from the dark web. They used those credentials to execute a multi-factor authentication (MFA) fatigue attack. The attacker repeatedly attempted to log in using the credentials, prompting an Uber contractor to respond to a two-factor authentication prompt. Eventually, the contractor responded to who they believed was an Uber IT person, and the hacker was able to gain elevated access to several tools within Uber’s network.

The same hacker is also allegedly responsible for a breach at Rockstar Games. The details of how the attacker gained access to Rockstar Games' systems are less clear, but these attacks appear to be the work of social engineering.

High-profile security breaches like this might make other leadership teams breathe a sigh of relief. At least it wasn’t their company. But the Uber and Rockstar Games breaches, as inevitable and commonplace as they may seem today, also offer valuable lessons for IT leaders looking to avoid the same fate. Here are four to consider:




1. Multi-factor authentication needs a new look

More than half of businesses are using MFA, according to CyberEdge Group’s 2022 Cyber Threat Defense Report. While it can be a powerful security tool, it’s not foolproof, as the Uber breach clearly illustrated. Evaluating and improving MFA capabilities and access management can be a step toward staying ahead of attackers and their evolving methods.

“There are more secure approaches to multifactor authentication. They may come at an additional cost … in terms of the company [losing] some of its operational flexibility or putting additional burden on employees,” Bob Kolasky, senior vice president at supply chain risk management firm Exiger and former assistant director of the Cybersecurity and Infrastructure Security Agency (CISA), tells InformationWeek.




2. Social engineering is here to stay

Some attacks are successful because hackers are able to exploit network and operating system security vulnerabilities, but in this case, the attacker was able to leverage social engineering. Given the level of success these types of attacks have, it’s unlikely that they’ll stop any time soon.

People can be trained to spot social engineering attempts, but human error isn’t going away. “It’s not the employee’s fault that gets victimized; it can happen to anyone, including veteran security professionals,” says Kurt Alaybeyoglu, senior director of cybersecurity services at business management consulting firm Strive Consulting. “That’s why security professionals have been advocating defense-in-depth approaches to security for two decades.”

Rahul Mahna, managing director at consulting firm EisnerAmper, sees human error as the next frontier in cybersecurity. “We believe that ‘protecting the human’ will be the forefront of cybersecurity efforts in the future,” he says. “An improved way to protect the human is to ensure that they are using a hardware-based key, such as a USB flash drive.”
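The MFA fatigue pattern described in the post (repeated push prompts until one is finally accepted) can be detected in authentication logs. The following is an added example, not part of the original post or any vendor's code; the key=value log format, field names, user, threshold and window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value log format
# (not taken from any real identity provider or from the incident).
SAMPLE_LOG = """\
2024-01-15T01:00:05Z user=c.doe ip=203.0.113.7 mfa=push result=denied
2024-01-15T01:00:40Z user=c.doe ip=203.0.113.7 mfa=push result=timeout
2024-01-15T01:01:10Z user=alice ip=198.51.100.4 mfa=push result=denied
2024-01-15T01:01:30Z user=alice ip=198.51.100.4 mfa=push result=approved
2024-01-15T01:01:55Z user=c.doe ip=203.0.113.7 mfa=push result=denied
2024-01-15T01:02:30Z user=c.doe ip=203.0.113.7 mfa=push result=denied
2024-01-15T01:03:15Z user=c.doe ip=203.0.113.7 mfa=push result=timeout
2024-01-15T01:04:00Z user=c.doe ip=203.0.113.7 mfa=push result=denied
2024-01-15T01:06:20Z user=c.doe ip=203.0.113.7 mfa=push result=approved
"""

def parse(line):
    """Split one log line into a dict with a parsed 'ts' timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Flag bursts of rejected/ignored push prompts and approvals that follow one."""
    unanswered = defaultdict(deque)  # user -> times of denied or timed-out pushes
    alerts = []
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        if ev.get("mfa") != "push":
            continue
        q = unanswered[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once as the burst reaches the threshold
                alerts.append(("push_burst", ev["user"], ev["ip"]))
        elif ev["result"] == "approved":
            if len(q) >= threshold:  # approval right after a burst: review first
                alerts.append(("approved_after_burst", ev["user"], ev["ip"]))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single mistaken denial followed by an approval (the `alice` events) raises no alert; only the burst and the approval that ends it are reported.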