Organisations must take the lead in hardware security keys, not leave it to end users


It's a daily story: a user's credentials get stolen, whether by social engineering or some other attack. The bad guy logs in to the corporate network or the user's email. The bad guy steals data, corrupts data, or sends fake emails saying payment details have changed. And in every case it could have been thwarted by MFA. iTWire says organisations of all sizes can't leave hardware keys to end users; it must be driven from the top and must have a company-wide approach.

This iTWire story is a little different to others. iTWire reports on the news, telling you what's happening in the world of tech. In this story, however, this iTWire writer wants to make a plea to you that whether your role is business, technology, security, or other, your company must be issuing hardware security keys to staff. For too long these kinds of devices have been left to individuals to think about and take up by themselves, if they even can. I've seen companies where the option to use one isn't even turned on.

Yes, something that should be as essential as this is disabled by default in many applications and environments. For example, Azure Active Directory requires you to go to Security/Authentication Methods/Policies to turn on FIDO2 security key as a valid authentication option.

Not only should institutions of all types have such settings enabled, but they should be providing the security keys too - well, that's my argument, and that's the message I want to leave you with.


I've been reading stories of cybersecurity breaches, and there's often a common pattern. Here's a true story with no embellishment: one small business suffered a breach when a staff member working from home downloaded a cracked version of Adobe Photoshop on their home computer. Not a wise decision, and one that hurt both him and his employer. The cracked software stole his web browser credentials and transmitted them, including his bank and other personal logins, along with those for the company's remote access portal. Forensic logs later identified a remote login using his credentials.

There was no activity for several weeks; investigators believe the credentials were sold on the dark web. Then there was a login, and this time far more malicious. The attacker downloaded software, used a tool called Mimikatz to retrieve other credentials including administrator accounts, then began encrypting file shares and leaving ransomware notes.

Fortunately, the company was able to recover. However, there are many lessons here. And one of the simplest is that multi-factor authentication is something that is frequently neglected but which would have protected the business from any compromise. The user might still have made their own decision to run untrustworthy software, but the impact would have been lessened, especially as far as the company was concerned.

The Medibank and Optus hacks saw usernames and passwords stolen and sold on the dark web, and then used to log into further sites such as The Iconic and Dan Murphy's, because, as we all well know, a lot of people re-use their passwords over and over.

I read the story of this compromise, and many others like it, and it's my sincere conviction that hardware security keys are so essential that they cannot be left to individual users' decisions to adopt or not. It must be a coordinated enterprise-wide organisational approach, led from the top.

Why do I say this?

I've long been interested in security keys such as those by Yubico and by Feitian Technologies, among others. For those not in the know, these are primarily USB-based devices (but NFC options exist, as do other formats) which may look like a traditional USB stick but don't offer any user-editable storage. Rather, they are hardware devices that store encrypted credentials and physically validate your identity. The devices cannot be read from or written to via any conventional means.

Ultimately, you could say they are "yet another" multi-factor authentication device. And, at heart, that is true. Much like you might receive an email-based code, or an SMS-based code, that gives a time-limited one-time use key to confirm your identity, so too, the security key validates your identity and prevents attackers from connecting to a system because they lack the third factor - even if they've stolen your username and password somehow.

However, unlike an email and a text message, the hardware-based security key is a physical asset you carry. Your email can be breached, even your phone number and text messaging can be breached. And then if the bad guy has access to your email or messaging, they can gain access to any system you have which relies on email or text message for its third factor.
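To show why a hardware key resists phishing in a way that an emailed or texted code does not, here is an added toy model (not code from Yubico or from this article) of the FIDO2 flow: the key holds one key pair per site, signs the site's challenge together with the origin the browser reports, and the site verifies both. Ed25519 and a small JSON structure stand in for the real CTAP/WebAuthn formats, and the domain names are constructed examples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors what a browser hands the key to sign: the server's
// challenge plus the origin the user is actually on (simplified here).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy stand-in for a hardware key: one key pair per
// relying party, and the private half never leaves the device.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a credential scoped to rpID; the site stores the public key.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// Assert signs challenge and origin. A lookalike domain has no credential
// on the key, so nothing is produced for a phishing page to relay.
func (a Authenticator) Assert(rpID, origin, challenge string) (cd, sig []byte, ok bool) {
	priv, found := a[rpID]
	if !found {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:]), true
}

// Verify is the site's check: its own origin, the challenge it issued for
// this login attempt, and a valid signature under the stored public key.
func Verify(pub ed25519.PublicKey, origin, challenge string, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin || got.Challenge != challenge {
		return false
	}
	h := sha256.Sum256(cd)
	return ed25519.Verify(pub, h[:], sig)
}
```

A stolen password plus a stolen SMS code can be replayed by the attacker, but an assertion signed for the real origin fails on any other origin, and the key simply has no credential for a lookalike domain.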

A real example of this is the classic "Reply All" podcast episode, the Snapchat Thief. This is a truly engaging story, and one of the most memorable episodes of that podcast (along with the episodes where they travelled to India to visit a scam call telemarketing office). You can hear it at Gimlet Media, Spotify, Soundcloud, Apple Podcasts, and more.


The story is that Lizzie's Snapchat account was hijacked and sold. She reached out to the podcast for help getting it back, which led the investigative story in a wild direction as it chased down the buyers and sellers, uncovering an underground movement of hackers taking over "OG" social media accounts for the highest bidder. By "OG" they mean social media accounts with prized usernames - like, say, 'david' instead of 'davidw_132324'. And, while Lizzie did have text-based multifactor authentication, the hacking group used SIM swapping to get around this.

SIM swapping is when a mobile service is literally transferred from one SIM card to another through either social engineering tricks or even by working with corrupt telco employees. You can read more here or here. In that latter article, Motherboard said, "In addition to her Instagram handle, one SIM hijacking victim I spoke to got her Amazon, Ebay, Paypal, Netflix, and Hulu accounts hacked as a result."

The podcast has a happy ending; they recovered the Snapchat account for Lizzie and the hacker reflected on how what he does genuinely impacts real people. The hacker also advised on how to protect your online identity from people like him.

This includes separating your phone number from your account credentials. Use a different password for every service. Use lengthy passwords. And ... use a hardware-based security key such as a Yubikey.

Much has been said about Yubikeys, on iTWire and elsewhere, and there is no shortage of help available on how to set one up. Yet all this advice is largely targeted at the individual. If I, David, want to set up a Yubikey, I do it like this and like that.

And that's great - for me.

However, if you're in charge of security, safety, finances, technology, or the risk reputation of any business, you need to go further. It can't be left to the individual, hoping that people like me will think about this - even know about the options - and then implement it themselves.

I reached out to Yubico regional VP APJ Geoff Schomburgk for help. Geoff has long been a friend of iTWire, always willing to share his knowledge and expertise. I wanted to know if I was on the right track, if Yubico had any enterprise support, and if Yubico can help companies implement a Yubikey rollout plan. And sure enough, the answer to all three was yes!

You can see our discussion here. As always, Geoff was extremely informative.

Right from the start, Yubico supports enterprise rollouts, helping organisations deploy phishing-resistant hardware-based MFA to their users. This is offered as a subscription service, allowing your company to provide a YubiKey to each staff member, plus have an allowance for lost devices and new staff hires.

I asked Geoff about how a traditional IT department would manage YubiKeys at scale. After all, the IT team is already used to patching operating systems, managing application updates, even driver updates for everything from laptops to headsets. The best advice, Geoff says, is to think about it differently. The YubiKey - by nature - must be a personal device; it is not something that admins can read from and write to. When a staff member leaves, let them take the key with them for their own use - after all, if you deactivate the company accounts the user is locked out, regardless of their YubiKey - and then issue a new one to the next person.

I asked Geoff if a company could use a YubiKey rollout for some marketing - get custom printing with the business logo on it, like you might do with USB sticks or mugs or pens. You can, Geoff said, but it's not a smart idea. After all, why emblazon a security device with information on what it is protecting? This makes it a more attractive target.

I asked Geoff about pricing; there are different YubiKey models that provide different features, including NFC and biometrics, among others. There is even a hardware security module (HSM) in a small form factor to protect servers. You can thus customise the YubiKey rollout for whatever makes sense for your business, in line with budget.


I asked Geoff if Yubico can help give enterprises advice in how to successfully roll out a hardware security key program. Again, the answer is yes.

The company has a dedicated team who can consult on this, and also conducts research to share best practices and the state of the industry.


Geoff was a font of wisdom, as always.

For the sake of balance, please be aware other providers of hardware-based security keys exist, but my main objective here was twofold.

  • Firstly, to make a case why enterprises must take security keys seriously as a company-driven initiative, and
  • Secondly, to identify if security key providers had enterprise support, which Geoff has confirmed.

So now, what will you do after reading this? Do you think security is still something to leave to chance? Or do you think it's up to individuals? Let's work together to make your company and your workers safer and more secure, and let's stop seeing security keys as an afterthought or luxury or for some other time.
