I wrote a blog article a while ago about how sh*t happens. Sh*tty things will happen no matter how hard you try to avoid them, so the important thing is how you deal with them when they become reality. Well, some cyber security sh*t happened recently and it was a great learning experience for us. Luckily, it was in a controlled situation, so we were never concerned about an official security incident happening. We had one of our security partners do a penetration test, which basically means they did everything they could to try and hack into our systems. And I mean everything, since they were very creative in their efforts. Admittedly, most companies do not need to be worried about being singled out like this by a hacker, but IT support and security firms like Waident are being targeted since we hold the virtual keys to our clients’ kingdoms.
So what happened and what did we learn? By design, no one on the team here knew that we were doing a penetration test, and it was done at random dates/times over a one-week period. Much of the process was invisible to the end user, but the one item that did cause some angst was a phishing email. The security partner purchased a new domain name similar to waident.com and replicated the web login page for our technology management system. During their process they identified the person on our team who would most likely send out an email to everyone asking them to test the system and click on a link. Mind you, we are all security-conscious and I thought for sure no one would fall for a phishing email, but as it turned out, I was wrong. I was also one of the guilty parties that fell for it! I figured if it could happen to me, someone who is already paranoid about this being a possibility, it could happen to anyone.
What we realized from this phishing exercise is that MFA is not the panacea for login security. The security partner watched their phishing platform capture the username, the password and then the 6-digit MFA code, all entered in real time, so they could immediately enter those into the actual production platform. Voilà, they were in our systems. Our partner did say that they got VERY lucky with several of their items and would not expect this to work in a real-life hack. Yeah, that is great and all, but still sucky that we failed. It did, though, identify a real security hole that we could then address.
Well, sh*t happens, so this is what we did about it.
- We turned on the banner text below so it appears on every email we receive from an external party. This way, if someone’s email is spoofed, we will see that it is coming from someone outside of the organization. This is super easy to activate in Office 365.
  - Caution: EXTERNAL EMAIL. Be security smart and DO NOT click on links or open attachments unless you are certain they are harmless.
- We have new processes in place to avoid this type of situation in the future:
  - We will not send out emails for testing like this again. Instead, the communication will go through our internal Teams channel.
  - We will be doing additional phishing tests.
  - We will continue to communicate and educate our team about security and never stop.
- We use Cisco DUO for our MFA (Multi-Factor Authentication) platform. This system can handle multiple different MFA options like texting, entering 6-digit codes, phone calls, and the most secure – a pop-up on your phone. Texting is the least secure, so we do not use that for any of our internal platforms that contain client data. We use the 6-digit codes for most applications, but several allow for the most secure option, pop-up authentication on your smartphone. We are doing everything we can to incorporate this pop-up option for every eligible system. I understand this all sounds confusing, so just set up a time to chat about this and I can explain it much better.
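How the external-sender banner from the first item can be switched on from Exchange Online PowerShell, as an added example rather than the post's own configuration. It assumes the ExchangeOnlineManagement module is installed, the account used has Exchange admin rights, and the sign-in name and rule name below are placeholders you would change.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange admin account.
# The UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# The banner wording quoted in the post, wrapped in a little HTML so it stands out.
$bannerText = "Caution: EXTERNAL EMAIL. Be security smart and DO NOT click on links or open attachments unless you are certain they are harmless."
$bannerHtml = "<div style='background-color:#FFEB9C;border:1px solid #9C6500;padding:6px;font-family:sans-serif;font-size:12px;'>$bannerText</div>"

$ruleName = "External sender warning banner"   # placeholder name

# Mail flow (transport) rule: sender outside the tenant, recipient inside it.
$ruleParams = @{
    Name                               = $ruleName
    FromScope                          = 'NotInOrganization'   # sender is not one of our mailboxes
    SentToScope                        = 'InOrganization'      # recipient is one of ours
    ExceptIfSubjectOrBodyContainsWords = 'Caution: EXTERNAL EMAIL'  # do not stack a second banner on replies/forwards
    ApplyHtmlDisclaimerLocation        = 'Prepend'             # banner goes at the top, where people look
    ApplyHtmlDisclaimerText            = $bannerHtml
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'                # if the body cannot be edited, wrap it rather than skip the banner
    Priority                           = 0                     # evaluate before other rules
}

# Only create the rule once so re-running the script does not add duplicates.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule @ruleParams
}

# Separately, turn on the "External" tag that Outlook clients show on the sender line.
# This is a tenant-wide client-side marker and does not modify the message body.
Set-ExternalInOutlook -Enabled $true

# Confirm the rule exists and is enabled before trusting it.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Priority, FromScope, SentToScope

Disconnect-ExchangeOnline -Confirm:$false
```

Send yourself a message from a personal mailbox afterwards to confirm the banner appears, and reply to it to confirm the exception stops a second banner being added.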
The moral of the story is to not let down your guard, add more layers to your security sandwich, and learn from when sh*t happens and do better next time!