Earlier this week, government officials announced arrests in Kuwait, Poland, Romania and South Korea against suspects allegedly connected with the REvil ransomware gang.
The news—which has been covered in everything from major media outlets to cybersecurity trade publications to infosec twitter—amounts to “one of the largest law enforcement crackdowns on suspected ransomware hackers to date,” per NBC News.
It’s great news: in 2020, we saw one successful ransomware attack every eight minutes. During Cybersecurity Awareness Month, SecurID Chief Product Officer Jim Taylor wrote that, over the last year, “we’ve seen hospitals, police departments, the NBA, Minor League Baseball teams and critical infrastructure all get hit by ransomware attacks. As a result, earlier this summer ZDNet published a column asking ‘Have we reached peak ransomware?’”
As good as this week’s news is, ransomware is still a major, costly threat: though the U.S. Justice Department recovered $6.1 million in funds from REvil, the group ultimately brought in more than $200 million. Premiums on cyber insurance covering ransomware have surged by more than 50% in some cases—and some quotes have skyrocketed by 100%.
Businesses can keep up the ransomware crackdown by making the exploit harder to accomplish.
One of the first steps that businesses should take to prevent ransomware is to institute some form of multi-factor authentication (MFA) to confirm that their users are who they claim to be. MFA is such an essential part of any organization’s cybersecurity posture that earlier this year the White House issued an Executive Order mandating that federal agencies use MFA to secure their operations.
But even as foundational as MFA is, many organizations just rely on usernames and passwords to authenticate access requests. Hackers breached Colonial Pipeline using a virtual private network (VPN) that was no longer in use and was not protected by MFA.
VPNs are only as good as the authentication used to access them. On their own, they’re not good enough. Neither are passwords, which were found to be the #1 attack vector in the 2020 Verizon Data Breach Investigations Report.
There are three ways to verify someone’s identity: ask for something they know, something they have or something they are.
Passwords are something you know. But it’s not just a user who can ‘know’ a password. Cybercriminals can effectively spam a system by submitting many passwords in the hopes of eventually guessing correctly. That makes passwords inherently insecure. That flaw is one of the reasons SecurID is a member of the FIDO Alliance and has been working with other global partners to define the standards for a passwordless world.
What cybercriminals typically can’t do is guess a one-time-password before it expires; fake a user’s biometrics; or have an on-demand password sent to a known device (like an employee’s cell phone). By combining multiple factors and adding more layers to how a user authenticates, we make it harder for the bad guys to break in.
That’s what MFA does: it combines various authentication methods to prevent unauthorized users from gaining access.
Every degree of difficulty that we add makes it harder, costlier or more labor-intensive for hackers to gain access. But we have to be careful about layering our security: like Goldilocks, we need something that’s just right. Additional security shouldn’t make it harder for legitimate users to access what they need.
Importantly, as the world continues shifting to hybrid work, we need to ensure that our security encourages users to work within it. That means providing a range of authentication options that work however users do—whether it’s from a Windows-based device, macOS, online, offline or anywhere in between. It also means ensuring that your authentication services work whenever and wherever your team does.
We’ve thought a lot about how to create MFA that balances security and convenience—finding that balance has always been an important way to keep users productive and protected.
But as law enforcement agencies announce new crackdowns, getting the balance right takes on a greater degree of importance: using strong MFA can seal up the vulnerabilities and exploits that ransomware syndicates target, preventing breaches before they occur.
In that light, instituting MFA amounts to good digital citizenship—as a step that we can all take to create a safer internet for each other while withholding resources and territory from the bad guys.