Attacks are harder when a cybercriminal needs to compromise multiple factors, instead of just one knowledge-based factor like a password. MFA authentication can incorporate something you know (a password or PIN), something you have (a physical hardware token or mobile device), or something you are (a fingerprint).
Some of the more popular cloud platforms have MFA as a base security feature without additional payment. This should always be turned on. Microsoft also recently released a feature that allows organisations to tie an MFA session to one device only, which further protects against many MFA bypass attacks.
More information about the threat of stolen credentials can be found here.
For very high-privileged users like global administrators, the best option is physical MFA tokens. Phishing-resistant MFA keys like Yubikeys ensure sensitive login information never leaves the user s device and are not stored on a server. This is the only MFA our team has yet to see bypassed.
A large organisation in manufacturing received the monthly invoice for their cloud services, only to find it was $300,000 (or almost five times) their usual cost.
They notified Beazley of a compromise of their Azure cloud environment, and we helped to coordinate forensics. Investigation determined that the cybercriminals had compromised an Azure cloud account, abused lax permissions to escalate privileges, and created hundreds of new virtual servers to mine cryptocurrency.
The cybercriminals had intentionally avoided making changes to existing resources to avoid making noise and prevent detection. We provided guidance on better securing cloud accounts and implementing budget alerts to help quickly identify future budget overruns.
The information set forth in this communication is intended as general risk management information. It is made available with the understanding that Beazley does not render legal services or advice. It should not be construed or relied upon as legal advice and is not intended as a substitute for consultation with counsel. Although reasonable care has been taken in preparing the information set forth in this communication, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information. Non-insurance products and services are provided by non-insurance company Beazley affiliates and independent third parties. Separate terms and conditions may apply.
For very high-privileged users like global administrators, the best option is physical MFA tokens. Phishing-resistant MFA keys like Yubikeys ensure sensitive login information never leaves the user s device and are not stored on a server. This is the only MFA our team has yet to see bypassed.
