How can your business prevent account takeovers by malicious external actors? What capabilities and policies keep accounts with their legitimate users?
In the earliest days of cybersecurity, keeping malware and viruses at bay was the main focus for many professionals and businesses. Those efforts remain critical to this day (just ask any victim of ransomware), but the focus has shifted toward protecting users. Remember, users are the largest and most vulnerable attack vector in any enterprise, regardless of vertical or size. A user’s account in the wrong hands could devastate your organization’s IT environment.
After all, through account takeovers, hackers can steal finances and data, cause downtime, or plant malware for long-term attacks. Taking over a user’s account is fairly easy, in some ways easier than a direct malware attack. Left to their own devices, users tend to choose weak passwords or other authentication factors. Worse, they often reuse passwords, so a breach at another business can expose your accounts as well.
How can you prevent account takeovers? Through stronger identity management.
Preventing Account Takeovers
Establishing Multifactor Authentication
Ultimately, one of the best ways to prevent account takeovers is to make the authentication process more complex in terms of factors demanded. The typical rule of thumb here states that the more factors between the access request and the granting of access, the safer your data and accounts stay.
Multifactor Authentication (MFA) effectively adds factors to the authentication process, with your business choosing which factors apply to which accounts. You may decide to ask all employees to supply biometric factors like fingerprint recognition as part of their average login process. Alternatively, you could ask all of your most privileged users to supply a token during their logins (these tokens can even be their mobile devices).
The choices are up to you. The important part is to put more barriers in front of external hackers so that, even if a password is stolen or guessed, they can’t easily access the account.
Remember, MFA doesn’t need to include intrusive factors unless you want them. You can ask your identity and access management provider to deploy factors like geofencing and monitoring of the time of each access request to keep your users’ accounts out of the wrong hands.
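To make the contextual factors above concrete, here is an added example (not code from the original post or from any identity provider) of a small step-up decision routine: it evaluates a login request against a geofence, the corporate network ranges, the time of the request and the account's privilege level, and returns whether a password alone is enough, a second factor is required, or the request is refused outright. The policy values, network ranges and country codes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class LoginContext:
    """What the identity provider knows about one access request (constructed fields)."""
    user: str
    source_ip: str
    country: str            # geolocation of source_ip, as supplied by the IdP
    requested_at: datetime  # timezone-aware
    is_privileged: bool


@dataclass(frozen=True)
class AccessPolicy:
    allowed_countries: frozenset
    corporate_networks: tuple
    work_hours_utc: tuple = (7, 20)  # password alone is acceptable only inside this window


def decide(ctx: LoginContext, policy: AccessPolicy) -> tuple:
    """Return ("allow" | "require_second_factor" | "deny", reasons)."""
    # Geofence: requests from outside the permitted regions are refused, not stepped up.
    if ctx.country not in policy.allowed_countries:
        return "deny", [f"geofence: {ctx.country} is not a permitted region"]

    reasons = []
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in policy.corporate_networks):
        reasons.append("request from outside corporate networks")

    # Time-of-access check: anything outside the usual window needs a second factor.
    start, end = policy.work_hours_utc
    hour = ctx.requested_at.astimezone(timezone.utc).hour
    if not start <= hour < end:
        reasons.append(f"request at {hour:02d}:00 UTC is outside usual hours")

    # Privileged accounts always present a token, as suggested in the text above.
    if ctx.is_privileged:
        reasons.append("privileged account always requires a second factor")

    return ("require_second_factor", reasons) if reasons else ("allow", [])


# Constructed policy for the example; not a real organisation's settings.
POLICY = AccessPolicy(
    allowed_countries=frozenset({"US", "CA"}),
    corporate_networks=(ipaddress.ip_network("10.0.0.0/8"),
                        ipaddress.ip_network("203.0.113.0/24")),
)


def make_context(user: str, ip: str, country: str, hour_utc: int,
                 privileged: bool = False) -> LoginContext:
    """Helper to build a constructed request on an arbitrary date at the given UTC hour."""
    return LoginContext(user, ip, country,
                        datetime(2024, 3, 4, hour_utc, 0, tzinfo=timezone.utc), privileged)


if __name__ == "__main__":
    for ctx in (make_context("alice", "10.1.2.3", "US", 15),
                make_context("alice", "198.51.100.7", "US", 15),
                make_context("alice", "10.1.2.3", "US", 2),
                make_context("admin-bob", "10.1.2.3", "US", 15, privileged=True),
                make_context("alice", "10.1.2.3", "XX", 15)):
        print(ctx.user, ctx.source_ip, ctx.country, decide(ctx, POLICY))
```

The routine only ever adds friction (a second factor) or refuses; it never lets a weaker context skip a factor that the baseline policy demands, which is the property to preserve when extending it with further signals such as device posture.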
Better Password Policies
Trying to get employees and other users to follow better password practices is like dieting by switching only from regular soda to diet soda. Sure, it’s healthier, but unless it’s part of a broader pattern of healthier choices, it won’t be enough.
Still, sound password policies help keep bad actors out. Here are a few suggestions:
- Use a password manager and/or password vault to encourage stronger password creation.
- Ask employees to change their passwords on a regular basis (every 6 months or so) and prevent them from simply creating variations of their previous passwords (Password can’t become Passw0rd).
- Ask employees not to use a password they use for another account.
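The second suggestion above, rejecting trivial variations of an earlier password, is the one most systems get wrong, because comparing hashes of the exact string lets Passw0rd through. The following added example (not code from the original post) keeps a per-user history of salted hashes of both the exact password and a canonical form, so that a candidate is rejected when its canonical form matches an earlier one. The substitution table, minimum length and PBKDF2 work factor are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed table of common character substitutions, so "Passw0rd" and
# "P@ssword" canonicalise to the same base word as "Password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
ITERATIONS = 50_000  # PBKDF2 work factor; an assumption for this example


def normalize(password: str) -> str:
    """Canonical form used only for similarity checks: lowercase, drop digits and
    symbols tacked onto either end, then undo common substitutions."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


def _hash(value: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores passwords or their canonical
    # forms in the clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user record of previous passwords, kept as salted hashes of both the
    exact password and its canonical form."""

    def __init__(self) -> None:
        self._entries = []  # list of (salt, hash_of_exact, hash_of_canonical)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt),
                              _hash(normalize(password), salt)))

    def is_variation_of_previous(self, candidate: str) -> bool:
        canon = normalize(candidate)
        for salt, h_exact, h_canon in self._entries:
            if hmac.compare_digest(_hash(candidate, salt), h_exact):
                return True
            # An empty canonical form (e.g. all digits) carries no signal; skip it.
            if canon and hmac.compare_digest(_hash(canon, salt), h_canon):
                return True
        return False


def check_new_password(candidate: str, history: PasswordHistory,
                       min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if history.is_variation_of_previous(candidate):
        problems.append("reuses or trivially varies a previous password")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.add("Password")  # constructed previous password
    for candidate in ("Passw0rd", "Password1!", "correct horse battery staple"):
        print(repr(candidate), check_new_password(candidate, history))
```

The third suggestion, not reusing a password from another account, cannot be enforced locally in the same way, since the business never sees those other passwords; it is usually approached by screening candidates against a corpus of publicly breached credentials, which can be added as a further check in check_new_password.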
The Principle of Least Privilege
But what happens if an account takeover does occur despite your precautions? It’s not impossible. Even the most sophisticated authentication protocols can fall to a sufficiently determined and well-equipped threat actor.
If your business follows the Principle of Least Privilege, however, the damage a hacker can do with a single compromised account is kept to a minimum. The Principle of Least Privilege states that users should have only the permissions they need to perform their jobs and no more. Thus users in Human Resources can’t access finances, and vice versa. Further, it hinders privilege escalation, which hackers often use to gain administrative power from an ordinary compromised account.