How Adversaries Are Bypassing Weak MFA
Also: All Eyes on Akamai and Empowering Female Security Leaders
The latest edition of the ISMG Security Report discusses how adversaries have a new favorite tactic to circumvent MFA, why vendor Akamai is an appealing target for private equity, and what the industry can do differently to attract more females to leadership roles.
In this report, you'll hear:
- Identity expert Jeremy Grant of Venable LLP describe how the adversaries are bypassing weak multifactor authentication methods;
- ISMG's Michael Novinson discuss how the barrage of acquisition reports around publicly traded digital experience vendor Akamai has intensified in recent weeks and what that may mean for the future of the company;
- Valerie Abend of Accenture explain what the cybersecurity industry needs to be doing differently to attract more females to leadership roles.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Sept. 22 and Sept. 29 editions, which respectively discuss financial giant Morgan Stanley's failure to invest in proper hard drive destruction oversight and what went wrong for Optus in the wake of one of Australia's biggest data breach incidents.
Anna Delaney: How criminals are bypassing MFA, and why Akamai is an appealing M&A target for private equity. These stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. MFA fatigue, a.k.a. MFA bombing, is fast becoming a favorite tactic of hackers to gain entry to an account or device. The attacker floods a user's authentication app with push notifications in the hope they will accept. Unfortunately, sometimes they do. In a recent interview, our VP of editorial, Tom Field, asked Jeremy Grant, managing director of technology and business strategy with Venable LLP and co-founder of the Better Identity Coalition, what trends he is seeing when it comes to adversaries bypassing MFA.
Jeremy Grant: I think one thing you see is, on the security side, we innovate and we put a protection in place, and then the attackers continue to innovate as well. Whereas a few years ago, we were trying to urge people to turn on any MFA. To be clear, I still would urge that as a security professional, because anything's better than none. But a lot of what was implemented was still based on shared secrets. A password's a shared secret: I know it and you know it. If I tell it to you, I get in. With a one-time passcode, all of this is a shared secret that's only good for 30 seconds. Folks got pretty good with spear-phishing attacks in terms of coming up with sites that looked, in some cases, like a pixel-perfect replica of sites that you might be using as a consumer. If they can trick you into handing over your password, they can trick you into handing over that one-time passcode as well. It turns out that 30 seconds is long enough for an account takeover. I've been saying for a long time now that the password strength that people have always focused on for years doesn't matter. I feel every time we're advised to use complex passwords, we're giving people advice about how to go win the last war. If you're falling victim to a phishing attack, which is where most of these things are coming out, then I don't care if your password is 12345 or something that has 34 characters that's complex. If you can be tricked into typing it into your device, or your laptop, then it's going to be compromised. On the MFA front again, whether it's tricking people into handing over that one-time passcode or, in some cases, we're also seeing now what people are calling prompt-bombing attacks, where if you're using a push notification-based MFA, that "Hey, Tom, did you try to log in?" If somebody's already compromised your password, they'll just keep firing those at you until at some point, maybe you hit "yes" to make it go away. Or just by accident. They only have to be right once.
If you're getting a bunch of these notifications, you push the button just once, then you can be phished. We've certainly seen this in some of the higher-profile incidents. I think Uber was the most recent one, where a whole bunch of companies were using push notification. Again, if you go target a hundred people who you think are privileged users, say, the IT side of those companies, and you get one person to click through, then you're in. That, I think, has been something that's getting a lot more attention right now. I think you're starting to see again the focus on things that are resistant to that, like FIDO authentication, because it's based on asymmetric public key pairs. There's nothing to phish, but we've got a long way to go, I think, in terms of solving those issues.
Delaney: The steady barrage of acquisition reports around publicly traded digital experience vendor Akamai has intensified in recent weeks, says our managing editor for business, Michael Novinson. I caught up with him to find out why Akamai is such an appealing M&A target for private equity right now. There is chatter of a potential Akamai acquisition on the horizon. Guide us through the rumors. What do we know?
Michael Novinson: There have been rumors swirling around this for several months, going all the way back to May, when Betaville, which is a blog covering the M&A world, first reported about chatter around this. Then in July, StreetInsider said that there was a financial buyer who was seeking financing to put a deal together. And then just in the past two weeks, both Betaville and StreetInsider have put out additional reports saying that this process is continuing to progress. Most recently, on Monday, StreetInsider said that there was a private buyer, whom they don't identify, who had initiated talks with Akamai around what a potential acquisition might look like. So Akamai's heritage is in the content delivery network space - a direct competitor of Cloudflare - but they haven't expanded aggressively in cybersecurity over the past three or four years, and cybersecurity now makes up roughly 40% of their business. Should the company end up in new hands, it would certainly have a very significant impact on the CISO community.
Delaney: How did we get here, and what actually sparked these rumors in the first place?
Novinson: Taking a step back, we've been seeing a ton of take-private action, which is when, notably, a private equity firm, but it could be a technology company like Google, goes and acquires a publicly traded company and takes them off of the stock market. We've seen this most notably with Thoma Bravo doing that over the past year with Proofpoint, with SailPoint, and now most recently starting the process with Ping Identity. We've seen it with Mimecast and Permira. We've seen it with Tufin and Turn/River Capital. Then there's an offer that's on the table from Vista Equity for a take-private deal with KnowBe4. Akamai is the latest in a long list of companies that may be taken off of the public market. A big reason is the economic downturn - stock prices peaked in November, and Akamai's stock price is down 30% from when it peaked, which was in April. Investors feel like they can get a good deal right now. These are often healthy companies seeing double-digit sales or revenue growth, and investors realize the economic downturn will ease in the next year or two and they can pay 30%-40%, maybe even 50%, less than they would have for the same acquisition a year ago. We've seen a lot of companies either leave the public market or engage in talks to leave the public market, like Akamai is here, but very few companies going public right now, since the IPO landscape has almost completely dried up.
Delaney: Michael, big question - what does the future hold? What are we likely to see next for Akamai?
Novinson: It sounds like these talks are still fairly early, in that the financing was taking several months. Now the two sides are starting to talk. We may be months away from any type of a formal announcement. It's possible that the two sides can come to terms and we won't hear anything at all. But I do think when there's smoke, there's fire. There's a reason why so much of this dialogue is happening right now. Akamai is a bit of a strange animal, in that there are three different business lines - content delivery, cybersecurity and compute, which is focused on essentially an alternative to AWS. It's based off of the company's acquisition of Linode last year. All of these pieces have different growth profiles. The delivery business is shrinking, the cloud computing business is growing 60% a year, and the security business is growing at roughly 20% a year, which is good, not incredible, not as much as Cloudflare. But it's on par with and probably slightly faster than the security industry as a whole. I do wonder, as investors typically don't like to have unlike assets together. I do wonder, depending on who the buyer is, if they might separate some of these pieces; investors like clarity, whether they're in a low-growth business or a high-growth business. I wonder, down the road, if we may see some of these pieces separate. But that's to come. We'll see how things play out here. But given the sheer number of media reports around a potential deal here, I wouldn't be surprised to see some action in the months ahead.
Delaney: Very good. Always interesting and a pleasure to speak with you, Michael. Thank you for sharing your perspective. Finally, why aren't there more women in security leadership positions? Organizations are paying some attention to encouraging more women to follow leadership paths, yet more intention is needed, says Valerie Abend, cyber strategy lead at Accenture. I asked her what the industry needs to be doing differently to attract more females to leadership roles.
Valerie Abend: Attention is good. But it is not intention. I think we have to have a lot of directed and intentional practices that we measure and monitor in an ongoing fashion and that are actually executed by the C-suite and reported out with full transparency. Because if you want to accomplish something, you will make actions very specific for people and you will hold them accountable accordingly. If you have an intentional focus about raising women to the top, you will make sure that they have a seat at the table when a cyber incident occurs and that they have a voice at that table. You will bring them forward into actual board meetings where you're discussing cybersecurity and its intersection with the business. You will put them at the table in ways that not only bring them attention, but you will show with metrics how you're driving that improvement. One of the things that we know from experience is that when you are interviewing people, you should interview diverse candidates first, for example. There are a lot of ways in which you can act with intention to give women more opportunity. We have to make sure that women feel safe, because this is a very risky business we're talking about, or we're talking about companies that are under attack and making headline news, and often the chief information security officer is the voice and the face of when that breach occurs. It's psychologically quite scary. That comment that Lisa made about personal resilience can only happen if the person in that role feels psychologically safe to be able to say what often are difficult messages about choices that have been made, not just in the moment, but over the years, to arrive at a place where potentially you are more vulnerable to an attack. I think there's a lot there to unpack about how we make women feel that they are ready for that role and position them in ways that other people see them to be ready for that role.
Delaney: That's it from the ISMG Security Report. I am Anna Delaney. Until next time.