November 7, 2023 at 12:23PM
The recent cyberattacks on MGM Resorts International and Caesars Entertainment highlight the impact of data breaches on organizations. The breach was orchestrated through social engineering tactics using information obtained from LinkedIn. The root cause of such breaches is the continued reliance on legacy sign-in credentials, which are easily compromised. In the age of advanced phishing techniques and generative AI, these attacks have become more successful. Training employees to spot phishing emails is no longer an effective defense. To combat these threats, organizations should adopt phishing-resistant authentication methods such as Fast Identity Online (FIDO) passwordless authentication. This approach ensures that even if employees fall for social-engineering attacks, they cannot give away sign-in credentials. Organizations that persist in using passwords and knowledge-based credentials are putting themselves at risk and may face accusations of negligence. It is essential for companies to adapt to the changing cybersecurity landscape and implement robust security strategies.
The root cause of the breach at MGM Resorts International and Caesars Entertainment is the continued reliance on legacy sign-in credentials like passwords and SMS one-time passcodes. The attackers obtained an employee's sign-in credentials by impersonating that employee and convincing MGM's IT help desk to provide the credentials. This breach and other high-profile breaches have happened because phishing and social engineering attacks have become more successful and more popular, especially in the age of multifactor authentication (MFA) bypass toolkits and generative AI. These attacks can be automated and made to look more legitimate, so more victims are tricked. Traditional training methods for defending against phishing, such as looking for poor grammar or misspelled words, are no longer effective in today's landscape. To protect against similar attacks, the Cyber Safety Review Board (CSRB) recommends that organizations adopt phishing-resistant authentication, such as Fast Identity Online (FIDO) passwordless authentication. This approach requires possession of a device for sign-in or account recovery, ensuring that even if an employee falls for a social engineering attack, they cannot give away sign-in credentials. Organizations can combine phishing-resistant authentication with more advanced identity verification methods to better distinguish legitimate account lockouts from attacks. It is crucial for organizations to recognize the changing cybersecurity landscape and eliminate their dependence on passwords and knowledge-based credentials to mitigate the risk of future breaches.
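The reason a FIDO credential cannot be "given away" the way a password or SMS code can is that the credential is scoped to the site's origin and the signature covers that origin, so a look-alike domain cannot obtain a usable assertion even if the user is fully convinced. The following is an added, simplified simulation written for this page (it is not code from the article, the CSRB, or any FIDO implementation) that models the three parties of a WebAuthn sign-in: a device holding one Ed25519 key per RP ID, a browser that derives the RP ID from the page origin it is actually on, and a relying party that checks challenge, origin, RP ID hash and signature. The origins `login.mgm.example` and `login-mgm.example` are constructed placeholders; real WebAuthn authenticator data and client data carry more fields than shown here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// ClientData mirrors the fields of WebAuthn CollectedClientData that the
// relying party (RP) checks. The browser, not the user, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives back after a sign-in ceremony.
// AuthData is simplified here to just the SHA-256 of the RP ID.
type Assertion struct {
	AuthData   []byte
	ClientJSON []byte
	Signature  []byte
}

// Authenticator is a simulated FIDO device holding one key pair per RP ID.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey
}

var ErrNoCredential = errors.New("authenticator: no credential scoped to this RP ID")

// Register creates a credential scoped to rpID and returns the public key the RP stores.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if a.creds == nil {
		a.creds = map[string]ed25519.PrivateKey{}
	}
	a.creds[rpID] = priv
	return pub
}

// BrowserGet models navigator.credentials.get(): the RP ID is derived from the
// origin the browser is really on, so a look-alike domain asks the device for a
// credential it never created and gets nothing to relay to the real site.
func BrowserGet(a *Authenticator, pageOrigin, challenge string) (Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil {
		return Assertion{}, err
	}
	rpID := u.Hostname()
	priv, ok := a.creds[rpID]
	if !ok {
		return Assertion{}, ErrNoCredential
	}
	cj, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cj)
	msg := append(append([]byte{}, rpHash[:]...), cdHash[:]...)
	return Assertion{AuthData: rpHash[:], ClientJSON: cj, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyAssertion is the RP-side check: fresh challenge, expected origin,
// matching RP ID hash, and a signature over authenticator data plus client data.
func VerifyAssertion(pub ed25519.PublicKey, rpID, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replay?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData, rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientJSON)
	msg := append(append([]byte{}, as.AuthData...), cdHash[:]...)
	if !ed25519.Verify(pub, msg, as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// NewChallenge returns a random, single-use challenge as the RP would issue it.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Scenario registers one device with the real site, then runs a legitimate
// sign-in and a sign-in attempted from a phishing origin, returning each outcome.
func Scenario(realOrigin, phishOrigin string) (legit error, phish error) {
	var dev Authenticator
	u, _ := url.Parse(realOrigin)
	rpID := u.Hostname()
	pub := dev.Register(rpID)

	ch := NewChallenge()
	as, err := BrowserGet(&dev, realOrigin, ch)
	if err != nil {
		return err, nil
	}
	legit = VerifyAssertion(pub, rpID, realOrigin, ch, as)

	// The phishing page relays a challenge, but the device has no credential for its RP ID.
	_, phish = BrowserGet(&dev, phishOrigin, NewChallenge())
	return legit, phish
}

func main() {
	legit, phish := Scenario("https://login.mgm.example", "https://login-mgm.example")
	fmt.Println("legitimate sign-in:", legit) // nil
	fmt.Println("phishing sign-in:  ", phish) // ErrNoCredential
}
```

The two checks that matter for phishing resistance are the RP ID lookup in `BrowserGet` (the device simply has no key for the wrong domain) and the `cd.Origin != expectedOrigin` test in `VerifyAssertion`, which rejects an assertion even if an attacker somehow obtained one and edited the origin field, since the edit also breaks the signature. Neither check depends on the user noticing anything, which is the property the article is asking organizations to buy.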