It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.
As part of Phight the Phish week, we want to discuss how organizations can mitigate or prevent the damage done to their resources and infrastructure due to successful phishing attacks on users.
In 2020, 75% of organizations around the world experienced a phishing attack, and 74% of attacks targeting U.S. organizations were successful (Expert Insights). Phishing attacks affect all organizations, and they’re often successful, no matter the targeted industry, organization size, or level of security training provided to users. However, there are controls that IT administrators can put in place to minimize the threat and consequences of phishing attacks, two of which are: implementing single sign-on (SSO) layered with multi-factor authentication (MFA), and restricting password changes to the user’s device rather than to individual websites.
For context, in this article, we’re going to define:
- A successful phishing attack as an event in which a bad actor successfully steals a user’s credentials (primarily passwords) via phishing.
- An organizational phishing attack as an event in which a user’s stolen credentials are used to access organization-owned resources.
Phishers utilize a number of different tactics and techniques, with a variety of intentions set to get them deeper into an organization or to profit from stolen data. Read more about the fundamentals of phishing here.
The Prevalence of Phishing
Because phishing attacks are so common all around the world, it’s essential that your organization puts the proper controls in place to mitigate risk and reduce potential vulnerabilities. Plus, the prevalence of remote work increases risk because employees are no longer working every day from an office where the network and the devices they use are under your control. On top of that, scaling an organization adds even more exposure: each new user is another set of credentials and devices, and any gap in how they are managed is one that bad actors can and will take advantage of.
One significant step you should take to prevent phishing attacks is to educate employees on the different forms of phishing, what to do if phishing is suspected, and how to pause and verify rather than react impulsively to emails, even when they’re in a hurry. However, training alone is not nearly enough. Users work quickly to meet deadlines, make assumptions without thinking critically, and often reuse passwords, or near-variants of them, across business and personal accounts, so a single harvested password can quickly turn into a full-blown security incident. Online behavior today consists of skimming emails, clicking through items quickly, and logging into websites and apps from muscle memory, often without noticing that something is off, all of which makes a successful phishing attack more likely.
Without the right controls in place, these seemingly small events create massive security issues for your organization that can have lasting effects. This is where a comprehensive SSO solution layered with multi-factor authentication is integral. Along with that, requiring that passwords be changed only on the user’s device, never through a website, takes away the classic phishing lure: if users know that a legitimate password change never happens in a browser form, any web page asking them to enter or update a password is itself a warning sign.
How SSO Reduces the Risk of Phishing
Without a single sign-on solution in place, users and IT admins waste time remembering and resetting a multitude of passwords and dealing with lockouts, and every separately managed password used to reach a company resource is one more credential that can be phished, reused, or leaked. Once that sprawl grows large enough and a mistake is made, your organization’s infrastructure, data, personal information, and resources are exposed to theft and manipulation. Organizational phishing attack prevention starts with implementing a well-hardened SSO solution: reducing the number of credentials in circulation reduces the attack surface.
There are SSO point solutions and comprehensive SSO solutions out there. SSO point solutions are quickly becoming a thing of the past because they focus entirely on application access and neglect other critical IT resources like devices, networks, and more, which makes the primary benefits of a comprehensive SSO solution crystal clear.
Those benefits include:
- Improved user experience
- Access to virtually all IT resources using a single set of credentials (in other words, fewer credentials in circulation and a smaller attack surface)
- Added layers of security built around access and credential management
- Improved productivity within the organization
Plus, a comprehensive SSO solution comes in the form of a cloud directory platform that has many other security and productivity features built-in, such as MFA, password complexity requirements, on-device password change capabilities, policies, device and user management, cloud RADIUS, cloud LDAP, and more. Being able to enjoy all of these capabilities from one platform helps strengthen security because it all works together seamlessly, and there’s no need for other questionable add-on solutions.
After rolling out an SSO solution, most organizations immediately enforce MFA and password complexity requirements to ensure that the single password each employee uses is one that is obscure, hard-to-guess, and not easily leveraged if compromised.
How MFA Reduces the Risk of Phishing
Multi-factor authentication is an excellent security layer to add to your organization, especially for organizational phishing attack prevention. MFA requires that users proving their identity supply, in addition to their password, another factor that only they should possess. It offsets the fact that passwords alone are a flawed security measure, for the reasons listed above and because users can be tricked into disclosing them with relative ease.
Similarly, step-up MFA can be put in place to protect sensitive information. With step-up authentication, users may access some resources without a second factor, but when they request more sensitive data they are prompted to authenticate again. Step-up authentication can also exist within an application or system, prompting the user for a second factor even if they already supplied one at initial login, or if that proof is older than the policy allows. This can stop an attacker in their tracks even if they succeeded at the initial authentication.
Whether or not your organization currently uses single sign-on capabilities, multi-factor authentication should be enforced across employee accounts. If your organization does not use SSO, that means that hundreds to thousands of different credentials may exist, and each one of those credentials is vulnerable to phishing attacks. Enforcing MFA requirements across every critical resource that each employee logs into may feel cumbersome to some — but is it worth the risk to not do it at all?
The best solution to adopt in this scenario would be an SSO platform with integrated MFA capabilities to cut down on the MFA setup and reduce the overall complexity of the process for end users. However, if you already have an SSO solution in place without layered MFA, then it’s past time to look into a more comprehensive security solution.
Phishing vs SSO
Without any context or background knowledge, the idea of having an SSO solution in place amidst a phishing attack can be a scary concept. A common question that arises is, “Wouldn’t having one password that provides access to all of my organization’s resources make it easier for bad actors to wreak havoc via a phishing attack?”. The short answer to this is no, not when it’s implemented correctly — there’s a lot more that goes into this than meets the eye.
If you decide to implement an SSO platform but you choose not to enforce password complexity requirements, MFA, conditional access policies, password change policies, where password changes take place (on-device), or anything related, you’re still leaving your organization at more risk than necessary.
However, if you do implement some or all of these other features across user accounts, the level of security improvement made will be drastic compared to not using SSO in the first place. The thought process in your organization should never be SSO vs MFA — they work together and should be used in conjunction to truly protect your users and your organization’s resources and data.
How to Prevent Organizational Phishing Attacks With SSO, MFA, and Policies
When implementing an SSO solution within your organization, the bare minimum that we recommend you do is adopt and enforce password complexity requirements and regularly scheduled password change policies while enforcing main password changes only on the device, not within any web tools. These things add an important layer of security to each user’s SSO credentials. Further, we recommend that you also add MFA into the mix, and if you’re feeling extra proactive, throw in conditional access policies too.
Strong password complexity requirements, combined with password history enforcement, ensure that users create new passwords they have not used before and that are hard to guess. Scheduled password changes on top of that shorten the window in which a harvested password remains valid. Note that current guidance (NIST SP 800-63B) favors forcing a change on evidence of compromise over rotation on a fixed calendar, since frequent forced changes push users toward predictable variants, so treat rotation as a supplement to, not a substitute for, the MFA and conditional access controls that follow.
Going up the security ladder, MFA can prevent over 99.9% of account compromise attacks (Corsica Technologies). And, should a malicious actor be able to bypass this security control, conditional access policies can further protect critical access by requiring specific conditions around the device and network from which access is being requested.
An example of MFA in action during a phishing attack:
A user’s SSO account is protected with MFA, and a successful phishing attack gives a bad actor that user’s password. When the bad actor tries to authenticate to the SSO portal, the login either sends a push notification to the user’s enrolled device or prompts for a time-based one-time password (TOTP) code generated by the user’s authenticator app, neither of which the attacker has. Without MFA, that bad actor would have had immediate access to every resource provisioned to that user.
But let’s say the bad actor tricked the end user into entering their TOTP code on the phishing page and relayed it to the real login within the code’s validity window, or the user approved a push prompt they did not initiate. In this case, conditional access policies that block authentication attempts from unmanaged devices or unapproved networks mean the bad actor still cannot reach the organization’s resources with the password and TOTP combination. Because a TOTP code or a push approval can be relayed in real time, phishing-resistant factors such as FIDO2/WebAuthn security keys, whose responses are bound to the legitimate site’s origin, are the stronger choice where available.
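The step-up and conditional access logic described in this section and in the step-up MFA section above, as an added example that is not JumpCloud’s code or part of the original post: a single login decision that verifies a TOTP code per RFC 6238, then applies device and network conditions, then demands fresh MFA for sensitive resources. The resource names, the managed networks, and the use of the RFC 6238 test secret are assumptions made for illustration.

```python
"""Added example (not JumpCloud code): an SSO login decision that verifies a
TOTP code per RFC 6238, applies device/network conditional access, and requires
step-up re-authentication for sensitive resources. Resource names, networks and
the shared secret are constructed for illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment
# stores a random per-user secret shared only with the authenticator app.
SECRET = b"12345678901234567890"
STEP = 30                      # TOTP time step in seconds
STEP_UP_MAX_AGE = 300          # seconds a prior MFA proof stays good for sensitive resources
SENSITIVE_RESOURCES = {"payroll", "admin-console"}                          # hypothetical
MANAGED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # constructed


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = 6) -> str:
    """HOTP(K, floor(T/step)) with HMAC-SHA1 and dynamic truncation (RFC 4226/6238)."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew.
    Consequence for phishing: a code relayed by an attacker inside this
    window is indistinguishable from one typed by the user."""
    return any(
        hmac.compare_digest(totp(secret, now + i * STEP), code)
        for i in range(-window, window + 1)
    )


@dataclass
class LoginRequest:
    user: str
    password_ok: bool          # result of the password check, done elsewhere
    totp_code: Optional[str]   # None when the client sent no second factor
    device_managed: bool       # asserted by the device agent / client certificate
    source_ip: str
    resource: str
    now: int                   # Unix time of the request


def evaluate(req: LoginRequest, secret: bytes, session_mfa_at: Optional[int] = None) -> str:
    """Return 'allow', 'step-up:...' or 'deny:...'. `session_mfa_at` is the time
    of the last successful MFA in the user's existing SSO session, if any."""
    if not req.password_ok:
        return "deny:password"
    # Conditional access: a phished password plus a relayed code still fails
    # here when the attacker is on an unmanaged device or an unapproved network.
    if not req.device_managed:
        return "deny:unmanaged-device"
    if not any(ip_address(req.source_ip) in net for net in MANAGED_NETWORKS):
        return "deny:network"
    if req.totp_code is not None:
        if not verify_totp(secret, req.totp_code, req.now):
            return "deny:mfa-invalid"
        session_mfa_at = req.now
    if session_mfa_at is None:
        return "deny:mfa-required"
    # Step-up: sensitive resources need an MFA proof fresher than STEP_UP_MAX_AGE,
    # even inside an already-authenticated session.
    if req.resource in SENSITIVE_RESOURCES and req.now - session_mfa_at > STEP_UP_MAX_AGE:
        return "step-up:mfa-required"
    return "allow"
```

With the RFC 6238 vector (time 59), `totp(SECRET, 59)` is `287082`, and `verify_totp` accepts that same code when an attacker replays it a few seconds later, which is exactly why the device and network checks run before the factor is even considered: the relayed code is valid, but the request is not coming from where a legitimate one would.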
Hopefully in any of these situations, IT will notice that something is off with that user’s login attempts, force an immediate password change, revoke the user’s active sessions and tokens, and re-enroll MFA if it may have been compromised, while digging into the situation further, thus keeping the bad actors behind successful phishing attacks away from organizational resources.
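What “noticing that something is off” can look like in practice, as an added example that is not JumpCloud’s code or part of the original post: detection logic run over constructed SSO authentication log lines that flags a burst of MFA failures followed by a success from an IP the user has never used, on an unmanaged device. The log format, field names, addresses and the per-user IP baseline are invented for illustration; a real detector would read these fields from your identity provider’s own event schema.

```python
"""Added example (not JumpCloud code): flag the login pattern described above,
a burst of MFA failures followed by a success from a new IP on an unmanaged
device, over constructed SSO authentication log lines. The log format, field
names and addresses are invented for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"ip=(?P<ip>\S+) mfa=(?P<mfa>\S+) device=(?P<device>\S+)$"
)

# Constructed sample: alice's normal login, then an attacker using her phished
# password from 198.51.100.7 and failing MFA until a relayed code works.
SAMPLE_LOG = """\
2021-10-12T09:00:00Z user=alice result=success ip=10.1.2.3 mfa=ok device=managed
2021-10-12T09:30:00Z user=alice result=fail ip=198.51.100.7 mfa=fail device=unmanaged
2021-10-12T09:31:00Z user=alice result=fail ip=198.51.100.7 mfa=fail device=unmanaged
2021-10-12T09:32:00Z user=alice result=fail ip=198.51.100.7 mfa=fail device=unmanaged
2021-10-12T09:33:00Z user=alice result=success ip=198.51.100.7 mfa=ok device=unmanaged
2021-10-12T09:40:00Z user=bob result=success ip=10.1.2.9 mfa=ok device=managed
""".splitlines()

# Baseline of IPs each user has logged in from before (constructed; would come from history).
KNOWN_IPS: Dict[str, Set[str]] = {"alice": {"10.1.2.3"}, "bob": {"10.1.2.9"}}

Alert = Tuple[str, str, datetime]  # (user, signal, time)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines: List[str], known_ips: Dict[str, Set[str]],
           fail_threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Emit one alert per signal, in log order. Signals: an MFA failure burst,
    a success from an IP not in the user's baseline, a success from an
    unmanaged device, and a success shortly after MFA failures."""
    known = {u: set(ips) for u, ips in known_ips.items()}   # do not mutate the caller's baseline
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Alert] = []
    for ev in filter(None, map(parse, lines)):
        user, t = ev["user"], ev["ts"]
        if ev["mfa"] == "fail":
            recent_fails[user] = [x for x in recent_fails[user] if t - x <= window] + [t]
            if len(recent_fails[user]) == fail_threshold:   # fire once when the burst is reached
                alerts.append((user, "mfa-failure-burst", t))
        elif ev["result"] == "success":
            if ev["ip"] not in known.get(user, set()):
                alerts.append((user, "success-from-new-ip", t))
            if ev["device"] != "managed":
                alerts.append((user, "success-from-unmanaged-device", t))
            if recent_fails[user] and t - recent_fails[user][-1] <= window:
                alerts.append((user, "success-after-mfa-failures", t))
            known.setdefault(user, set()).add(ev["ip"])    # learn the IP after alerting on it
    return alerts


def signals_for(user: str, lines: List[str] = SAMPLE_LOG) -> List[str]:
    """Ordered list of signal names raised for one user over the sample log."""
    return [sig for u, sig, _ in detect(lines, KNOWN_IPS) if u == user]


if __name__ == "__main__":
    for user, sig, t in detect(SAMPLE_LOG, KNOWN_IPS):
        print(f"{t.isoformat()} {user}: {sig}")
```

Run against the sample, alice produces four signals (the failure burst at 09:32 and three on the 09:33 success) while bob produces none. Any one signal alone is noisy; the combination on a single account within a few minutes is what should trigger the password reset and session revocation described above.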
Organizational Phishing Prevention: JumpCloud’s All-in-One Solution
The JumpCloud Directory Platform includes many features that improve organizational security and user productivity. These features work to prevent any extra fallout from a successful phishing attack other than having to force a password change on an account. One of these features is what we call True Single Sign-On™ which allows users to securely authenticate to virtually any IT resource they need access to, including systems, web apps, legacy apps, networks, file servers, and more, with one set of secure credentials.
Another essential security feature is built-in multi-factor authentication that can be layered over SSO. Within the JumpCloud Console, there are also other features such as password complexity requirements, password reset capabilities, and conditional access policy enforcement. All of these features in JumpCloud work together seamlessly to ensure that only the right users have access to the right resources and to verify identities of those attempting to access those resources, thus minimizing the damage that successful phishing attacks can cause.
Try JumpCloud’s Solution Free
Take the first step towards keeping your organization’s resources safe from successful phishing attacks. Test out JumpCloud’s modern, simplified IAM solution with True SSO, and see if it’s right for your organization! Create a JumpCloud Free account to access the entirety of the platform for free, up to 10 users and 10 devices. Along with that, enjoy 24×7 in-app support — free for the first 10 days!