Gigantic GDPR fines – a game changer for security risk assessment?
British Airways and Marriott International hit the headlines last week – for all the wrong reasons.
The UK’s Information Commissioner’s Office (ICO) has announced its intention to impose the first two fines under the General Data Protection Regulation (GDPR), which came into force in May 2018. British Airways faces a fine of £183m (about 1.5% of global turnover) relating to a 2018 breach. Marriott International faces a fine of £99.2m (about 0.7% of global turnover) relating to a breach that began in 2014 and was only discovered and reported in 2018.
Man-in-the-middle: the BA story
BA was the target of a man-in-the-middle attack which was used to steal personal data, including credentials and payment card details, from around 500,000 users. The attack was apparently enabled by the attackers’ ability to modify JavaScript served from BA’s own website, diverting user traffic to a fraudulent site under their control.
While the ICO fine is not final, and BA plans to appeal, it is worth noting that even a massive fine of £183m is less than half of what GDPR allows: up to 4% of global annual turnover.
Another fine mess: a wake-up call for business managers
This case is a wake-up call. Business managers are ruthlessly rational, and they have a responsibility to catalog their business risks. Each risk is estimated as an expected loss: the financial damage which would be incurred if some event occurred, multiplied (broadly speaking) by the probability of that event taking place.
Many companies take IT security extremely seriously, but there are also many which have, in the past, chosen to take their chances, calculating that the cost of implementing security measures exceeds the probability-weighted cost of a breach. Of course, it is not as binary as this: it is possible to take security seriously, but not seriously enough! As we are now seeing, however, both parameters of the risk formula are shifting: attacks are becoming more sophisticated and more common, and, thanks to regulations like GDPR, the potential cost of a breach is much higher.
Those companies who are taking their chances urgently need to revisit their risk assessments!
Properly implemented Multi-Factor Authentication (MFA) can protect credentials
One of the technologies which can protect credentials, including from man-in-the-middle attacks, is properly implemented Multi-Factor Authentication (MFA). "Properly implemented" matters here: a code delivered by SMS or generated by an authenticator app can be relayed by a live man-in-the-middle site just as easily as a password, whereas a FIDO2 authenticator binds its response to the web origin the browser is actually talking to, so a response captured on a fraudulent site is useless on the real one. Note also that MFA protects the login, not data such as payment card details typed into a page that has already been tampered with. Microsoft have been very busy in this area this week, and here are a couple of my highlights!
This blog from Alex Weinert is outstanding on the subject of how important it is to use MFA, and on why password choices and password policies do little to improve the security of a password used as the single authentication factor. Alex sees the countless attacks coming into Azure AD, and is in a rare position to share real information, so this is absolutely worth a read.
FIDO2 support in preview for Azure AD
In addition, FIDO2 support is in preview for Azure Active Directory, so that standards-based support for hardware authentication tokens across the enterprise, including hybrid-joined accounts, will become a reality and we can continue moving towards a passwordless future.
If you are actively planning for FIDO2 tokens, please note the technical requirements for Microsoft compatibility (which relate to the preview and are subject to change), published here.
New authentication methods dashboard for MFA with Azure AD
For those of you who have implemented MFA with Azure Active Directory, Microsoft have released an authentication methods dashboard in public preview, giving you visibility into which users have registered for MFA and which methods (authenticator app, SMS, phone call, etc.) they are actually using.
How Oxford Computer Group can help
Oxford Computer Group, with its focus on timely and accurate management of user credentials, devices, and permissions, helps companies push the risk parameters back. When properly protected accounts hold only the permissions they need at any given time, attacks are harder to carry out: both the initial compromise of an account and the exploitation of a compromised account (by lateral movement and privilege escalation) become more difficult. In the event of a breach, timely detection, damage limitation and mitigation are also essential, and automated management tools have an important role to play here too.
Want to learn more about how MFA secures user accounts? Register for our September 19th webinar.
Our expert team can help your organization assess and minimize security risks. Contact us today! Call +1 877 862 1617 or email now.