This week we reported on the Reddit data breach. We believe it serves as yet another reminder to businesses that they should be investing more resources in cybersecurity. Stopping every data breach is unrealistic, but businesses that educate themselves improve their odds. Andy Smith, VP of Product Marketing at Centrify, had this to say about the Reddit data breach and more:
The data breach at Reddit is another stark reminder that security professionals need to keep up with technology advancements to counter bad actors’ innovations in attack methodologies. The takeaway in this incident is that two-factor authentication that uses SMS or phone calls is not much more foolproof than no two-factor authentication.
For years, it has been known that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception. That’s why the National Institute of Standards and Technology, in its Special Publication 800-63 guidelines, recommends restricting the use of SMS for OTPs and advises completely removing OTP via email. Instead, NIST is promoting the use of either application-enabled or hardware-based security keys that leverage the FIDO standard.
Besides leveraging more advanced two-factor authentication methods, the use of risk-based MFA powered by machine learning most likely would have detected abnormal user behavior and either automatically blocked the malicious access attempt or at least required further step-up authentication.
Ultimately, the Reddit data breach further emphasizes the importance of rolling out Zero Trust Security as an organization’s new enterprise security strategy, enabling it to verify the user, validate their device, limit access and privilege, and learn and adapt.
Eliminating bad actors and data breaches is never going to happen. But staying one step ahead of them is the key, and businesses simply have to invest the effort in doing that.
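The risk-based step-up authentication the quote describes can be illustrated with a small decision engine. The following is an added example written for this page, not code from Centrify, Reddit or NIST, and it uses no machine learning: it scores each login from three context signals (unknown device, impossible travel between consecutive logins, and a weak or absent second factor such as SMS) and returns ALLOW, STEP_UP or BLOCK. The signal weights, thresholds, the 900 km/h travel-speed cutoff, and the sample login events are all assumptions constructed for the demonstration.

```python
"""Risk-based step-up authentication (added illustration, not vendor code).

Each login attempt is scored against the user's history. Weights, thresholds
and the travel-speed cutoff below are assumed values, not a published policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Assumed scoring policy: weights per signal and the decision thresholds.
W_UNKNOWN_DEVICE = 40
W_IMPOSSIBLE_TRAVEL = 50
W_WEAK_FACTOR = 20
BLOCK_AT = 80      # score >= BLOCK_AT  -> deny outright
STEP_UP_AT = 40    # score >= STEP_UP_AT -> require a stronger factor
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster is "impossible travel"
WEAK_FACTORS = {"sms", "none"}  # per the article: SMS is barely better than none


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    device_id: str
    lat: float
    lon: float
    mfa_method: str  # assumed labels: "fido", "totp", "sms", "none"


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(event: LoginEvent, profile: UserProfile) -> Tuple[int, List[str]]:
    """Accumulate risk points and the reasons that contributed them."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = (event.ts - prev.ts).total_seconds() / 3600.0
        # Zero or negative elapsed time with any movement is also implausible.
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel")
    if event.mfa_method in WEAK_FACTORS:
        score += W_WEAK_FACTOR
        reasons.append("weak or no second factor")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "BLOCK"
    if score >= STEP_UP_AT:
        return "STEP_UP"
    return "ALLOW"


def evaluate(event: LoginEvent, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Score, decide, and on ALLOW learn the device and location ("learn and adapt")."""
    score, reasons = risk_score(event, profile)
    decision = decide(score)
    if decision == "ALLOW":
        profile.known_devices.add(event.device_id)
        profile.last_login = event
    return decision, score, reasons


def run_demo() -> List[Tuple[str, int, List[str]]]:
    """Constructed scenario: a normal login, an attacker, then a new phone."""
    t0 = datetime(2018, 6, 19, 9, 0, tzinfo=timezone.utc)
    profile = UserProfile(known_devices={"laptop-1"})
    events = [
        # Known laptop, FIDO key, San Francisco (constructed coordinates).
        LoginEvent("alice", t0, "laptop-1", 37.77, -122.42, "fido"),
        # 30 minutes later from Moscow on an unknown device using SMS OTP.
        LoginEvent("alice", t0 + timedelta(minutes=30), "unknown-7", 55.76, 37.62, "sms"),
        # 3 hours later, same city, new phone enrolled with a FIDO key.
        LoginEvent("alice", t0 + timedelta(hours=3), "phone-2", 37.77, -122.42, "fido"),
    ]
    return [evaluate(e, profile) for e in events]


if __name__ == "__main__":
    for decision, score, reasons in run_demo():
        print(f"{decision:8} score={score:3} reasons={reasons}")
```

The second event is blocked because three independent signals stack up (new device, a 9,400 km hop in half an hour, and an SMS factor), while the third event from a new device in the usual city only triggers step-up. A production engine would feed the same signals, plus many more, into a trained model rather than fixed weights, but the allow/step-up/block contract is the same.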