Of all the cybersecurity challenges faced by businesses today, phishing is one of the most prevalent. A global survey of infosec professionals found that 57% of organisations experienced a successful phishing attack in 2020, making it one of the most common causes of data breaches.
It’s not just the scale of the problem – the impact of the breaches caused by phishing is also growing, both financially and reputationally. Among those successful attacks, 55% suffered a ransomware attack, and 35% suffered a financial loss. With the average cost of a data breach coming in at £2.83m, the risks have become too great to ignore. Enterprises now have a variety of tools to help defend against the threat. In this paper we’ll examine why some of the most common methods to protect against phishing are ineffective, and why it’s essential to consider a comprehensive Identity and Access Management (IAM) solution that can tackle the risk more effectively.
Phishing is one of the oldest forms of cyberattack, but has become increasingly sophisticated, and as a result, increasingly successful. In the past, phishing tended to rely on mass emails which were relatively easy for both email filters and users to recognise as malicious. Today, ‘spear phishing’ is increasingly used to target a specific business or individual.
These techniques often involve researching information about the user and the business beforehand, to increase the chances of a successful attack. Spoofed sites can be extremely hard to detect for the average employee, with some even going as far to forward login information to the legitimate site, so that the user will be logged in as normal and not suspect they’ve been the victim of an attack.
The availability of ‘phishing kits’ mean that this process can even be carried out by malicious actors with limited technical skills, allowing a much larger number of people to carry out sophisticated attacks than ever before. This has led to the rapid growth in the frequency and effectiveness of such attacks in recent years, with an FBI report finding that the number of attacks had doubled between 2019 and 2020.
The limited impact of some measures
To deal with phishing, many businesses opt for a variety of different technologies to meet the challenge. However, these approaches have significant shortcomings which still leave enterprises vulnerable to attacks.
The first line of defence most organisations typically adopt to deal with phishing is an email filter. Yet no matter how stringent the filter is, there will always be a percentage of phishing emails that get through, which can still be significant given the sheer scale of the problem.
A variety of methods exist which are used to bypass filters. Spear-phishing attacks, targeting specific individuals at an organisation, are often missed by filters, which mainly focus on emails sent in large volumes. Hijacked mail servers are also often used, which can be difficult to detect. Individual devices and accounts can even be compromised, where the phishing email will genuinely be sent from a legitimate account, without the knowledge of the owner. Combined, these methods mean that no filter can fully protect from phishing emails – it only takes one to be successful, and the more successful attackers are at bypassing a filter, the more likely they are to be successful at convincing an employee.
Multi-factor authentication (MFA) is another common way in which businesses attempt to stop phishing attacks. However, due to a lack of full compatibility, MFA is often not an available solution for all applications, making it difficult to implement comprehensively, leaving areas of exposure. This problem is exacerbated by Shadow IT, where even if an app does support MFA, the IT department may be unaware that it is used by employees and cannot enforce the use of MFA to protect it. MFA is also extremely difficult to implement where there is shared access to single accounts.
An important consideration to note is that MFA does not actually protect login credentials from being stolen by phishing attacks – it only prevents that application from being accessed without additional factors of authentication. While the app will be secure as long as MFA is active, the huge problem of password reuse means that malicious actors will be able to use the compromised, legitimate username and password combination to attempt to gain access to other applications, perhaps even directory or email logins.
MFA also frequently suffers from poor adoption rates. Large enterprises use an average of 288 different cloud apps, which means employees spend a significant amount of time logging in to applications. Adding an extra, time-consuming step to this process means that employees often try to find workarounds or opt out where possible, particularly if they use their own device in a remote working environment, or are using an app without the knowledge or oversight of the IT department.
MFA also exacerbates the problem of users being locked out of accounts and needing assistance from the IT helpdesk. While resetting passwords is generally a straightforward task, a lost, damaged or stolen device used for MFA can make the problem far more complex to resolve, causing significantly more employee downtime.
In addition, not all MFA is completely secure. SMS messages sent to a smartphone, for example, are not encrypted and are sent in plain text, making it possible to intercept them via cloning, or SIM swapping, the latter where the attacker impersonates the victim and convinces their mobile telephone provider to port the number to a new device. This has led to several high-profile data breaches, including Twitter CEO Jack Dorsey suffering a successful attack via this method in 2019.
One of the most popular ways to address the threat of phishing is to educate employees on cybersecurity risks with training often used in conjunction with other technology methods to bolster security. According to the Information Commissioner’s Office, human error is the leading cause of data breaches, and cybersecurity training attempts to address this. However, by still leaving the responsibility of managing passwords and the associated vulnerabilities with employees, the problem unfortunately persists.
Research from My1Login found that even extensive cybersecurity training has little discernible impact on user behaviour. With respect to using personal passwords for business applications, employees who reported receiving ‘a little’ training actually used them more often (63%) than those with no training at all (61%). Even respondents who reported having ‘a lot’ of training had only a slightly lower figure at 57%.
The reuse of passwords was affected slightly more by training, but figures still remained extremely high – while 91% of employees with no training reuse passwords at work, 85% of those who have received training still continue this practice. Some highly insecure practices, such as writing down passwords, showed no difference between the trained and untrained groups at all.
No matter how educated employees are about cybersecurity risks, the effects on employee behaviour are often negligible. With the average employee using over 12 apps per day and the average enterprise using 288 in total, requiring users to memorise separate, high-entropy passwords for each one is simply unworkable, no matter how extensive the training. To effectively secure an organisation, the responsibility of cybersecurity cannot rest solely with the end user.
Personal password managers
Personal password managers, or PPMs, are sometimes rolled out to attempt to address the vulnerabilities inherent in using passwords for user authentication. However, they are completely ill-suited to address the challenges of phishing attacks.
PPMs still leave employees with the responsibility of creating and storing their passwords, which means they still have visibility of their credentials, and can still input them into phishing sites. While PPMs can generate strong passwords to protect against the risks posed by weak and reused passwords, if they can still be visible and entered into cloned sites, they cannot effectively protect against phishing. This lack of centralised management and oversight means the business does not fully control user access and cannot accurately monitor threats.
In addition, PPMs lack the functionality associated with IAM solutions to adapt to an enterprise environment. Shared accounts and granular user permissions for privileged access are often unsupported, requiring employees to share and create passwords in an insecure manner. These changes in user behaviour often lead to poor uptake rates among employees, and lax security practices persist even after their implementation. Personal password managers can even create additional security risks, enabling employees to retain, and sometimes solely own, access to corporate account credentials after they leave the organisation.
How IAM solves the phishing problem
The most effective way to protect against phishing is to remove passwords altogether. One of the most important facets of an Identity and Access Management solution is its ability to deliver passwordless authentication, where open security standards such as SAML or OIDC are used to provide Single Sign-On (SSO). The user’s identity is federated from the corporate directory to the IAM solution, which acts as the Identity Provider (IdP), enabling transmission of a secure token to the Service Provider (SP) to authenticate the user. With no password that can be entered into a spoofed site, phishing becomes impossible.
Passwordless authentication relies on a relationship of trust between the IdP and the SP, so no matter how convincing a spoofed site may look, the token will only grant access to the legitimate application. These tokens are securely encrypted, and only valid for the single session for which the user gains access.
Crucially, passwordless authentication also enhances, rather than inhibits, the user experience for employees. Authentication takes place immediately on accessing the app without the user having to input any credentials, meaning the user saves time and does not require any additional steps to access applications, ensuring extremely high adoption rates.
Secure Web Authentication
While passwordless authentication is extremely secure, many cloud apps currently lack support for the security protocols it requires, and it is frequently incompatible with legacy apps, virtualised environments and mainframes. For these applications, which require the use of passwords to authenticate users, Secure Web Authentication can instead be deployed, providing the same protection against phishing attacks through secure password forwarding and vaulting.
With an SSO solution that uses Secure Web Authentication for password-based login forms, high-entropy passwords can be generated for the user and automatically entered into forms when the user accesses the app. Not only does this result in no change in user behaviour and thus a very high adoption rate, it also enables passwords to not be disclosed to the user. If the user does not know their passwords, they cannot be phished, again making such attacks impossible.
Secure Web Authentication also provides functionality such as supporting shared accounts, and allowing the secure sharing of passwords between employees. Crucially, they ensure that the business remains in control of user access, and take the responsibility of managing and creating passwords away from the end user, removing the inherent vulnerability of password-based authentication to phishing attacks.
While passwordless and Secure Web Authentication solve the issue of employees entering in passwords to cloned sites, it is also imperative that all apps used in the enterprise are protected. This task is made far more difficult by Shadow IT – the use of applications by users without the knowledge or approval of the IT department. According to McAfee, Shadow IT cloud usage is at least ten times greater than known cloud usage, and IT departments can only implement an IAM solution to cover apps they are aware of. With some applications left unprotected, these can remain as attack vectors for phishing, where usernames and passwords are still used without the protection offered by Secure Web Authentication.
IAM solutions solve this problem by allowing businesses to gain full visibility and control over which apps are being used by employees, and how they are accessed. Some IAM solutions can automatically detect cloud apps being used and inform the IT department, who can then integrate the app to the IAM solution with a single click, requiring the use of token-based authentication or secure web authentication to access it. This ensures that all applications are protected from phishing attacks, and the IAM solution provides maximum cost-effectiveness.
Identity Lifecycle Management
A common source of data breaches is former employees who retain access to the network long after they have left the business. Having access to these credentials can pose vulnerabilities out of the visibility or control of IT departments, providing a significant attack vector for any malicious actors.
Since employees frequently reuse passwords, these same credentials can be entered into an unsecure site, or phished from the user at their next job, or from their personal account. Malicious actors will then often make use of a technique known as ‘credential stuffing’ – compromised sets of usernames and passwords, frequently available for purchase on the dark web, are formed into large databases which are used to attack password-based authentication systems. Unlike brute force attacks, the credentials entered are all genuine combinations in use, making them far more effective and dangerous.
Identity and Access Management will also include Identity Lifecycle Management functionality to control the employee onboarding and offboarding process. This puts the business firmly in control of user access, with automatic user provisioning and deprovisioning ensuring that when an employee leaves the business, their access to all applications on the network will be revoked immediately.
While there are a number of ways that organisations currently attempt to tackle phishing, only solving the root of the problem can fully protect businesses from the reputational and financial risks involved. Replacing passwords with token-based authentication, or removing the responsibility of users to manage them, allows the business to remain fully in control of authentication and access throughout the network. By denying these attack vectors, phishing attacks will be rendered ineffective.