Attacks are harder when a cybercriminal needs to compromise multiple factors, instead of just one knowledge-based factor like a password. MFA authentication can incorporate something you know (a password or PIN), something you have (a physical hardware token or mobile device), or something you are (a fingerprint).
Some of the more popular cloud platforms have MFA as a base security feature without additional payment. This should always be turned on. Microsoft also recently released a feature that allows organisations to tie an MFA session to one device only, which further protects against many MFA bypass attacks.
More information about the threat of stolen credentials can be found here.
For very high-privileged users like global administrators, the best option is physical MFA tokens. Phishing-resistant MFA keys like Yubikeys ensure sensitive login information never leaves the user s device and are not stored on a server. This is the only MFA our team has yet to see bypassed.
A large organisation in manufacturing received the monthly invoice for their cloud services, only to find it was $300,000 (or almost five times) their usual cost.
They notified Beazley of a compromise of their Azure cloud environment, and we helped to coordinate forensics. Investigation determined that the cybercriminals had compromised an Azure cloud account, abused lax permissions to escalate privileges, and created hundreds of new virtual servers to mine cryptocurrency.
The cybercriminals had intentionally avoided making changes to existing resources to avoid making noise and prevent detection. We provided guidance on better securing cloud accounts and implementing budget alerts to help quickly identify future budget overruns.
The descriptions contained in this communication are for preliminary informational and risk management purposes only. It is made available with the understanding that Beazley does not render legal services or advice. Although reasonable care has been taken in preparing the information set forth in this document, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd’s. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: OG55497)
For very high-privileged users like global administrators, the best option is physical MFA tokens. Phishing-resistant MFA keys like Yubikeys ensure sensitive login information never leaves the user s device and are not stored on a server. This is the only MFA our team has yet to see bypassed.
