Lax Cybersecurity is a Gamble Your Company Can’t Afford
In the latter part of 2023, news broke of the MGM Casino and Resorts cybersecurity attack. Revisiting that attack reminds MGM, and everyone else, of basic security necessities and of how staying informed can keep your company’s information safe.
On the weekend of September 9, 2023, attackers gained access to the MGM network, exfiltrated data and locked all employees and services out. Guests could not enter their rooms, booking and gambling systems were taken offline, the MGM websites were down, and even the IT team had trouble reaching its own infrastructure. In mere hours, this targeted attack crippled a multibillion-dollar company that had heightened security standards in place. And it was all done using a low-tech method called social engineering.
Social Engineering Preys on Trust
Social engineering is best described as manipulating normal human interaction to obtain personal or confidential information from another person for fraudulent purposes. In the MGM case, attackers used LinkedIn to identify targets likely to hold heightened security access and network admin privileges on the company’s servers and systems. Once they had gathered data on the targeted individual, the attackers contacted the company’s internal support staff, posed as that employee, and had the login credentials reset, including multi-factor authentication.
With the credentials in hand, the attackers infiltrated the central hub of services, servers, and authentication methods for the MGM properties and accessed company data and Personally Identifiable Information (PII) for employees and customers. The goal was to lock out users and hold as much of the acquired data hostage as possible for ransom. The swift and seemingly simple compromise bypassed the strong physical and network security controls that were active and in place. After a standoff, MGM eventually regained control of its systems, but only days later. In the immediate aftermath, it was forced to shut down systems across many properties and spend millions on third-party assistance for technology consulting, legal fees, and other advisory services.
The Importance of Multiple Levels of Security
At the core of this compromise were social engineering, a lack of employee awareness and insufficient training. There can be a stone wall of protection, but the person at the gates must know who to let through and who to block. Bringing your team up to speed on recent attacks and the new ways companies are being compromised helps keep them from falling into the same trap and encourages them to question the legitimacy of requests. Investing in the education of employees doesn’t just help them individually but also improves the security of your organization. Putting internal IT standards in place is the first step, but the procedures are incomplete if people don’t understand their importance.
A basic example of the need for security compliance is password strength. If an attacker tries to get into someone’s account using common password tropes such as pets, birthdays, family names, schools, etc., there is a remarkably high chance of success. Understanding the importance of strong passphrases, or complex and long passwords, can thwart these attempts and exponentially increase the difficulty of cracking someone’s accounts. Gone are the days of 8-character password minimums requiring only letters and numbers. Modern password-cracking techniques can compromise an 8-character password with upper- and lowercase letters, symbols, and numbers within minutes.
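To make the point above concrete, here is an added example (written for this article, not code from the original or from MGM) of a password policy check that rejects the tropes the paragraph names. It scores a candidate by length, by an estimated character-class entropy, and by the presence of common words and year- or date-like digit runs. The word list, the 15-character minimum and the 60-bit threshold are constructed for the demo and are not values from the article.

```python
import math
import re
import string

# Constructed stand-in for a breached-password/common-word list (pets, schools, surnames, ...).
# A real deployment would check against a large list of known-compromised passwords.
COMMON_WORDS = {"fluffy", "password", "welcome", "summer", "harvard", "johnson"}

MIN_LENGTH = 15        # constructed policy value for the demo
MIN_ENTROPY_BITS = 60  # constructed policy value for the demo


def charset_size(pw: str) -> int:
    """Size of the smallest character class union that could have produced pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def estimated_entropy_bits(pw: str) -> float:
    """Upper bound: assumes every character was drawn uniformly from the charset.
    Dictionary-word passphrases are weaker than this number suggests, which is why
    the common-word check below is applied as well."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def looks_like_date(pw: str) -> bool:
    """A 4-digit year (1900-2099) anywhere, or a bare 6/8-digit run such as a birthday."""
    return bool(re.search(r"(19|20)\d{2}", pw)) or bool(re.fullmatch(r"\d{6}|\d{8}", pw))


def evaluate_password(pw: str) -> dict:
    """Return a verdict plus the list of policy problems found (empty means accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for word in re.findall(r"[a-z]+", pw.lower()):
        if word in COMMON_WORDS:
            problems.append(f"contains common word '{word}'")
    if looks_like_date(pw):
        problems.append("contains a year or date")
    bits = estimated_entropy_bits(pw)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    return {
        "length": len(pw),
        "entropy_bits": round(bits, 1),
        "accepted": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for candidate in ("Fluffy1994!", "Xk9#mQ2$", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate))
```

Run stand-alone, the pet-name-plus-birth-year password is rejected on three separate grounds even though its character-class entropy looks respectable, the 8-character mixed-class password is rejected on length and entropy, and the long passphrase passes.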
Passwords do get compromised, though, and multi-factor authentication (MFA) is used as a secondary layer of security. MFA typically involves a separate physical device that the user must check to obtain a one-time passcode or to approve a login request. MFA only assists with login security, so it should always be paired with a strong password as the first line of defense. An important standard operating procedure is to never hand out an MFA passcode, or approve an MFA request, for a login you did not initiate yourself.
Account compromises and social engineering over the phone or email tend to happen when people are rushed and pressured into a quick decision, and so give attackers an MFA code or approve a login request from their MFA application. Another defensive tactic against social engineering is user verification. Your internal or outsourced support desk should verify, via a push notification or a one-time token, that the person seeking support is who they claim to be, rather than relying solely on the information provided by the person on the other side of the support ticket.
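The support-desk verification step described in the two paragraphs above, as an added example that is not part of the original article and not MGM’s procedure: before any credential or MFA reset, a one-time code is sent to the contact details on record, and the reset proceeds only if the caller can read that code back. The employee directory, the message channel and the `HelpDeskVerifier` class are all constructed for this demo. Whatever name, employee ID or "new phone number" the caller supplies is never used as a verification channel, which is exactly what defeats an impersonator who has assembled those details from public profiles.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed employee directory standing in for the HR system / identity provider.
# The desk verifies against THIS record, never against details supplied by the caller.
DIRECTORY = {
    "e1001": {"name": "A. Example", "registered_phone": "+1-555-0100", "roles": ["network-admin"]},
}


@dataclass
class PendingVerification:
    token: str
    expires_at: float
    attempts_left: int = 3


class HelpDeskVerifier:
    """Out-of-band verification that must succeed before any credential or MFA reset (hypothetical)."""

    def __init__(self, send_message, ttl_seconds=300, clock=time.time, randbelow=secrets.randbelow):
        self.send_message = send_message   # callable(phone, text): the out-of-band channel, simulated here
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable so expiry can be exercised in a test
        self.randbelow = randbelow         # injectable so the token can be fixed in a test
        self.pending = {}

    def start_reset(self, employee_id, caller_claimed_phone=None):
        """Issue a one-time code to the contact ON RECORD. The caller's own claims are ignored."""
        record = DIRECTORY.get(employee_id)
        if record is None:
            return False
        token = f"{self.randbelow(10**6):06d}"
        self.pending[employee_id] = PendingVerification(token, self.clock() + self.ttl)
        # caller_claimed_phone exists only to make the point: it is never used as a channel.
        self.send_message(
            record["registered_phone"],
            f"Help desk verification code: {token}. If you did not contact the help desk, report this.",
        )
        return True

    def confirm(self, employee_id, provided_token):
        """True only for a correct, unexpired, single-use token; three wrong tries void it."""
        pv = self.pending.get(employee_id)
        if pv is None:
            return False
        if self.clock() > pv.expires_at:
            del self.pending[employee_id]
            return False
        pv.attempts_left -= 1
        if hmac.compare_digest(pv.token, provided_token):  # constant-time comparison
            del self.pending[employee_id]                   # single use
            return True
        if pv.attempts_left <= 0:
            del self.pending[employee_id]
        return False


def demo():
    """Three scenarios: an impersonator with public details, the real employee, and a stale code."""
    delivered = []                  # every message the registered phone received
    now = [1_700_000_000.0]         # constructed fake clock
    v = HelpDeskVerifier(send_message=lambda phone, text: delivered.append((phone, text)),
                         clock=lambda: now[0], randbelow=lambda n: 123456)

    # Scenario 1: the caller knows the name and employee ID and offers a "new" number.
    v.start_reset("e1001", caller_claimed_phone="+1-555-0199")
    impostor_received_code = any(phone == "+1-555-0199" for phone, _ in delivered)
    impostor_guesses = [v.confirm("e1001", g) for g in ("000000", "111111", "222222")]
    impostor_fourth_try = v.confirm("e1001", "123456")   # voided after three misses

    # Scenario 2: the real employee reads the code back from the registered phone.
    v.start_reset("e1001")
    code = delivered[-1][1].split("code: ")[1][:6]
    legit_ok = v.confirm("e1001", code)
    replay_ok = v.confirm("e1001", code)                  # second use must fail

    # Scenario 3: a code older than the TTL is worthless even if it is correct.
    v.start_reset("e1001")
    now[0] += 301
    expired_ok = v.confirm("e1001", "123456")

    return {
        "registered_phone_only": all(phone == "+1-555-0100" for phone, _ in delivered),
        "impostor_received_code": impostor_received_code,
        "impostor_guesses": impostor_guesses,
        "impostor_fourth_try": impostor_fourth_try,
        "legit_ok": legit_ok,
        "replay_ok": replay_ok,
        "expired_ok": expired_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The design choices worth copying are the ones the article’s own guidance implies: the channel comes from the directory rather than from the ticket, the code is single-use and short-lived, and a handful of wrong attempts voids it so that the desk cannot be talked into "just trying a few more".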
With a few simple steps, MGM could potentially have drastically reduced the effectiveness of the attackers’ attempted compromise. There are many points of entry in the connected internet age we live in. Having well-rounded security physically, over the network and within your employee ranks can save you from spending millions of dollars on damages, lost revenue and ransom.