Identity Based Authentication: The Key to Preventing Future MGM-Style Attacks

Join Rob MacDonald, VP of Product Marketing, and Mike Engle, Co-founder of 1Kosmos, as they discuss the recent cyber attack on MGM and explore the world of vishing (voice phishing) in this informative vlog. Discover how organizations can enhance their cybersecurity practices to prevent such incidents and learn about the importance of knowing who’s behind the device. Stay informed and stay secure with insights from the experts at 1Kosmos.

Rob MacDonald:
Hi everyone. Welcome to our latest vlog. My name is Rob MacDonald. I’m vice president of product marketing here at 1Kosmos, and I’m joined today by Mike Engle. Mike, how are you doing?

Mike Engle:
Doing great. Thanks for having me, Rob. I’m a co-founder here at 1Kosmos, and excited to be here on this Friday afternoon.

Rob MacDonald:
Listen, it’s always good to sit down and chat with you. Today, we’re going to talk a little bit about the latest cyber attack that we’ve seen come across the newswire this week. MGM, I think being part of the high-tech world, we’ve all been to Vegas for various different events. I know that I’ve stayed in a couple of MGM resorts. Mike, why don’t you tell us a little bit about your initial thoughts on it and explain what happened?

Mike Engle:
Well, sadly, this has happened countless times over the past couple of years. This one was a bad actor getting in through the front door by coercing some type of help desk to give out a credential. The rumor has it that the bad guy found out about employee information on LinkedIn. You’re Robert MacDonald, you work at 1Kosmos, and then use that information to engage with the help desk to figure out how to trick the help desk into giving them something they shouldn’t have.

Rob MacDonald:
I think the hack is something referred to as vishing.

Mike Engle:
Right.

Rob MacDonald:
You’ve touched, just kind of quickly on that just now. Why don’t you tell us a little bit about what vishing is and the concept behind that, and why it’s become so significant in terms of a cybersecurity threat over the last little while?

Mike Engle:
There’s a couple of ishings out there.

Rob MacDonald:
Lots of ishings.

Mike Engle:
I think we all know phishing very well because we’ve been using email for so long. That’s P-H-I-S-H-I-N-G, right? Well, vishing is using your voice, using a phone call or voiceover IP call to reach out to somebody and pull information from them or convince them to do something. So it’s similar. In emails, you get an email. You’re tricked into clicking a link or changing a routing number. It’s really a similar concept, just a different medium. There’s other terms for SMS phishing, I think that’s called smishing or… I can’t keep up with all the issues, but they’re all the same basic principle.

Rob MacDonald:
All fun terms, just they have pretty serious consequences behind them. Listen, MGM’s not a small organization, they’re worth billions with a B. Do you find it surprising, and again, not to pick on MGM, but do you find it surprising something like this happened and that they were vulnerable to an attack such as this?

Mike Engle:
It’s surprising that they got impacted as badly as they did. I’m not surprised that it happened because people are fallible. It’s just things are going to happen. Could I accidentally leave my super trusted authenticator and something sitting somewhere by accident? Of course. You could leave the bank vault open by mistake. But what surprised me is that it took them, I think it was 12 days to get back in operational, and that’s, I don’t know, some serious business continuity challenges that they had there, so that part is really surprising.

Rob MacDonald:
What did they need to do to get back online? I’m assuming there was ransomware or something along those lines. Can you tell me a little bit about what happened there and maybe what some of the consequences are?

Mike Engle:
I don’t have details. I just heard about 15 hours ago that they’re back to being pretty fully operational, so that’s in the 12th day or 10 plus days, and I didn’t hear that they paid the ransom. Caesars, on the other hand, paid double-digit millions of dollars to get their systems put back online. MGM must have decided not to do that, which you’re not supposed to, because it encourages the bad behavior.

But that means the bad guys locked up all of their data that made their systems not work and would not give it back. Now MGM was forced to go to probably backups or alternate data centers to try to get things back online, so that’s the recovery process that needs to happen.

Rob MacDonald:
That’s interesting because I think the Caesars happened on the very same day as the MGM one from what I can recall. Listen, how can organizations better prepare themselves against a social engineering attack like vishing or phishing or any of the other ishings in the future?

Mike Engle:
I mean, it’s really, a lot of it is user education, so there’s security awareness training and monitoring too. If you monitor those help desk calls and then the subsequent actions that happen. There’s all kinds of InfoSec things that companies typically do. You test your systems regularly, etc.

But one of the things that struck me about this is they said the organization did use multifactor authentication. Username, password, plus some type of one-time code, etc. and they bypassed that as well. There’s probably an opportunity to shore up that part of the vector and provide some options there that might be a little harder for bad guys to get their hands on.

Rob MacDonald:
For sure. Now, one of the things that pops up over your shoulder every now and again is, know who’s behind the device.

Mike Engle:
What? Really?

Rob MacDonald:
Yeah, I know.

Mike Engle:
Look at that.

Rob MacDonald:
Coincidentally. How could knowing who’s behind the device help companies like MGM prevent these types of attacks?

Mike Engle:
It sounds so simple. Know who it is, but digitally, that’s not easy to do, but something we’ve gotten really good at here at 1Kosmos obviously. Flip the script a little bit. Bad actor calls the help desk says, “I’m Bob Smith,” and the help desk pushes a button that says, prove it. Not tell me about your first day of employment or the amount of your last direct deposit. All that stuff is stealable. Or fetch me this thing over there.

But what if they had to look into a camera and match Bob’s photo? Now you’ve upped the game quite a bit. Bad actor in this case, sitting behind their computer in Eastern Europe or wherever it was they were. I don’t want to pick on Eastern Europe, I love the place. But now that’s a much harder attack. Now they have to do deep fakes, or there’s all kinds of other things that takes it to another level. That’s something that we’re seeing more companies have a lot of interest in, is a way to reach out and prove who it is that’s there.

Rob MacDonald:
Awesome. Again, not to pick on MGM or even Caesars for that matter, or any organization that runs into an issue like this because it is pretty serious. But what lessons can we take from this, that organizations or individuals can learn from what happened at MGM, for what happened at Caesars from a cyber attack standpoint to enhance their cybersecurity practices going forward?

Mike Engle:
First is always keep your resume current. I think understanding the gaps in the authentication controls and the reset password, reset controls are a big deal. I’ll give you an example. What if my authenticator, which many people use mobiles, they’re very secure, but there’s ways now for the authentication data on here to replicate to my cloud, to iCloud or Google Cloud. If that happens, you’re exposing now the organization or whatever you’re logging into to the cloud security. It’s only as secure then as my Google Cloud password in that example.

There are some rumors that they might’ve had that type of exposure. But in general, understanding that whole process of proving who you are to a help desk and ensuring that you truly know who is behind the device is one of the most important steps. Of course, training and business having really good backups and testing them regularly and stuff is other things that lots of other companies do as well.

Rob MacDonald:
Speaking of which, I have training I have to do today.

Mike Engle:
Yeah, get busy or you get yelled at.

Rob MacDonald:
For our own certification. Mike, I appreciate you coming by to tell us a little bit about the latest breach, and I look forward to having another vlog with you again sometime soon. Thanks everybody.

Mike Engle:
Let’s do that. Thank you very much.

A Customer First Approach to Identity Based Authentication

Read More