A ransomware incident ensnaring two of Las Vegas’s largest casinos made national headlines last month and inspired a lot of questions about ransomware, multi-factor authentication, single sign-on, access management, and vishing.
What happened?
It was reported at the beginning of September that systems at Caesars Entertainment and MGM Resorts were infected with ransomware, degrading these organizations’ ability to manage their casinos and hotels. Caesars reportedly paid $15 million to get their systems back online; MGM did not pay the ransom and weathered a disruption in its business across the United States for at least ten days.
Subsequent reporting confirmed that in both cases the single sign-on access management system from Okta was compromised through vishing and used as the access point for the attack, despite the fact that protections like multi-factor authentication were in place.
Cut through the jargon
- Ransomware — a bit of code that can traverse a computer’s or server’s file system and encrypt any data it comes across. Once encrypted, files and applications are inaccessible by users. Hackers then demand a ransom payment to hand over the key that will decrypt these files. Even when organizations have complete and unaffected backups and choose not to pay the ransom, restoring a full system can be extremely time-consuming, disruptive, and expensive.
- Access management — the set of tools and processes in place to authenticate user credentials and provide access to file storage, applications, online services, and other systems.
- Single sign-on (SSO) — an access management service that provides authentication for multiple systems from a single set of credentials. (Okta is one such service.)
- Multi-factor authentication (MFA) — a verification method in addition to a password that’s needed for user authentication. Often this is a 6-digit code texted to your mobile device, or a separate app that generates one-time codes valid for only 30 seconds, or an app for push verification that offers users a Yes / No choice when logging in.
- Vishing — (voice + phishing) an attempt by phone to fool someone into compromising their own account or the security of a system they manage.
A little more detail
Both MGM and Caesars appear to have been prepared to protect their organizational data from hackers: access management systems were in place; MFA was enforced; SSO had consolidated access management under one umbrella; and Okta is one of the industry’s leading SSO providers.
So what went wrong?
What happened to MGM and Caesars is described in this blog post from Okta’s Defensive Cyber Operations team, published even before the news was reported. The hack apparently did not exploit a code or system vulnerability in Okta or in its MFA implementation. Instead, someone called MGM’s IT support pretending to be an MGM employee with high-level Okta admin permissions. The caller claimed to have been accidentally locked out of their account and asked for an MFA reset. Once that request was granted, the hacker could gain access to Okta, and from there could really wreak havoc. (According to Okta, the same sequence was repeated at Caesars and at other organizations.)
That’s the very short version, and there are still a lot of unanswered questions about exactly how this breach was carried out. But a key takeaway here is what the critical vulnerability was not:
- It was not an app with a bug that created a security loophole.
- It was not a compromised firewall.
- It was not a system secured with low-value passwords.
- It was not a system with MFA disabled or optional.
So what was the point of failure? Someone at the help desk … who was trying to be helpful!
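The failure described above leaves a trace in the identity provider's audit log: a help-desk MFA reset on a privileged account, followed shortly by a new factor being enrolled from somewhere else. The script below, added here as an illustration and not code from Okta, MGM, Caesars or the author of this post, runs that check over a few constructed log lines. The log format, the event names (`mfa.factor.reset_all`, `mfa.factor.enroll`), the usernames and the IP addresses are all assumptions made up for the example and only loosely resemble a real provider's system log; map them to your own provider's event types before using the logic.

```python
"""Detection sketch: help-desk MFA resets on privileged identity-provider accounts.

Added example, not code from Okta or the incident's victims. Event names,
accounts, addresses and the JSON-lines format are constructed for this demo.
"""
import json
from datetime import datetime, timedelta

# Constructed: accounts whose MFA reset should always be reviewed.
PRIVILEGED_ACCOUNTS = {"okta-admin"}
RESET_EVENTS = {"mfa.factor.reset_all"}   # assumed event name
ENROLL_EVENTS = {"mfa.factor.enroll"}     # assumed event name
FOLLOW_UP_WINDOW = timedelta(minutes=30)

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2023-09-10T14:02:11Z", "event": "mfa.factor.reset_all", "actor": "helpdesk.agent", "target": "okta-admin", "ip": "203.0.113.5"}
{"ts": "2023-09-10T14:09:40Z", "event": "mfa.factor.enroll", "actor": "okta-admin", "target": "okta-admin", "ip": "198.51.100.77"}
{"ts": "2023-09-10T15:30:00Z", "event": "mfa.factor.reset_all", "actor": "helpdesk.agent", "target": "jdoe", "ip": "203.0.113.5"}
{"ts": "2023-09-10T18:00:00Z", "event": "mfa.factor.reset_all", "actor": "helpdesk.agent", "target": "okta-admin", "ip": "203.0.113.5"}
{"ts": "2023-09-11T09:00:00Z", "event": "mfa.factor.enroll", "actor": "jdoe", "target": "jdoe", "ip": "203.0.113.9"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime timestamp; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, privileged=PRIVILEGED_ACCOUNTS, window=FOLLOW_UP_WINDOW):
    """Return one alert per MFA reset of a privileged account.

    'medium': any reset of a privileged account (review the help-desk ticket).
    'high':   the reset is followed within `window` by a factor enrollment for
              the same account from an IP other than the help desk's, which is
              the sequence a vishing-driven account takeover would produce.
    """
    alerts = []
    for reset in events:
        if reset["event"] not in RESET_EVENTS or reset["target"] not in privileged:
            continue
        follow_ups = [
            e for e in events
            if e["event"] in ENROLL_EVENTS
            and e["target"] == reset["target"]
            and reset["ts"] <= e["ts"] <= reset["ts"] + window
            and e["ip"] != reset["ip"]
        ]
        alerts.append({
            "account": reset["target"],
            "reset_by": reset["actor"],
            "reset_at": reset["ts"].isoformat(),
            "severity": "high" if follow_ups else "medium",
            "enrollments": [e["ts"].isoformat() for e in follow_ups],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the first reset of `okta-admin` is rated high because a new factor was enrolled seven minutes later from a different address; the later reset of the same account gets a medium-severity review item; the reset of the unprivileged `jdoe` account produces nothing. Tying the rule to the account's privilege level rather than to the help desk's behaviour keeps the alert volume manageable while still covering the path that mattered in this incident.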
What it really means
Cybersecurity is layered, and just because a single layer failed doesn’t mean the other layers aren’t still a very good idea.
- Strong, unique passwords help ensure that a breach of your password in one system doesn’t invite other breaches.
- MFA is incredibly valuable in protecting your account from access in the case that your password is known by someone else.
- SSO identity providers can close the gaps in cybersecurity over multiple services by directing all authentication through a central system with properly configured guardrails.
- Policies that prioritize “zero trust” encourage appropriate skepticism about every request related to cybersecurity.
Social engineering is often the weak link in a well-layered cybersecurity policy. Hackers might not even need sophisticated tools to gather enough publicly available personal information about a user to mount a successful vishing attack.
It’s not that the layers aren’t important — it’s that every layer is important.
How we can help
Macktez manages password reset requests for many clients, both for individual applications and for SSO identity management. We take that responsibility very seriously, and while we always want to be helpful, we will leave requests unresolved until we can verify their legitimacy.
We do not trust incoming calls for MFA reset requests even when the caller ID is correct. We will call users back at a phone number we have on record, or reach out to our primary client contact to make sure we get a verified contact method for the person making the request.
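The reset procedure just described can be written down as a small state machine so that the reset tool itself refuses to act until the verification steps have happened. The code below is an added example of that idea, not Macktez's or Okta's software; its directory, phone numbers and contact names are constructed. It models the rules above: an inbound call never authorizes a reset, whatever the caller ID shows; the request stays open until the user is reached at the number on record (a number supplied by the caller is ignored); a user who did not make the request closes it as denied; and, as an extra gate assumed here for illustration, resets of admin accounts also need approval from the client's primary contact.

```python
"""Help-desk MFA reset workflow with out-of-band verification.

Added example, not Macktez's or Okta's code. Directory entries, phone
numbers and contact names are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING_CALLBACK = "pending_callback"
    PENDING_CONTACT_APPROVAL = "pending_contact_approval"
    APPROVED = "approved"
    DENIED = "denied"


# Constructed directory: the phone on record is the only number we will call.
DIRECTORY = {
    "jdoe": {"phone": "+15555550101", "admin": False, "client_contact": "it-lead"},
    "okta-admin": {"phone": "+15555550199", "admin": True, "client_contact": "it-lead"},
}


@dataclass
class ResetRequest:
    username: str
    caller_id: str
    status: Status = Status.PENDING_CALLBACK
    audit: list = field(default_factory=list)


def open_request(username, caller_id):
    """Log the inbound request. Caller ID is kept for the audit trail only, never trusted."""
    req = ResetRequest(username, caller_id)
    if username not in DIRECTORY:
        req.status = Status.DENIED
        req.audit.append("denied: unknown user")
    else:
        req.audit.append(f"opened from caller_id={caller_id}; callback to number on record required")
    return req


def record_callback(req, dialed_number, user_confirmed_request):
    """Advance the request only after the user is reached at the number on record."""
    if req.status is not Status.PENDING_CALLBACK:
        return req
    entry = DIRECTORY[req.username]
    if dialed_number != entry["phone"]:
        # A number supplied by the caller does not count, even if it matches the caller ID.
        req.audit.append(f"ignored: callback dialed {dialed_number}, not the number on record")
        return req
    if not user_confirmed_request:
        req.status = Status.DENIED
        req.audit.append("denied: user reached on number of record did not make this request")
        return req
    req.audit.append("verified: user confirmed the request on the number of record")
    if entry["admin"]:
        req.status = Status.PENDING_CONTACT_APPROVAL
        req.audit.append(f"admin account: approval required from {entry['client_contact']}")
    else:
        req.status = Status.APPROVED
    return req


def record_contact_approval(req, approver, approved):
    """Second gate for admin accounts: only the client's primary contact can approve."""
    if req.status is not Status.PENDING_CONTACT_APPROVAL:
        return req
    expected = DIRECTORY[req.username]["client_contact"]
    if approver != expected:
        req.audit.append(f"ignored: approval from {approver}, expected {expected}")
        return req
    req.status = Status.APPROVED if approved else Status.DENIED
    req.audit.append(f"client contact {approver} {'approved' if approved else 'declined'} the reset")
    return req


def may_reset_mfa(req):
    """The only question the reset tool should ask before touching the account."""
    return req.status is Status.APPROVED


if __name__ == "__main__":
    # Walkthrough: caller ID matches the admin's record, but that alone never suffices.
    r = open_request("okta-admin", caller_id="+15555550199")
    record_callback(r, dialed_number="+15555550199", user_confirmed_request=True)
    record_contact_approval(r, approver="it-lead", approved=True)
    for line in r.audit:
        print(line)
    print("reset allowed:", may_reset_mfa(r))
```

The point of the design is that `may_reset_mfa` is the only function the reset tool consults, and nothing an inbound caller says can move a request into the approved state; every transition is recorded, so a ticket that was approved without a verified callback is visible after the fact.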
We will continue to monitor events as reported and adjust our own workflow as needed to provide our clients with the most secure service possible.
We also provide cybersecurity awareness training and dark web monitoring to protect against phishing attempts coming directly to our clients, and we offer domain management to ensure the health and reputation of your own domain. And we can conduct a NIST-based cybersecurity assessment to evaluate an organization’s risk profile and make recommendations as needed.
Get in touch if you have any other questions.