A look back at a week's worth of human error--understandable, but a cautionary tale nonetheless.
Preventable human error in recent security incidents.
There have been several stories over the past week involving security incidents caused by human error.
Dropbox discloses successful phishing attack.
Dropbox reported earlier this week that it was affected by a phishing campaign that impersonated CircleCI to gain access to GitHub repositories:
“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.”
FTC files complaint against education company for lax security practices.
The US Federal Trade Commission on Monday filed an administrative complaint against education technology provider Chegg for its alleged “poor data security practices” that have resulted in four data breaches since September 2017. The breaches exposed the personal data of approximately 40 million of the company’s customers.
The FTC is requiring Chegg to implement the following measures:
- “Detail and Limit Data Collection: Chegg must document and follow a schedule that sets out what personal information the company collects, why it collects the information, and when it will delete the information.
- “Provide Consumer Access to Data: Chegg must provide its customers access to data collected about them and allow them to request that the company delete that data.
- “Implement Multifactor Authentication: Chegg must provide multifactor authentication or another authentication method to its customers and employees to help protect their accounts.
- “Implement Security Program: Chegg must implement a comprehensive information security program that addresses the flaws in the company’s data security practices including encrypting consumer data and providing security training to its employees.”
Joe Garber, CMO at Axiad, commented on the situation:
“Chegg is yet another example of an organization not being as prepared as necessary for an identity-based cyberattack, and then paying the price. In this case, the warning signs were certainly visible, as they had four breaches in the last three years, which means the latest was preventable. The U.S. Federal Trade Commission (FTC) requiring specific changes to the organization’s cybersecurity posture makes logical sense in this context – particularly the actions required to better secure user accounts. However, the mandate to simply implement MFA probably doesn’t go far enough given the organization’s history of being targeted with phishing attacks. It is important to know that not all MFA is the same, and bad actors often can subvert the authentication process – often by stealing users’ credentials via fake login pages – with lesser capabilities in place. MFA fortified with phishing-resistant methods such as FIDO2 and Certificate-Based Authentication (CBA), as well as leveraging strong hardware tokens and conforming to standards like user behavior validation, provide the most robust level of security against phishing attacks. Such an approach would seemingly be appropriate in this situation.”
CISA offers guidance for implementing MFA.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued two fact sheets offering advice for implementing phishing-resistant multifactor authentication. The agency urges organizations to adopt FIDO/WebAuthn authentication. CISA states, “While any form of MFA is better than no MFA and will reduce an organization’s attack surface, phishing-resistant MFA is the gold standard and organizations should make migrating to it a high priority effort.”
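The Dropbox disclosure above is a concrete illustration of CISA's distinction: a one-time code is not bound to the site it is typed into, so a fake login page can simply forward it, while a FIDO2/WebAuthn assertion is signed over the origin and RP ID that the browser (not the page) fills in, so the real site can detect that it was produced somewhere else. The following Go program is an added example, not code from Dropbox, CircleCI, CISA, or any WebAuthn library; the origins and RP IDs are constructed names, and the authenticator and relying-party steps are simplified models of navigator.credentials.get() and WebAuthn §7.2 verification. One simplification is deliberate: the same key signs on both origins so the rejection path can be shown, whereas a real security key would not even hold a credential scoped to the phishing domain.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Constructed names for this example; not real services.
const (
	legitOrigin = "https://accounts.example"
	legitRPID   = "accounts.example"
	phishOrigin = "https://accounts-example.login-help.net"
	phishRPID   = "accounts-example.login-help.net"
)

// totp returns a 6-digit RFC 6238 code (HMAC-SHA1, 30 s steps) for step n.
func totp(secret []byte, n uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, n)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

// RelayedTOTPAccepted models the Dropbox-style flow: the victim reads the code
// off their token and types it into the fake page, and the attacker forwards
// it. Nothing in the code records where it was typed, so the real site accepts it.
func RelayedTOTPAccepted(secret []byte, step uint64) bool {
	typedIntoPhishPage := totp(secret, step)
	forwardedByAttacker := typedIntoPhishPage
	return forwardedByAttacker == totp(secret, step)
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	authData       []byte // rpIdHash(32) || flags(1) || signCount(4), simplified
	clientDataJSON []byte
	sig            []byte
}

// signedHash is SHA-256(authData || SHA-256(clientDataJSON)), the ES256 input.
func signedHash(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// authenticatorAssert stands in for the browser plus security key. The browser
// fills in origin and derives the RP ID from the page's effective domain; the
// page cannot lie about either, and the key signs over both.
func authenticatorAssert(priv *ecdsa.PrivateKey, origin, rpID, challenge string) (assertion, error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // UP flag set, counter = 1
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{authData, cd, sig}, nil
}

// verifyAssertion is the relying party's check: challenge, origin and rpIdHash
// must all match the RP's own values before the signature is even considered.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong ceremony type or stale challenge")
	}
	if cd.Origin != legitOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, legitOrigin)
	}
	if want := sha256.Sum256([]byte(legitRPID)); !bytes.Equal(a.authData[:32], want[:]) {
		return fmt.Errorf("rpIdHash does not match %q", legitRPID)
	}
	if !ecdsa.VerifyASN1(pub, signedHash(a.authData, a.clientDataJSON), a.sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// PhishedAssertionRejected runs both flows with a fresh key: the genuine login
// verifies, and the assertion made on the phishing origin fails even though
// the attacker relayed the real site's challenge to the victim.
func PhishedAssertionRejected() (legitOK bool, phishErr error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; a real RP uses fresh random bytes
	good, _ := authenticatorAssert(priv, legitOrigin, legitRPID, challenge)
	legitOK = verifyAssertion(&priv.PublicKey, good, challenge) == nil
	phished, _ := authenticatorAssert(priv, phishOrigin, phishRPID, challenge)
	phishErr = verifyAssertion(&priv.PublicKey, phished, challenge)
	return legitOK, phishErr
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret
	fmt.Println("relayed TOTP accepted by real site:", RelayedTOTPAccepted(secret, 1))
	ok, err := PhishedAssertionRejected()
	fmt.Println("genuine WebAuthn assertion accepted:", ok)
	fmt.Println("phished WebAuthn assertion rejected:", err)
}
```

The practical takeaway for a relying party is the order of checks in verifyAssertion: the origin and rpIdHash comparisons are what make the factor phishing-resistant, and a server that skips them and only verifies the signature has thrown that property away.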