Security Roundup: GDPR Countdown, KnowBe4 Exploit Discovery, Optiv Tools

GDPR Compliance

… bring focus across the organization to compliance initiatives and make changes that are scalable and sustainable, O’Neil said.

Showpad's Theresa O'Neil

“Prioritize GDPR compliance not only to prevent penalties, but – and perhaps more importantly – to protect the data of your customers,” she said. “While companies should be mindful of the compliance deadline, the important thing is that they make changes within the organization to start protecting the personal data that they collect. It must be a top organizational priority.”

SkyKick has registered with the Dutch Data Protection Authority (DPA) since its European headquarters are in Amsterdam, Doeswijk said.

“The head of the DPA has recently stated that no business is going to be made exempt, but that generally speaking, the focus will be on bigger companies and organizations that deal with lots of sensitive data (health care, minors, convicts, etc.),” he said. “It is clear, however … that any organization that has a data breach or data leak (and the definition of this is really broad as accidentally sharing email addresses without consent) will be scrutinized immediately.”

KnowBe4 Discovers Exploit Bypassing 2-Factor Authentication

Kevin Mitnick, KnowBe4’s chief hacking officer, uncovered a new exploit that demonstrates how using two-factor authentication (2FA) does not mean a user is automatically protected.

2FA is an extra layer of security that requires something the user knows, such as a username and password, plus something only the user has, such as a code sent to them or pulled from an app on their phone. This new attack is based on proxying the user through the attacker’s system with a credentials phish that uses a URL-hijacking domain.

Once the user falls for this social engineering tactic and enters their credentials, their authenticated session cookie gets intercepted and it’s easy to hack into the account.
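Two checks a defender can run over authentication logs for the scenario above, as an added example that is not code from the article or from KnowBe4: a session cookie being used from a client other than the one it was issued to, and a successful 2FA login from a client the user has never used before. The second check matters because in a proxied phish the login itself arrives from the attacker’s relay, so the cookie is issued to that client and binding alone cannot flag it; the log events, user names and known-client baseline are all constructed for the example.

```python
"""Flag session-cookie use from a client the session was not issued to, and
successful 2FA logins from clients a user has never been seen on before."""
import ipaddress

# Constructed sample events (not from the article); one dict per log line.
EVENTS = [
    {"ts": 1, "type": "login", "user": "alice", "mfa": True, "sid": "s1",
     "ip": "203.0.113.10", "ua": "Firefox/115"},
    {"ts": 2, "type": "request", "user": "alice", "sid": "s1",
     "ip": "203.0.113.10", "ua": "Firefox/115"},
    # Cookie s1 replayed from a client other than the one it was issued to.
    {"ts": 3, "type": "request", "user": "alice", "sid": "s1",
     "ip": "198.51.100.7", "ua": "curl/8.0"},
    # Login relayed through a proxy: valid password + code, but from a client
    # alice has never used, so the session is issued to the relay itself.
    {"ts": 4, "type": "login", "user": "alice", "mfa": True, "sid": "s2",
     "ip": "198.51.100.7", "ua": "Chrome/120"},
    {"ts": 5, "type": "request", "user": "alice", "sid": "s2",
     "ip": "198.51.100.7", "ua": "Chrome/120"},
]

# Constructed baseline of (network, user agent) pairs each user is known to use;
# keyed by /24 network rather than exact IP to tolerate address churn.
KNOWN_CLIENTS = {"alice": {("203.0.113.0/24", "Firefox/115")}}


def net(ip):
    """Collapse an address to its /24 network string, e.g. 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect(events, known):
    """Return (ts, rule, user, sid) tuples for events that match either rule."""
    alerts = []
    issued = {}  # sid -> (network, ua) of the client the session was issued to
    for e in events:
        client = (net(e["ip"]), e["ua"])
        if e["type"] == "login":
            issued[e["sid"]] = client
            if e.get("mfa") and client not in known.get(e["user"], set()):
                alerts.append((e["ts"], "mfa_login_from_unknown_client",
                               e["user"], e["sid"]))
        elif e["type"] == "request":
            if e["sid"] in issued and issued[e["sid"]] != client:
                alerts.append((e["ts"], "session_cookie_client_mismatch",
                               e["user"], e["sid"]))
    return alerts
```

Running `detect(EVENTS, KNOWN_CLIENTS)` flags the replayed cookie at ts 3 and the relayed login at ts 4, while the legitimate traffic at ts 1, 2 and 5 produces no alert.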

KnowBe4's Roger Grimes

Roger Grimes, KnowBe4’s data-driven defense evangelist, tells us he’s documented 11 different ways 2FA can be hacked and exploited, and those are only the attacks that already have been demonstrated in the wild.

“The challenge is that most people who use and deploy 2FA overestimate the protection that 2FA gives,” he said. “2FA does make it harder for simple phishing attacks, but as 2FA use increases around the world, hackers aren’t sitting still. They are moving up their phishing attacks with more sophisticated creations that prove that even users with 2FA credentials can be successfully phished.”

On a positive note, 2FA phishing attacks aren’t nearly as popular as traditional attacks, but that is changing, Grimes said. Expect 2FA-involved attacks to increase as 2FA use increases.

“And just like with non-2FA phishing attacks, security awareness training can significantly help,” he said. “The channel can spread the news that 2FA does not provide unhackable protection, and that 2FA has its own inherent limitations, one of which is that they can still be phished (in many different scenarios). The opportunity is a new understanding that someone with a heavy 2FA environment can …
