via Dark Reading
The recent cyberattack against MGM Resorts grabbed headlines and sent shockwaves across the industry. The hotel and entertainment giant struggled to get systems back online after widespread outages affected several of its landmark Las Vegas properties. In addition to outages of internal networks, the hack also affected slot machines, ATMs, digital room key cards, and electronic payment systems.
Much of the reporting on the incident focused on how the casino’s seemingly impenetrable security was infiltrated by teenaged attackers affiliated with ransomware group Scattered Spider. To those of us in the cybersecurity industry, the attack called attention to one of the most important and difficult challenges: properly understanding and managing access and authentication controls.
The hack of MGM Resorts began with a vishing (voice phishing) breach of the company’s IT help desk. By impersonating employees and requesting access to their accounts over the phone, the attackers were able to sidestep end-user verification and deploy a ransomware attack after gaining administrator rights. Many analysts have become fixated on the idea that MGM could have prevented the incident if only it had been using better identity solutions or stronger methods of verifying user identities.
However, this is incongruous with the facts.
More Identity Verification Isn’t the Answer
The hackers gained access through social engineering. Simply adding more identity products to a growing pile of security solutions is not the answer — and suggests a widespread misunderstanding of authorization and access controls. While protecting identity is a critical fight in the modern cyber landscape, the reality is that identity products alone would not have prevented this attack. Organizations need to instead emphasize proper authentication and access controls alongside identity.
We often utilize identity providers who create, store, and manage digital identities, ensuring that a user is who they say they are when they log onto a network. However, as evidenced by the MGM cyberattack, threat actors can bypass these providers and compromise legitimate identities, granting them undue access to an organization’s environment.
We Need to Secure IT Like We Secure Airplanes
Drawing an analogy from airport security offers an enlightening perspective on where MGM, and many others, might be going wrong. Consider an airport. Here, the primary assets — the airplanes — are shielded from threats like bombs and weapons. The plane, much like a server in an organization, is the sensitive resource. At the airport, stringent security checkpoints ensure there’s no direct access to these airplanes without thorough vetting. Similarly, in a well-secured enterprise, a robust security checkpoint (or a policy enforcement point) should stand as a guardian in front of servers, ensuring no direct access without rigorous checks.
The TSA’s three-step protocol offers a compelling analogy:
- Identity verifications: Security personnel meticulously check your ID or passport, employing special machines to ensure its authenticity.
- Baggage scan: This is a check for potential threats, ensuring passengers aren’t carrying harmful items.
- Repeat verification: When passengers move from general airport areas to boarding zones, they undergo these checks, ensuring consistent security.
This airport protocol can be translated to the enterprise digital realm:
- User authentication: Using tools known as identity providers and complementing with multifactor authentication mechanisms, such as phone verifications, ensures users are genuine.
- Device integrity check: Much like scanning baggage for threats, organizations must scan the data transfers between sensitive servers and services to ensure hijacking is not occurring, unauthorized access is prevented, and ransomware is not transferred to these systems.
- Continuous verification: Just as travelers must repeat TSA checks every time they access boarding areas, no matter if this is your first flight or your hundredth, you go through the security process. Cybersecurity needs this same rigor, where we verify every single request from users to access resources. This is how to apply proper access and authorization controls, so only verified users are able to access the resources they are requesting. Digital access should be continuously verified. Checking the laptop or device every time it wants to cross from the outside world to the front door of the server ensures protection. This means checks need to occur between logins as well.
MGM’s shortcoming? While it performed the first step — identity verification — it overlooked the critical subsequent phases. The notion that merely amplifying identity products could rectify such breaches is fundamentally flawed. It’s analogous to an airport ramping up ID checks but neglecting baggage scanning, naively believing this will prevent harmful items from making their way to planes.
A Better Approach to Authorization and Access
In order to implement better authorization and access controls within your organization, following the NIST 800-207 Zero Trust Architecture model, which states that per-request access decisions must be enforced to prevent unauthorized access to systems and services, is the core to preventing breaches. Replacing legacy technology — like VPNs, VDIs, and on-premises proxies — with a zero trust secure access service edge solution provides greater access and authorization controls and inspects requests every single time. It is critical to also implement standardized, multifactor authentication alongside passwords for better control over identification.
The MGM cyberattack has revealed one of the critical cybersecurity challenges that modern organizations face. To secure our digital landscapes against increasingly sophisticated threats, we must update legacy technologies and move toward a zero-trust approach, one that mirrors the comprehensive, multilayered security we see at our airports. As an industry, we need to vastly improve the way we approach authorization and access controls to combat sophisticated threats.