Despite the negative security press that Microsoft has been getting, whether that’s failing Windows 10 updates, Azure vulnerabilities or compromised subdomains, we can take it as read that the tech giant wants to protect its customers and their accounts. So when the company warns that 1.2 million accounts were compromised in January, almost all of which were preventable by one simple security measure, and that this is now a typical month, we should all sit up and take notice.
The 1.2 million figure is around 0.5% of enterprise accounts on their systems. “That’s a really, really, really high number,” Alexander Weinert, Microsoft’s Director of Identity Security, told an RSA audience in February. “If you have an organization of 10,000 users, 50 of them are going to be compromised this month.”
A compromised account is an issue—regardless of the level of exposure. And, as with everything from smartphones to social media to online payments, the tools are now there to defend against all but the most sophisticated of these attacks. The truly shocking issue here is that only 11% of enterprise users make use of those tools. That means a staggering 89% of accounts remain open to fairly simple attacks.
We are, of course, talking multi-factor authentication or MFA. The simplest possible add-on to a username and password. And while the most basic MFA comprises a one-time passcode sent by email or SMS, often criticized for being insecure and open to compromise, it’s immeasurably better than not having anything at all. And once we move to keys and authenticators, it becomes exponentially better still.
“Multi-factor authentication,” Microsoft confirmed, “would have prevented the vast majority of those one-million compromised accounts.” And you can bet the picture is no better in the consumer world across that multitude of accounts.
And it gets worse. A truly alarming 80% of those compromised enterprise accounts, which if you do the quick math is almost 1 million hacked accounts in January alone, were hit by either “password spray” or “replay” attacks.
Password spray simply means automatically testing combinations of common passwords and known usernames on a system. You know how poor the most popular passwords are these days—those are lists that attackers keep close to hand. This is a straight numbers game. By contrast, replay attacks exploit our fondness for reusing the same passwords on different systems. This is made much worse when people reuse passwords from their personal accounts on their work ones.
So, in addition to not having MFA enabled, 80% of those 1.2 million attacks could likely have been prevented with strong passwords and no password reuse.
The twin evils of phishing and social engineering need no detailed explanation by now. Malicious emails and messages, tailored around popular news items or spoofed to appear to come from friends and colleagues, lead to fake login pages that steal credentials. These more sophisticated types of attacks only accounted for 20% of that vast number of hacked Microsoft accounts.
The picture can get much worse depending on the type of account. “When we look at the probability of compromise,” Weinert said, “look at what happens when you have an SMTP enabled user. The compromise probability surges—it’s just crazy. IMAP, SMTP, POP enablement creates a much, much higher target.”
As Weinert put it, “hackers love legacy authentication,” and almost all of the password spray and replay attacks hit accounts where legacy authentication was in place. Again, another risk that is easy to identify and that needs to be addressed.
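The two risks described above, password spray and legacy (IMAP/POP3/SMTP) authentication, both leave a recognizable trace in sign-in logs. The script below is an added example, not code from the article or from Microsoft: it runs over a handful of constructed sign-in events and flags (a) a source address that fails against many distinct accounts with only one or two attempts each, which is the spray pattern rather than one user mistyping a password, and (b) the accounts that are still being authenticated over legacy protocols where MFA cannot be enforced. The log format, the field names and the thresholds (five distinct users within 30 minutes, at most three attempts per user) are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Microsoft logs).
# Fields: timestamp  user  source_ip  protocol  result
SAMPLE_EVENTS = """\
2020-01-14T09:00:01Z alice@example.com 203.0.113.7 IMAP failure
2020-01-14T09:01:00Z bob@example.com 203.0.113.7 IMAP failure
2020-01-14T09:02:00Z carol@example.com 203.0.113.7 IMAP failure
2020-01-14T09:03:00Z dave@example.com 203.0.113.7 IMAP failure
2020-01-14T09:04:00Z erin@example.com 203.0.113.7 IMAP failure
2020-01-14T09:05:00Z frank@example.com 203.0.113.7 IMAP failure
2020-01-14T10:00:00Z bob@example.com 198.51.100.9 Browser failure
2020-01-14T10:01:00Z bob@example.com 198.51.100.9 Browser failure
2020-01-14T10:02:00Z bob@example.com 198.51.100.9 Browser failure
2020-01-14T10:03:00Z bob@example.com 198.51.100.9 Browser failure
2020-01-14T10:04:00Z bob@example.com 198.51.100.9 Browser success
2020-01-14T10:30:00Z carol@example.com 198.51.100.20 SMTP success
2020-01-14T10:31:00Z grace@example.com 198.51.100.21 Browser success
"""

# Protocols that only support basic (username + password) auth, so MFA
# cannot be enforced on them. Assumed set for the example.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP"}


def parse_events(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, proto, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "proto": proto,
            "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=3):
    """Flag source IPs whose failures, inside any sliding window, touch at
    least `min_users` distinct accounts with few attempts per account.

    A single user failing repeatedly (forgotten password) has one account
    and many attempts, so it is deliberately not flagged.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_attempts_per_user):
                candidate = {"distinct_users": len(per_user),
                             "failures": end - start + 1}
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            findings[ip] = best
    return findings


def legacy_auth_users(events):
    """Accounts seen authenticating (or being attacked) over legacy protocols.

    These are the accounts where MFA cannot help until legacy auth is
    disabled, so they belong at the top of the remediation list.
    """
    return sorted({e["user"] for e in events if e["proto"] in LEGACY_PROTOCOLS})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, info in detect_password_spray(evs).items():
        print(f"password spray suspected from {ip}: "
              f"{info['distinct_users']} accounts, {info['failures']} failures")
    print("accounts using legacy auth:", ", ".join(legacy_auth_users(evs)))
```

In the sample, 203.0.113.7 is flagged because it fails once each against six different accounts within a few minutes, while 198.51.100.9 is not, since all four of its failures belong to one user who then signs in. The legacy-auth list includes every account the spray touched over IMAP, which is exactly the overlap Weinert describes: the sprayed accounts are the ones still reachable through protocols that bypass MFA.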
As I reported last year, Microsoft has been urging enterprises to shift to MFA for some time. And these statistics make such a move an absolute no-brainer. MFA should not be a bullet on a company’s IT strategy slide; it should be a line-item on its to-do list. Enabling MFA and educating users as to the correct use of passwords should be a prerequisite. With that done, you can turn to the much harder task of filtering or training out phishing attacks, and explaining social engineering.