Protecting your MSP — The threats
Identity is a growing and vulnerable perimeter. The user is often the first and last layer of defense an organization has, and scams are becoming increasingly convincing.
In the 2019 MGM cyberattack, in which a threat group found its way in through helpdesk impersonation, the hackers were “young, savvy, and familiar with basic IT workflows, they knew identity and access management protocols and [were] native English speakers.”
— Preventing Helpdesk Phishing with Duo and Traceless Webinar
- Vishing: Voice phishing through fraudulent phone calls to trick victims into providing sensitive information, often login credentials or financial details.
- Number spoofing: Pretending to be a legitimate source (a business, colleague or trusted contact) to access personal information or money, or to spread malware.
- Phishing kits: To make phishing campaigns more efficient, attackers will often reuse their phishing sites across multiple hosts by bundling the site resources into a phishing kit.
Protecting your MSP — The solution
Solving the problem of helpdesk phishing requires preventative action and a tested plan in place to mitigate the fallout if a breach does occur. So, how do we bridge that trust between an MSP and a client? Gene argues, “We need to start thinking critically about MFA securing communications. We are in a world where voice calling is not enough to confirm transactions.”
In a quick poll during the webinar, MSP attendees shared that they use a few mechanisms for verifying identity: security questions, PINs, employee IDs, or phone number call-backs. For the savvy, an app-based MFA push enabled smoother helpdesk interactions.
It’s all about identity verification. A more traditional helpdesk method might have been a callback, but this can be time-consuming and, in the era of ‘vishing’, it is no longer effective.
Watch the full webinar for more security insights, tips and best practices for verifying identities and securing communications with customers.
How can Duo MSP help?
Duo aims to provide a holistic identity security solution with multi-layered defenses and features like device trust and centralized access controls to help MSPs keep their clients safe. This includes:
- Free push verification to check user identity in real-time before granting access or making changes while customers are still on the phone
- Granular role-based controls so employees can still access their data while keeping more sensitive information secure, reducing the risk of lateral threat expansion
- Segmented access policies to keep track of who is accessing from where for greater visibility and to create a baseline for identifying abnormalities
- MFA for an extra layer of security and an audit trail, along with single sign-on and passwordless authentication for more advanced access security protections
A solution worth your time is one that focuses on security efficacy but is also designed for a better customer and management experience.