On September 11, 2023, MGM reported that it had experienced a “Cyber Security Incident”. The incident, which began in late August, still has a grip on its business operations and customer information, with far-reaching implications for its financial future. Many are asking how this happened. People who are not well versed in cybersecurity might assume that a master hacker behind a keyboard worked some code magic to infiltrate the IT systems. Sources currently report that it was simply a bad actor using social media to find an employee who had elevated access to the company’s IT systems and networks. Once an attacker has a name and a job title, the phishing campaigns come out of the woodwork; the goal is to get the target to give up the next level of information, i.e., a username and password. In this case the bad actor simply took that public information, called the MGM help desk posing as the targeted user, and requested a password change!
So you may be asking yourself: where was their identity verification? The truth of the matter is that most people give away more on social media than they realize. Add to this that most business professionals have LinkedIn and Facebook, coupled with Instagram, and a bad actor can author a book about both your business and your personal life. The answers to classic knowledge-based questions such as “What is your mother’s maiden name?” are easy to find in the “social media ether”, which means a help desk that verifies callers with those questions is only as strong as the target’s privacy settings.
Recent Photo of the MGM Security Team...JK!
MGM Needs a Zero-Trust Assessment!
Here is where Zero Trust training and implementation might have helped the MGM team! The principles of Zero Trust are “verify explicitly, use least-privilege access, and assume breach”. First, there is not much a business can do about user error, and, like most companies, MGM can do little about what employees post on social media short of banning it by policy. Zero Trust, then, would have started working the moment the bad actor held a working username and password. (One caveat a practitioner would add: a help desk that resets a password on the strength of a phone call can usually re-enroll MFA as well, so the verification the help desk performs is itself part of the identity perimeter and needs the same rigor.) When the bad actor entered the stolen credentials, a Multi-Factor Authentication prompt should at once have alerted the real user. Suppose the user approved the prompt on their phone anyway. MGM’s identity protection service, which evaluates the risk of every authentication, should then have alerted the cybersecurity team to an unfamiliar sign-in and/or atypical travel. Conditional Access policies take those risk signals, factor in that the device is unmanaged, and deny the connection attempt. Had MGM assumed breach, the new unmanaged endpoint would have had to be onboarded, scanned, and checked before being allowed any access. A Zero Trust network segmentation configuration would have alerted security staff the moment the account entered a restricted section of the network. And least-privilege controls such as Privileged Identity Management or Privileged Access Management would have forced another set of eyes to approve any access to sensitive systems or any elevation of the account’s privileges.
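To make that decision chain concrete, here is a small policy evaluator, added as an illustration; it is not code from the original post and not any identity vendor’s product. It runs constructed sign-in events through the same checks the paragraph describes: a correct password alone is never enough, identity-protection risk signals (an unfamiliar city, or travel too fast to be real between two sign-ins) are raised as alerts for the security team, a risky sign-in from an unmanaged device is blocked, an unmanaged device is refused until it is onboarded, a risky sign-in on a managed device must step up to phishing-resistant MFA, and entry to a restricted segment is always alerted and requires an approved PIM/PAM activation. The user `jdoe`, the cities and coordinates, the 900 km/h travel ceiling, and the `SignIn`, `UserBaseline` and `Verdict` structures are all assumptions made for this example.

```python
# Added example (not code from the original post, not a vendor product): a toy
# Zero Trust decision for one sign-in. Every name, threshold and event is constructed.
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

IMPLAUSIBLE_KMH = 900.0  # assumed ceiling; faster than a commercial flight

@dataclass
class UserBaseline:
    """What the identity-protection service already knows about the user."""
    known_cities: set
    last_seen: datetime
    last_coords: tuple  # (lat, lon) of the previous sign-in

@dataclass
class SignIn:
    user: str
    password_ok: bool
    mfa: str                  # "none", "push" or "fido2"
    device_managed: bool
    city: str
    coords: tuple
    at: datetime
    segment: str = "general"  # or "restricted"
    pim_approved: bool = False

@dataclass
class Verdict:
    decision: str = "deny"
    reasons: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def sign_in_risk(event, baseline):
    """Signals modelled on 'unfamiliar sign-in' and 'atypical travel'."""
    risks = []
    if event.city not in baseline.known_cities:
        risks.append("unfamiliar_location")
    hours = (event.at - baseline.last_seen).total_seconds() / 3600.0
    km = haversine_km(baseline.last_coords, event.coords)
    if km > 0 and (hours <= 0 or km / hours > IMPLAUSIBLE_KMH):
        risks.append("atypical_travel")
    return risks

def evaluate(event, baseline):
    v = Verdict()
    if not event.password_ok:                 # verify explicitly: a password alone is never enough
        v.reasons.append("bad_password")
        return v
    if event.mfa == "none":
        v.reasons.append("mfa_required")
        return v
    risks = sign_in_risk(event, baseline)
    if risks:                                 # identity protection raises an alert for the SOC
        v.alerts.append(f"identity-protection: {event.user} {','.join(risks)}")
    if risks and not event.device_managed:    # Conditional Access: risk + unmanaged device -> block
        v.reasons.append("risky_signin_unmanaged_device")
        return v
    if not event.device_managed:              # assume breach: onboard the endpoint before any access
        v.reasons.append("device_not_onboarded")
        return v
    if risks and event.mfa != "fido2":        # a push prompt can be approved by mistake; step up
        v.reasons.append("step_up_required")
        return v
    if event.segment == "restricted":         # least privilege: PIM/PAM approval, and always alert
        v.alerts.append(f"segmentation: {event.user} entered restricted segment")
        if not event.pim_approved:
            v.reasons.append("pim_approval_required")
            return v
    v.decision = "allow"
    return v

def run_scenarios():
    """Constructed sign-ins for one user whose history is a single city."""
    home, remote = (36.17, -115.14), (44.43, 26.10)          # constructed coordinates
    baseline = UserBaseline({"Home City"}, datetime(2023, 9, 8, 17, 0), home)
    t = datetime(2023, 9, 8, 19, 0)                          # two hours after the last good sign-in
    cases = {
        "password_only": SignIn("jdoe", True, "none", False, "Home City", home, t),
        "push_unmanaged_remote": SignIn("jdoe", True, "push", False, "Far City", remote, t),
        "push_managed_remote": SignIn("jdoe", True, "push", True, "Far City", remote, t),
        "managed_home": SignIn("jdoe", True, "push", True, "Home City", home, t),
        "restricted_no_pim": SignIn("jdoe", True, "fido2", True, "Home City", home, t, "restricted"),
        "restricted_pim": SignIn("jdoe", True, "fido2", True, "Home City", home, t, "restricted", True),
    }
    return {name: evaluate(ev, baseline) for name, ev in cases.items()}

if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:22} {v.decision:5} {v.reasons} {v.alerts}")
```

The order of the checks is the point: the password is evaluated first but decides nothing on its own, the risk engine runs before any allow, and the device and privilege checks each fail closed. Note that the restricted-segment alert fires even when the PIM activation is approved, which is what lets a security team reconstruct who reached sensitive systems after the fact.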
We can reasonably surmise that MGM was not assuming breach: there does not appear to have been any segmentation controlling, or at least tracking, access; the device in use was not corporate-managed; and security alerting was either not being watched or had no effective automation behind it. To be clear, I don’t work for MGM and don’t know what security measures they have deployed, and we can all agree that there is a lot more that could be done here. The fact is that in these days of constant cyber-attack it should be exceedingly difficult to gain access to any resource with just a username and password, especially for a business that handles payment and customer data at MGM’s scale.
Ask yourself: has my company invested in securing its IT systems and networks using the Zero Trust framework? If not, you can take the ACE Zero Trust Assessment today and start working with an Acceleration Officer on a custom ZT implementation plan.