
MGM Ransomware - Big Losses at the Tables, thanks to human error

I keep telling you about human error and cyber risk. Well, once again, we had a high-profile hack and ransomware event last week. The recent cyberattack on MGM sites in the U.S. has highlighted the vulnerability of businesses to human error or behavior.


The attack involved voice phishing, where hackers impersonated an employee to gain access to systems and compromise the casino. This type of attack is common, with 74% of security incidents having a root cause in human error or behavior.


To better protect against these attacks, businesses need to address the human risk factor. Compliance training for staff is not enough, as it is often infrequent and not targeted. Human risk management training, using data and predictive analysis, can identify employees most at risk and provide targeted training to prevent security breaches. Data points such as job titles, data access, and risky behaviors like clicking links or reusing passwords can be used to create a risk profile for employees. This allows for more prescriptive and targeted mitigation steps. A holistic measurement of human risk is necessary, taking into account business risks like account compromise and data loss. A data-driven and predictive approach is needed to protect businesses effectively. Eventually, organizations may be required to have evidence of an effective human risk management program. It is crucial for companies to acknowledge that checkbox training is insufficient and move towards a more comprehensive approach to human risk management.



What Happened?

MGM Resorts, a prominent hotel and entertainment company, has fallen victim to a severe cyber-attack that began with a fraudulent call to their Service Desk. The attack has caused widespread outages across their Las Vegas properties, including the MGM Grand, Bellagio, Aria, and Cosmopolitan. The internal networks, ATMs, slot machines, digital room key cards, electronic payment systems, TV services, and phone lines have all been affected. Staff are now resorting to using pen and paper to manage the large queues of guests. The attackers responsible for the breach are known as Scattered Spider or UNC3944 and claim to be a subgroup of the ALPHV ransomware group.


They gained access to MGM Resorts' systems through social engineering by impersonating an employee and requesting access to their account. After initial entry, they escalated their privileges and launched a ransomware attack. The extent of the data breach and the potential consequences are still unknown. However, ALPHV has been known to post stolen files on the dark web in previous cases. The attackers have also stated that they still have access to some of MGM's infrastructure and are prepared to carry out additional attacks if their demands are not met.


This incident highlights the importance of better authentication protocols to prevent initial access. Stronger verification methods could have allowed the service desk to check the caller's identity and expose the impersonation. It is also interesting to note that the attack was not initially planned as a ransomware attack but escalated due to "revenge for bad faith negotiation."


This emphasizes the need for organizations to detect and address threats during the reconnaissance phase before they escalate into more significant attacks. To prevent social engineering at the service desk, it is crucial to enforce user verification before allowing password resets or account unlocks. Solutions like Specops Secure Service Desk offer authentication methods that go beyond knowledge-based verification, requiring something the user possesses, such as a device. Implementing such measures can significantly enhance security and reduce the risk of impersonation or unauthorized access.
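As an added illustration (not part of the original post, and not a description of how Specops Secure Service Desk works), the sketch below gates a service desk password reset on a one-time code sent to the user's enrolled device. The class name, the policy values and the sample data are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed policy: code valid for two minutes
MAX_ATTEMPTS = 3         # assumed policy: void the challenge after three wrong codes


class ServiceDeskVerifier:
    """Hypothetical gate: resets require a one-time code from the enrolled device."""

    def __init__(self, enrolled_devices):
        self.enrolled = enrolled_devices   # username -> device id (constructed sample data)
        self.pending = {}                  # username -> [code_hash, expires_at, attempts_left]
        self.outbox = []                   # stands in for a push/SMS gateway

    def start_challenge(self, username, now=None):
        """Agent action: send a fresh code to the enrolled device, never to the caller."""
        now = time.time() if now is None else now
        device = self.enrolled.get(username)
        if device is None:
            return False                   # no enrolled device: escalate, do not reset
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[username] = [digest, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.outbox.append((device, code))
        return True

    def authorize_reset(self, username, spoken_code, knowledge_ok=False, now=None):
        """Allow the reset only if the caller reads back the code from the device.

        knowledge_ok (employee ID, date of birth, ...) is deliberately ignored:
        facts an impersonator can look up must not unlock an account.
        """
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None or now > entry[1]:
            self.pending.pop(username, None)   # no challenge, or it has expired
            return False
        digest = hashlib.sha256(str(spoken_code).encode()).hexdigest()
        if hmac.compare_digest(digest, entry[0]):
            del self.pending[username]     # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[username]     # too many wrong guesses: challenge is void
        return False
```

A denied request should be logged and escalated rather than retried by the agent, since repeated failed reset attempts on one account are themselves a signal worth reviewing.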


Overall, this cyber-attack serves as a reminder of the ongoing threat landscape and the importance of having robust cybersecurity measures in place to protect businesses from potential breaches.

