Ethical Hacking News
New Cybersecurity Guidelines Issued to Combat Rises in Threats: Experts Stress the Importance of Implementing MFA and Phishing-Resistant Authentication
Implement robust measures to safeguard infrastructure, networks, and sensitive data from social engineering attacks, phishing, and other methods of bypassing authentication controls. Remove SMS, phone calls, and emails as authentication controls and use authenticator apps with phishing-resistant MFA (e.g., number matching and geo-verification). Use FIDO2 security keys for authenticating identities assigned privileged roles. Restrict administrative users from registering or using legacy MFA methods. Enforce multi-context criteria to enrich authentication transactions, including validating identity, device attributes, and specific location attributes. Use context-aware access policies for Google Workspace and Conditional Access Policies for Microsoft Entra ID. Implement recommendations for MFA registration and modification, such as restricting these actions to trusted IP locations and compliant devices. Monitor and investigate suspicious MFA method or phone number registrations across multiple user accounts. Decouple the organization's identity store from infrastructure platforms, services, and cloud admin consoles, using local administrator accounts with long and complex passwords. Restrict administrative portals to trusted locations and privileged identities, leveraging just-in-time controls and access restrictions. Isolate and restrict access to ESXi hosts / vCenter Server Appliances and ensure backups of virtual machines are isolated and secured. Implement endpoint security management best practices, such as segmenting administrative access and enforcing multi-administrator approval. Regularly monitor for unauthorized access to EDR and patch management technologies, monitor script deployments, and inventory installed applications on endpoints.
In the ever-evolving landscape of cybersecurity threats, organizations must now prioritize implementing robust measures to safeguard their infrastructure, networks, and sensitive data. Recently, a collection of guidelines has been issued by experts aimed at preventing social engineering attacks, phishing, and other methods used to bypass authentication controls.
These guidelines emphasize the importance of removing SMS, phone call, and/or email as authentication controls, and instead utilizing authenticator apps that require phishing-resistant MFA (e.g., number matching and/or geo-verification). In addition, leveraging FIDO2 security keys for authenticating identities assigned privileged roles is also highly recommended.
Furthermore, organizations should ensure that administrative users cannot register or use legacy MFA methods, even if those are permitted for lower-tier users. Enforcing multi-context criteria to enrich the authentication transaction is another key aspect of these guidelines; examples include validating identity, device attributes, and specific location attributes.
Organizations leveraging Google Workspace can enforce context-aware access policies, while those utilizing Microsoft Entra ID can utilize Conditional Access Policies to implement these measures.
The guidelines also provide recommendations for MFA registration and modification. To prevent compromised credentials from being leveraged for modifying and registering an attacker-controlled MFA method, organizations should review authentication methods available for user registration and disallow any unnecessary or duplicative methods.
Restricting MFA registration and modification actions to only be permissible from trusted IP locations and based upon device compliance is also emphasized. In cases of suspected compromise, MFA re-registration may be required, which should only be permissible from corporate locations and/or trusted IP locations.
Organizations should investigate and alert when the same MFA method or phone number is registered across multiple user accounts, as this may indicate attacker-controlled device registration. Implementing additional security measures such as passwordless authentication and leveraging FIDO2 security keys for authenticating identities assigned privileged roles are also highly recommended.
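The two registration checks described above (the same phone number or device appearing on several accounts, and registrations from outside trusted locations) as an added example that is not part of the article or the cited guidance; the event field names, trusted network range, and sample events are constructed assumptions, not a real identity provider's log schema.

```python
# Added example, not from the article or the cited guidance: two detections
# run over constructed MFA-registration audit events. Field names and
# sample values are assumptions, not a real identity provider's schema.
import ipaddress
from collections import defaultdict

# Constructed sample events: one row per MFA method registration.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "method": "phone", "value": "+15550100", "ip": "203.0.113.10"},
    {"user": "bob@example.com",   "method": "phone", "value": "+15550100", "ip": "198.51.100.7"},
    {"user": "carol@example.com", "method": "phone", "value": "+15550100", "ip": "203.0.113.11"},
    {"user": "dave@example.com",  "method": "authenticator", "value": "device-9f1", "ip": "203.0.113.12"},
    {"user": "erin@example.com",  "method": "phone", "value": "+15550199", "ip": "203.0.113.13"},
]

# Constructed corporate egress range; registrations from anywhere else are suspicious.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def shared_mfa_values(events, min_users=2):
    """Return {(method, value): sorted users} for every MFA value registered by
    at least `min_users` distinct accounts: the 'same phone number across many
    accounts' pattern the guidance says to investigate."""
    users_by_value = defaultdict(set)
    for e in events:
        users_by_value[(e["method"], e["value"])].add(e["user"])
    return {k: sorted(v) for k, v in users_by_value.items() if len(v) >= min_users}


def untrusted_registrations(events, trusted=TRUSTED_NETWORKS):
    """Return events whose source IP lies outside every trusted network, i.e.
    registrations that a location-restricted policy should have blocked."""
    flagged = []
    for e in events:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in trusted):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for (method, value), users in shared_mfa_values(SAMPLE_EVENTS).items():
        print(f"ALERT shared {method} {value} registered by {len(users)} users: {users}")
    for e in untrusted_registrations(SAMPLE_EVENTS):
        print(f"ALERT {e['user']} registered {e['method']} from untrusted IP {e['ip']}")
```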
The guidelines also address administrative roles, emphasizing the importance of preventing privilege escalation and unauthorized access to an environment. Decoupling the organization's identity store from infrastructure platforms, services, and cloud admin consoles is recommended, with local administrator accounts adhering to specific principles such as long and complex passwords.
Restricting administrative portals so they are accessible only from trusted locations and only with privileged identities, using just-in-time controls for the credentials associated with privileged actions, and enforcing access restrictions and boundaries that follow the principle of least privilege are also emphasized.
The guidelines highlight the importance of isolating and restricting access to ESXi hosts / vCenter Server Appliances. Ensuring backups of virtual machines are isolated, secured, and immutable if possible is also recommended.
In addition to these measures, organizations should implement endpoint security management best practices such as segmenting administrative access to endpoint security tooling platforms, reducing the scope of identities that have the ability to create, edit, or delete Group Policy Objects (GPOs) in on-premises Active Directory, and enforcing Intune access policies that require multi-administrator approval (MAA).
Regular monitoring and review for unauthorized access to EDR and patch management technologies, monitoring script and application deployment on endpoints and systems through those same EDR and patch management technologies, reviewing and monitoring "allow-listed" executables, processes, paths, and applications, and inventorying installed applications on endpoints are also recommended.
Cloud resources should be monitored for newly created or modified network security group (NSG) rules, firewall rules, or publicly exposed resources that can be remotely accessed. Additionally, monitoring cloud infrastructure for the creation of programmatic keys and credentials such as access keys is essential.
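The NSG monitoring point above, as an added example that is not part of the article or the cited guidance: it flags security-rule writes that allow inbound traffic from public sources, rating rules that expose common administrative ports higher. Operation names follow Azure's resource-provider naming, but the event shape and sample rules are simplified, constructed assumptions rather than a vendor log schema.

```python
# Added example, not from the article or the cited guidance. Event shape and
# sample rules are constructed; only the operation names mirror Azure's naming.
import ipaddress

ANY_SOURCE = {"*", "internet", "any", "0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 5985, 5986}            # SSH, RDP, WinRM
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample activity-log events for securityRules write/delete operations.
WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"
SAMPLE_EVENTS = [
    {"operation": WRITE, "rule": {"name": "allow-rdp-any", "direction": "Inbound",
                                  "access": "Allow", "source": "*", "dest_ports": "3389"}},
    {"operation": WRITE, "rule": {"name": "allow-https-any", "direction": "Inbound",
                                  "access": "Allow", "source": "Internet", "dest_ports": "443"}},
    {"operation": WRITE, "rule": {"name": "allow-ssh-corp", "direction": "Inbound",
                                  "access": "Allow", "source": "10.20.0.0/16", "dest_ports": "22"}},
    {"operation": WRITE, "rule": {"name": "deny-all-in", "direction": "Inbound",
                                  "access": "Deny", "source": "*", "dest_ports": "*"}},
    {"operation": WRITE.replace("write", "delete"),
     "rule": {"name": "old-rule", "direction": "Inbound", "access": "Allow", "source": "*", "dest_ports": "*"}},
]


def source_is_public(prefix):
    """True for wildcard sources and for CIDR ranges outside RFC1918/loopback/link-local.
    Non-CIDR service tags (e.g. VirtualNetwork) are treated as not public."""
    p = prefix.strip().lower()
    if p in ANY_SOURCE:
        return True
    try:
        net = ipaddress.ip_network(p, strict=False)
    except ValueError:
        return False
    return not any(net.version == priv.version and net.subnet_of(priv) for priv in PRIVATE)


def port_in_range(port_range, port):
    """True if `port` falls inside a rule's destination range ('*', '22' or '1000-2000')."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exposed_rules(events):
    """Return (rule_name, severity) for newly written rules allowing inbound traffic
    from a public source; admin ports are 'high', everything else 'medium'."""
    findings = []
    for e in events:
        r = e["rule"]
        if not e["operation"].endswith("securityRules/write"):
            continue
        if r["direction"] != "Inbound" or r["access"] != "Allow" or not source_is_public(r["source"]):
            continue
        admin = any(port_in_range(r["dest_ports"], p) for p in ADMIN_PORTS)
        findings.append((r["name"], "high" if admin else "medium"))
    return findings
```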
For network infrastructure, the guidelines recommend enforcing strong authentication for any applications and services that are publicly accessible, and running external unauthenticated vulnerability scans to identify publicly exposed domains, IPs, and CIDR IP ranges.
Organizations should also restrict egress communications from all servers, block outbound traffic to malicious domain names and IP addresses and to domains and addresses associated with remote access tools (RATs), and implement monitoring and detection for attacker reconnaissance, such as searches for documents or spreadsheets that contain shared credentials.
These guidelines emphasize the importance of implementing effective authentication, authorization, and accounting (AAA) mechanisms to protect sensitive data. The comprehensive guide provides a detailed overview of best practices for securing infrastructure, networks, and applications against modern threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolution-of-Cybersecurity-A-Comprehensive-Guide-to-Protecting-Against-Modern-Threats-ehn.shtml
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations/
Published: Tue May 6 03:24:36 2025 by llama3.2 3B Q4_K_M