Digestible IT Bites

Account Protection

Written by Stefan Koch | 11.01.2024 13:29:20

Today's topic in our business communication security series is all about "Account Protection". The topic divides into several subdisciplines, each of which is the responsibility of either the user or the system administrator of the respective system. In this blog article we will have a look at the most impactful mechanisms to protect your accounts against external attacks.

 



 

 

Introduction

In our previous articles we already covered some very closely related topics like password security and anti-phishing.

To cover all the related small details of implementing business communication security, we have now arrived at account protection. The integrity of accounts is absolutely key in a corporate environment. Preventing compromised accounts is a task for every account owner. Taking responsibility for our accounts (no matter whether they are corporate or private) is the first step if you want to protect data from unwanted access.

 

It's important to understand that this article is not a fully-fledged account security strategy. We intend to talk about key security measures to increase general awareness for those topics. For a deeper understanding you should talk to your IT security expert.

 

Multifactor

Multifactor authentication (MFA), two-factor authentication (2FA) and similar mechanisms have become absolutely fundamental requirements for protecting your accounts. Nothing else is as easy to set up and returns such a high level of security for your accounts.

This method generates a so-called one-time password (OTP), which you need to enter in addition to your regular password. The OTP is generated in real time and expires very quickly to make sure it can't be phished easily.

One of the preferred methods is to use an authenticator app (Microsoft, Google, etc.), but SMS or e-mail are also valid options. Some password management tools like Bitwarden contain TOTP functionality so you can generate your token from within the tool without needing a separate device like a smartphone.
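How a time-based OTP is generated in real time and why it expires quickly, as an added example that is not part of the original article. It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1, 30-second step); the function names and the replay check are illustrative, and the secret is the published RFC test value.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: the common default time step
# Published RFC 4226/6238 test secret; never use it for a real account.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive the code for the 30-second window containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_counter: int = -1, drift_steps: int = 1):
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts the current window plus/minus drift_steps to tolerate clock skew,
    and refuses any window at or before last_used_counter so that a code
    captured by an attacker cannot be replayed after the user has used it.
    """
    now = unix_time // STEP_SECONDS
    for counter in range(now - drift_steps, now + drift_steps + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        expected = totp(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)  # the server and the app compute the same value
    print("code at t=59:", code)
    print("accepted at t=59:", verify(SECRET, code, 59))
    print("accepted at t=89 (one step of drift):", verify(SECRET, code, 89))
    print("accepted at t=150 (expired):", verify(SECRET, code, 150))
    print("replayed after use:", verify(SECRET, code, 59, last_used_counter=1))
```

The server has to store the last accepted counter per account for the replay check to work; without it, a phished code stays usable until its window closes.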

It is highly recommended to set up multifactor authentication for any kind of application that processes personal or other sensitive data. In particular, e-mail, password managers, payment providers, databases and any kind of account with active subscriptions should have MFA enabled.

 

Security Token

Security tokens are an increasingly popular way to protect accounts. They exist in various form factors but mainly as USB sticks. Not every system supports those tokens, but they are one of the most secure mechanisms when combined, for example, with other OTP mechanisms. I used to implement them for very critical systems like password management tools for which you must create an initial master account. Those master accounts are rarely used after creation but must be kept with the business owner for the lifetime of the service. Enabling MFA for those accounts via a security token is a great independent solution as you don't need a smartphone. Those tokens can be locked in a safe and should be tested at fixed time intervals.

 

Artificial Intelligence

Meanwhile, several identity providers (e.g. Microsoft Entra ID Protection) have implemented pattern-based artificial intelligence to identify unusual login behavior and attempts. By enabling those features, system administrators can heavily increase the level of account protection. An unusual login attempt would be flagged if a user unexpectedly tried to log in from a different country far away from their common login area. Another example is several unsuccessful login attempts occurring because MFA failed for whatever reason.

Depending on the specified policies you can temporarily disable those accounts automatically to prevent further attempts and potential harm. The user must then authenticate properly via a certain method or reach out to the support team to get their account re-enabled.

I found this very useful as those tools have proper auditing and logging enabled which gives you the ability to investigate further by yourself and come up with measures to prevent those attempts in future.

 

Conclusion

We all share the responsibility for protecting our accounts from unwanted access. If data is leaked, we harm not only ourselves but also others. There are many simple ways to increase security, such as setting complex passwords and activating multifactor authentication whenever possible. There might be no guarantee of absolute account protection, but by leveraging standard security measures you can tremendously decrease the probability of a successful account takeover.

 

PLEASE NOTE: In case you suspect your account to be compromised you should change your password immediately. Please also talk to your IT department in such cases. They won't be mad at you - I promise!

 
