Imran Virani, Nov 25, 2022, 3 min read

Security Impurities: News of the Week (October 12th - 18th)

SOCial Studies: What the Devo report can teach us about burnout in cybersecurity

Burnout in tech is real. Many technical employees are feeling the crunch due to long hours, numerous pain points, or some combination of the two. This is an issue of mental and physical health, but it is also a security vulnerability. With news of high-profile hacks happening because of employees being phished out of their login credentials, extra focus is being paid to the stressful situations that cause employees to have these mishaps.

This week, a report by cybersecurity firm Devo showed the hard truths about burnout for security operations centers (SOCs). The report states that SOC employees are significantly overworked, have limited budgets to work with, and have trouble prioritizing their long list of responsibilities. Over 40% of employees surveyed said counselling and stress management programs would help their SOC teams face these challenges. This speaks to how vital mental health and work/leisure balance is to effective production.

To help stem the tide of burnout, companies should understand that more resources and lighter workloads now can mean better performance and security later.

When you Vish upon a TOAD…: Banking scams in Italy

Vishing (voice phishing) scams are among the most annoying social engineering attacks. Most of us have felt the experience of rushing to our phones as they begin to ring, only to roll our eyes as a robotic voice attempts to scam us out of our information or money. However, when vishing scams are well-researched, they can be very believable, and very dangerous.

This type of vishing is in the news this week, in a scam involving banking malware on Android devices. In Italy, online-banking users are being targeted by phone calls from hackers pretending to be bank employees. These ‘employees’ instruct customers to install a malicious security app on their phones. Once installed, the app gives the hackers remote access to the users’ banking information. This scam is more complex than an average vishing call because it uses a telephone-oriented attack delivery (TOAD). For this TOAD attack, the vishers first collect information from fake banking websites set up to attract potential victims. Using the data victims have entered into these websites, the vishers can make their phone calls sound far more believable.

These sorts of attacks are dangerous and can befall individuals and organizations alike. To protect yourself and your company, please feel free to read some of our other articles about vishing, how it works, and how best to protect against it.

Maor Authentication, Maor Security: Is 3FA really that much better than 2FA?

We at Mirai Security love to rave about the importance of multi-factor authentication (MFA). But not all MFA methods are created equal. In choosing which one is right for you, a choice often must be made between convenience and security. This week, Ofer Maor, the CTO of cybersecurity company Mitiga, wrote an article for HelpNet Security. In it, he states that 2FA (two-factor authentication, a form of MFA) is outdated. With standard 2FA, users have a username/password mechanism plus one additional factor, usually a one-time password (OTP) or an authentication app. Maor claims that this does not offer more security than an average password, only more convenience than other login methods. Moreover, Maor says 2FA users are more susceptible to issues like MFA fatigue.

Instead of 2FA, Maor recommends 3FA, which includes an additional factor, such as tying logins to a specific device or hardware token. While this adds an extra layer of security, it also adds a layer of complexity that not everyone may want to deal with. This is where the balance must be weighed. Yes, Maor is right when he says 2FA has its issues, but it offers a mix of security and convenience that some low-risk users may find acceptable. 3FA might be the best option for higher-risk accounts, but it all depends on what you think is right for you, and how you value risk vs. ease of use.
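To make the trade-off concrete, here is an added example in Python that is not from this post, from Mitiga, or from HelpNet Security. It pairs a toy login-policy evaluator, which can run as plain 2FA (password + OTP) or as the device-bound "3FA" Maor describes, with a detector that flags the bursts of push prompts characteristic of MFA fatigue in a constructed authentication log. The usernames, device IDs, log format and thresholds are all assumptions made for the example.

```python
"""Added example (not from the original post): a small login-policy evaluator
and an MFA-fatigue detector illustrating the 2FA vs. 3FA trade-off.
Every user, device ID and log line below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: device fingerprints each account has previously enrolled.
ENROLLED_DEVICES = {
    "alice": {"dev-laptop-01"},
    "bob": {"dev-phone-07"},
}


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool
    otp_ok: bool
    device_id: str  # hypothetical device fingerprint presented at login


def evaluate_login(attempt: LoginAttempt, require_device_binding: bool):
    """Return (allowed, reason).

    require_device_binding=False is classic 2FA: password + OTP.
    require_device_binding=True is the "3FA" the article describes: the
    login must additionally come from a device the account has enrolled,
    so a phished password and OTP alone are not enough.
    """
    if not attempt.password_ok:
        return False, "bad password"
    if not attempt.otp_ok:
        return False, "bad OTP"
    enrolled = ENROLLED_DEVICES.get(attempt.user, set())
    if require_device_binding and attempt.device_id not in enrolled:
        return False, "unenrolled device"
    return True, "ok"


# Constructed sample auth log, one event per line: "<ISO timestamp> <user> <event>".
# alice receives six push prompts in just over two minutes (the fatigue pattern);
# bob receives a single prompt and approves it (normal use).
SAMPLE_LOG = """\
2022-10-14T08:00:01 alice push_sent
2022-10-14T08:00:05 alice push_denied
2022-10-14T08:00:20 alice push_sent
2022-10-14T08:00:24 alice push_denied
2022-10-14T08:00:41 alice push_sent
2022-10-14T08:00:45 alice push_denied
2022-10-14T08:01:02 alice push_sent
2022-10-14T08:01:06 alice push_denied
2022-10-14T08:01:30 alice push_sent
2022-10-14T08:01:33 alice push_denied
2022-10-14T08:02:10 alice push_sent
2022-10-14T08:02:15 alice push_approved
2022-10-14T09:15:00 bob push_sent
2022-10-14T09:15:04 bob push_approved
"""


def detect_mfa_fatigue(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {user: max prompts seen in any sliding window} for users whose
    push-prompt count within `window` reached `threshold`.

    A burst of prompts the user keeps denying (or eventually approves just to
    make them stop) is the signature of an MFA-fatigue attack against a
    push/OTP-only 2FA setup; a device-bound factor would block the resulting
    session even if the user gives in.
    """
    sent = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, event = line.split()
        if event == "push_sent":
            sent[user].append(datetime.fromisoformat(ts))

    flagged = {}
    for user, times in sent.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    stolen = LoginAttempt("alice", True, True, "dev-unknown-99")
    print("2FA, phished creds from unknown device:", evaluate_login(stolen, False))
    print("3FA, phished creds from unknown device:", evaluate_login(stolen, True))
    print("MFA-fatigue candidates:", detect_mfa_fatigue(SAMPLE_LOG))
```

The `threshold` and `window` values are tuning knobs, not published guidance; a real deployment would calibrate them against its own baseline of prompts per user and would also treat a deny-then-approve sequence as worth a follow-up, since that is the moment the fatigued user gives in.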