CISA outlines guidance to prevent big tech being hacked again so easily


The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new report recommending that businesses make some changes to their security in light of the infamous Lapsus$ attacks. 

Lapsus$ is a threat group that used a range of relatively simple tactics to breach some of the biggest names in tech, including Microsoft, Nvidia, and Samsung. It was also responsible for leaking content from Rockstar Games' upcoming video game Grand Theft Auto VI.

Seven people connected to Lapsus$, aged between 16 and 21, were arrested last year, but the group has since claimed that it is still active, and CISA warns that it and other similar threat actors are able to use "a playbook of effective techniques" to launch attacks to a "great and wide effect."

SIM swapping and passwordless

Chief among the Lapsus$ tactics was SIM swapping, whereby attackers managed, via social engineering and other methods, to gain access to incoming messages on phones belonging to employees at the target firm, in order to receive valuable information such as two-factor authentication codes delivered via SMS.

CISA therefore wants the Federal Trade Commission and Federal Communications Commission to "mandate and standardize best practices to combat SIM swapping," as well as imploring cell operators to "better protect their customers by implementing stringent authentication methods."

This could include letting users lock their accounts out of SIM swaps, requiring strong verification procedures to allow them, and letting them see a record of what SIM swaps have occurred.

To further combat the issue, CISA also suggests that companies adopt passwordless solutions, which involve no passwords or multi-factor authentication codes that can be intercepted.

Passkeys are the current favorite, built on the FIDO2 standards set by the FIDO Alliance, a cross-industry association whose board includes all the big names in tech, including Apple, Amazon, Google, and Microsoft. Many of the best password manager options are also starting to support the use of passkeys, including Dashlane, 1Password and Bitwarden.

They work by storing a private cryptographic key on your device, which is never disclosed to anyone. It is automatically matched against the corresponding public key held by the service the user is signing in to, granting them access.

All that's needed to authenticate the login is whatever is used to lock the device itself. Typically, in the case of smartphones, this means biometric data, such as a fingerprint or facial recognition. A physical security key can also be used. 

As the known operators within Lapsus$ were so young, CISA also suggests that Congress-funded prevention programs should be launched to stop juveniles getting involved in cybercrime, as well as redirecting those already involved away from it.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.
