
Securing user authentication protocols effectively


By AMSAT Dec 17, 2021


In March this year, a cybersecurity expert found a security bug—ProxyToken—in Microsoft Exchange Server. The vulnerability allows cybercriminals to circumvent the authentication process to access victims’ emails and configure their mailboxes.

 

Typically, Exchange uses two sites, a front end and a back end, to verify users. However, its Delegated Authentication feature makes the back end solely responsible for authentication. ProxyToken sends an authentication request with a non-empty SecurityToken cookie to activate this feature. Because the back end isn’t configured to handle authentication under default settings, the threat actor’s requests bypass authentication completely.

For this to work, cybercriminals must already have an account on that Exchange server, which reduces the threat. Insider threats are always possible, however. Criminals could then use this technique to gather information for phishing attacks, which caused losses of more than $1.7 billion in 2019.

 

Given this threat and others of this kind, here’s how businesses can better protect their user authentication protocols.

Keep track of user behavior

User authentication is not merely about a simple username and password. Conventional methods like this are vulnerable and cannot compensate for attacks like ProxyToken that circumvent authentication. One useful solution is to keep track of user behavior.

Continuous monitoring establishes a baseline of each user’s typical behavior. With this information, businesses can implement behavioral biometrics, which validates people based on their usage patterns. This monitoring is also a key part of contextual approvals, a core principle of zero-trust security. These methods go beyond conventional verification to find and address attacks like ProxyToken.
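The baseline idea described above can be sketched as follows. This is an added example, not code from AMSAT or Microsoft; the event format, field names, action names and threshold are assumptions, and the audit events are constructed sample data.

```python
from collections import defaultdict

# Constructed mailbox audit events: (user, source_ip, hour, action, target_mailbox).
HISTORY = [
    ("alice", "10.0.0.5", 9, "read_mail", "alice"),
    ("alice", "10.0.0.5", 10, "send_mail", "alice"),
    ("alice", "10.0.0.5", 14, "read_mail", "alice"),
    ("bob", "10.0.0.8", 11, "read_mail", "bob"),
    ("bob", "10.0.0.8", 16, "send_mail", "bob"),
]
NEW_EVENTS = [
    ("alice", "10.0.0.5", 10, "read_mail", "alice"),
    ("alice", "10.0.0.9", 9, "read_mail", "alice"),
    ("bob", "10.0.0.8", 3, "set_forwarding_rule", "alice"),
]

def build_baseline(events):
    """Record, per user, the addresses, hours and actions seen in normal activity."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set(), "actions": set()})
    for user, ip, hour, action, _target in events:
        baseline[user]["ips"].add(ip)
        baseline[user]["hours"].add(hour)
        baseline[user]["actions"].add(action)
    return dict(baseline)

def deviations(event, baseline):
    """List the ways one event departs from its user's baseline."""
    user, ip, hour, action, target = event
    seen = baseline.get(user)
    if seen is None:
        return ["no baseline for user"]
    reasons = []
    if ip not in seen["ips"]:
        reasons.append("new source address")
    # Hours wrap around midnight, so measure distance on a 24-hour clock.
    if all(min(abs(hour - h), 24 - abs(hour - h)) > 1 for h in seen["hours"]):
        reasons.append("unusual hour")
    if action not in seen["actions"]:
        reasons.append("first-time action")
    if target != user:
        reasons.append("acts on another user's mailbox")
    return reasons

def flag(events, baseline, threshold=2):
    """Return (event, reasons) for events with at least `threshold` deviations."""
    scored = [(event, deviations(event, baseline)) for event in events]
    return [(event, reasons) for event, reasons in scored if len(reasons) >= threshold]
```

Because the check runs on mailbox activity rather than on login records, it still sees a mailbox configuration change when the authentication step was skipped.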

Use multifactor authentication

Enabling multifactor authentication (MFA) is another major step. Single authentication techniques are prone to attacks like ProxyToken, so it’s safer to use more than one method to ensure that if a cybercriminal gets past one obstacle, they still can’t penetrate the system.

Microsoft itself states that MFA can stop 99.9% of account compromise attacks. As well as being highly effective, MFA is free of charge and easy to enforce, making it an ideal security measure.

Limit authorization

Authentication and authorization are not the same thing, and remembering that is important to avoid threats like ProxyToken. A threat actor may use ProxyToken or a similar technique to circumvent authentication, but better controls can still lessen the damage.

As a refresher, authentication verifies that users are who they claim to be, while authorization governs permissions. Controlled authorization schemes like least-privilege access controls restrict the permissions any one user has. Consequently, an attacker who circumvents the authentication stage will still have limited access, reducing their potential for damage.
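The delegated-authentication gap described earlier and the authentication/authorization split described here can be shown in one simplified model. This is an added example, not Exchange code or configuration; every function name, the credential and token stores, and the "own mailbox only" rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed data for the model.
PASSWORDS = {"alice": "correct-horse"}   # front-end credential store
VALID_TOKENS = {"tok-alice": "alice"}    # tokens the hardened back end accepts

@dataclass
class Request:
    mailbox: str                          # mailbox the request acts on
    cookies: dict = field(default_factory=dict)
    login: Optional[tuple] = None         # (user, password) if presented
    user: Optional[str] = None            # identity set by whichever tier authenticated

def front_end(req, back_end):
    """Authenticate locally unless the request asks for delegated authentication."""
    if req.cookies.get("SecurityToken"):
        return back_end(req)              # delegated: the front end checks nothing
    if req.login and PASSWORDS.get(req.login[0]) == req.login[1]:
        req.user = req.login[0]
        return back_end(req)
    return 401

def back_end_default(req):
    """Back end with no delegated-auth handling: assumes the front end did the check."""
    return 200

def back_end_hardened(req):
    """Fail closed: establish identity here, then apply least-privilege authorization."""
    if req.user is None:
        req.user = VALID_TOKENS.get(req.cookies.get("SecurityToken"))
    if req.user is None:
        return 401                        # no tier authenticated this request
    if req.user != req.mailbox:
        return 403                        # authenticated, but not authorized
    return 200
```

With `back_end_default`, a request carrying any non-empty SecurityToken value is served although neither tier verified it; with `back_end_hardened`, the same request is refused, and an authenticated user is still limited to their own mailbox.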

Keep software updated

Although it may seem obvious, companies should also remember to keep their software as up to date as possible. Experts found ProxyToken in March, and Microsoft managed to fix the flaw by July. A simple software update will keep Exchange servers secure from these attacks.

While software updates may not seem like a serious issue, many businesses fall behind in this area, leaving them exposed. Nearly one-third of companies worldwide have suffered a data breach owing to an unpatched vulnerability, which implies that enabling automatic updates and monitoring for flaws will prevent a substantial number of cyberattacks.

Protected authentication protocols are critical

Threat actors always find ingenious means like ProxyToken to bypass organizations’ security systems. Given a spike in these threats, businesses must take a more hands-on approach to security, including stronger authentication protocols.

User authentication is not just restricted to a simple username and password in this day and age. Cybercriminals today are more ingenious, and halting them requires multistage approaches like MFA and continuous monitoring. Organizations can eliminate most of the threats they face if they tighten their authentication and authorization controls.

About AMSAT

AMSAT’s state-of-the-art infrastructure and effective systems, which can be tailored to the specific needs of our clients, help organizations defend against present and future threats. The AMSAT team includes some of the leading security practitioners in a broad set of cybersecurity capabilities. This covers areas of application and network security, analysis, pro-active, legal, reactive and forensic services. AMSAT also provides the largest and most efficient Security Operations Center in multiple countries, where cybersecurity experts monitor events 24/7, helping organizations implement robust, consistent and stable cybersecurity practices.
