Managed Detection and Response (MDR) services from UnderDefense

Traditional authentication protocols have long been known to hack hackers. Easy access to company data and mailboxes completely bypasses the protection offered by multi-factor authentication. UnderDefense is taking important steps against these cyber threats. These threats can block legitimate users from connecting to your system when needed. Legacy authentication poses a security threat, unlike managed services for detection and response.

What is legacy authentication?

This authentication refers to basic authentication, which is a standard method of collecting username and password information. Basic authentication is commonly used in email protocols such as IMAP, SMTP, and POP3. Basic authentication requires only one authentication method (the user’s password) and applies only to legacy mail clients that do not support modern authentication protocols.

It seems like every few months there is a new wave of ideas. After that comes a screen worth seeing, not just hype. Most importantly, I’m always listening to teams that challenge new ideas and the latest cool “tools”. On the one hand, the business must be protected from technologies that do not match the company’s risk factors. Either way, finding balance is key and the right answer.

What is the risk of using traditional authentication?

Although traditional authentication methods are still widely (legitimately) used by many organizations, they provide access to corporate data and are a serious vulnerability for hackers. The reason is simple. Unlike modern authentication protocols, traditional authentication methods do not understand or support multi-factor authentication. A few surprising facts about legacy authentication:

Over 99% of password theft attacks use traditional authentication protocols.

Over 97% of certificate padding attacks rely on traditional authentication.

Accounts in organizations with legacy authentication disabled are 67% less risky than accounts with legacy authentication enabled.

Let’s look at an example of why current authentication is such a security risk. Hackers managed to obtain a list of compromised username and password combinations at your company (including some senior executives) through a variety of methods. Undoubtedly, the information contained in the mailboxes of these users can be useful for many other hacking activities. But that’s normal. All users should be well protected with UnderDefense’s Managed Detection and Response (MDR) services, which can block almost any attack on their account. Attacks, when you use modern authentication, are ineffective against legacy authentication protocols.

All users are protected by MFA, but legacy authentication protocols in the client are not blocked. Hackers can use the stolen username and password combinations with older email clients (such as Outlook 2010 and earlier versions) that do not use modern authentication. At this point, per-user security policies or conditional access policies are applied to enforce MFA. Hackers use passwords only to connect to mailboxes and use legacy authentication protocols such as SMTP, POP3, and IMAP to instantly synchronize the contents of all mailboxes on a local device. At this point, the user loses control over their data. Even if the victim changes the user’s password or disables traditional authentication (both of which break email synchronization), hackers can still steal all the information from the mailbox up to that point. Save an offline copy. It can be demonstrated for any purpose. This may include the theft of data or personal information or the discovery of sensitive information that may lead to an attempt to extort or steal personal information.

In short, enabling MFA also requires traditional authentication to be disabled. Before UnderDefense does this for you, let’s take a look at how to identify and block legacy authentication in your environment. The abundance of valuable information and its economic importance make the industry particularly vulnerable to cyberattacks. Loss of information as a result of cyber-attacks can have serious consequences, including social, economic, and loss of the company’s reputation. Cyber security has a high priority in today’s world due to sufficient awareness of real threats.

How can I detect and block legacy authentication?

There are several ways to prevent old authentication. If you have enabled default security settings (manually or if your client was created after October 2019), they are already locked at the client level. You can also block directly in the menu. The best way to disable legacy authentication is with conditional access. This is useful if you are working on modern authentication for certain services and need a little more time before blocking access to them with legacy authentication. Note that only authentication services are allowed. All other legacy authentication protocols (without exception) are blocked by default. Add a new filter for client applications, select Filters, and enable all options for legacy authentication clients. This shows all instances of legacy authentication, including the authenticating user, the device the user is using, and the authentication protocol. Ensure that protocols such as POP3 successfully authenticate users from unusual (or impossible) locations. This is strong evidence that the account has been compromised and the user’s mailbox has been synced to an unauthorized device. In such cases, users are advised to reset their passwords immediately. This will prevent further successful syncing, but there’s not much you can do about the data that’s already been stolen.

However, we have seen situations where users needed to sign out of their work email account and sign back in before switching to modern authentication. For the Android operating system, the picture is less clear due to the variety of devices, operating systems, and native email programs. It is important to use those applications that not only fully support modern authentication, but can also use security policies to encrypt, protect and securely delete corporate data stored on the network. It does not affect personal information stored on the device and does not require the device to be fully registered with the mobile device management solution.

Legacy authentication poses a significant security risk and should be identified and blocked in your environment. Ignoring this issue could prevent most IT users and services from accessing email. The first step is to identify how you use legacy authentication, and then take the steps necessary to migrate those devices and services to modern authentication. For some services, the path may not be easy and some services may have to be changed or even reset during the process. There is high risk because it means an “open door” policy for misuse of company data. Be proactive now and say goodbye to legacy authentication in your environment!

About the author

Editorial Staff

Add Comment

Click here to post a comment