The Activision Hack and the Need for Better Practices

Hackers want to break into company networks. That’s not surprising. What is surprising is how many breaches succeed with devastatingly simple techniques. We saw that in September with Uber, and we’re just now learning about another jaw-dropping hack that reportedly hit Activision in December.

According to reports, threat actors used a smishing attack (SMS phishing) to extract a two-factor authentication code, also sent via SMS, from a user with high network privileges. It took the threat actors a few tries with different employees, but eventually they were able to fool someone.

It’s not hard to imagine how it happened. You’re busy living your life. Maybe you’re taking out the laundry, the kids need attention, you’re checking your phone before heading into a restaurant. And right then, at exactly the wrong time, you receive exactly the right message that tricks you into handing over information you shouldn’t.

Looking back, you might think the smish was obvious, but catch even the most hyper-aware person at the wrong moment and they can be taken in.

Humans: The Forever Exploit

Even as computer systems become more secure, the human element will always be a problem, because nobody is perfect: all it takes is one mistake to let the bad guys in. That’s why the U.K.’s National Cyber Security Centre published a blog post in late 2022 calling for better practices to protect against phishing events and other hacks. Instead of expecting your people to have a 100 percent save rate, build systems that prevent attacks in the first place, as well as processes that thwart those who still get in despite your defenses.

There are a few ways that Perimeter 81 can help with this, and the first is with a well-defined set of zero trust access rules. Your company may have a wide array of cloud resources and on-prem servers, but very few people need access to every single one of them.

Zero Trust Network Access (ZTNA) solves this problem with easily applied access rules that grant specific groups, or even individuals, access to only the specific resources they need. Then, should hackers obtain credentials, it will be much harder to do serious damage to the company, because they will only be able to reach what the original owner of the stolen credentials could reach, nothing more.

Restrictive permissions must also work in concert with continuous verification of context- and device-based rules. These can be rules about location, or about the times of day that resources are available. Managed devices, meanwhile, should meet specific security standards before gaining access to company resources. Called Device Posture Check (DPC), these rules can include requirements for a certain antivirus suite, a minimum operating system version, a custom security certificate, and more.
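To make the three layers above concrete, here is a small access evaluator written for this article; it is an added example, not Perimeter 81 code, and every group name, resource name, country, time window, antivirus product and certificate thumbprint in it is a constructed placeholder. It re-evaluates each request from scratch (the "continuous verification" part), first checking group-to-resource scope, then the context rules for that resource, then the device posture.

```python
"""Toy zero-trust access evaluator (added example, not Perimeter 81 code).

Combines per-group resource rules, context rules (country, time window)
and a device posture check. Every request is evaluated from scratch;
nothing is cached from an earlier decision.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Constructed policy: which groups may reach which resources (least privilege).
GROUP_RESOURCES = {
    "sales": {"crm"},
    "marketing": {"cms", "analytics"},
    "platform-admins": {"crm", "cms", "analytics", "prod-db", "ci"},
}

# Constructed context rules per resource: allowed countries and hours.
CONTEXT_RULES = {
    "prod-db": {"countries": {"US", "GB"}, "hours": (time(8, 0), time(19, 0))},
    "ci": {"countries": {"US", "GB"}, "hours": (time(0, 0), time(23, 59))},
}

# Constructed posture requirements (hypothetical product name and thumbprint).
MIN_OS = {"macos": (13, 0), "windows": (10, 0)}
REQUIRED_AV = {"ExampleAV"}
COMPANY_CERT = "sha1:CONSTRUCTED-THUMBPRINT"


@dataclass
class DevicePosture:
    os: str
    os_version: Tuple[int, int]
    antivirus: Optional[str]
    cert_thumbprint: Optional[str]


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    resource: str
    country: str
    when: datetime
    device: DevicePosture


def posture_problems(d: DevicePosture) -> List[str]:
    """Device Posture Check: return every failed requirement (empty = compliant)."""
    problems = []
    if d.os not in MIN_OS:
        problems.append(f"unsupported os {d.os}")
    elif d.os_version < MIN_OS[d.os]:
        problems.append(f"{d.os} version {d.os_version} below minimum {MIN_OS[d.os]}")
    if d.antivirus not in REQUIRED_AV:
        problems.append("required antivirus missing")
    if d.cert_thumbprint != COMPANY_CERT:
        problems.append("device certificate missing or not the company one")
    return problems


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Allowed only when every layer passes."""
    reasons = []
    # 1. Least privilege: does any of the user's groups cover this resource?
    allowed = set().union(*(GROUP_RESOURCES.get(g, set()) for g in req.groups))
    if req.resource not in allowed:
        reasons.append(f"{req.resource} not in scope for groups {sorted(req.groups)}")
    # 2. Context rules (location, time of day) for resources that have them.
    rule = CONTEXT_RULES.get(req.resource)
    if rule:
        if req.country not in rule["countries"]:
            reasons.append(f"country {req.country} not permitted for {req.resource}")
        start, end = rule["hours"]
        if not (start <= req.when.time() <= end):
            reasons.append(f"outside allowed hours for {req.resource}")
    # 3. Device posture, re-checked on every request.
    reasons.extend(posture_problems(req.device))
    return (not reasons, reasons)


# Constructed sample devices and requests used by the demo below.
COMPLIANT = DevicePosture("macos", (13, 2), "ExampleAV", COMPANY_CERT)
OUTDATED = DevicePosture("macos", (12, 6), "ExampleAV", COMPANY_CERT)
T_DAY = datetime(2022, 12, 5, 10, 30)
T_NIGHT = datetime(2022, 12, 5, 2, 30)


def demo_requests():
    return {
        "admin_ok": AccessRequest("alice", {"platform-admins"}, "prod-db", "GB", T_DAY, COMPLIANT),
        "sales_prod_db": AccessRequest("bob", {"sales"}, "prod-db", "US", T_DAY, COMPLIANT),
        "admin_night": AccessRequest("alice", {"platform-admins"}, "prod-db", "GB", T_NIGHT, COMPLIANT),
        "admin_old_os": AccessRequest("alice", {"platform-admins"}, "ci", "US", T_DAY, OUTDATED),
    }


if __name__ == "__main__":
    for name, req in demo_requests().items():
        ok, why = evaluate(req)
        print(f"{name}: {'ALLOW' if ok else 'DENY'} {why}")
```

The deny reasons are returned rather than just a boolean so that the same evaluator can feed an audit log: a stolen credential that is denied for "outside allowed hours" or "device certificate missing" is exactly the kind of event the monitoring discussed later in this article should surface.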

Steps for Privileged Accounts

Context and zero trust access rules are a fantastic approach when we’re talking about marketing or sales teams. But what happens if threat actors are able to harvest the credentials of someone who has much broader access to the system and to company trade secrets?

In these cases, there are a few extra things you can do. First, the multi-factor authentication method for those users must be the strongest that your identity provider supports. Physical security keys are a good option because they are far more resistant to attempts to obtain MFA codes. Enhanced verification options that require you to match numbers between the screen and a mobile application could also work. The important thing is to make it hard for employees to simply push a button, or to accidentally supply MFA codes that grant access to unwanted visitors.

Above all, do not allow your employees, especially ones with high network privileges, to authenticate via SMS. It’s simply not secure, and it exposes the network and resources to all kinds of attacks such as SIM jacking (also called SIM swapping), where an employee’s phone number is taken over by threat actors.

In addition to more robust MFA solutions, monitoring logs for the actions of highly privileged users is critical. That way you can more easily discover actions that seem out of place.
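The two points above, that privileged accounts should not be authenticating with SMS codes and that their activity needs watching, come together in a simple detection pass. The following is an added example written for this article, not Perimeter 81 code: the log format, field names, role names, user names and baseline countries are all constructed, and you would map them onto whatever your identity provider or gateway actually emits. It flags privileged-user events that used a weak MFA method, came from a country not in that user's baseline, happened outside business hours, or changed someone's privileges.

```python
"""Added example: flag privileged-user events in authentication logs.

Log format and field names are constructed for this example (key=value
pairs after an ISO-8601 timestamp); adapt parse_line() to real sources.
"""
import re
from datetime import datetime, timezone

PRIVILEGED_ROLES = {"admin", "domain-admin"}   # constructed role names
WEAK_MFA = {"sms", "voice"}                    # methods the post says not to allow
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 UTC, constructed baseline

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2022-12-02T09:14:07Z user=alice role=admin event=login mfa=fido2 country=US
2022-12-02T09:20:31Z user=bob role=sales event=login mfa=sms country=US
2022-12-02T22:41:55Z user=alice role=admin event=login mfa=sms country=RO
2022-12-02T22:43:02Z user=alice role=admin event=privilege_change target=svc-backup country=RO
2022-12-03T10:05:10Z user=carol role=domain-admin event=login mfa=push country=GB
"""

# Per-user set of countries previously seen; in practice derived from history.
BASELINE = {"alice": {"US"}, "carol": {"GB"}}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a tz-aware 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def detect(log_text, known_countries):
    """Return [(timestamp, user, [flags])] for privileged-user events worth review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("role") not in PRIVILEGED_ROLES:
            continue  # only privileged accounts are in scope for this rule set
        flags = []
        if ev.get("event") == "login" and ev.get("mfa") in WEAK_MFA:
            flags.append("weak_mfa")
        if ev.get("country") not in known_countries.get(ev["user"], set()):
            flags.append("new_country")
        if ev["ts"].hour not in BUSINESS_HOURS:
            flags.append("off_hours")
        if ev.get("event") == "privilege_change":
            flags.append("privilege_change")
        if flags:
            findings.append((ev["ts"].isoformat(), ev["user"], flags))
    return findings


if __name__ == "__main__":
    for ts, user, flags in detect(SAMPLE_LOG, BASELINE):
        print(ts, user, ", ".join(flags))
```

On the sample data, alice's daytime FIDO2 login from her usual country produces nothing, while her late-night SMS-authenticated login from a new country and the privilege change that follows it are both flagged on several counts at once; stacking independent signals like this is what lets a reviewer spot the handful of events that deserve attention among thousands of routine privileged logins.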

Extra Steps: Web Defense

Beyond securing accounts, you need solutions that disrupt the flow of phishing emails, links, and malware to your employees. Perimeter 81’s Web Filtering allows administrators to prevent employees from engaging with known risky sites, as well as barring entry to sites that are known to commonly distribute malware. 

Perimeter 81’s Malware Protection, meanwhile, defends user devices against the worst the web has to offer, including drive-by downloads and webmail attachments that can carry any number of threats, from ransomware to rootkits.

Both Web Filtering and Malware Protection are available from Perimeter 81 as part of a Secure Web Gateway add-on license.

Awareness training is important and should still be part of your mitigation efforts, but depending on people to resist every phishing campaign that comes along is not a solid game plan.