The convenience of accessing online services from anywhere can inadvertently expose you and your firm to significant cybersecurity risks. If you’re using public WiFi “just real quick” for any purpose, especially work tasks, you’re opening the door to sophisticated attacks that prey on unsuspecting users and weak cybersecurity practices.  

Whether you’re a firm with ten people or a thousand, if you’re using an unsecured network without proper measures in place, someone close by can hijack your device without you even knowing it—and that could cost millions.   


Man-in-the-Middle Attacks  

With physical proximity, a criminal can overload the wireless system of a phone or laptop, forcibly disconnect you from a legitimate network, and trick you into reconnecting to a network they control. It’s called a man-in-the-middle attack (MITM), and it preys on two things: your inherent trust that your devices connect to legitimate networks, and lax security measures. These attacks are particularly malicious because they don’t require phishing or social engineering tactics, and they don’t raise immediate red flags.  

Here’s an example. If you’re in an airport and connect to the airport’s legitimate public WiFi, you may be kicked off at some point. It’s easy to assume the network signal was weak for a moment or that it was overloaded. So, you try to reconnect. Easy enough—by default, most devices are set up to automatically connect to familiar networks (or at least ask if you want to join a recognized network). You reconnect to the airport’s public network and resume your work.   

Except you’re not on the airport network at all. A criminal nearby has created a WiFi network and given it the same name as the “legitimate” network, in this case, the airport. When you log on to the fake network, this hacker can steal your account session without asking for your username and password.

Once the hacker controls your session, they can gain persistent access. That means they can maintain prolonged unauthorized, undetected access to your sensitive data and communications despite restarts or changed credentials. 

Think about that. If you have a wire transfer in process, this bad actor can quickly reproduce an email from you and divert the approved funds to their account instead of the real one. “Hey, quick change of plans for the investment. The funds need to be rerouted to this bank account because (made up reason).” The email address looks legit. The sender is familiar. The email is an actual email the recipient would expect to see, so they don’t question the change. How much money would your firm lose in that scenario?


How Cybersecurity Operations Can Help  

Without monitoring in place, you don’t know how the incident happened. And when you don’t know how it happened, you don’t know how to prevent it from happening again.

Agio’s cybersecurity operations (cyber ops) is key to stopping an MITM attack. Sticking with the scenario above, our team would use the visibility from cyber ops to detect signs of a compromised account before emails are sent to investors. We could then stop the attacker and determine the root cause to prevent them from coming back. Our analysts can determine precisely when that compromise took place and home in on the timeframe to look at what was happening with the user, their device, and the systems the device was connected to. In this example, the user was on public WiFi, which led to the MITM attack.

The next steps would be to revoke all active sessions to prevent further unauthorized access, validate email rules (specifically forwarding rules) for any anomalies, require the affected user to change passwords for added security, and confirm the legitimacy of the multi-factor authentication (MFA).


What You Can Do  

You need a high level of visibility and a team smart enough to catch sophisticated attacks when attackers get around your other security controls. The most important step in protecting yourself, your employees, and your firm is taking a multi-layered security approach that encompasses robust access controls, device management, user education, and proactive monitoring.

  • Disable auto-join for public WiFi networks: By disabling the auto-join feature, you force manual connections, which prompts users to scrutinize network names and details before joining, reducing the likelihood of accidentally connecting to a rogue network.  
  • Enable risk-based conditional access policies: Adaptive access controls enforce additional authentication requirements when unusual or high-risk activities are detected. 
  • Use a full-tunnel VPN when connected to public WiFi: Virtual Private Networks (VPNs) create an encrypted tunnel for all internet traffic, shielding your online activities from potential eavesdroppers or attackers on the same network. With a VPN, you effectively neutralize the threat of MITM attacks by preventing unauthorized parties from intercepting or tampering with your data transmissions.  
  • Use strong passwords: Strong passwords are vital for security and are the first line of defense against unauthorized access to your accounts. They should be complex and unpredictable to resist brute-force attacks and guessing.   
  • Don’t reuse passwords: One reused password can lead to a compromise that endangers multiple accounts. Unique passwords for each account help contain breaches and limit their impact, safeguarding your digital identity and personal information from cascading security threats.  
  • Remember, MFA isn’t infallible: While MFA is a critical security layer, it can be bypassed or compromised, especially if application consent is manipulated.  
  • Stay vigilant with application permissions: Overly permissive application permissions increase the potential attack surface and expand how an attacker could exploit a system if they gain initial access through techniques like MITM.  
  • Stay on top of device compliance and management: Non-compliant, unmanaged devices pose risks when they are allowed access, so ensuring devices meet security standards is essential.  
  • Monitor and review access logs: Regular scrutiny of access logs and sign-in activities helps detect suspicious activities early.  
  • Pay attention to email rules and forwarding: Attackers often create inbox rules to hide their tracks or facilitate data exfiltration. Regular audits of email rules are necessary to detect and respond to such tactics.  
  • Establish travel and remote access requirements: You should have protocols to validate access during travel and consider using a VPN with more stringent checks. 
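
As an added example (not Agio’s tooling), here is the detection and correlation logic behind the two monitoring items above and the response steps described earlier, run over constructed sign-in and mailbox-audit events: one session id presented from a second IP address, followed minutes later by a new inbox rule that forwards or hides mail. The log field names, the firm’s domain, the sample values and the hide-folder list are all assumptions of this example.

```python
from datetime import datetime, timedelta

# Assumptions for this example: the firm's mail domain, and folders attackers pick to hide replies.
INTERNAL_DOMAINS = {"firm.example"}
HIDE_FOLDERS = {"rss feeds", "conversation history", "deleted items", "junk email", "archive"}
# Constructed sample events; field names are this example's, not any product's log schema.
SIGNINS = [
    {"ts": "2024-03-01T09:00:00", "user": "cfo@firm.example", "session": "S1", "ip": "203.0.113.10"},
    {"ts": "2024-03-01T09:12:00", "user": "cfo@firm.example", "session": "S1", "ip": "198.51.100.77"},
    {"ts": "2024-03-01T14:00:00", "user": "analyst@firm.example", "session": "S2", "ip": "203.0.113.10"},
]
RULES = [
    {"ts": "2024-03-01T09:15:00", "user": "cfo@firm.example", "name": ".",
     "forward_to": ["ops-finance@mail.example.net"], "move_to": "RSS Feeds"},
    {"ts": "2024-03-01T10:00:00", "user": "analyst@firm.example", "name": "Newsletters",
     "forward_to": [], "move_to": "Archive"},
]

def session_reuse(signins, window=timedelta(hours=1)):
    """user -> time the same session id was first seen from a second IP within `window`.
    That is a replayed session, not a new login, which is why revoking sessions comes first."""
    first_hit, last_seen = {}, {}
    for ev in sorted(signins, key=lambda e: e["ts"]):
        key, now = (ev["user"], ev["session"]), datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(key)
        if prev and prev["ip"] != ev["ip"] and now - datetime.fromisoformat(prev["ts"]) <= window:
            first_hit.setdefault(ev["user"], now)
        last_seen[key] = ev
    return first_hit

def rule_findings(rule):
    """Reasons one inbox rule matches the hide-or-exfiltrate pattern ([] if none)."""
    reasons = []
    for addr in rule["forward_to"]:
        if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"forwards to external address {addr}")
    if rule.get("move_to", "").lower() in HIDE_FOLDERS:
        reasons.append(f"moves mail to '{rule['move_to']}'")
    if not rule["name"].strip(". "):  # "." or blank names are meant to be overlooked in the rule list
        reasons.append("unreadable rule name")
    return reasons

def triage(signins, rules, follow_window=timedelta(hours=2)):
    """Users whose suspicious rule appeared within `follow_window` after a replayed session."""
    reuse, report = session_reuse(signins), {}
    for rule in rules:
        reasons, hit = rule_findings(rule), reuse.get(rule["user"])
        if reasons and hit and timedelta(0) <= datetime.fromisoformat(rule["ts"]) - hit <= follow_window:
            report.setdefault(rule["user"], []).extend(reasons)
    return report
```

The analyst’s "Archive" rule trips the folder heuristic on its own but drops out of `triage` because no session anomaly precedes it; the correlation is what keeps the alert volume manageable.
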

Moving Forward  

Complacency is a cybercriminal’s greatest ally. Using public WiFi networks, assuming devices will connect to legitimate networks, and ignoring security best practices lead to added risk.

The stealthy nature of MITM attacks underscores the need for robust security measures and heightened user awareness to safeguard against such threats. Your firm can fortify its defenses against attacks by embracing a multi-layered security approach, implementing robust access controls, maintaining device compliance, fostering user awareness, and leveraging proactive monitoring solutions like XDR.  

Don’t leave your firm vulnerable. Contact Agio today to discuss implementing robust cybersecurity measures, including extended detection and response (XDR) solutions, to protect against man-in-the-middle attacks and other emerging threats. Our team of experts will work with you to assess your current security posture, identify potential weaknesses, and develop a comprehensive plan tailored to your organization’s unique needs. Secure your digital assets and operations. Schedule a consultation now.