What is a push-bombing attack and how to defend against it
A core problem for organizations after migrating to the cloud has become sign-in. Think about how many things your company does that require a username and password. Employees keep signing into different systems and cloud apps.
Attackers use various methods to obtain those credentials. Their goal is user-level access to company data.
Wondering how much worse account compromise has gotten? Between 2019 and 2021, account-takeover incidents rose 307%.
Does multi-factor authentication solve password theft?
Yes, and no. Many organizations and individuals use multi-factor authentication (MFA). It stops attackers who have already obtained a username and password by requiring a second factor: an email or SMS code, or a prompt in a phone app.
One way to bypass MFA is push-bombing.
How does push-bombing work?
In push-bombing, the attacker already has the user's credentials. They attempt to sign in many times in a row, and each attempt sends the legitimate user a "push" notification to approve. Many people would question a single unsolicited prompt, but when they are bombarded with them, they can easily approve one by mistake, and that single approval gives the attacker a valid session.
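The pattern described above is visible in identity-provider sign-in logs as a burst of push prompts for one account in a short window, and the case that needs an immediate response is a burst that ends in an approval. The following detector is an added example, not code from the original post: it runs over constructed sample log lines in a made-up three-field format (timestamp, user, event) and flags accounts that received a threshold number of prompts inside a sliding window, noting whether an approval followed the burst. Real providers emit different field names; map them onto the three event types before feeding the detector.

```python
"""
Added push-bombing detector (example code, not from the original post).
Assumed log format (constructed): "<ISO timestamp> <user> <event>", where
event is PUSH_SENT, PUSH_DENIED or PUSH_APPROVED.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real data. alice receives a burst of prompts
# and finally approves one; bob and carol show normal, spaced-out activity.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice PUSH_SENT
2024-05-01T08:00:03Z alice PUSH_DENIED
2024-05-01T08:00:20Z alice PUSH_SENT
2024-05-01T08:00:41Z alice PUSH_SENT
2024-05-01T08:01:02Z alice PUSH_SENT
2024-05-01T08:01:25Z alice PUSH_SENT
2024-05-01T08:01:30Z alice PUSH_APPROVED
2024-05-01T08:05:00Z bob PUSH_SENT
2024-05-01T08:05:04Z bob PUSH_APPROVED
2024-05-01T09:00:00Z carol PUSH_SENT
2024-05-01T09:30:00Z carol PUSH_SENT
2024-05-01T10:00:00Z carol PUSH_SENT
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: alert} for accounts that look push-bombed.

    An account is flagged when `threshold` or more PUSH_SENT events fall
    inside the sliding `window`. The alert records the largest burst seen
    and whether a PUSH_APPROVED arrived while the burst was still inside
    the window, which is the outcome worth an immediate response.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent PUSH_SENT
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)
        q = recent[user]
        # Drop prompts that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "PUSH_SENT":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"burst": 0, "approved_after_burst": False})
                alert["burst"] = max(alert["burst"], len(q))
        elif event == "PUSH_APPROVED" and user in alerts and len(q) >= threshold:
            # Approval while a burst is still in the window: the user may
            # have accepted an attacker's prompt by mistake.
            alerts[user]["approved_after_burst"] = True
    return alerts


def recommended_action(alert):
    """Map an alert to the response a SOC would take first."""
    if alert["approved_after_burst"]:
        return "revoke sessions, reset password, contact user"
    return "contact user, confirm prompts were unsolicited"


if __name__ == "__main__":
    for user, alert in detect_push_bombing(SAMPLE_LOG).items():
        print(user, alert, "->", recommended_action(alert))
```

The threshold and window are tuning knobs: a value like four prompts in five minutes catches the burst shown while leaving carol's three spaced-out prompts alone. In production the same logic belongs in the SIEM rule engine, keyed on the provider's own push-sent and push-approved event IDs.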
Ways to fight push-bombing in your organization
Educate staff
Knowledge is power. Inform your staff about what push-bombing is and how it works. Train them on what to do if they receive an MFA prompt they didn't request.
Use phishing-resistant MFA
You can prevent push-bombing by switching to a different form of MFA. Phishing-resistant MFA uses a device passkey or a physical security key. Companies like Yubico, Kensington, Nitrokey, and others make physical authentication keys that completely sidestep push-bombing, because there is no push prompt for the user to approve. This is harder to set up, but much more secure than text- or app-based MFA.
Enforce unique strong passwords
For attackers to even send push prompts, they need the user's credentials. Enforcing unique, strong passwords significantly reduces the chance of a password being cracked or reused from another breach. If you or your staff struggle to remember passwords, use a password manager, for example Bitwarden or Passbolt.
Need help improving identity and access security?
Multi-factor authentication alone isn't enough. Companies need multiple layers of protection to reduce the risk of cloud-service breaches.
Looking for help strengthening access security? Book a meeting with us today: https://calendly.com/roman-krutina-ict-group/30-minute-meeting