Fortalice Solutions on the topic of the UnitedHealth Breach:
As news outlets have reported, threat actors responsible for the recently disclosed massive UnitedHealth ransomware attack (ALPHC Ransomware Gang) gained access by leveraging compromised credentials on a remote access application, a remote access application without multifactor authentication (MFA) in place. The result? The nation’s largest health insurer is scrambling to understand the full extent of the massive breach that UnitedHealth Group admits resulted in the theft of stolen health and personal data from a "substantial proportion" of Americans this past February.
Unfortunately, the absence of MFA on external VPNs and remote access platforms is a particularly upsetting, and increasingly common, trend in the 2024, not one confined to the halls of UnitedHealth. In today’s world of tight budgets, nearly every organization – big and small alike - struggles with executive buy-in (before an event), insufficient funding for cybersecurity priorities, and an over-committed security staff, on top of a litany of other considerations that stifle, at best, or negate, at worst, cybersecurity best practices. To that end, there is one simple rule that the cybersecurity practitioners at Fortalice Solutions cannot emphasize enough: ALL EXTERNALLY FACING REMOTE ACCESS MUST HAVE MFA. Period. End of story.
To be clear: this is not an ALL CAPS comment sneakily designed to elicit clicks from tinfoil hat wearing, fearmongering alarmists online. It is common sense. It is best practice. Moreover, MFA is not a wish list item nor should it be categorized in your security team’s “nice to have” column. Simply put, the lack of MFA is a nonstarter for any company or organization truly committed to securing itself, its employees, its partners, its brand reputation, and, of course, its bottom line. Anything less – in this dynamic and volatile security landscape of 2024 – is akin to corporate or organizational malfeasance.
In this industry, the discussion is frequently about “if not when.” A lack of MFA only intensifies and accelerates that conversation. It really is just a matter of time before the threat actors find the attack surface if they haven’t found it already. Don’t be a victim.
Fortalice can help assist with education on the issue through board training and tabletop exercises, ensuring best practices are followed through secure configuration assessments, or identifying unknown gaps through penetration testing.