Note that in Cloudflare’s case, they were not breached because they properly secured their infrastructure. The entire point of hardware keys is that you need to be physically at the location, which dramatically increases the cost of gaining unauthorized access.
Cloudflare said that three of its employees fell for the phishing scam, but that the company’s use of hardware-based MFA keys prevented the would-be intruders from accessing its internal network.
It’s impressive that despite three of its employees falling for the scam, Cloudflare kept its systems from being breached. The company’s use of hardware-based security keys that comply with the FIDO2 standard for MFA was a critical reason. Had the company relied on one-time passwords from sent text messages or even generated by an authentication app, it likely would have been a different story.
What bothers me more is that I have been to bank branches where the employees walk around with Yubikeys to access their workstations, yet they won’t do anything beyond SMS 2FA, if that, for bank logins for customers.
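The origin binding that the quoted article credits for Cloudflare's escape, as an added standard-library Python sketch (not from the article or any commenter); the relying-party id, origin, and the HMAC standing in for the authenticator's asymmetric signature are constructed assumptions:

```python
import hashlib
import hmac
import json
import os

# Constructed example: one relying party ("RP") and one registered hardware key.
# The credential's key is modelled with an HMAC secret standing in for the real
# asymmetric key pair, so the block runs with the standard library only.
RP_ID = "example.com"               # assumed relying-party id
RP_ORIGIN = "https://example.com"   # assumed genuine login origin
CRED_KEY = os.urandom(32)           # held inside the hardware key

def authenticator_sign(key, origin, challenge):
    """The browser writes the real origin into clientDataJSON and derives the RP id
    from it (the page cannot choose either); the key signs rpIdHash || SHA-256(clientDataJSON)."""
    rp_id = origin.split("://", 1)[1].split("/", 1)[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash only; flags/counter omitted
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "signature": hmac.new(key, to_sign, hashlib.sha256).digest()}

def rp_verify(assertion, challenge):
    """Relying-party checks of the WebAuthn 'get' ceremony that reject a relayed assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:             # origin binding: a look-alike site fails here
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False                               # rpIdHash binding
    expected = hmac.new(CRED_KEY, assertion["auth_data"]
                        + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def hardware_key_login(origin_shown_to_user):
    """Relay scenario: the RP's challenge is forwarded to the victim, who taps the key
    on whichever origin the browser is really displaying; the RP decides."""
    challenge = os.urandom(16).hex()
    return rp_verify(authenticator_sign(CRED_KEY, origin_shown_to_user, challenge), challenge)

def otp_login(code_typed, code_expected):
    """A one-time code is a bare string with no origin in it, so a relayed code still verifies."""
    return hmac.compare_digest(code_typed, code_expected)
```

The contrast the article draws is the two last functions: the hardware-key assertion carries the origin and RP id the browser observed, so the genuine site rejects anything produced on another domain, while an SMS or app code verifies identically wherever it was typed.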
What other features are missing from cloud vendors’ systems and processes that would offer better protection?
OPSEC will always be more important than mitigations, which is what 2FA is. If you don’t have good OPSEC, no security measure will adequately protect you from a motivated, knowledgeable, and well-financed threat. A mitigation prevented Cloudflare employees from opening the doors to their attackers, but they clearly still have a big problem. If you’re into podcasts, I recommend listening to episode 6 of Darknet Diaries, The Beirut Bank Job. Often, the problem is humans.
One issue I see with security measures is the first instinct is to take away power from users, which is why it’s no surprise that companies will always use security as a reason to introduce unpopular functionality, even if it doesn’t make sense. “Trusted Computing”, a term you’ve probably heard a lot of lately, was initially pushed by Microsoft so they could prevent you from doing things on your own computer if it didn’t serve their interests.
EDIT: In this case, a TPM with your custom keys will prevent the persistence of malware. That’s its primary security benefit. When I said companies use security to justify why a new restriction is being introduced, I didn’t intend for “trusted computing” to be an example of this. I can’t think of a good example off the top of my head, but there certainly are examples in the wild.
There’s this one scene in Mr. Robot (mild spoilers ahead) where Elliot sees an elderly woman working at a company. He views her as a weak link to easily gain access to the company, but when pushed, she doesn’t give him access and foists him on someone else. The implication is that she calls security on him while keeping him busy.
Not a perfect response to social engineering, but better than just folding over without confirming his credentials.
Security awareness is far more important than better software. But there should be good processes for employees to follow to overcome social engineering.