Page 160 - Cyber Defense eMagazine September 2025
• Best practice: combine in-house tuning of your own signals with a vendor bot-management product (for example PerimeterX, now part of HUMAN Security, or Akamai Bot Manager); neither alone sees enough of your traffic to be accurate.
3. Authentication that Adapts
• Replace static, prompt-on-every-login MFA with risk-based policies:
• Trigger step-up authentication only when the session's risk score is high.
• Score each session on device history, IP reputation, geolocation, and impossible travel (a login that would require moving faster than any flight since the previous one).
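The scoring logic described above, as an added example that is not from the article or any named vendor product. It assumes a small constructed IP-reputation feed and illustrative weights and thresholds (30 for an unknown device, 50 for a bad IP, 50 for impossible travel, step-up at 50 or more); the geo coordinates are the previous and current login locations as resolved by geo-IP.

```python
"""Risk-based step-up: score a login from device, IP reputation and travel plausibility."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Assumed weights/thresholds for this example; tune them against real login telemetry.
STEP_UP_THRESHOLD = 50          # a score at or above this forces an MFA prompt
MAX_PLAUSIBLE_SPEED_KMH = 900   # roughly airliner speed; faster is "impossible travel"
GEO_JITTER_KM = 50              # ignore geo-IP drift inside one metro area

# Constructed IP reputation feed: ip -> 0 (clean) .. 100 (known bad).
IP_REPUTATION = {
    "203.0.113.7": 0,      # known corporate egress
    "198.51.100.42": 95,   # listed as a proxy / botnet exit node
}

@dataclass
class LoginEvent:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    at: datetime

@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(event: LoginEvent, history: UserHistory) -> Tuple[int, List[str]]:
    """Return (score, reasons). Signals add independently; the score is capped at 100."""
    score, reasons = 0, []
    if event.device_id not in history.known_devices:
        score += 30
        reasons.append("unknown device")
    reputation = IP_REPUTATION.get(event.ip, 20)   # IPs with no data get a modest default
    if reputation >= 80:
        score += 50
        reasons.append(f"ip reputation {reputation}")
    prev = history.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = (event.at - prev.at).total_seconds() / 3600
        # Two continents within the same second (hours <= 0) is impossible travel too.
        if km > GEO_JITTER_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
    return min(score, 100), reasons

def requires_step_up(event: LoginEvent, history: UserHistory) -> bool:
    """Policy decision: prompt for MFA only when session risk is high."""
    return risk_score(event, history)[0] >= STEP_UP_THRESHOLD

def utc(hour: int, minute: int) -> datetime:
    return datetime(2025, 9, 1, hour, minute, tzinfo=timezone.utc)

# Constructed sessions for the walk-through.
LONDON_LOGIN = LoginEvent("alice", "dev-1", "203.0.113.7", 51.5074, -0.1278, utc(9, 0))
ALICE_HISTORY = UserHistory(known_devices={"dev-1"}, last_login=LONDON_LOGIN)
SYDNEY_LOGIN = LoginEvent("alice", "dev-9", "192.0.2.9", -33.8688, 151.2093, utc(9, 30))
BAD_IP_LOGIN = LoginEvent("bob", "dev-2", "198.51.100.42", 51.5074, -0.1278, utc(9, 5))
BOB_HISTORY = UserHistory(known_devices={"dev-2"})

if __name__ == "__main__":
    print(risk_score(SYDNEY_LOGIN, ALICE_HISTORY), requires_step_up(SYDNEY_LOGIN, ALICE_HISTORY))
    print(risk_score(BAD_IP_LOGIN, BOB_HISTORY), requires_step_up(BAD_IP_LOGIN, BOB_HISTORY))
```

The known-device, clean-IP login scores 0 and passes silently; the same account appearing in Sydney on a new device 30 minutes after London scores 80 and is stepped up, as is a known device arriving from a bad exit node. Keep the reasons list: it is what your SOC will ask for when a customer disputes a prompt.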
4. Security Controls for APIs
• Treat web login flows and login APIs as separate attack surfaces; the bot detection and MFA you put in front of the web form do not automatically cover the API.
• For example, apply rate limiting and strict request-schema validation, especially to the login APIs used by mobile apps, which are often the least protected path to the same credentials.
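The two controls named above, as an added example that is not code from the article. It assumes a JSON login body with `username`, `password` and an optional `device_id`, and illustrative limits of 10 requests per source IP per minute and 5 attempts per account per 5 minutes; the `_demo_check` credential store is constructed for the example.

```python
"""Login API front door: per-IP rate limit, strict schema validation, per-account limit."""
import json
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

# Assumed request contract for the login API; any key outside it is rejected.
LOGIN_SCHEMA = {
    "username": {"type": str, "max_len": 254, "required": True},
    "password": {"type": str, "max_len": 128, "required": True},
    "device_id": {"type": str, "max_len": 64, "required": False},
}

def parse_login_body(raw: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """Strict validation: returns (body, None) on success or (None, error) on failure."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None, "malformed json"
    if not isinstance(body, dict):
        return None, "body must be a json object"
    unknown = set(body) - set(LOGIN_SCHEMA)
    if unknown:
        return None, "unknown fields: " + ",".join(sorted(unknown))
    missing = [k for k, s in LOGIN_SCHEMA.items() if s["required"] and k not in body]
    if missing:
        return None, "missing fields: " + ",".join(missing)
    for key, value in body.items():
        spec = LOGIN_SCHEMA[key]
        # Wrong type, empty string, or oversize value all fail closed.
        if not isinstance(value, spec["type"]) or not value or len(value) > spec["max_len"]:
            return None, f"invalid field: {key}"
    return body, None

class SlidingWindowLimiter:
    """Allow at most `limit` hits per key in any trailing `window_s` seconds."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:   # drop hits that aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class LoginGate:
    """Order matters: cheap IP limit first, then validation, then the per-account limit."""
    def __init__(self, check_password: Callable[[str, str], bool]):
        self.check_password = check_password
        self.per_ip = SlidingWindowLimiter(limit=10, window_s=60)       # assumed limit
        self.per_account = SlidingWindowLimiter(limit=5, window_s=300)  # assumed limit

    def handle(self, raw_body: bytes, ip: str, now: float) -> Tuple[int, str]:
        if not self.per_ip.allow(ip, now):
            return 429, "too many requests from source"
        body, err = parse_login_body(raw_body)
        if err:
            return 400, err
        # Attempts count against the account whether or not they succeed; key is case-folded.
        if not self.per_account.allow(body["username"].lower(), now):
            return 429, "too many attempts for account"
        if self.check_password(body["username"], body["password"]):
            return 200, "ok"
        return 401, "invalid credentials"

def _demo_check(username: str, password: str) -> bool:
    """Constructed credential store for the example only."""
    return (username, password) == ("alice", "correct horse battery staple")

if __name__ == "__main__":
    gate = LoginGate(_demo_check)
    good = json.dumps({"username": "alice", "password": "correct horse battery staple"}).encode()
    print(gate.handle(good, "203.0.113.7", now=0.0))
    # Credential stuffing: one try per account from one IP; the 11th hits the IP limit.
    for i in range(11):
        body = json.dumps({"username": f"user{i}", "password": "Password1"}).encode()
        print(i, gate.handle(body, "198.51.100.42", now=float(i)))
```

Note what the per-account limit does not catch: credential stuffing tries each account once, so only the per-IP limit fires here, and an attacker spreading requests across a proxy pool defeats that too. That is why the rate limit is a floor, and bot detection and adaptive authentication still sit in front of it.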
5. Transparency & User Education
• Educate customers about the dangers of password reuse, and send a breach notification when their credentials are found to be reused or exposed in a known breach.
• Transparency builds trust.
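One way to find the reused credentials that trigger such a notification, as an added example that is not from the article. It assumes the k-anonymity range-query model that Have I Been Pwned's Pwned Passwords service uses (the client sends the first five hex characters of the SHA-1 of the password and compares the returned suffixes locally, so the full hash never leaves the client); the corpus and the login attempts below are constructed for the example, and the check can only run at login or password-change time, when the plaintext is transiently in hand.

```python
"""Check a submitted password against a breach corpus without sending its full hash."""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class BreachCorpus:
    """Server side of a k-anonymity range query: 5-hex-char prefix -> (suffix, count) list."""
    PREFIX_LEN = 5

    def __init__(self, leaked: Iterable[Tuple[str, int]]):
        self.by_prefix: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
        for password, count in leaked:
            h = sha1_hex(password)
            self.by_prefix[h[:self.PREFIX_LEN]].append((h[self.PREFIX_LEN:], count))

    def range(self, prefix: str) -> List[Tuple[str, int]]:
        """Everything sharing the prefix is returned; the caller does the matching."""
        return list(self.by_prefix.get(prefix.upper(), []))

def exposure_count(password: str, corpus: BreachCorpus) -> int:
    """Client side: query by prefix, compare suffixes locally. 0 means not found."""
    h = sha1_hex(password)
    prefix, suffix = h[:BreachCorpus.PREFIX_LEN], h[BreachCorpus.PREFIX_LEN:]
    for candidate, count in corpus.range(prefix):
        if candidate == suffix:
            return count
    return 0

def users_to_notify(logins: Iterable[Tuple[str, str]], corpus: BreachCorpus,
                    min_count: int = 1) -> List[str]:
    """Usernames whose submitted password appears in the corpus at least min_count times."""
    return [user for user, pw in logins if exposure_count(pw, corpus) >= min_count]

# Constructed corpus: plaintexts with made-up exposure counts, for the example only.
CORPUS = BreachCorpus([("password123", 123456), ("qwerty", 98765), ("Summer2025!", 42)])

# Constructed login attempts; the plaintext is never persisted, only checked in memory.
LOGINS = [("alice", "password123"),
          ("bob", "correct horse battery staple"),
          ("carol", "Summer2025!")]

if __name__ == "__main__":
    for user, pw in LOGINS:
        print(user, exposure_count(pw, CORPUS))
    print("notify:", users_to_notify(LOGINS, CORPUS))
```

Raise `min_count` if a corpus returns long-tail one-off hits you do not want to alert on, and pair the notification with a forced reset rather than a warning alone; a password already in a stuffing list will be tried against you whether or not the customer reads the e-mail.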
A Guide for CEOs and CISOs
Phase 1: Visibility & Discovery
• Map every login endpoint, including mobile flows and APIs.
• Baseline the ratio of failed to successful logins; a sudden rise, especially one-attempt-per-account failures against many distinct accounts from few sources, frequently indicates credential stuffing.
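The benchmark-and-alert logic described above, run over sample log lines, as an added example that is not from the article. The log format (`timestamp ip=... user=... result=ok|fail`) and the baseline failure ratio of 0.2 are assumptions; the lines themselves are constructed to show one quiet minute followed by a stuffing burst, plus one junk line the parser must tolerate.

```python
"""Detect credential stuffing from login logs: failure-ratio spike plus account spraying."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed login log format; adapt the regex to your IdP or WAF export.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail)$"
)
BASELINE_FAILURE_RATIO = 0.2   # assumed benchmark measured over a normal week

def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse matching lines into dicts; non-matching lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def failure_ratio_by_minute(events: List[Dict[str, str]]) -> Dict[str, Tuple[int, float]]:
    """minute -> (attempts, share of attempts that failed)."""
    attempts, fails = Counter(), Counter()
    for e in events:
        attempts[e["ts"]] += 1
        if e["result"] == "fail":
            fails[e["ts"]] += 1
    return {m: (attempts[m], fails[m] / attempts[m]) for m in attempts}

def flag_minutes(events: List[Dict[str, str]], baseline_ratio: float,
                 factor: float = 3.0, min_attempts: int = 10) -> List[str]:
    """Minutes whose failure ratio is `factor` times the benchmark and busy enough to matter."""
    return sorted(m for m, (n, r) in failure_ratio_by_minute(events).items()
                  if n >= min_attempts and r >= factor * baseline_ratio)

def spraying_sources(events: List[Dict[str, str]], min_distinct_users: int = 10) -> Dict[str, int]:
    """Source IPs that failed against many distinct accounts: the stuffing signature."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            users[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_distinct_users}

# Constructed sample log: a normal minute (2 failures in 10, one a typo retried
# successfully), then 20 one-try-per-account attempts from a single IP, 18 failing.
SAMPLE_LOG = [
    "2025-09-01T10:00:03Z ip=203.0.113.7 user=alice result=ok",
    "2025-09-01T10:00:09Z ip=203.0.113.8 user=bob result=ok",
    "2025-09-01T10:00:15Z ip=203.0.113.9 user=carol result=fail",
    "2025-09-01T10:00:21Z ip=203.0.113.9 user=carol result=ok",
    "2025-09-01T10:00:30Z ip=203.0.113.10 user=dave result=ok",
    "2025-09-01T10:00:44Z ip=203.0.113.11 user=erin result=ok",
    "2025-09-01T10:00:45Z ip=203.0.113.12 user=frank result=ok",
    "2025-09-01T10:00:50Z ip=203.0.113.13 user=grace result=fail",
    "2025-09-01T10:00:55Z ip=203.0.113.14 user=heidi result=ok",
    "2025-09-01T10:00:58Z ip=203.0.113.15 user=ivan result=ok",
    "garbage line the parser must tolerate",
] + [
    f"2025-09-01T10:01:{i:02d}Z ip=198.51.100.42 user=victim{i:02d} "
    f"result={'ok' if i in (4, 17) else 'fail'}"
    for i in range(20)
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(failure_ratio_by_minute(events))
    print("spike minutes:", flag_minutes(events, BASELINE_FAILURE_RATIO))
    print("spraying sources:", spraying_sources(events))
```

The two successes inside the burst are the part to act on: those are accounts whose reused passwords just worked for the attacker, and they should be flagged for forced reset the moment the burst is detected, not after the incident review.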
Phase 2: Incorporate Controls
• Augment the existing IAM stack with threat intelligence, bot detection, and adaptive authentication.
• Extend IAM rather than rip and replace it.
Phase 3: Ongoing Testing
• Run red-team exercises that specifically replicate credential stuffing: leaked-credential lists, distributed sources, and one attempt per account.
• Apply chaos-engineering principles to confirm the login flow degrades safely while under attack.
Phase 4: Business Engagement
• Report credential stuffing as revenue loss and customer fraud rather than as a "login failure issue."
• Frame board discussions around revenue and reputational risk.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.