January 27, 2022

Minimizing the Impact: Multifactor Authentication

Multifactor authentication (MFA) adds a layer of protection to sign-in processes. When signing into a platform with MFA, you are required to provide two pieces of evidence to identify yourself. Because passwords present a single point of failure, implementing MFA has become a necessity for organizations. MFA is also becoming a requirement for obtaining or renewing cyber insurance.

Common password attacks to consider:

  1. Phishing
  2. Compromised Applications
  3. Social Engineering
  4. Password Guessing and Cracking (Strong Passwords)
  5. Malware

How to think through your attack surface:  

Phishing:

Regardless of end user training around phishing, it will continue to be successful. Minimizing impact with MFA is a critical step. You do not want to be compromised due to a trivial phishing attack after implementing a range of costly security controls in your environment. Even with the best security software deployed in an environment, it’s common for users to end up putting their credentials into a ‘false/malicious’ website.

Compromised Applications:

Breaches aren’t stopping anytime soon. Users reuse corporate passwords on other applications/sites, and it’s common for one of those applications/sites to be compromised, exposing the reused corporate password, which then ends up on a leak page (ref: https://haveibeenpwned.com/PwnedWebsites) or is sold to attackers.

Malware:

Even using the strongest security software, organizations must strike a balance between security and usability. Unfortunately, browser add-ons and other malicious software may slip through the cracks and harbor the ability to scrape passwords. If a company doesn’t have specific controls in place, malware will often attempt to pull passwords from infected machines.  

Business E-mail Compromise (tied to phishing, but a risk that should be considered):

Business e-mail compromise (BEC) is very common and not a focus for most businesses until they are compromised. Attackers will target hundreds of employees with phishing e-mails, eventually gain access, and then pivot to your environment (e.g., SharePoint) or start targeting clients/partners.

How to Prioritize MFA:

Now that it’s clear how important MFA is in an environment, the next step is to prioritize how it should be implemented. As there are many MFA approaches/solutions/products, it’s good to map out where you would want it implemented and then take a step back to identify the solution that solves the problem for you and will be the easiest to manage/implement.

With reducing the attack surface for your business in mind, the first focus areas should be remote access, email access, and privileged/administrative accounts. It’s also important to prioritize critical business applications that store sensitive data (PII, PHI, or critical information) that users or third parties access.

Can MFA Be Bypassed?

Yes, MFA can be bypassed. However, it’s typically not trivial. When implementing MFA, it’s important to understand how it could be compromised. For example, if users receive an e-mail to authenticate and their e-mail account has been compromised, you should then assume the account is at additional risk. The next level of security for your most sensitive accounts would be to implement a privileged access management (PAM) solution that would require check in and check out of privileged credentials to further mitigate risk.
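
The prioritization and the e-mail caveat above can be turned into a quick coverage audit. The following is an added example, not MOXFIVE code: it ranks accounts from a constructed inventory by the focus areas named in this article and flags e-mail-delivered factors. The CSV column names, the access-type labels, and the three-tier ordering are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory; column names and values are hypothetical,
# not taken from any product export.
SAMPLE_INVENTORY = """account,access_type,privileged,sensitive_data,mfa_method
jsmith,vpn,no,no,none
admin-dc01,console,yes,yes,none
mlee,email,no,no,email_code
svc-hr,hr_app,no,yes,authenticator_app
kpatel,email,no,no,none
root-backup,vpn,yes,yes,email_code
payroll-user,hr_app,no,yes,none
tnguyen,intranet,no,no,none
"""

# First focus areas from the article: remote access and email access
# (privileged accounts are handled through the "privileged" column).
FIRST_FOCUS_ACCESS = {"vpn", "rdp", "email"}

def tier(row):
    """1 = first focus areas, 2 = sensitive-data applications, 3 = everything else."""
    if row["privileged"] == "yes" or row["access_type"] in FIRST_FOCUS_ACCESS:
        return 1
    if row["sensitive_data"] == "yes":
        return 2
    return 3

def finding(row):
    """Describe the MFA gap, or return None when a non-e-mail factor is enrolled."""
    if row["mfa_method"] == "none":
        return "no MFA"
    if row["mfa_method"] == "email_code":
        # The factor shares fate with the mailbox: if e-mail is compromised,
        # the account should be treated as being at additional risk.
        return "e-mail factor depends on mailbox security"
    return None

def mfa_gaps(inventory_csv):
    """Return (tier, account, finding) tuples: lowest tier first, missing MFA before weak MFA."""
    gaps = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issue = finding(row)
        if issue:
            gaps.append((tier(row), row["account"], issue))
    return sorted(gaps, key=lambda g: (g[0], g[2] != "no MFA", g[1]))

if __name__ == "__main__":
    for t, account, issue in mfa_gaps(SAMPLE_INVENTORY):
        print(f"tier {t}  {account:<13} {issue}")
```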

Next Steps

Our team and experienced partners implement MFA for a wide range of environments, most commonly after a compromise. We would highly recommend leaning on us or another party that can provide the right solution that will align with the business long term and ensure it is implemented in a secure manner.  

If you have questions or need help with implementation, you can contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

Michael Rogers

Michael Rogers is a Sr. Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a master’s degree in cyber security and is accredited through SANS for the GCFA, GCIA, GDAT, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.
