Important Factors of Implementing Multi-Factor Authentication Security
Multi-Factor Authentication (MFA) is supported by most internet services and by nearly every manufacturer and developer out there. That said, the importance of MFA, the best practices for it, and consistent standards for implementing it efficiently and effectively across an organization are far too often overlooked.
Why Passwords are No Longer Enough
Passwords are not the ultimate security you may think they are. Unfortunately, even if your password is a complex string of letters, numbers, and special characters, attackers can still obtain it and reach you. By using a layered defense across your IT infrastructure, unauthorized individuals will be significantly less likely to gain access to your sensitive information. This is something that a managed IT services expert can help implement. Let's walk through how multi-factor authentication can provide you with a safer, smarter way to run your business.
Cyber Insurance MFA Requirements
Data breaches can result in major legal fees and fines of hundreds of thousands of dollars. They can also take a serious toll on your reputation. Without cyber insurance, you are putting your customers and employees at greater risk. Where general liability insurance covers property damage and bodily injuries, cyber insurance, which general liability policies often exclude, covers the liability for compromised sensitive information. This includes health records, credit card numbers, and Social Security numbers, to name a few. It also helps with the recovery of the compromised data, notification of customers about the breach, and coverage of financial losses.
With so much of our lives shifting online in 2020, the rate of cyberattacks has skyrocketed. Back in May, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity to mandate multi-factor authentication for federal agencies. This order sends a signal to all cyber insurance companies that this is a step they need to take. While it has yet to be standardized, many of these companies have taken that step, improving their managed IT services for networking, communications, and security.
Who Should Have MFA Enabled
A common question asked by business leaders is, "Does every employee really need MFA enabled? Does MFA really need to be enforced as part of our cybersecurity policy?" The short answer is YES and YES. Simply put, anyone who has access to company resources needs to have MFA enabled on their accounts. Don't cut corners. Accept no substitutions.
For example, if someone in your company has access to Human Resources, Accounting, Manufacturing, Sales, or any other corporate data, they need to be protected. Attackers are trying to find a foothold in any company, regardless of size or industry. Once attackers have access to an account, it doesn't matter whether it belongs to a front-line worker or a C-suite executive. Access is what matters, whether it is to an email account on Microsoft 365, a Virtual Private Network (VPN) into a private cloud, or a Microsoft Azure virtual desktop.
Once an attacker controls an account, they can impersonate users through their email, take over additional accounts within your organization, or siphon data, regardless of the user's position or access level. The higher the level of access, the easier it is to move through your organization and gather information. The most common scenarios involve executives whose accounts are compromised, ransomware demanding that funds be transferred, or bank routing information being changed.
Services That Should Have MFA Enabled
Over the past decade, cybersecurity efforts have continued to evolve to keep pace with attackers' expanding capabilities. Most companies struggle to fully deploy, or even get funding for, a single MFA solution that can integrate across multiple technologies and services. Having MFA enabled for just email isn't enough to provide complete identity protection within the environment.
With the advent of remote work, tools and services that were once internal-only are now available externally through cloud and Software-as-a-Service (SaaS) solutions for file storage, databases, email, and HR portals. Any resource that is accessible externally should have MFA enabled, including administrative access to websites, email portals, Remote Desktop Services (RDS), VPNs, and other third-party portals.
Here are some of the ways that you can currently incorporate multi-factor authentication into your digital workspace.
General Remote Access
Remote access systems should support compliance with industry regulations. Failing to meet those standards can cause a disruption to the business, as well as a loss of trust. Multi-factor authentication for remote access is especially important where third parties are involved in an organization's operations. Your organization should have a protocol that ensures that only your assigned technicians have remote access. The credentials they should be given cover the three standard factors: something they know (a unique password), something they have (a security token on a card or their smart device), and something they are (biometric verification such as facial recognition or fingerprint scanning).
Virtual private networks (VPNs) create an encrypted tunnel for off-site users to connect with company data. The VPN is the industry-standard method for providing remote access to internal applications. Businesses have been using VPNs for years to promote security, but they can still be breached. Protect your VPN against credential theft by requiring a higher degree of identity assurance. This makes sure that only the right people have access from outside the office. VPNs can support authentication methods such as push notifications, one-time passwords, and biometric verification, as well as authenticator apps like Google Authenticator and Microsoft Authenticator.
Microsoft has made great strides in security enhancement for its hosted services. Office 365 adds security by requiring you to approve sign-ins to your account using a mobile device. It is recommended that you install both the Outlook app and Microsoft Authenticator for all multi-factor authentication purposes. You can enable MFA for users in bulk through the Office 365 admin center, after which active users are required to complete a secondary verification the next time they sign in. You can adjust how long a cached token remains valid to suit your needs. Microsoft's Azure Active Directory also allows administrators to specify geographic location and trusted device conditions to prevent unauthorized access.
Cloud platforms can host multiple portals that are either private or public to end-users. With the proliferation of cloud applications comes the attention of attackers who focus their efforts on the data stored there. You have the power to choose how and when to enroll your users in layered security. It can be required as part of their registration to your app, suggested on their account management page, or added incrementally when the user wants to access certain high-security features. It is best to encourage your users to register more than one secondary factor for account recovery, because if they lose access to the first, they will be locked out of their account.
Multi-factor authentication is capable of blocking over 99.9% of attacks on your account. Of course, no security system is perfect. But the additional layers that multi-factor authentication adds to your IT infrastructure certainly decrease the vulnerability of your digital security architecture.
What Does Multi-Factor Authentication Protect You Against?
In Verizon’s 2021 Data Breach Investigations Report, it was found that breaches involving phishing went up by 11% in one year, while ransomware incidents doubled. By boosting your managed IT services strategy with the use of multi-factor authentication, you are able to better combat hacking methods that aim to bypass your security.
Phishing emails are typically too good to be true or come from an unusual sender. They play on the emotional side of human decision-making. Common features include hyperlinks or attachments the sender expects you to open, and a sense of urgency within the message. With just one link, attackers can install malicious code on your device and steal your information. In a two-year experiment conducted by Duo, 60% of their phishing campaigns succeeded in capturing at least one login credential. This shows how easily, without the proper authentication controls, attackers can get people to open their emails and click.
Designed to spread across networks, ransomware attacks file servers, databases, and applications. Once malware has established its presence on an endpoint, it stays on the system until it has accomplished its task. In the case of ransomware, the task is to paralyze an organization and then demand money within a certain time period to decrypt the files. Even your data backups could be encrypted, leaving you with no way around the problem. Because of this, cybercriminals have generated billions of dollars in payments. It is important to note that, even if you send the attacker money, there is still no guarantee that you will be able to recover those files.
Common MFA Challenges and Issues
An issue often experienced by organizations that enable MFA security is an authentication conflict, or legacy authentication left enabled, for a service that bypasses the use of MFA altogether. The most common scenario is legacy authentication within Microsoft Office 365. Legacy authentication is the most basic form of authentication used with cloud-based services: the client sends only a username and password, so there is no point at which a second factor can be requested. Legacy authentication is used by several services within Office 365, including Microsoft's Autodiscover and Outlook Anywhere services. Unless support for legacy authentication is disabled, attackers who obtain a password can use these services to bypass MFA, leaving your organization vulnerable to a breach. Microsoft has some shocking data around legacy authentication and how frequently it's abused:
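The two practical steps that follow from this, and from the Azure Active Directory conditions mentioned under remote access above, are to find out who is still signing in over legacy protocols and then to block those protocols with a Conditional Access policy. The PowerShell below is an added example, not code from Centre Technologies or Microsoft. It assumes the Microsoft.Graph PowerShell SDK (the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules) and an account permitted to read sign-in logs and manage Conditional Access; the 30-day window and the break-glass group id are constructed placeholders.

```powershell
# Added example (not from the original post): audit legacy-authentication sign-ins
# in Microsoft 365, then stage a Conditional Access policy that blocks them.
# Assumes Microsoft.Graph PowerShell SDK; group id and 30-day window are placeholders.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Entra ID labels modern-auth sign-ins with these two "Client app" values. Everything
# else (IMAP4, POP3, Authenticated SMTP, AutoDiscover, Exchange ActiveSync,
# Outlook Anywhere, "Other clients", ...) is a legacy protocol that sends only a
# username and password and can never complete an MFA challenge.
$ModernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

$since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Step 1: who is still relying on legacy protocols? Successful legacy sign-ins are
# the ones that actually bypassed MFA; failed ones show where password guessing lands.
$legacyReport = $signIns |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $ModernClientApps) } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            Attempts  = $_.Count
            Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            SourceIPs = ($_.Group.IPAddress | Sort-Object -Unique) -join ', '
            LastSeen  = $_.Group.CreatedDateTime | Sort-Object -Descending | Select-Object -First 1
        }
    } |
    Sort-Object Successes -Descending

$legacyReport | Format-Table -AutoSize

# Step 2: stage the block in report-only mode first. Compare the report-only results
# in the sign-in log against the list above, move any mailbox or integration that
# still needs IMAP/SMTP/EWS onto modern (OAuth) authentication, then set state to
# 'enabled'. A break-glass group is excluded so a mistake cannot lock every admin out.
$policy = @{
    displayName   = 'Block legacy authentication (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @('<break-glass-group-object-id>') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # Entra's two legacy client app types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The report is worth keeping as a baseline: once the policy is enforced, any new row with Successes greater than zero means a path around MFA still exists (for example a per-user authentication policy exception) and should be treated as an incident, not a configuration drift.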
Why Consistency is Critical to Enforcing MFA
Consistency is critical to any business. Business processes are in place to make sure that work is performed quickly and efficiently every time, with repeatable results. Businesses also put processes in place to help onboard employees, because a consistent onboarding process makes for happier employees. These same repeatable results are desired for the security of your company and its data. Having MFA enabled across the environment ensures a consistent, predictable outcome in terms of cybersecurity protection.
A Virtual Private Network (VPN) is a critical entry point into any corporate environment. VPN services provide a direct connection between an endpoint device (like a laptop) and your internal network resources (like a server in an office, private cloud, or datacenter). VPN accounts (sometimes referred to as 'local accounts'), especially those not integrated with Active Directory, are less likely to be removed when an employee leaves your organization. Without consistency in account provisioning and deprovisioning, these accounts become a prime target for attackers. VPN accounts are commonly seen for sale for as low as $15 on the dark web and allow easy access to internal resources. When MFA security isn't enabled or enforced on VPN accounts, those accounts become susceptible to abuse, leaving your organization open to a breach.
The same mindset and attention to consistency apply when publishing a remote desktop service. A remote desktop typically exposes a Windows-based machine, and with it access to server resources, for convenient remote use. Unfortunately, these types of unsecured accounts are sold online to attackers very cheaply, often with multiple accounts for the same company bundled together. Without MFA enabled, login activity can become difficult to track.
Furthermore, company-wide portals, such as those containing HR and other sensitive data, should also be protected via MFA. Because these services are not hosted inside the company but by third-party providers, monitoring logins and access becomes extremely difficult without access to the supporting infrastructure. Consistent creation and removal of accounts is critical to making sure data is not leaked.
How Often MFA Should Be Authenticated
Determining how often to force MFA authentication, and under what circumstances, are two of the biggest questions to answer when forming an MFA policy. Consistency across platforms, including VPN, RDS, email, and third-party hosted services, is essential to securing the identity of your employees and your organization's data, no matter where corporate information lives. With workers shifting between in-office and remote status, IT departments and Managed Services Providers (MSPs) are seeing an increase in the deployment of Multi-Factor Authentication (MFA) on employee desktops at home.
When working remotely from home, employees are no longer protected by most of the corporate security products and services. These home computers are not only more easily accessible by family members, but are typically connected to a home network that provides their internet access and isn't segmented from other less secure devices (like printers and smart TVs). Confirming the identity of who is using specific endpoints is paramount to ensuring the security of those endpoints.
Want to Fortify Your Multi-Factor Authentication (MFA) Deployment?
Let Centre Technologies help improve your security posture: request a meeting to discuss your current (or future) MFA posture and ways to improve it.
About the Author
Organizations entrust Centre with protecting their technology ecosystem and strengthening their security posture. Centre's cybersecurity and compliance solutions deliver layered IT security to protect businesses' employees, customers, and content from known and unknown threats. Through employee awareness training, detailed security assessments, and 24x7 threat containment, Centre is a trusted partner for businesses seeking comprehensive network and data protection.