As is so often the case in IT, the importance of a particular process, technology or requirement only becomes apparent to end users and/or management when something bad happens.
Many times, only when there is a major “fire” is management finally willing to pay for that colo or cloud service you’ve been suggesting. A critical server crashes, and they finally approve the upgrade to the backup system you’ve been begging for. A major security flaw is discovered in your firewall’s firmware, and suddenly it’s “sure, we will finally pay for the support agreement” so you can upgrade the code.
Similarly, MFA becomes a hot topic for management any time an executive’s email gets hacked or another article hits the news about a major breach that could have been easily avoided if MFA had been in place.
A recent example comes directly from US Homeland Security in the form of an emergency directive sent out last month.
This directive details an ongoing campaign, believed to be the work of a foreign nation’s intelligence agency, against companies and organizations across the globe.
The attack is relatively simple in its implementation:
First, break into the company’s account at its external DNS provider. How do they do this? Well, who would have guessed: Password1 is not a secure password.
Then, once you have access to the DNS entries, point them at your own web server, which proxies the traffic back to the real site. For the end user it looks like they are still reaching the right place, which they are; however, the attacker’s server is now sitting in the middle of the connection, capturing session cookies, credentials and anything else that passes through.
You might be thinking, what good is that? “Won’t the SSL lock in the browser protect me?” If that were all that was happening, you wouldn’t be wrong. It would, except that the attacker now controls your public DNS. A public certificate authority checks that whoever requests a certificate controls the domain by looking at that domain’s DNS: either a validation record placed in the zone, or an HTTP challenge fetched from wherever the name resolves. An attacker who controls the zone passes that check, is issued a perfectly valid certificate for your domain name by a public CA, and installs it on their own web server. The browser shows the lock, and the man in the middle is invisible to the end user.
And so, in case it’s not immediately clear what would have stopped this from the get-go: MFA on your DNS, CA and registrar accounts ensures that even if your password really was that bad, the attacker still wouldn’t have gotten in without also holding the “something you have”.
Although it may not be something you think of as common, we have all probably been using MFA for decades. An ATM card is a form of MFA. The best description I’ve heard is that MFA is “something you know” paired with “something you have”, i.e. your PIN and your ATM card.
MFA in the IT world comes in many flavors and levels of sophistication and security: a simple, and not especially secure, one-time code emailed or texted to your phone to confirm a login; an authenticator service or app from Duo, Okta, Microsoft or Google; or, more secure still, a cryptographic token or fob. Having at least one of these methods in place should be a priority for all IT admins, and for all IT resources such as your DNS, CA and registrar accounts.
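To make the attack concrete from the defender’s side, here is an added example (not from the directive and not UCRIGHT’s tooling) of the two checks a monitoring job would run: compare the zone’s records as an independent resolver sees them against a baseline you keep outside the DNS provider’s account, and flag any certificate that shows up in Certificate Transparency logs for your names that your team never deployed. The zone, the addresses (RFC 5737 documentation ranges) and the certificate entries are constructed for illustration.

```python
"""Detection check for DNS hijacking plus rogue certificate issuance.

Added example; the zone, addresses and certificate entries are constructed
for illustration and are not anyone's real infrastructure.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]  # (owner name, record type)

# Baseline: the records your team intentionally published. In practice this is
# exported from your DNS provider and kept outside that provider's account.
BASELINE: Dict[Record, Set[str]] = {
    ("example.com", "NS"): {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("mail.example.com", "A"): {"198.51.100.10"},
    ("www.example.com", "A"): {"198.51.100.20"},
}

# Observed: what an independent resolver answers right now (constructed sample).
# The mail host has been repointed to an attacker-controlled proxy.
OBSERVED: Dict[Record, Set[str]] = {
    ("example.com", "NS"): {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("mail.example.com", "A"): {"203.0.113.77"},
    ("www.example.com", "A"): {"198.51.100.20"},
}

# Certificate Transparency entries for the zone, as a CT monitor would return
# them (constructed). The second certificate was never requested by your team:
# it is the one the attacker obtained by passing the CA's domain validation.
CT_ENTRIES = [
    {"names": ["mail.example.com"], "issuer": "Corp Trusted CA", "sha256": "11aa"},
    {"names": ["mail.example.com", "autodiscover.example.com"],
     "issuer": "Some Public CA", "sha256": "99ff"},
]
KNOWN_CERT_FINGERPRINTS = {"11aa"}  # fingerprints of certs you actually deployed


def diff_dns(baseline: Dict[Record, Set[str]],
             observed: Dict[Record, Set[str]]) -> List[str]:
    """Return one finding per record set that differs from the baseline."""
    findings: List[str] = []
    for rec, expected in baseline.items():
        actual = observed.get(rec, set())
        if actual != expected:
            findings.append(f"{rec[1]} {rec[0]}: expected {sorted(expected)}, got {sorted(actual)}")
    for rec in observed.keys() - baseline.keys():  # records nobody published
        findings.append(f"{rec[1]} {rec[0]}: unexpected record {sorted(observed[rec])}")
    return findings


def in_zone(name: str, zone: str) -> bool:
    """True when name is the zone apex or a name underneath it."""
    return name == zone or name.endswith("." + zone)


def unexpected_certs(entries: List[dict], known: Set[str], zone: str) -> List[dict]:
    """Certificates covering the zone whose fingerprint you did not deploy."""
    return [e for e in entries
            if e["sha256"] not in known and any(in_zone(n, zone) for n in e["names"])]


if __name__ == "__main__":
    for finding in diff_dns(BASELINE, OBSERVED):
        print("DNS DRIFT:", finding)
    for cert in unexpected_certs(CT_ENTRIES, KNOWN_CERT_FINGERPRINTS, "example.com"):
        print("ROGUE CERT:", cert["issuer"], cert["sha256"], cert["names"])
```

Run this from a host and resolver that the DNS provider account does not control, and keep the baseline somewhere the provider login cannot reach. A CAA record in the zone does not stop this attack, because whoever can rewrite the A records can rewrite the CAA record too; the control that actually closes the door is the one the post argues for, MFA on the registrar and DNS accounts, with this kind of monitoring as the backstop.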
Further, as attacks become more and more common across all types of organizations, we as IT influencers should be pushing our critical end users (think CxOs, directors and other VIPs) to start using MFA to protect their businesses and reputations.
Finally, while we understand the challenges of deploying new technology to end users, especially technology that requires additional effort from those users, we at UCRIGHT firmly believe that in the near future it is going to become a necessity to deploy strong MFA to all users in your environment to fully safeguard your business.
There is obviously a cost associated with each new technology you deploy. Google released a study of its internal deployment of FIDO U2F security keys made by Yubico, which you can read more about here: https://www.yubico.com/2016/02/use-of-fido-u2f-security-keys-focus-of-2-year-google-study/
An interesting takeaway from the study was that even with the cost of the keys, the time and money saved by eliminating password lockouts and the IT intervention needed to fix them paid for two keys per user. That was in addition to the time saved across the enterprise by not having to manually enter codes at each login.
Here at UCRIGHT we realize not every company is like Google and may not have the know how or resources to go down this path by themselves. That’s why we’ve partnered with leading companies in the MFA space and can help you design and implement a solution for your company.
Contact us today for help tailoring the right MFA solution for your needs!